• Researchers have found yet another family of malicious extensions in the Chrome Web Store.
• This time, 30 different Chrome extensions were found stealing credentials from more than 260,000 users.
• The extensions rendered a full-screen iframe pointing to a remote domain.
• This iframe overlaid the current webpage and visually appeared as the extension’s interface.
• Because this functionality was hosted remotely, it was not included in the review that allowed the extensions into the Web Store.
• In other recent findings, we reported on extensions spying on ChatGPT chats, sleeper extensions that monitored browser activity, and a fake extension that deliberately caused a browser crash.

Article Summaries:

  • Researchers have uncovered a new family of malicious Chrome extensions that stole credentials from over 260,000 users. Thirty different extensions used a full‑screen iframe pointing to a remote domain, overlaying the current webpage and masquerading as the extension’s interface. Because the malicious code was hosted remotely, it bypassed the Web Store review process. Attackers employed “extension spraying,” giving each copy a unique name and ID to evade detection. The report offers users a step‑by‑step guide to locate and remove such extensions via chrome://extensions/ or by deleting the extension folder on Windows.

Sources: