Google Chrome's Secret Extensions Are Stealing Your Passwords

By 813 Staff

Silicon Valley insiders report that Google Chrome's secret extensions are stealing your passwords, according to a BleepingComputer (@BleepinComputer) report published in the last 24 hours.

Source: https://x.com/BleepinComputer/status/2044152020983046572

The internal metrics dashboards at Google’s Chrome Web Store team have been flashing red for weeks, according to engineers close to the project, as automated detection systems flagged a coordinated surge in malicious activity. The source of the alarm, confirmed in a report by BleepingComputer (@BleepinComputer), is a sprawling campaign involving at least 106 fraudulent Chrome extensions that successfully bypassed the store’s review process. These extensions, posing as legitimate tools for productivity, PDF handling, and web search, were designed with a singular purpose: to hijack user sessions and exfiltrate sensitive data from social media, business, and e-commerce accounts.

The campaign’s sophistication lay in its patient deception. The extensions, which collectively boasted over 87,000 installs before being taken down, initially functioned as advertised to avoid suspicion. Only after a period of normal use had built user trust did the malicious code activate. This code employed cookie theft and credential harvesting, targeting platforms like Facebook, Google itself, and various cryptocurrency exchanges. The operation’s scale suggests a well-resourced, organized threat actor, not casual malware developers. Internal documents show the review team is under intense pressure to balance security with the velocity of developer submissions, a tension this campaign exploited perfectly.

For the average user, the impact is a stark erosion of trust in the browser extension ecosystem itself. These were not downloads from shadowy corners of the web, but from Google’s official and supposedly vetted marketplace. The compromise of session cookies is particularly insidious, as it can allow attackers to bypass two-factor authentication and maintain persistent access to accounts even after passwords are changed. The silent data siphon could have continued for months, turning infected browsers into persistent surveillance tools.

The immediate cleanup is underway, with Google confirming the extensions have been purged from the Web Store. However, the rollout of user-side remediation has been anything but smooth. While the extensions are deactivated remotely, they are not automatically removed from a user’s browser, requiring manual deletion. The larger, unresolved question is how the review gates failed so comprehensively. Google is likely accelerating a shift toward more stringent, potentially automated, code analysis and requiring greater transparency from developers. For now, the incident serves as a mandatory reminder for every tech insider and casual user alike: audit your extensions immediately, and assume no digital marketplace, no matter how prominent, is inherently safe.
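Because the deactivated extensions stay on disk until the user removes them, the practical first step is the audit the article calls for: enumerate what is installed and flag anything whose permission set matches what a cookie-stealing extension needs (cookie access combined with host scope over every site). The script below is an added example written for this page; it is not code from the article, from BleepingComputer, or from Google. The permission and host-pattern names are real Chrome manifest keys, but the grouping into a "session-access" set and the numeric score are this example's own heuristic, the on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json` is assumed, and the two manifests embedded at the bottom are constructed samples rather than real extensions.

```python
"""Audit Chrome extension manifests for the permission set a
cookie-theft / session-hijack extension needs (defender-side example)."""
import json
from pathlib import Path

# Real Chrome manifest permission names; treating them as one "session-access"
# group is this example's assumption, not a Chrome classification.
SESSION_ACCESS = {
    "cookies", "webRequest", "webRequestBlocking", "scripting",
    "debugger", "clipboardRead", "nativeMessaging", "management",
}
# Host patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest):
    """Collect host patterns from MV2 ("permissions"), MV3 ("host_permissions")
    and content-script "matches" so both manifest versions are covered."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        patterns |= set(cs.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return findings for one manifest; 'score' is a constructed heuristic."""
    perms = set(manifest.get("permissions", []))
    risky = sorted(perms & SESSION_ACCESS)
    broad = sorted(_host_patterns(manifest) & BROAD_HOSTS)
    # Cookie access plus broad host scope is the combination that lets an
    # extension read any site's session cookies, which is what the campaign
    # described above relied on.
    can_read_all_cookies = "cookies" in perms and bool(broad)
    score = len(risky) + (2 if broad else 0) + (3 if can_read_all_cookies else 0)
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        "can_read_all_cookies": can_read_all_cookies,
        "score": score,
    }


def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chrome's on-disk
    layout, assumed here; the profile path differs per OS) and audit each one,
    highest score first."""
    findings = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        result = audit_manifest(manifest)
        result["id"] = manifest_path.parents[1].name  # the 32-char extension id
        findings.append(result)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample manifests (not real extensions): a PDF tool with a modest
# permission set, and one shaped like the extensions described in the article.
BENIGN_PDF_TOOL = {
    "manifest_version": 3, "name": "PDF Quick View", "version": "1.2.0",
    "permissions": ["storage", "activeTab"],
}
SUSPICIOUS_PDF_TOOL = {
    "manifest_version": 3, "name": "PDF Quick View Pro", "version": "1.2.1",
    "permissions": ["storage", "cookies", "webRequest", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for m in (BENIGN_PDF_TOOL, SUSPICIOUS_PDF_TOOL):
        f = audit_manifest(m)
        print(f"{f['name']:<20} score={f['score']} risky={f['risky_permissions']} "
              f"broad={f['broad_hosts']} cookies_everywhere={f['can_read_all_cookies']}")
```

Run it as-is to see the two samples scored; point `audit_profile()` at a real profile's `Extensions` directory to list everything installed, and treat any entry with `can_read_all_cookies` set as a candidate for manual removal from `chrome://extensions` rather than waiting for the remote deactivation to clean it up. The score is deliberately crude: a high value is a prompt to look at the extension, not proof it is malicious, since password managers and some privacy tools legitimately hold the same permissions.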
