500 Chrome extensions secretly uploaded personal data from hundreds of thousands of people
More than 500 browser extensions downloaded thousands and thousands of times from Google’s Chrome Web Store surreptitiously uploaded private browsing data to attacker-controlled servers, researchers reported on Thursday.
The extensions were part of a long-running malvertising and ad-fraud scheme that was discovered by independent researcher Jamila Kaya. She and researchers from Cisco-owned Duo Security eventually identified 71 Chrome Web Store extensions that had more than 1.7 installations. After the researchers privately reported their findings to Google, the company identified more than 430 additional extensions. Google has since removed all known extensions.
“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” Kaya and Duo Security’s Jacob Rickerd wrote in a report. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”