Google ousted 49 Chrome extensions from its Chrome Web Store because they contained malicious code, a ritual that should be familiar after a decade of purges.
“Essentially, extensions look for secrets – mnemonic phrases, private keys and key files,” said Harry Denley, security director at MyCrypto, in a blog post on Tuesday. “Once the user has entered them, the extension sends an HTTP POST request to their backend, where the bad actors receive the secrets and empty the accounts.”
Denley said the batch of extensions – which targeted services such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey – was associated with 14 command-and-control servers thought to be linked to the same person or group, possibly in Russia.
A video of the MEW CW extension (MyEtherWallet) shows how it listens for secrets entered in the browser and sends them over the network to the malware's author.
According to Denley, some of the command and control servers were old, but 80% of them were associated with domains registered in March or April. The extensions themselves started appearing in February, most arriving within the next two months.
Some of the extensions, he said, were propped up by fake five-star reviews; some good internet samaritans also tried to warn others that the extensions were malicious. Google did not immediately respond to a request for comment, but the 49 extensions identified by MyCrypto and PhishFort are no longer available in the Chrome Web Store.
About two million people are currently using extensions from the Chrome Web Store, according to a report released earlier this month by Extension Monitor. Last month, the store had 213,054 extensions, up 3,468 from February.
In the same month, Google confirmed a major purge of Chrome extensions, amounting to about 500. In January, Google briefly stopped publication of any new extension due to an increase in fraud.
The security of Chrome extensions has been an issue since the launch of the Chrome Web Store in December 2010. Recall our report on a Chrome extension Trojan from April 2010.
Google's most recent effort is to reorganize its extension APIs to make them less powerful, a project called Manifest v3. This should limit abuse, but it can also hamper legitimate developers trying to implement content blocking and privacy features that rely on intercepting and rewriting network traffic. ®