Share This Post

Tech

500 Chrome extensions secretly uploaded private data from millions of users

500 Chrome extensions secretly uploaded private data from millions of users
500 Chrome extensions secretly uploaded private data from millions of users

Enlarge

More than 500 browser extensions downloaded millions of times from Google’s Chrome Web Store surreptitiously uploaded private browsing data to attacker-controlled servers, researchers said on Thursday.

The extensions were part of a long-running malvertising and ad-fraud scheme that was discovered by independent researcher Jamila Kaya. She and researchers from Cisco-owned Duo Security eventually identified 71 Chrome Web Store extensions that had more than 1.7 million installations. After the researchers privately reported their findings to Google, the company identified more than 430 additional extensions. Google has since removed all known extensions.

“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” Kaya and Duo Security Jacob Rickerd wrote in a report. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”

Read 10 remaining paragraphs | Comments

You deserve a better Internet. Brave Browser

So we reimagined what a browser should be.

It begins with giving you back power. Get unmatched speed, security and privacy by blocking trackers. Earn rewards by opting into our privacy-respecting ads and help give publishers back their fair share of Internet revenue.

 

Share This Post

Leave a Reply