Attention Google Chrome users: recent findings reveal that you might unknowingly have harmful extensions installed. According to Socket's Threat Research Team, a total of 108 Chrome extensions have been identified as tools for stealing sensitive information, including login credentials and browsing data. Although these extensions were published under five distinct developer names (GameGen, InterAlt, Rodeo Games, SideGames, and Yana Project), they all funnel data back to a single operator. While these extensions have garnered around 20,000 installations, which is small compared to Chrome's user base of 3.62 billion, the coordinated nature of this scheme raises significant concerns.
The malicious extensions fall into several categories, such as Telegram sidebar clients that create a functional chat interface, gambling games like slot machines and Keno, and tools that claim to enhance YouTube and TikTok experiences. Although these extensions appear legitimate in the Chrome Web Store, they are running harmful scripts in the background.
For instance, the Telegram client may provide users with a working chat interface, but it surreptitiously captures the user's session every 15 seconds, exposing messages, contacts, and linked accounts. Fifty-four of these extensions capture the Google account identity of anyone who signs in through them, revealing personal information such as the email address and profile picture to the operator, although they do not gain access to the Google account itself. Additionally, some extensions contain backdoors that can open any URL the operator chooses, while others can inject HTML into web pages. Five specific extensions even disable security measures on YouTube and TikTok in order to inject gambling advertisements.
Protecting Yourself from Malicious Extensions
To safeguard your data, start by checking for any of the identified extensions in your browser. Notable examples include "Telegram Multi-account," "Black Beard Slot Machine," and "Page Locker." A comprehensive list, including Chrome Extension IDs, can be found in Socket's report.
If you've used the Telegram Multi-account extension, it's advisable to log out of all Telegram Web sessions through the Telegram app by navigating to Settings > Devices > Terminate all other sessions. Should you have signed in using your Google account, consider your identity compromised and review third-party app permissions accordingly. If you utilized the text translation tool, your name and email address may have been exposed.
In the future, exercise caution when installing new extensions. Although the Chrome Web Store aims to host safe extensions, malicious applications can still infiltrate the platform. Always scrutinize listings for sensitive information requests, lack of reviews, or poor presentation, and avoid such extensions whenever possible.
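As an added illustration of the check described above (this script is not from the article or from Socket), the following audit walks a Chrome profile's Extensions folder, reads each manifest.json, and flags entries whose name matches one quoted in the article, whose ID is on a watchlist, or whose permissions reach every site, cookies or identity. The extension IDs are not on this page, so the ID set is a placeholder to be filled from Socket's report; the profile layout and sample manifests are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Extension names quoted in the article. IDs are not on this page: take them
# from Socket's report and replace the placeholder below.
WATCHLIST_NAMES = {"telegram multi-account", "black beard slot machine", "page locker"}
WATCHLIST_IDS = {"PLACEHOLDER_ID_FROM_SOCKET_REPORT"}
# Permissions that let an extension read pages, cookies or identity on any site.
BROAD_PERMS = {"<all_urls>", "cookies", "webRequest", "scripting", "identity", "tabs"}

# Real profile location (adjust for your OS/profile), e.g. on Linux:
#   ~/.config/google-chrome/Default/Extensions
def scan_extensions(ext_root: Path) -> list[dict]:
    """Walk <Extensions>/<id>/<version>/manifest.json and flag suspicious entries."""
    findings = []
    for manifest in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = manifest.parents[1].name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        name = data.get("name", "")  # "__MSG_*__" names are localized; see _locales/
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        reasons = []
        if ext_id in WATCHLIST_IDS:
            reasons.append("id on watchlist")
        if name.strip().lower() in WATCHLIST_NAMES:
            reasons.append("name on watchlist")
        broad = sorted(perms & BROAD_PERMS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings

def build_sample_profile() -> Path:
    """Constructed test data: a fake Extensions dir with one benign and two suspect entries."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {  # IDs are made up; real Chrome IDs are 32 letters a-p
        "aaaa": {"name": "Telegram Multi-account", "permissions": ["storage"],
                 "host_permissions": ["<all_urls>"]},
        "bbbb": {"name": "Plain Notes", "permissions": ["storage"]},
        "cccc": {"name": "Video Booster", "permissions": ["cookies", "tabs"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for f in scan_extensions(build_sample_profile()):
        print(f["id"], f["name"], "->", "; ".join(f["reasons"]))
```

A broad-permission hit is a prompt to review the listing, not proof of malice; the name and ID matches are the actionable ones.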