Internet related News · 2020-02-14

Google takes down over 500 Chrome extensions – News


Google was forced to swing into action after researchers drew its attention to 500+ malicious Chrome browser extensions.

Last year, Cisco’s Duo Security released CRXcavator, an automated Chrome extension security assessment tool, for free in order to reduce the risk that Chrome extensions present to organizations and to enable others to “create a safer Chrome extension ecosystem for all.”

The Cisco Duo security team and security researcher Jamila Kaya (@bumblebreaches) used CRXcavator to uncover a large-scale campaign of copycat Chrome extensions that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store. Duo, Jamila, and Google worked together to ensure these extensions, and others like them, were promptly found and removed.

Cisco Duo said in a blog post that these extensions were commonly presented as offering advertising as a service. Jamila discovered they were part of a network of copycat plugins sharing nearly identical functionality.

Once the report was submitted, Google worked to validate the findings and went on to fingerprint the extensions. This allowed Google to search the entire Chrome Web Store corpus to discover and remove more than 500 related extensions.
