Over 500 Chrome Extensions Secretly Uploaded Private Data
A security researcher, Jamila Kaya, exposed that hundreds of extensions in the Google Chrome’s Web Store were carrying out long-running malvertising and ad-fraud scheme.
As a result, Google removed over 500 Chrome extensions, which were downloaded millions of times. The extensions uploaded private browsing data to attacker-controlled servers, compromising your online privacy.
A total of 71 extensions were independently discovered by Jamila Kaya, while Google identified more than 430 additional extensions. Although the extensions have been taken down, it’s clear that the privacy breach exposed your sensitive online data.
Over the years, Google has been struggling to revise the way Chrome extensions work. This is because the APIs that are available to extension developers can be abused.
What are Extensions?
The Chrome Web Store hosts thousands of extensions where you can come across an extension for almost everything. You can search for extensions in the search field and filter your search by ratings, features, and multiple categories.
Once you find an extension you’re looking for or any extension you like, you can try it out by simply clicking install. The best part about extensions is that they’re super convenient, automatically update themselves, and there’s no need to restart your browser.
Online Activities are at Risk
Be it extensions or any other tool, online privacy and security are always at risk when you head online without protective measures.
In today’s digital era, everything is interconnected. From your smart fridge to the power grid, the internet is utilized by all industries, making them susceptible to cyberattacks. Phishing attacks have been known to hack the US power grid, disrupting systems that cost millions in damage.
In this growing tense cyber world, it’s imperative that you have the necessary tools which ensure the safety of your digital existence and online activities.
Past Extension Breaches
It’s not the first time that Google extensions have faced criticism for leaking private data of users. In 2019, an independent security researcher discovered eight browser extensions that were harvesting user data. Almost 4 million Chrome users were using the extensions.
The extensions collected people’s data through capturing titles and URLs, or web addresses, every time a user clicked on a page. This data collection, which wasn’t authorized by the browser, included sensitive information such as medical records and credit card information.
This should go to show the sheer magnitude a malicious extension can have on a user’s online privacy and security. The very extensions that claim to make user’s browsing more convenient and secure are harming users. This is why developers must be thoroughly verified, and Google’s extension vetting team should validate the code running their extensions.
Here’s what Luke Taylor, founder, and COO of TrafficGuard has to say:
“Browser extensions are notorious for stealing data and/or committing ad fraud. They facilitate domain spoofing, ad injection, and cookie stuffing, sending faux ad engagements from genuine devices. Because engagements come from real browsers with normal human activity, on the surface, they look legitimate. From a user perspective, these browser extensions perform some utility for the user for free, while performing the malicious background task that generates revenue.
“Given the prolific nature of these extensions and the impact on the digital advertising ecosystem and consumer privacy, you would expect browsers to be taking more proactive steps to mitigate these practices.”
The discovery of more malicious and fraudulent browser extensions is a reminder that online users should be cautious when installing these tools and use them only when they provide substantial benefit.
Before installing an app or an extension, be sure to read user reviews to check for reports of any suspicious behavior. If you haven’t been using an extension for a while or don’t recognize installing it, it’s best that you remove the extension.
Frequently Asked Questions
1. How many Chrome extensions are removed from google chrome?
Approximately 500+ chrome extensions and counting were removed from Google Chrome for facilitating ad fraud and data theft.
2. What steps should google chrome need to take against these malware extensions?
Google should change the way chrome extension works because of the API available to extension developers can be abused, and they should prevent developer misbehavior.
3. What action should google chrome take against the malware extension owners?
Sadly, most of these accidents are isolated. Google should take a strong stand and bring heavier punishment to malware extension owners. Google could permanently ban their account.
4. Steps to identify if the extension is secure and reliable to use before installing it?
The easiest way to check extension safety is by CRXcavator, a web tool from security firm Duo Labs analyzes Chrome extensions. It gives you a security report based on the findings from an ongoing review of the Chrome Web Store.
5. What will be the consequences if one is using an unsecure extension?
By using an insecure extension, you risk your private information like online passwords and browsing history on the web.
6. How to fight against these malware extensions or how a VPN can help against these extensions to steal user data?
Don’t install unnecessary extensions, and if installing an extension, check the developer’s credibility and avoid extensions from unknown sources. A Chrome VPN only masks your online data by providing you supreme encryption when you’re online and does not protect you from malware extensions.