Security research found multiple malicious or deceptive Chrome extensions that collectively reach over 100,000 users and perform undisclosed actions such as clipboard access, cookie exfiltration, command-and-control communication with a DGA fallback, search hijacking and ad injection; one of them also ships an exploitable XSS vulnerability. Users are advised to uninstall the affected extensions, and the report singles out Good Tab and Children Protection for immediate action. #GoodTab #ChildrenProtection
Keypoints
- Researchers identified several malicious Chrome extensions on the official Web Store with a combined user base exceeding 100,000, demonstrating that malicious extensions can bypass vetting.
- Good Tab grants remote clipboard-read and clipboard-write permissions to an external HTTP domain via an iframe, exposing sensitive copied data to interception and manipulation.
- Children Protection implements a full C&C framework with remote code execution, cookie harvesting/exfiltration, ad injection, and a date-based domain generation algorithm (DGA) for fallback C2 domains.
- DPS Websafe performs search hijacking and covert tracking, abuses Adblock Plus branding to gain trust, and changes the default search provider to developer-controlled endpoints.
- Stock Informer includes an exploitable XSS vulnerability (CVE-2020-28707) in an included plugin that allows arbitrary JavaScript execution and also monetizes searches via affiliate redirects.
- The researchers reported the extensions to Google, recommend immediate removal/uninstallation, and advise using endpoint/browser protection and cautious extension-install practices.
MITRE Techniques
- [None] No MITRE ATT&CK technique identifiers were explicitly mentioned in the article.
Indicators of Compromise
- [Extension ID] Chrome Web Store extension identifiers – glckmpfajbjppappjlnhhlofhdhlcgaj (Good Tab), giecgobdmgdamgffeoankaipjkdjbfep (Children Protection), and two further extension IDs, bjoddpbfndnpeohkmpbjfhcppkhgobcg and beifiidafjobphnbhbbgmgnndjolfcho.
- [Domain/URL] Clipboard, C2, tracking and search endpoints referenced by the extensions – http://api.office123456[.]com/vcx/ (clipboard access endpoint), https://codon[.]vn/ext/xmshield.json (primary C2 endpoint), and further domains such as http://www.dpswebsafe[.]com/rd/ and http://trk.entiretrack[.]com/trackerwcfsrv/tracker.svc/trackUpdate/.
- [DGA pattern] Fallback C2 domain generation – DGA-generated URL of the form http://k8n1z40[.]live/k8n1z40.json (a new domain is generated each day from a base-36-encoded date).
- [Vulnerability/CVE] Exploitable component referenced – CVE-2020-28707 (XSS in the Stockdio Historical Chart plugin prior to version 2.8.1), used to enable arbitrary script execution.
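As an added defender-side example (not code from the report or from the vendor), the following Python audit walks a Chrome profile's Extensions directory, flags the four extension IDs listed above, and reports the clipboard and cookie permissions and plaintext-HTTP host access the keypoints describe. The sample manifests, the benign extension ID and the profile layout it walks are constructed assumptions.

```python
import json, tempfile
from pathlib import Path

# Extension IDs named in the report above.
REPORTED_IDS = {
    "glckmpfajbjppappjlnhhlofhdhlcgaj": "Good Tab",
    "giecgobdmgdamgffeoankaipjkdjbfep": "Children Protection",
    "bjoddpbfndnpeohkmpbjfhcppkhgobcg": "reported (unnamed in summary)",
    "beifiidafjobphnbhbbgmgnndjolfcho": "reported (unnamed in summary)",
}
# Permissions matching the behaviours described: clipboard access, cookie harvesting.
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "cookies"}

def audit_extensions(ext_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return findings."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable/malformed manifest: skipped, not a finding
        # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        reasons = []
        if ext_id in REPORTED_IDS:
            reasons.append("listed in report: " + REPORTED_IDS[ext_id])
        if perms & RISKY_PERMISSIONS:
            reasons.append("risky permissions: " + ", ".join(sorted(perms & RISKY_PERMISSIONS)))
        plain_http = sorted(p for p in perms if p.startswith("http://"))
        if plain_http:
            reasons.append("plaintext HTTP host access: " + ", ".join(plain_http))
        if reasons:
            findings.append({"id": ext_id, "name": data.get("name", "?"),
                             "version": manifest.parent.name, "reasons": reasons})
    return findings

def demo():
    """Audit a constructed Extensions tree (sample manifests, not real extension code)."""
    root = Path(tempfile.mkdtemp())
    samples = {  # ID and defanged endpoint are the report's; the manifests are constructed
        "glckmpfajbjppappjlnhhlofhdhlcgaj/1.0": {"name": "Good Tab", "permissions":
            ["clipboardRead", "clipboardWrite", "http://api.office123456[.]com/*"]},
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/2.3": {"name": "Benign Notes", "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return audit_extensions(root)
```

Against a real profile, pass the Extensions directory itself (on Linux, assumed to be ~/.config/google-chrome/Default/Extensions) to audit_extensions; demo() only exercises the constructed sample.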
Read more: https://www.security.com/threat-intelligence/chrome-extensions-are-you-getting-more-you-bargained