'Hidden tracking code' found in Chrome extensions with 6 million total installs

Secure Annex, a security company specializing in extensions, has reported that 57 Google Chrome extensions with approximately 6 million users have been found to have highly dangerous functions, such as monitoring browsing behavior, accessing cookies, and executing remote scripts.
Searching for something unknown | Secure Annex
Chrome extensions with 6 million installs have hidden tracking code
https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/
While reviewing Chrome extensions, Secure Annex founder John Tuckner identified 132 extensions that were 'hidden' from the Chrome Web Store.
Private extensions are extensions that are set not to be found in Google searches or Chrome Web Store searches, and can only be downloaded by directly accessing the URL. Many of them are internal tools for companies or extensions under development, and are private to prevent general users from unintentionally downloading them, but there are also many cases where they are used to secretly spread malware without attracting attention.

Sure enough, Tuckner found a suspicious extension called 'Fire Shield Extension Protection.' This extension claims to check browser extensions and warn if it finds any problems. It has 300,000 users and a rating of 2.2. The rating is low for such a large number of users, but private enterprise extensions tend to be difficult to use or not usable for normal purposes, so it's not particularly unnatural.
However, after analyzing the extension, Tuckner found that it contained highly obfuscated
Using the misspelled URL 'unknow.com' extracted from the URLs of the extension as a clue, the researchers discovered 34 similar extensions.

'These extensions suggest significant command and control, including the ability to list top sites visited, open and close tabs, retrieve top sites visited, and perform these functions in an ad-hoc manner,' Tuckner said. 'Although not fully verified, the presence of these capabilities in 35 extensions that claim to perform something as simple as 'protecting users from malicious extensions' is extremely concerning.'
Subsequent investigation uncovered 22 more extensions that appeared to be developed by the same group, for a total of 57 extensions that had been downloaded approximately 6 million times.
UPDATE: 22 more malicious HIDDEN extensions with over 1.5 million users found
As a result of my research last week, Obsidian Security reached out after finding more extensions matching the behaviors. We're now tracking 57 extensions used by almost 6 million users. pic.twitter.com/CuGapuGbLX
— tuckner (@tuckner) April 16, 2025
The full list of 57 extensions can be found at this link, which includes not only private extensions but also public extensions such as 'Cuponomia,' which claims to distribute coupons and notify users of cashback offers and has 700,000 users.
In response to a question from IT news site BleepingComputer, Google said it was aware of Tuckner's report and was investigating the problematic extensions, but Cuponomia and Fire Shield Extension Protection remained available for installation on Chrome as of the time of writing.
'If you have these extensions installed in your browser, we recommend that you remove them immediately and, to be on the safe side, change the passwords for any online accounts you may have,' BleepingComputer said.