#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

chrome extension | Breaking Cybersecurity News | The Hacker News

Category — chrome extension
When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions

When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions

Dec 30, 2024 Browser Security / GenAI Security
News has been making headlines over the weekend of the extensive attack campaign targeting browser extensions and injecting them with malicious code to steal user credentials. Currently, over 25 extensions, with an install base of over two million users, have been found to be compromised, and customers are now working to figure out their exposure (LayerX, one of the companies involved in protecting against malicious extensions is offering a complimentary service to audit and remediate organizations' exposure - to sign-up click here ). While this is not the first attack to target browser extensions, the scope and sophistication of this campaign are a significant step up in terms of the threats posed by browser extensions and the risks they pose to organizations. Now that details of the attack have been publicized, users and organizations need to assess their risk exposure to this attack and to browser extensions in general. This article is aimed at helping organizations understand t...
Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft

Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft

Dec 29, 2024 Endpoint Protection / Browser Security
A new attack campaign has targeted known Chrome browser extensions, leading to at least 35 extensions being compromised and exposing over 2.6 million users to data exposure and credential theft. The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens. The first company to shed light the campaign was cybersecurity firm Cyberhaven, one of whose employees was targeted by a phishing attack on December 24, allowing the threat actors to publish a malicious version of the extension. On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external command-and-control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data. The phishing email, which purported...
Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Jan 20, 2025Data Security / Data Monitoring
Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting stricter and more elaborate.  The problem is that while the data landscape has evolved rapidly, the usual strategies for securing that data are stuck in the past. Gone are the days when data lived in predictable places, with access controlled by a chosen few. Today, practically every department in the business needs to use customer data, and AI adoption means huge datasets, and a constant flux of permissions, use cases, and tools. Security teams are struggling to implement effective strategies for securing sensitive data, and a new crop of tools, called data security platforms, have appear...
Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

Jun 28, 2024 Cyber Espionage / Cyber Attack
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames, passwords, cookies, and browser screenshots. The targeted campaign is said to have been directed against South Korean academia, specifically those focused on North Korean political affairs. Kimsuky is a notorious hacking crew from North Korea that's known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities. A sister group of the Lazarus cluster and part of the Reconnaissance General Bureau (RGB), it's also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velv...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Aug 18, 2023 Browser Security / Malware
Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to proactively alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware. The tech giant said it intends to highlight such extensions under a "Safety check" category in the "Privacy and security" section of the browser settings page. "When a user clicks 'Review,' they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed," Oliver Dunk, a developer relations engineer for Chrome extensions,  said . "As in previous versions of Chrome, extensions marked as malware are automatically disabled." The development co...
New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3

New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3

Aug 03, 2023 Browser Security / Malware
Cybersecurity researchers have discovered a new version of malware called  Rilide  that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency. "It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the  Chrome Extension Manifest V3 , and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures," Trustwave security researcher Pawel Knapczyk  said  in a report shared with The Hacker News. Rilide was  first documented  by the cybersecurity company in April 2023, uncovering two different attack chains that made use of Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and crypto theft. It's sold on dark web forums by an actor named "friezer" for $5,000. The malware is equipped with a wide range of features that allow it to disable other browser add-ons, harvest browsing history and...
Fake ChatGPT Chrome Extension Hijacking Facebook Accounts for Malicious Advertising

Fake ChatGPT Chrome Extension Hijacking Facebook Accounts for Malicious Advertising

Mar 13, 2023 Browser Security / Artificial Intelligence
A fake ChatGPT-branded Chrome browser extension has been found to come with capabilities to hijack Facebook accounts and create rogue admin accounts, highlighting one of the different methods cyber criminals are using to distribute malware. "By hijacking high-profile Facebook business accounts, the threat actor creates an elite army of Facebook bots and a malicious paid media apparatus," Guardio Labs researcher Nati Tal  said  in a technical report. "This allows it to push Facebook paid ads at the expense of its victims in a self-propagating worm-like manner." The "Quick access to Chat GPT" extension, which is said to have attracted 2,000 installations per day since March 3, 2023, has since been pulled by Google from the Chrome Web Store as of March 9, 2023. The browser add-on is promoted through Facebook-sponsored posts, and while it offers the ability to connect to the ChatGPT service, it's also engineered to surreptitiously harvest cookies and...
This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

