A set of 57 Chrome extensions with 6,000,000 users has been discovered with very risky capabilities, such as monitoring browsing behavior, accessing cookies for domains, and potentially executing remote scripts. These extensions are 'hidden,' meaning they don't show up in Chrome Web Store searches, search engines don't index them, and they can only be installed if the user has the direct URL.

Through a domain called "unknow.com" contained in the extension, Tuckner found additional extensions containing the same domain that claim to provide ad-blocking or privacy protection services. While Tuckner didn't catch any extensions stealing user passwords or cookies, the excessively risky capabilities, heavily obfuscated code, and hidden logic were enough for the researcher to label them as risky and, potentially, spyware.

"There are additional obfuscated signals in other functions that there is significant command and control potential like the ability to list top sites visited, open/close tabs, get top sites visited, and run many of the capabilities above in an ad hoc manner," explains Tuckner.

Earlier today, the researcher added 22 more extensions believed to belong to the same operation, taking the total to 57 extensions used by 6 million people. Tuckner says that many of the extensions have been removed from the Chrome Web Store following his report from last week, but others still remain.

Google told BleepingComputer that they are aware of Tuckner's report and are investigating the extensions. BleepingComputer also contacted the developer of these extensions with questions about the obfuscated code but has not received a reply at this time.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 17 Apr 2025 16:50:11 +0000