Massive Cyber Attack Compromises 16 Popular Chrome Extensions, Including ‘Adblock for Chrome’

A security breach has affected over 3.2 million users through compromised browser extensions posing as legitimate tools. The extensions, once trusted by millions, were found to inject harmful scripts and exfiltrate user data without giving users any sign that something was wrong. The attack was a supply chain compromise: the perpetrators infiltrated known extensions and distributed malicious updates unnoticed.

The extensions were originally created for functions such as ad blocking, emoji input, and screen capture, but became tools for the attackers. Recent updates introduced obfuscated scripts that enabled data theft, modification of HTTP requests, and injection of advertisements into users’ browsing sessions. Because the extensions held broad permissions, including host access and scripting controls, the attackers could manipulate web activity on the fly.

The following is the list of the 16 affected Chrome extensions:

– Blipshot (one-click full-page screenshots)
– Emojis – Emoji Keyboard
– WAToolkit
– Color Changer for YouTube
– Video Effects for YouTube and Audio Enhancer
– Themes for Chrome and YouTube™ Picture in Picture
– Mike Adblock für Chrome | Chrome-Werbeblocker
– Page Refresh
– Wistia Video Downloader
– Super Dark Mode
– Emoji Keyboard Emojis for Chrome
– Adblocker for Chrome – NoAds
– Adblock for You
– Adblock for Chrome
– Nimble Capture
– KProxy

Investigations have linked the breach to compromised developer accounts, with some developers unknowingly transferring control to the attackers. The attackers then used the official browser extension stores to push out harmful updates. The infrastructure behind the attack is apparently tied to known phishing operations.

The danger of this attack lies in its method, which is reminiscent of past supply chain attacks where trusted software is weaponized to spread malware. By abusing the browser extension update mechanism, attackers bypass typical security barriers, which makes this a significant threat.

These malicious extensions have been removed from verified platforms for now. However, users are urged to exercise caution when installing extensions and not to rely solely on positive reviews. As cyber threats evolve, it is crucial to remain vigilant and informed.
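
The following is an added example, not code from the article or from any vendor: a Python audit of installed extension manifests that flags the names listed above and the permission classes the article mentions (host access, scripting, HTTP request modification). The finding labels, the mapping of those classes to specific manifest keys, and the `Extensions/<id>/<version>/manifest.json` layout are assumptions of this example.

```python
import json
from pathlib import Path

# Names as listed in the article. It gives no extension IDs, so a name match is
# only a lead for manual review: unrelated extensions can share a name.
AFFECTED_NAMES = {n.casefold() for n in [
    "Blipshot (one-click full-page screenshots)", "Emojis – Emoji Keyboard",
    "WAToolkit", "Color Changer for YouTube",
    "Video Effects for YouTube and Audio Enhancer",
    "Themes for Chrome and YouTube™ Picture in Picture",
    "Mike Adblock für Chrome | Chrome-Werbeblocker", "Page Refresh",
    "Wistia Video Downloader", "Super Dark Mode",
    "Emoji Keyboard Emojis for Chrome", "Adblocker for Chrome – NoAds",
    "Adblock for You", "Adblock for Chrome", "Nimble Capture", "KProxy",
]}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
REQUEST_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                "declarativeNetRequestWithHostAccess"}

def audit_manifest(manifest):
    """Return a sorted list of finding labels for one parsed manifest.json."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | perms
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    name = str(manifest.get("name", "")).strip().casefold()
    checks = {
        "name-on-article-list": name in AFFECTED_NAMES,
        "broad-host-access": bool(hosts & BROAD_HOSTS),
        "scripting": "scripting" in perms,
        "request-modification": bool(perms & REQUEST_APIS),
    }
    return sorted(label for label, hit in checks.items() if hit)

def scan_extensions(ext_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = audit_manifest(manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            report[str(path)] = ["unreadable-manifest"]
            continue
        if findings:
            report[str(path)] = findings
    return report
```

A manifest whose name is a `__MSG_*__` placeholder keeps the display name in `_locales/<lang>/messages.json` and will not match the name check here. Broad permissions alone are common among legitimate extensions, so treat those findings as a review queue rather than a verdict.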