Key points
- 108 malicious Chrome extensions were identified across multiple product categories and installed by over 20,000 users.
- Fifty-four extensions stole Google OAuth2 bearer tokens to collect user identity information.
- Forty-five extensions contained a backdoor that opens attacker-controlled URLs every time the browser starts.
- Some extensions exfiltrated Telegram Web sessions and enabled account takeover by overwriting local storage.
- The extensions were published under five accounts but share the same command-and-control infrastructure, and they remained available after disclosure.
Read More: https://www.securityweek.com/100-chrome-extensions-steal-user-data-open-backdoor/