Over 500 Google Chrome extensions, downloaded millions of times, secretly uploaded private data from millions of users. The technique used by hackers, called "malvertising", remains difficult to spot. The findings come from a joint investigation by security researcher Jamila Kaya and Cisco-owned Duo Security.

In a report published on Thursday, February 13, 2020, cybersecurity expert Jamila Kaya indicated that she had identified a large number of Google Chrome browser extensions operating in a manner that initially seemed legitimate. Upon further investigation, they were found to infect users' browsers and exfiltrate users' private data.

Together, Kaya and Duo Security managed to isolate 71 modules with suspicious behavior thanks to the free extension published by Duo Security, called CRXcavator. They then informed Google of their discoveries, and Google, after further research, identified 430 other malicious extensions. They were immediately removed from the Chrome Web Store.

500 Chrome Extensions Caught Stealing Data of Million Users

The level of permissions requested by each plugin is similarly high and is identical between them, allowing each plugin to access a large amount of data in the browser. In addition, the external sites contacted are identical between all the plugins involved, with the exception of each plugin's "front" site.
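
An added example (not from the original report or from CRXcavator): one way to triage an extension inventory for the pattern described above, grouping extensions that request an identical, broad permission set and contact the same hosts apart from one per-extension "front" site. The inventory format, extension IDs, hosts and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Chrome manifest permissions that expose broad browsing data.
BROAD = {"<all_urls>", "tabs", "history", "cookies", "webRequest"}

# Constructed sample inventory: IDs and hosts are placeholders, not IOCs.
INVENTORY = [
    {"id": "ext-a", "permissions": ["tabs", "history", "<all_urls>", "storage"],
     "hosts": ["front-a.example", "cdn.shared.example", "stats.shared.example"]},
    {"id": "ext-b", "permissions": ["<all_urls>", "storage", "tabs", "history"],
     "hosts": ["front-b.example", "cdn.shared.example", "stats.shared.example"]},
    {"id": "ext-c", "permissions": ["history", "tabs", "storage", "<all_urls>"],
     "hosts": ["front-c.example", "stats.shared.example", "cdn.shared.example"]},
    {"id": "notes", "permissions": ["storage"],
     "hosts": ["sync.notes.example"]},
    {"id": "adblock", "permissions": ["tabs", "webRequest", "<all_urls>"],
     "hosts": ["lists.adblock.example"]},
]

def find_clusters(inventory, min_size=3, min_broad=2, min_shared=2):
    """Group extensions whose permission sets are identical and broad, then
    keep groups that share contacted hosts apart from <=1 host per member."""
    by_perms = defaultdict(list)
    for ext in inventory:
        perms = frozenset(ext["permissions"])  # order in the manifest is irrelevant
        if len(perms & BROAD) >= min_broad:
            by_perms[perms].append(ext)

    clusters = []
    for perms, members in by_perms.items():
        if len(members) < min_size:
            continue
        shared = set.intersection(*(set(m["hosts"]) for m in members))
        fronts = {m["id"]: sorted(set(m["hosts"]) - shared) for m in members}
        # Pattern from the text: common back-end hosts, one unique "front" each.
        if len(shared) >= min_shared and all(len(f) <= 1 for f in fronts.values()):
            clusters.append({"permissions": sorted(perms),
                             "shared_hosts": sorted(shared),
                             "fronts": fronts})
    return clusters

if __name__ == "__main__":
    for cluster in find_clusters(INVENTORY):
        print(cluster)
```

A cluster is a lead for manual review, not a verdict: legitimate extensions from one publisher can also share permissions and back-end hosts.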


Once on the user's browser, the plugin will call out to the site referenced by its name, Mapstrek[.]com, ArcadeYum[.]com, or the like (partial list in the IOC document), and do so at regular intervals to receive instructions as to whether to uninstall or not. Sandboxes report that trying to navigate to each of the plugin sites immediately takes them to a gdprcountryrestriction[.]com site, to which impacted users are not taken. This could indicate that the plugin is attempting to appear legitimate and obfuscate its behavior from sandboxes.


Extensions for web browsers are often singled out for the poor protection they offer. "Here, the ones we spotted voluntarily concealed functionality designed for advertising purposes. They exiled the user's browsing history without their knowledge, increasing the risk that they would receive targeted promotion campaigns. They completely escaped the mechanism of Google Chrome security," said Jamila Kaya in a post.

Called "malvertising", for malicious advertising, this technique is popular because it allows users' traffic to be redirected without their consent. Presented to the user as a way to get promotions, these extensions redirected most of the time to harmless advertisements for Macy’s, Dell and Best Buy. In addition, users were sometimes redirected to phishing sites in order to get them to install malware. According to the researchers, these techniques have been in use for at least a year, since January 2019.


Malvertising, which can be found in a wide variety of programs, most often leads to attacks such as ad fraud or phishing. "The preeminence of this technique will continue as long as behavioral advertising services are ubiquitous on the Internet," said Jamila Kaya. The 500 extensions in question all display similar source code. The simple fact that certain functions are named differently prevents their systematic detection.

"We value the work of the scientific community. When we are alerted to potential policy violations, we react and exploit the reported incidents as part of improving our automated and manual analyses. We regularly scan our Web Store to find the extensions using these techniques, codes, and behaviors, then delete them when necessary," said a Google spokesperson, adding that the affected users have received a notification to inform them that they have installed an offending plugin.