
7-Year Malicious Campaign: Backdoors in Chrome and Edge Extensions

Hello HaWkers, an alarming security discovery has been revealed: researchers identified a malicious campaign that operated for 7 years, installing backdoors in popular Chrome and Edge extensions. Millions of users may have been affected.

Do you know exactly what each extension installed in your browser does? This case shows why we need to be more careful with the permissions we grant.

What Was Discovered

Security researchers from ReasonLabs discovered a sophisticated network of malicious extensions that operated silently since 2018. The extensions appeared legitimate and offered useful functionality, but included hidden malicious code.

Scale of the Attack

Impressive Numbers:

  • 7 years of operation
  • 30+ compromised extensions
  • 4+ million active installations
  • Data from millions of users exposed

Affected Browsers:

  • Google Chrome
  • Microsoft Edge
  • Other Chromium-based browsers

How It Worked

1. Acquiring Legitimate Extensions:
Attackers purchased popular extensions from developers who wanted to sell their projects. The extension came with an already established user base.

2. Malicious Updates:
After acquisition, updates were released gradually, adding malicious code in small doses to avoid detection.

3. Data Exfiltration:
The backdoor collected:

  • Complete browsing history
  • Saved credentials
  • Form data
  • Session cookies
  • Payment information

4. C2 Communication:
Data was sent to command and control servers, disguised as legitimate analytics traffic.

Compromised Extensions

Researchers released a partial list of affected extensions:

Identified Extensions

Productivity Category:

  • PDF Converter Pro
  • Screenshot Tool Plus
  • Quick Notes Extension
  • Tab Manager Ultimate

Utilities Category:

  • Weather Now Widget
  • Currency Converter Fast
  • Download Manager Plus
  • Video Downloader HD

Customization Category:

  • Dark Mode for Web
  • Font Changer Pro
  • Custom New Tab
  • Theme Switcher Plus

⚠️ Attention: This is a partial list. The investigation is still ongoing and more extensions may be identified.

How To Check If You Were Affected

Follow these steps to verify and protect your browser:

1. Review Installed Extensions

In Chrome:

  • Go to chrome://extensions/
  • Review each installed extension
  • Check the origin and last update
  • Be suspicious of extensions you don't remember installing

In Edge:

  • Go to edge://extensions/
  • Follow the same review process

2. Check Permissions

Malicious extensions usually request excessive permissions:

Suspicious Permissions:

  • "Read and change all your data on all websites"
  • "Manage your downloads"
  • "Manage your apps, extensions, and themes"
  • Access to browsing history

How to Check:

  • Click on each extension's details
  • Review the "Permissions" section
  • Question whether the extension really needs those permissions
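One way to make this permission review systematic, as an added example that is not from the original post or from ReasonLabs: a Python script that reads an extension's manifest.json (the file inside the unpacked extension directory) and reports the store warnings its permissions translate to. The permission-to-warning mapping is an assumption based on Chrome's documented permission warnings, and the sample manifest is constructed.

```python
import json
import sys

# Permission -> store warning quoted above (assumed mapping from Chrome docs).
RISKY_PERMISSIONS = {
    "downloads": "Manage your downloads",
    "management": "Manage your apps, extensions, and themes",
    "history": "Access to browsing history",
    "tabs": "Access to browsing history (tab URLs and titles)",
    "cookies": "Read session cookies on permitted sites",
}
# Host patterns that grant access to every site the user visits.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return findings for a Chrome/Edge manifest (dict), MV2 or MV3."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 key
    for p in list(perms):  # MV2 mixes match patterns into "permissions"
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
            perms.discard(p)
    if hosts & ALL_SITES_PATTERNS:
        findings.append("Read and change all your data on all websites")
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(RISKY_PERMISSIONS[p])
    # A CSP allowing eval or remote scripts lets behaviour change after
    # install without a new store review (the "malicious updates" step).
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 nests the policy per context
        csp = " ".join(csp.values())
    if "unsafe-eval" in csp or "https:" in csp:
        findings.append("CSP allows eval or remote script sources")
    return findings


# Constructed sample: a "PDF converter" asking for far more than its job needs.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example PDF Converter (constructed sample)",
    "permissions": ["storage", "downloads", "history", "cookies"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":  # pass the path of an unpacked extension's manifest.json
    target = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for finding in audit_manifest(target):
        print("WARNING:", finding)
```

Every finding is a question to ask, not proof of malice: a download manager legitimately needs "downloads", but a PDF converter that asks for history, cookies and all sites does not.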

3. Monitor Network Traffic

For technical users:

Check extension connections in DevTools:

  • Open DevTools (F12) > Network
  • Filter by extension requests
  • Look for suspicious domains or unusual patterns

Indicators of Compromise (IOCs):

  • Domains with random names
  • Connections to IPs in unusual countries
  • Encrypted traffic to unknown endpoints
  • Requests at regular intervals (beaconing)
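The beaconing indicator can be checked mechanically rather than by eye. As an added example that is not part of the original post, this Python function groups requests by extension and host and flags pairs whose inter-request intervals stay near-constant; the request log is constructed, standing in for timestamps and hosts read off the DevTools Network panel, and the extension ids are placeholders.

```python
from collections import defaultdict
from statistics import median

# Constructed request log: (seconds since capture start, extension id, host),
# as you might transcribe from the DevTools Network panel. Ids and hosts are
# placeholders, not real store identifiers or indicators.
SAMPLE_REQUESTS = [
    (0.0, "ext-aaaa", "cdn.example-legit.test"),
    (12.0, "ext-bbbb", "k3j9x2m.example-c2.test"),
    (41.7, "ext-aaaa", "cdn.example-legit.test"),
    (72.1, "ext-bbbb", "k3j9x2m.example-c2.test"),
    (131.9, "ext-bbbb", "k3j9x2m.example-c2.test"),
    (190.0, "ext-aaaa", "cdn.example-legit.test"),
    (192.2, "ext-bbbb", "k3j9x2m.example-c2.test"),
    (251.8, "ext-bbbb", "k3j9x2m.example-c2.test"),
    (260.5, "ext-aaaa", "cdn.example-legit.test"),
]


def find_beacons(requests, min_requests=4, max_jitter=0.10):
    """Flag (extension, host) pairs whose requests recur at a near-constant
    interval. Returns a list of (extension_id, host, period_seconds).
    """
    by_pair = defaultdict(list)
    for ts, ext_id, host in requests:
        by_pair[(ext_id, host)].append(ts)
    beacons = []
    for (ext_id, host), stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        # Relative spread of the gaps around the median: real beacons stay
        # tight even when the malware adds a little random jitter, while
        # user-driven traffic (page loads, clicks) does not.
        spread = max(abs(g - period) for g in gaps) / period
        if spread <= max_jitter:
            beacons.append((ext_id, host, round(period)))
    return beacons


if __name__ == "__main__":
    for ext_id, host, period in find_beacons(SAMPLE_REQUESTS):
        print(f"{ext_id} -> {host}: every ~{period}s (possible beaconing)")
```

Legitimate extensions also poll (update checks, sync), so treat a hit as a prompt to look at the destination domain and the request payload, not as a verdict.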

How To Protect Yourself

Security Practices For Extensions

1. Principle of Least Privilege:

  • Install only essential extensions
  • Remove extensions you don't use
  • Prefer native browser functionality

2. Verification Before Installing:

  • Research the developer
  • Read reviews carefully (look for criticisms, not just praise)
  • Check how long the extension has existed
  • Check the number of users and trend

3. Continuous Monitoring:

  • Review your extensions monthly
  • Watch for behavior changes
  • Check updates and changelogs

Security Settings

Chrome: Restrict extensions to specific sites

  1. Go to chrome://extensions/
  2. Click on the extension's "Details"
  3. In "Site access", select "On specific sites"
  4. Add only the sites where you need the extension

This limits the damage scope of a compromised extension.

Safer Alternatives

For Common Functionality:

Functionality      Instead of Extension    Use
-----------------  ----------------------  -------------------------
Ad Blocking        Various extensions      uBlock Origin (audited)
Password Manager   Unknown extensions      Bitwarden, 1Password
Screen Capture     Various extensions      Native OS tool
PDF                Online converters       Native browser
Dark Mode          Theme extensions        Browser preferences

The Bigger Problem: Extension Security

This case exposes systemic flaws in the extension ecosystem:

Identified Problems

1. Lack of Adequate Verification:

  • Chrome Web Store didn't detect malware for 7 years
  • Automatic reviews are insufficient
  • Malicious updates go unnoticed

2. Flawed Permission Model:

  • Permissions are "all or nothing"
  • Users don't understand what they're granting
  • Not enough granularity

3. Supply Chain:

  • Buying legitimate extensions is easy
  • No notification to users about ownership change
  • Reputation transferred automatically

What Should Change

For Google/Microsoft:

  • More rigorous audits
  • Ownership change notification
  • More granular permissions
  • Behavioral analysis of extensions

For Developers:

  • Don't sell extensions to anonymous buyers
  • Document code and security practices
  • Respond to security reports quickly

For Users:

  • Be skeptical of extensions
  • Review permissions periodically
  • Report suspicious behaviors

Impact and Consequences

For Affected Users

If you had compromised extensions installed:

Immediate Actions:

  1. Remove suspicious extensions
  2. Change all important passwords
  3. Enable 2FA on all accounts
  4. Monitor bank statements
  5. Consider resetting the browser

Long Term:

  • Watch for phishing attempts
  • Monitor your credit score
  • Consider a credit freeze if necessary

For the Industry

This incident will likely result in:

  • Greater scrutiny over extensions
  • New security policies
  • Possible regulations
  • Improved detection tools

Conclusion

The discovery of this 7-year campaign is a serious reminder about the risks of browser extensions. Even apparently legitimate extensions can hide malicious code, especially after ownership changes.

The recommendation is clear: be extremely selective with extensions, review permissions regularly, and prefer native functionality when possible. The convenience of an extension is not worth the risk of compromising your data.

If you want to learn more about development security, I recommend checking out another article: Critical Vulnerability in React and Next.js where you will discover how to protect your applications.

Let's go! 🦅

📚 Want to Deepen Your JavaScript Knowledge?

This article covered browser security, but understanding programming is fundamental to comprehending how these attacks work.

Developers who invest in solid, structured knowledge tend to have more opportunities in the market.

Complete Study Material

If you want to master JavaScript from basics to advanced, I've prepared a complete guide:

Investment options:

  • 1 installment of $4.90 by card
  • or $4.90 paid upfront

👉 Learn About JavaScript Guide

💡 Material updated with industry best practices
