
Many Chrome extensions start as small developer projects, and once they gain users, are sold on. But what if the new owner turns out to be a bad actor who gains the ability to update software running inside thousands of browsers?
Two separate pieces of research highlight how attackers are acquiring legitimate ‘Featured’ extensions with an existing user base and then modifying them to deliver malware.
Both extensions, ShotBird and QuickLens, were originally associated with the same developer ("[email protected]" / "Buildmelon.com") and started out as legitimate projects that were later sold on.
ShotBird was originally launched as a productivity tool designed to help users create stylized screenshots. At one point last year it even carried the Chrome Web Store’s ‘Featured’ badge, a promotion that can dramatically increase downloads.
However, research published by monxresearch-sec found that “at sometime between December and March” this year the extension was passed on to a different developer ("[email protected]").
The research notes how an update of the extension then began pulling instructions from attacker-controlled servers and displaying fake Chrome update prompts designed to trick users into installing malware.
Victims were then hit with a ClickFix lure: told that their browser needed a manual update, they were instructed to run a command that downloaded a malicious programme disguised as a Chrome update.
Once installed, the malware moved beyond the browser. Researchers say it was capable of monitoring form fields and capturing information typed by users, including passwords, credit card numbers and authentication codes, while also accessing saved credentials in browser data.
QuickLens extension: compromised ownership
A separate investigation by Annex examined a Chrome extension called QuickLens, which billed itself as a “Pixel Perfect” tool to help designers inspect webpage layouts.
According to researcher John Tuckner, last month the extension’s owner changed to "[email protected]" on the Chrome Web Store listing page.
An update then allowed the extension to bypass browser security protections and inject malicious scripts into websites users visited.
In this case, the extension stripped security headers from webpages and used a small tracking pixel to trigger hidden JavaScript.
"The actual malicious code never appears in the extension's source files," Tuckner noted.
This, the researcher added, allows attackers to run commands inside the browser, potentially stealing session tokens, capturing data from web pages or injecting more malicious software.
“This is a two-stage abuse chain: extension-side remote browser control plus host-level execution pivot via fake updates.”
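The ownership change and the header-stripping update described above both leave traces in artefacts a reviewer can inspect statically: the extension’s manifest and its declarativeNetRequest rule sets. The following is an added example, not code from Annex, Cybernews or the QuickLens extension itself. It audits a Manifest V3 manifest plus its rule sets for the two capabilities the article attributes to the weaponised update: access to every site, and rules that remove response security headers. The article only says “security headers”; treating Content-Security-Policy as the header of interest is an assumption, and both sample manifests and the rule set are constructed for the example.

```javascript
// Added example (not from the Annex or Cybernews write-ups): a static audit that
// flags capabilities a weaponised extension update needs. Input shapes follow
// Chrome's Manifest V3 and declarativeNetRequest rule JSON; the sample
// manifests and rule set below are constructed, not real extension data.

const ALL_URL_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Response headers whose removal lets injected remote script run in a page.
// Assumption: Content-Security-Policy is the header the article alludes to.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
]);

function isBroadMatch(pattern) {
  return ALL_URL_PATTERNS.has(pattern);
}

// Returns human-readable findings; an empty array means nothing was flagged.
function auditExtension(manifest, ruleSets) {
  const findings = [];

  // Every-site host access is the precondition for touching arbitrary pages.
  if ((manifest.host_permissions || []).some(isBroadMatch)) {
    findings.push("host_permissions grant access to every site");
  }

  // Content scripts matched against all URLs give the extension a hook into every page.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadMatch)) {
      findings.push(`content script ${JSON.stringify(cs.js || [])} runs on all URLs`);
    }
  }

  // declarativeNetRequest modifyHeaders rules that strip security headers from responses.
  for (const [name, rules] of Object.entries(ruleSets)) {
    for (const rule of rules) {
      if (rule.action?.type !== "modifyHeaders") continue;
      for (const h of rule.action.responseHeaders || []) {
        if (h.operation === "remove" && SECURITY_HEADERS.has(String(h.header).toLowerCase())) {
          const filter = rule.condition?.urlFilter ?? "(any)";
          findings.push(`rule set ${name} rule ${rule.id} removes ${h.header} for ${filter}`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample: a layout-inspection extension that only touches the
// active tab on user action and declares no network rules.
const benignManifest = {
  manifest_version: 3,
  name: "Layout inspector (constructed sample)",
  permissions: ["activeTab", "scripting"],
  host_permissions: [],
  content_scripts: [],
};

// Constructed sample modelling the capabilities the article describes after the
// handover: every-site access plus a rule removing Content-Security-Policy.
const suspiciousManifest = {
  manifest_version: 3,
  name: "Layout inspector (constructed sample, post-handover)",
  permissions: ["declarativeNetRequest", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inspector.js"] }],
  declarative_net_request: { rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }] },
};
const suspiciousRules = {
  rules: [
    {
      id: 1,
      priority: 1,
      action: {
        type: "modifyHeaders",
        responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }],
      },
      condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
    },
  ],
};

function runAudit() {
  return {
    benign: auditExtension(benignManifest, {}),
    suspicious: auditExtension(suspiciousManifest, suspiciousRules),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = runAudit();
  console.log("benign:", result.benign);
  console.log("suspicious:", result.suspicious);
}
```

The audit deliberately keys on declared capabilities rather than on the payload: as Tuckner notes, the malicious code itself never appears in the extension’s source files, so a scan of the bundled JavaScript would find nothing, while an every-site host grant plus a rule that removes Content-Security-Policy is visible in the manifest and rule files of any installed copy and should be treated as a red flag after an ownership change.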
Browser extensions and the “supply chain problem”
Annex notes that the original extension developer "[email protected]" has published several other extensions under their name on the Chrome Web Store and all of them have received a ‘Featured’ badge.
"This is the extension supply chain problem in a nutshell. A 'Featured,' reviewed, functional extension changes hands, and the new owner pushes a weaponized update to every existing user."
John Tuckner, founder and researcher, Annex Security
And because browser extensions update automatically, a single malicious update may hit thousands of users at once – turning a once useful tool into an embedded surveillance or malware delivery system inside a browser.
Last week, LayerX Security researchers warned that browser extensions have a massive security blind spot, demonstrating this with their own extension, which they labelled “Totally Innocent Extension.”
“In our demonstration, the payload simply opens the calculator app as a benign visual indicator,” noted Iyar Segev, a LayerX security researcher. “In a real-world scenario, it could enable persistence, lateral movement, data exfiltration, or full remote control of the machine.”