These 108 Malicious Chrome Extensions Are Stealing Google and Telegram Data
If you use Google Chrome, listen up: You may be running malicious extensions without even knowing it. As reported by The Hacker News, cybersecurity researchers with Socket's Threat Research Team have identified 108 extensions available in Google Chrome that steal login credentials, user IDs, and browsing data. All 108 extensions route that information back to servers controlled by a single operator, despite these extensions being published by five different developers (GameGen, InterAlt, Rodeo Games, SideGames, and Yana Project). These extensions collectively have around 20,000 installations, which isn't a massive pool of targets considering Chrome's 3.62 billion users, but is still a concern given the number of extensions involved in this coordinated scheme.
Socket's team identified some key categories these extensions are published under: Telegram sidebar clients, which display a working Telegram chat interface in the browser; slot machine and Keno games, which offer a playable gambling experience; YouTube and TikTok "enhancers"; page utility extensions; and one text translation tool. All of the extensions appear to offer the services advertised in the Chrome Web Store, all the while running malicious code under the surface.
Users who install the Telegram client may get a functioning chat experience, but underneath, the extension steals that user's Telegram Web sessions every 15 seconds, which leaks all messages, contacts, and linked accounts. Fifty-four of the extensions steal your Google account identity when you click the "sign-in" option, which leaks your email, name, and profile picture to the operator. (Notably, the scheme does not grant the operator access to your Google account.) Forty-five of the extensions have a backdoor that can open any URL the operator wants in your browser. Seventy-eight of the extensions can inject HTML code into your browser. Five extensions can remove YouTube and TikTok security measures in order to inject gambling ads and overlays onto those sites. And when you sign up for the text translation tool, it sends your email and full name to the server, along with anything you translate with the extension.
How to protect yourself from these malicious extensions
The first thing you should do is check whether you have any of these extensions running in your browser. Some of the more popular extensions identified include "Telegram Multi-account," "Black Beard Slot Machine," "Page Locker," and "InterAlt," but you can find a complete list of the extensions, including their Chrome Extension IDs, in Socket's report.
If you used Telegram Multi-account, Socket recommends logging out of all Telegram Web sessions using the Telegram app. You can find the option under Settings > Devices > Terminate all other sessions. If you signed into any of these extensions with your Google account, assume your identity was exposed, and review the third-party app permissions on your Google account. Unfortunately, if you used Text Translation with your email, your name and email address were exposed.
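One way to do the first check above, written as an added example rather than code from the article or from Socket: Chrome keeps each installed extension in a folder named after its 32-character Extension ID, so a blocklist of IDs can be matched against a profile's Extensions directory directly. The two IDs in `BLOCKLIST` are placeholders to be replaced with the IDs from Socket's report, the profile paths assume the Default profile, and `make_sample_profile` builds constructed test data rather than touching a real browser.

```python
import json
import os
import sys
import tempfile
from pathlib import Path
# PLACEHOLDER IDs (not real): replace with the Extension IDs listed in Socket's report.
BLOCKLIST = {"a" * 32, "b" * 32}
def default_extensions_dir() -> Path:
    """Chrome's Extensions folder for the Default profile on the current OS."""
    home = Path.home()
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome/Default/Extensions"
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", home)) / "Google/Chrome/User Data/Default/Extensions"
    return home / ".config/google-chrome/Default/Extensions"
def installed_extensions(ext_dir: Path) -> dict:
    """Map extension ID -> name. Chrome lays extensions out as
    <Extensions>/<32-char id>/<version>/manifest.json; names may be
    localisation keys like __MSG_appName__, so match on the ID, not the name."""
    found = {}
    if not ext_dir.is_dir():
        return found
    for id_dir in ext_dir.iterdir():
        if not (id_dir.is_dir() and len(id_dir.name) == 32):
            continue
        name = "(unknown)"
        for manifest in id_dir.glob("*/manifest.json"):
            try:
                name = json.loads(manifest.read_text(encoding="utf-8")).get("name", name)
            except (OSError, ValueError):
                pass  # unreadable manifest: still report the ID
        found[id_dir.name] = name
    return found
def flagged(ext_dir: Path, blocklist=BLOCKLIST) -> dict:
    """Installed extensions whose ID is on the blocklist."""
    return {i: n for i, n in installed_extensions(ext_dir).items() if i in blocklist}
def make_sample_profile() -> Path:
    """Constructed sample: temp Extensions dir with one blocklisted and one benign extension."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    for ext_id, name in [("a" * 32, "Telegram Multi-account"), ("c" * 32, "Benign Notes")]:
        ver = root / ext_id / "1.0.0"
        ver.mkdir(parents=True)
        (ver / "manifest.json").write_text(json.dumps({"name": name}), encoding="utf-8")
    return root
if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    for ext_id, name in flagged(target).items():
        print(f"FLAGGED {ext_id}  {name}")
```

Run it with no argument to scan the Default profile, or pass another profile's Extensions path; a flagged ID should be removed from chrome://extensions and the Telegram and Google steps above then followed.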
Going forward, exercise extreme caution before installing new extensions in your browser. While the Chrome Web Store should only contain "safe" extensions, malicious programs find their way onto the marketplace. Always carefully review each listing before installing the extension: If the extension requires sensitive information, lacks many reviews, or the listing is poorly constructed, it's best to avoid it entirely.