2.3 Million Users Infected By Verified Chrome and Edge Extensions


A major browser security breach exposed more than 2.3 million users to malware through verified Chrome and Edge extensions that appeared safe.

In a rush? Here are the quick facts:

  • Malware was hidden in verified and featured extensions with legitimate functions.
  • Malware silently installed through updates after years of clean operation.
  • Extensions hijacked browsers, tracked activity, and redirected users to fake sites.

According to research from Koi Security, 18 extensions in a campaign dubbed RedDirection secretly hijacked browsers, tracked user activities, and enabled additional attacks through trusted interfaces.

The main extension responsible for the security breach was “Color Picker, Eyedropper — Geco colorpick.” The extension delivered the complete color-selection feature it promised, but it also secretly tracked every website its users visited, transmitted the URL data to command-and-control servers, and redirected users to fake websites.

“This isn’t some obvious scam extension thrown together in a weekend,” the researchers wrote.

“This is a carefully crafted trojan horse that delivers exactly what it promises (a functional color picker) while simultaneously hijacking your browser, tracking every website you visit, and maintaining a persistent command and control backdoor. Not only that, but it remained legitimate for years before becoming malicious through a version update,” the researchers noted.

Indeed, the researchers explain how these extensions were clean for years before malicious code was added through silent version updates, a move that took advantage of Google and Microsoft’s trust systems, including verification badges and featured placements.

“This isn’t just another malware discovery,” the researchers said. “It’s proof that the current marketplace security model is fundamentally broken.”

The RedDirection campaign included popular extensions that functioned as emoji keyboards, video speed controllers, VPN proxies, and dark themes, all of which looked and behaved like standard tools. Identical malware structures and shared command servers tied the extensions together into a single network, used to steal login details and banking information and to install additional malware.

Koi Security advises users to remove untrusted extensions, clear browser data, run a malware scan, and monitor their accounts. The discovery raises doubts about Chrome and Edge’s extension verification process and about whether users can trust the extensions they have installed.
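The behaviour described above (watching every visited URL and redirecting navigations) requires specific manifest permissions, so one practical first step in the review Koi Security recommends is to audit the manifests of installed extensions for that combination. The following audit script is an added example, not code from the article or from Koi Security; the permission names are real Chrome/Edge manifest keys, while the sample manifests are constructed and the profile path is an assumption the caller supplies.

```python
import json
from pathlib import Path

# Permissions that let an extension observe or alter navigations; an extension
# that also holds broad host access can track and redirect every site visited.
URL_OBSERVING = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
                 "declarativeNetRequest", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Report the risky capabilities granted by one manifest.json (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "/" in p or p == "<all_urls>"}
    # Content scripts injected into every page are another way to see every URL.
    script_hosts = {m for cs in manifest.get("content_scripts", [])
                    for m in cs.get("matches", [])}
    broad = bool((hosts | script_hosts) & BROAD_HOSTS)
    observing = sorted(perms & URL_OBSERVING)
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "broad_host_access": broad,
        "url_observing_permissions": observing,
        "flag": broad and bool(observing),  # review these by hand first
    }


def audit_profile(extensions_dir: Path) -> list[dict]:
    """Audit every <extensions_dir>/<id>/<version>/manifest.json (assumed layout)."""
    results = []
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as f:
            results.append(audit_manifest(json.load(f)) | {"path": str(manifest_path)})
    return results


# Constructed sample manifests for demonstration; they are not real extensions.
SAMPLE_MANIFESTS = [
    {"name": "Sample color tool", "version": "3.2.0",
     "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "Sample dark theme", "version": "1.0", "permissions": ["storage"]},
]

if __name__ == "__main__":
    for report in map(audit_manifest, SAMPLE_MANIFESTS):
        print(report)
```

A flagged manifest is not proof of malice, since legitimate tools need the same permissions; the point is to shortlist which extensions deserve a closer look and to notice when a routine update starts requesting them.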

“This is a supply chain disaster,” researchers warned.
