Data-scraping Chrome extension steals more than a million users' data

News by Rene Millman

Discovery of data theft leads to Google pulling more than 200 dodgy extensions from Chrome Web Store.

Security researchers have unearthed a Google Chrome extension that has potentially leaked the personal information of more than a million users back to a single IP address in the US.

Called Webpage Screenshot, the extension allows users to take a screen capture and store it. The extension has been downloaded 1.2 million times, but it also conceals the ability to copy data from a user's browser.

Martin Zetterlund, founding partner at IT security firm ScrapeSentry, said that the firm had “identified an unusual pattern of traffic to one of our client's sites which alerted our investigators that something was very wrong.”

The team then discovered that the Chrome extension contained malicious code that allowed copies of all of a user's browsing data to be sent to a server in the US. This information included whatever is visible in a user's page titles, such as email if a web email service was in use, and it could be sent to the IP address without the user's knowledge.

“The repercussions of this could be quite major for the individuals who have downloaded the extension,” said Cristian Mariolini, a security analyst at ScrapeSentry. “What happens to the personal data and the motives for wanting it sent to the US server is anyone's guess, but ScrapeSentry would take an educated guess it's not going to be good news.”

“And of course, if it's not stopped, the plugin may, at any given time, be updated with new malicious functionality as well. We would hope Google will look into this security breach with some urgency.”

Problems with rogue extensions have led to Google pulling around 200 extensions from the Chrome Web Store, following the revelations that these rogue apps were stealing sensitive data from millions of users.

According to reports from the BBC, the University of California at Santa Barbara has worked alongside the search engine giant to remove the offending extensions after research found that five per cent of users visiting a Google page had at least one malicious extension running within the browser.

UC Santa Barbara researcher Alexandros Kapravelos said the problem is made more difficult as malicious extensions use the same methods as genuine tools to collect data.

"Even when we have a complete understanding of what the extension is doing, sometimes it is not clear if that behaviour is malicious or not," he said. "You would expect that an extension that injects or replaces advertisements is malicious, but then you have AdBlock that creates an ad-free browsing experience and is technically very similar."

Wim Remes, manager of Strategic Services EMEA at Rapid7, said in a public statement that in an online world where personal information has become our accepted currency, users have to decide what the functionality they desire is worth to them.

“App Stores can certainly implement rules that discourage or eliminate egregious data gathering practices,” he said. “And in many cases, they do, but between safeguarding ethics and maintaining an ecosystem of developers, exists a grey zone where trade-offs are made.”

“App Stores could enforce proper advertisement of what the apps gather, but I'm not convinced that we can have free apps without some form of compromise."

Adam Tyler, chief innovation officer at fraud detection firm CSID, said that a research project released last year during the Usenix Security Symposium highlighted the extent of the problem. “Analysis conducted by various university-based researchers highlighted that on the Chrome Browser 'store' alone there were 130 specifically malicious extensions, and more than 4,700 'suspicious' extensions,” he said.

Tyler said that browser extensions allow developers to effectively re-write or re-design virtually any part of the browser experience.

“These malicious extensions make use of these capabilities and effectively harvest and gather data from viewed/accessed pages, and send it back to a malicious entity when the information is of interest/value (e.g. passwords, emails, contacts, etc.).”

He said this kind of attack can be prevented, but only by minimising the browser extensions that employees use on work-connected devices. “Employees need to understand that browser extensions are essentially just as powerful as native applications nowadays, and they must ensure that they do not install any packages before checking with the network administrator or relevant IT staff first,” he added.
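The advice above amounts to reviewing what each installed extension is allowed to do before it runs. As an added example (not code from the article, ScrapeSentry, Google or CSID), the Python script below audits Chrome extension manifests for the permission combination that makes the data collection described in the article possible: the `tabs` permission, which exposes every open tab's URL and title (the fields the article says were leaked), together with a host pattern that covers all sites. A screenshot tool of the kind Webpage Screenshot claimed to be can capture the visible tab with `activeTab` alone, so a manifest asking for far more is worth a second look. The manifests embedded here are constructed samples, not the real extension, and the profile path in the final comment is an assumption about a local install.

```python
import json
from pathlib import Path

# Permissions that let an extension see every tab's URL and title (the data the
# article describes leaking) or watch all of the browser's navigation/traffic.
BROAD_OBSERVE = {"tabs", "webRequest", "webNavigation", "history"}
# Host patterns that grant access to page content on every site.
BROAD_HOST = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect host match patterns from 'permissions' (manifest v2),
    'host_permissions' (manifest v3) and every content_scripts 'matches' list."""
    pats = set()
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and (p == "<all_urls>" or "://" in p):
                pats.add(p)
    for script in manifest.get("content_scripts", []):
        pats.update(script.get("matches", []))
    return pats


def assess(manifest):
    """Return the extension name, a risk level and the findings behind it."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = host_patterns(manifest)
    findings = []
    observe = sorted(perms & BROAD_OBSERVE)
    if observe:
        findings.append("can read every tab's URL and title via: " + ", ".join(observe))
    broad = sorted(hosts & BROAD_HOST)
    if broad:
        findings.append("can read or modify page content on all sites via: " + ", ".join(broad))
    if len(findings) == 2:
        risk = "high"      # observes all tabs AND touches content everywhere
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "<unnamed>"), "risk": risk, "findings": findings}


def audit_profile(extensions_dir):
    """Walk a Chrome profile's Extensions/ directory, which Chrome lays out as
    Extensions/<extension id>/<version>/manifest.json, and assess each manifest.
    Unreadable or malformed manifests are skipped rather than aborting the audit."""
    results = []
    for mf in Path(extensions_dir).rglob("manifest.json"):
        try:
            results.append(assess(json.loads(mf.read_text(encoding="utf-8"))))
        except (OSError, json.JSONDecodeError):
            continue
    return results


# Constructed sample manifests (not the real Webpage Screenshot extension).
SCREENSHOT_OVERREACH = {
    "name": "Sample screenshot tool (over-privileged)",
    "manifest_version": 2,
    "permissions": ["tabs", "<all_urls>", "storage"],
}
SCREENSHOT_MINIMAL = {
    "name": "Sample screenshot tool (least privilege)",
    "manifest_version": 2,
    "permissions": ["activeTab", "storage"],
}
MV3_CONTENT_SCRIPT = {
    "name": "Sample manifest v3 extension with a site-wide content script",
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": [],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for m in (SCREENSHOT_OVERREACH, SCREENSHOT_MINIMAL, MV3_CONTENT_SCRIPT):
        print(json.dumps(assess(m), indent=2))
    # To audit a real profile, point audit_profile() at its Extensions directory,
    # e.g. ~/.config/google-chrome/Default/Extensions on Linux (assumed path;
    # adjust for your OS and profile).
```

The script flags capability, not intent: as Kapravelos notes above, a legitimate tool and a malicious one can request the same permissions. Its value is in surfacing extensions whose manifest asks for far more than their advertised function needs, so that an administrator can review them before they stay installed.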
