Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft
Source: The Hacker News
Overview
Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer. The compromised extensions now allow attackers to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.
Affected Extensions
Both extensions were originally associated with a developer identified by the email akshayanuonline@gmail.com (BuildMelon). The extensions are:
- QuickLens – Search Screen
- (additional extensions may be listed in the original article)
Malicious Behavior
- Code Injection: The extensions can inject arbitrary JavaScript into web pages visited by the user, enabling a wide range of attacks such as credential harvesting, session hijacking, and drive‑by downloads.
- Data Theft: Sensitive information—including login credentials, browsing history, and form inputs—can be captured and exfiltrated to attacker‑controlled servers.
- Malware Distribution: Attackers can push additional malicious payloads to users of the compromised extensions, effectively turning the extensions into a delivery mechanism for further threats.
How the Transfer Occurred
The extensions were originally published under the legitimate developer “akshayanuonline@gmail.com.” At some point, ownership of the extensions was transferred to a different Google account. After the transfer, the new owner updated the extensions with malicious code, which was then automatically distributed to all existing users through Chrome’s update mechanism.
Mitigation Steps
- Remove the Extensions: Users should uninstall the affected extensions immediately from Chrome’s Extensions page (chrome://extensions).
- Revoke Permissions: After removal, clear any residual permissions or data the extensions may have stored.
- Check for Compromise: Review recent activity on accounts that may have been accessed through the compromised extensions (e.g., email, banking, social media). Change passwords and enable two‑factor authentication where possible.
- Monitor Chrome Web Store: Keep an eye on the Chrome Web Store for any re‑published versions of the same extensions under different names or developers.
- Report to Google: Use the Chrome Web Store’s Report Abuse function to notify Google of the malicious extensions.
Recommendations for Developers
- Maintain Strict Ownership Controls: Limit who can transfer ownership of extensions and require multi‑factor authentication for such actions.
- Monitor Extension Updates: Implement automated checks for unexpected changes in code or permissions after an update is published.
- Use Code Signing: Sign extension code to detect unauthorized modifications.
- Educate Users: Inform users about the risks of installing extensions from unknown developers and the importance of reviewing requested permissions.
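As an added example (not from the article or from Google), the following Python script illustrates the "Monitor Extension Updates" recommendation: it compares two unpacked versions of an extension, hashes every file, and flags newly added permissions or host patterns, which is exactly the kind of change a post-transfer malicious update introduces. The sample manifests and file contents are constructed for the demonstration.

```python
import hashlib
import json

# Host patterns that grant access to every site; their appearance in an update deserves review.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def file_hashes(files):
    """Map each path of an unpacked extension to the SHA-256 digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def manifest_perms(manifest):
    """Collect declared permissions and every host pattern the manifest can reach."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return perms, hosts

def audit_update(old_files, new_files):
    """Compare two unpacked versions and return the changes a reviewer should examine."""
    old_p, old_h = manifest_perms(json.loads(old_files["manifest.json"]))
    new_p, new_h = manifest_perms(json.loads(new_files["manifest.json"]))
    old_hash, new_hash = file_hashes(old_files), file_hashes(new_files)
    findings = {
        "added_permissions": sorted(new_p - old_p),
        "added_hosts": sorted(new_h - old_h),
        "broad_hosts": sorted(new_h & BROAD_HOSTS),
        # New files show up here too, since they have no hash in the old version.
        "changed_files": sorted(p for p in new_hash if old_hash.get(p) != new_hash[p]),
        "removed_files": sorted(set(old_hash) - set(new_hash)),
    }
    # Any widening of permissions or reach is treated as suspicious until a human reviews it.
    findings["suspicious"] = bool(findings["added_permissions"] or findings["added_hosts"])
    return findings

# Constructed sample: a narrowly scoped v1 and an update that silently widens its reach.
V1 = {
    "manifest.json": json.dumps({"manifest_version": 3, "version": "1.0",
        "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}).encode(),
    "background.js": b"chrome.storage.local.get('settings', () => {});",
}
V2 = {
    "manifest.json": json.dumps({"manifest_version": 3, "version": "1.1",
        "permissions": ["storage", "scripting", "tabs"], "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}).encode(),
    "background.js": b"chrome.storage.local.get('settings', () => {}); // changed in 1.1",
    "inject.js": b"document.addEventListener('submit', () => {});",
}

if __name__ == "__main__":
    print(json.dumps(audit_update(V1, V2), indent=2))
```

In practice the two directories would come from the CRX files of consecutive versions; the same comparison works for an enterprise allow-list review before an update is permitted to roll out.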
References
- Chrome Web Store – QuickLens – Search Screen (link to the extension’s store page, if still available)
- Google Chrome Help – Manage extensions
If you suspect that your system has been compromised, consider running a full malware scan and consulting a security professional.