Nov 22, 2022
A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX . Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. ViperSoftX, which first  came to light  in February 2020, was characterized by  Fortinet  as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst  Colin Cowie  earlier this year. "This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher ...
Experts Find Malicious Cookie Stuffing Chrome Extensions Used by 1.4 Million Users

Experts Find Malicious Cookie Stuffing Chrome Extensions Used by 1.4 Million Users

Aug 31, 2022
Five imposter extensions for the Google Chrome web browser masquerading as Netflix viewers and others have been found to track users' browsing activity and profit off retail affiliate programs. "The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole  said . "The latter borrows several phrases from another popular extension called GoFullPage." The browser add-ons in question – available via the Chrome Web Store and downloaded 1.4 million times – are as follows - Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) - 800,000 downloads Netflix Party (flijfnhifgdcbhglkneplegafminjnhn) - 300,000 downloads Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) - 200,000 downloads AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) - 20,000 downloads The extensions are designed to load a pi...
Malicious Browser Extensions Targeted Over a Million Users So Far This Year

Malicious Browser Extensions Targeted Over a Million Users So Far This Year

Aug 17, 2022
More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show. "From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company  said . As many as 1,311,557 users fall under this category in the first half of 2022, per Kaspersky's telemetry data. In comparison, the number of such users peaked in 2020 at 3,660,236, followed by 1,823,263 unique users in 2021. The most prevalent threat is a family of adware called WebSearch, which masquerade as PDF viewers and other utilities, and comes with capabilities to collect and analyze search queries and redirect users to affiliate links. WebSearch is also notable for modifying the browser's start page, which contains a search engine and a number of links to third-party sour...
North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts

North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts

Jul 30, 2022
A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that's capable of stealing email content from Gmail and AOL. Cybersecurity firm Volexity attributed the malware to an activity cluster it calls  SharpTongue , which is said to share overlaps with an  adversarial collective  publicly referred to under the name  Kimsuky . SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea," researchers Paul Rascagneres and Thomas Lancaster  said . Kimsuky 's use of rogue extensions in attacks is not new. In 2018, the actor was seen utilizing a Chrome plugin as part of a campaign called  Stolen Pencil  to infect victims and steal browser cookies and passwords. But the latest espionag...
Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign

Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign

Jul 08, 2022
A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. Mobile security firm Zimperium dubbed the malware family  ABCsoup , stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores." The rogue browser add-ons come with the same extension ID as that of Google Translate — " aapbdbdomjkkjkaonfhkkikfgjllcleb " — in an attempt to trick users into believing that they have installed a legitimate extension. The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser. In the event the targeted user already has the Google Translate ext...
Here's How to Find if WhatsApp Web Code on Your Browser Has Been Hacked

Here's How to Find if WhatsApp Web Code on Your Browser Has Been Hacked

Mar 11, 2022
Meta Platforms' WhatsApp and Cloudflare have banded together for a new initiative called Code Verify to validate the authenticity of the messaging service's web app on desktop computers. Available in the form of a Chrome and Edge  browser extension , the  open-source add-on  is designed to "automatically verif[y] the authenticity of the WhatsApp Web code being served to your browser," Facebook  said  in a statement. The goal with Code Verify is to confirm the integrity of the web application and ensure that it hasn't been tampered with to inject malicious code. The social media company is also planning to release Firefox and Safari plugins to achieve the same level of security across browsers. The system works with Cloudflare acting as a third-party audit to compare the cryptographic hash of WhatsApp Web's JavaScript code that's shared by Meta with that of a locally computed hash of the code running on the browser client. Code Verify is also meant t...
Over 100 New Chrome Browser Extensions Caught Spying On Users

Over 100 New Chrome Browser Extensions Caught Spying On Users

Jun 22, 2020
Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single internet domain registrar, GalComm. However, it's not immediately clear who is behind the spyware effort. "This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input," Awake Security said. The extensions in question posed as utilities offering capabilities to convert files from one format to the other, among other tools for secure browsing, while relying on thousands of fake reviews to trick unsuspecting users into installing them. Furthermore, the...
49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

Apr 15, 2020
Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. The 49 browser add-ons, potentially the work of Russian threat actors, were identified  (find the list here) by researchers from MyCrypto and PhishFort. "Essentially, the extensions are phishing for secrets — mnemonic phrases , private keys, and keystore files," explained Harry Denley, director of security at MyCrypto. "Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts." Although the offending extensions were removed within 24 hours after they were reported to Google, MyCrypto's analysis showed that they began to appear on the Web Store as early as February 2020, before ramping up in subsequent months. In addition, all the extensions functioned a...
500 Chrome Extensions Caught Stealing Private Data of 1.7 Million Users

500 Chrome Extensions Caught Stealing Private Data of 1.7 Million Users

Feb 14, 2020
Google removed 500 malicious Chrome extensions from its Web Store after they found to inject malicious ads and siphon off user browsing data to servers under the control of attackers. These extensions were part of a malvertising and ad-fraud campaign that's been operating at least since January 2019, although evidence points out the possibility that the actor behind the scheme may have been active since 2017. The findings come as part of a joint investigation by security researcher Jamila Kaya and Cisco-owned Duo Security, which unearthed 70 Chrome Extensions with over 1.7 million installations. Upon sharing the discovery privately with Google, the company went on to identify 430 more problematic browser extensions, all of which have since been deactivated. "The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms," sa...
Avast and AVG Browser Extensions Spying On Chrome and Firefox Users

Avast and AVG Browser Extensions Spying On Chrome and Firefox Users

Dec 03, 2019
If your Firefox or Chrome browser has any of the below-listed four extensions offered by Avast and its subsidiary AVG installed, you should disable or remove them as soon as possible. Avast Online Security AVG Online Security Avast SafePrice AVG SafePrice Why? Because these four widely installed browser extensions have been caught collecting a lot more data on its millions of users than they are intended to, including your detailed browsing history. Most of you might not even remember downloading and installing these extensions on your web browser, and that's likely because when users install Avast or AVG antivirus on their PCs, the software automatically installs their respective add-ons on the users' browsers. Both online security extensions have been designed to warn users when they visit a malicious or phishing website; whereas, SafePrice extensions help online shoppers learn about best offers, price comparisons, travel deals, and discount coupons from variou...
Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

Sep 20, 2019
Two widely used Adblocker Google Chrome extensions , posing as the original — AdBlock and uBlock Origin — extensions on Chrome Web Store, have been caught stuffing cookies in the web browser of millions of users to generate affiliate income from referral schemes fraudulently. There's no doubt web extensions add a lot of useful features to web browsers, making your online experience great and aiding productivity, but at the same time, they also pose huge threats to both your privacy and security. Being the most over-sighted weakest link in the browser security model, extensions sit between the browser application and the Internet — from where they look for the websites you visit and subsequently can intercept, modify, and block any requests, based on the functionalities they have been designed for. Apart from the extensions which are purposely created with malicious intent , in recent years we have also seen some of the most popular legitimate Chrome and Firefox extensions g...
Critical Flaw Reported in Popular Evernote Extension for Chrome Users

Critical Flaw Reported in Popular Evernote Extension for Chrome Users

Jun 13, 2019
Cybersecurity researchers discover a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed. Evernote is a popular service that helps people taking notes and organize their to-do task lists, and over 4,610,000 users have been using its Evernote Web Clipper Extension for Chrome browser. Discovered by Guardio, the vulnerability ( CVE-2019-12592 ) resided in the ways Evernote Web Clipper extension interacts with websites, iframes and inject scripts, eventually breaking the browser's same-origin policy (SOP) and domain-isolation mechanisms. According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue. "A full exploit that would allow loading a remote hacker contr...
Expert Insights / Articles Videos
Cybersecurity Resources