# Over 100 Malicious Chrome Extensions on Official Web Store Caught Stealing User Credentials and Deploying Backdoors


A large-scale abuse of Google's Chrome Web Store has exposed a sophisticated scheme involving over 100 malicious extensions designed to steal sensitive user authentication tokens, establish persistent backdoors, and conduct ad fraud. The findings underscore persistent weaknesses in Chrome's extension vetting process and highlight the importance of scrutinizing browser extensions before installation.


## The Threat: Scope and Methods


Security researchers have identified more than 100 malicious extensions currently or recently available on Google's official Chrome Web Store that employ multiple attack vectors to compromise user security and privacy. The primary objective of these extensions centers on intercepting and exfiltrating Google OAuth2 Bearer tokens—the digital keys that grant access to Google accounts and connected services.


The attackers deploy a multi-pronged approach:


- OAuth Token Theft: Harvesting authentication tokens that provide direct access to user Google accounts
- Backdoor Installation: Establishing persistent remote access channels for future exploitation
- Ad Fraud Operations: Hijacking user browsing to generate fraudulent ad impressions and clicks
- Data Exfiltration: Stealing browsing history, cookies, and other sensitive information
- Credential Harvesting: Capturing login information from compromised users

This coordinated campaign represents one of the largest known supply chain attacks targeting Chrome's extension ecosystem, affecting potentially millions of users who downloaded these seemingly legitimate tools.


## Background and Context: The Extension Ecosystem Problem


Chrome extensions represent one of the most powerful yet least scrutinized attack surfaces in modern computing. Users grant extensions broad permissions—including access to all visited websites, stored passwords, browsing history, and authentication tokens—often without fully understanding the security implications.


While Google maintains a formal review process for Chrome Web Store submissions, the sheer volume of extensions (over 188,000 available) and the sophistication of modern malware make comprehensive vetting challenging. Attackers have repeatedly exploited gaps in this system:


- 2018-2020: Multiple campaigns targeting Chrome extensions used to steal cryptocurrency and credentials
- 2021-2022: Malware-as-a-Service platforms began specializing in browser extension distribution
- 2023-2024: Supply chain attacks increasingly target the extension ecosystem as a high-impact, lower-scrutiny vector

The current incident represents an escalation in both scale and sophistication, suggesting attackers have refined their obfuscation and evasion techniques to bypass Google's automated and manual review processes.


## Technical Details: How the Attack Works


### OAuth Token Interception


The malicious extensions employ JavaScript injection and network traffic interception to capture OAuth2 Bearer tokens at the moment of authentication. These tokens—typically transmitted in HTTP Authorization headers—give whoever holds them access to the user's Google account without requiring the password.


Attack Flow:

1. User installs the extension from the Chrome Web Store
2. Extension runs background scripts with broad web access permissions
3. When the user authenticates to Google services, the extension intercepts the authentication response
4. The OAuth2 Bearer token is extracted and transmitted to attacker-controlled servers
5. Attackers use the stolen token to:
   - Access Gmail, Google Drive, and calendar data
   - Send emails on behalf of the user
   - Change account recovery settings
   - Access connected third-party services


### Backdoor Persistence


The extensions incorporate mechanisms for persistent remote access, allowing attackers to:


- Update the malicious payload without reinstalling the extension
- Execute arbitrary code within the browser context
- Modify extension behavior based on command-and-control instructions
- Evade detection by disabling or blocking security tools


### Ad Fraud Operations


A significant portion of the campaign focuses on ad injection and click fraud, where extensions:


- Inject advertisements into web pages
- Automatically click ads to generate fraudulent impressions
- Redirect traffic to attacker-controlled affiliate links
- Modify shopping cart contents to include affiliate codes

This component generates revenue for the operators while consuming user bandwidth and degrading the browsing experience.


## Implications for Users and Organizations


### Individual User Impact


Users who installed these extensions face immediate and long-term risks:


| Risk Category | Impact |
|---------------|--------|
| Account Compromise | Attackers gain full Google account access and connected services |
| Identity Theft | Stored personal information accessible for fraudulent activity |
| Financial Fraud | Unauthorized purchases, subscription charges, cryptocurrency theft |
| Privacy Violation | Email, documents, photos, and location history exposed |
| Credential Exposure | Passwords and authentication methods may be captured |
| Malware Distribution | Compromised accounts used to spread malware to contacts |


### Organizational Risk


Enterprises face compounded exposure, particularly organizations with minimal Chrome extension policies:


- Compromised Employee Accounts: Attackers gain access to corporate Google Workspace accounts
- Lateral Movement: OAuth tokens can be leveraged to access connected corporate systems
- Data Exfiltration: Sensitive files stored in Google Drive and shared drives may be stolen
- Compliance Violations: Unauthorized access may trigger breach notification requirements
- Supply Chain Risk: Compromised employee accounts could be used to target business partners


## How to Identify Compromised Extensions


The following indicators suggest an extension may be malicious:


- Unusual Permission Requests: Extensions asking for overly broad permissions unrelated to their stated function
- Vague Descriptions: Poor grammar, unclear purpose, or generic functionality descriptions
- Frequent Updates: Unusually rapid version updates, especially without visible feature changes
- Low or Missing Reviews: Recently published extensions with few user ratings
- Suspicious Developer: Published by recently created developer accounts or unfamiliar publishers
- Performance Issues: Degraded browser performance, unexpected ads, or page redirection
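
To turn the "unusual permission requests" indicator above, and the broad web access the attack flow in the Technical Details section depends on, into something checkable rather than a judgement call, here is an added Python audit (example code, not from the article or from any named tool) that flags an extension's manifest.json for all-site host access, sensitive APIs, all-page content scripts, and an update URL outside the Chrome Web Store. The RISKY_APIS set, the findings wording and the two sample manifests are this example's own assumptions; the profile path in the final comment is Chrome's default location on Linux.

```python
"""Audit Chrome extension manifests for the 'unusual permission requests' indicator.
Added example, not from the article; RISKY_APIS and the findings wording are this
script's own assumptions."""
import json
from pathlib import Path

# Permissions that let an extension see auth headers, cookies or every page (assumed set)
RISKY_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
              "scripting", "history", "management"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # Chrome Web Store updater


def audit_manifest(m: dict) -> list[str]:
    """Return findings for one manifest.json; an empty list means nothing was flagged."""
    findings = []
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions"
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & ALL_SITES:
        findings.append("host access to every site (can observe login flows on any domain)")
    if risky := sorted(perms & RISKY_APIS):
        findings.append("sensitive APIs: " + ", ".join(risky))
    if any(set(cs.get("matches", [])) & ALL_SITES for cs in m.get("content_scripts", [])):
        findings.append("content script injected into every page")
    url = m.get("update_url")
    if url and url != STORE_UPDATE_URL:
        findings.append(f"self-hosted update_url {url} (payload can change without store review)")
    return findings


def scan_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; findings keyed by extension id."""
    report = {}
    for manifest in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        report[ext_id] = audit_manifest(json.loads(manifest.read_text(encoding="utf-8")))
    return report


# Constructed sample manifests (not real extensions) so the audit runs offline.
BENIGN = {"manifest_version": 3, "name": "Tab Counter", "permissions": ["storage"],
          "update_url": STORE_UPDATE_URL}
SUSPECT = {"manifest_version": 3, "name": "PDF Helper", "permissions": ["webRequest", "cookies", "storage"],
           "host_permissions": ["<all_urls>"], "update_url": "https://updates.example.invalid/ext.xml",
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}

if __name__ == "__main__":  # e.g. scan_profile(Path.home() / ".config/google-chrome/Default/Extensions")
    for name, m in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_manifest(m) or ["no findings"])
```

A hit on several findings at once is the pattern to look at first; a single sensitive API with a narrow host list is common in legitimate extensions.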

## Recommendations and Mitigation


### Immediate Actions for Affected Users


1. Audit Installed Extensions
   - Review all installed extensions in chrome://extensions/
   - Remove any unfamiliar or suspicious extensions immediately
   - Check extension permissions via chrome://extensions/?id=[EXTENSION_ID]/details

2. Secure Your Google Account
   - Change your Google account password immediately
   - Enable 2-Step Verification (if not already enabled)
   - Review account recovery options and remove unauthorized methods
   - Check connected apps and devices at myaccount.google.com and revoke suspicious access

3. Monitor Account Activity
   - Review Gmail login history and active sessions
   - Check Google Drive access logs for suspicious file access
   - Monitor credit reports and bank accounts for unauthorized activity
   - Consider freezing credit with the major bureaus if identity theft is suspected


### For Organizations


- Deploy Extension Management Policies: Use the Google Admin Console to whitelist approved extensions and block malicious ones
- Provide Security Training: Educate employees about extension risks and vetting best practices
- Monitor Extension Use: Implement Chrome Enterprise reporting to track extension installation across devices
- Require Approval Workflows: Mandate IT approval before installing browser extensions
- Implement Browser Isolation: Consider browser isolation solutions for high-risk work environments


### For Chrome Users Going Forward


- Prefer Native Alternatives: Use built-in Chrome features when possible rather than extensions
- Verify Developer Identity: Research extension developers through their published portfolio
- Check Reviews Carefully: Read recent negative reviews for patterns of malicious behavior
- Grant Minimal Permissions: Use "On specific sites" site access rather than access to all websites
- Enable Safe Browsing: Ensure Chrome's Safe Browsing protection is enabled
- Stay Updated: Keep Chrome and all extensions automatically updated


## Conclusion


This incident is a critical reminder that the Chrome Web Store—despite Google's oversight—remains an attractive target for sophisticated attackers. The combination of broad user permissions and the difficulty of scaling security reviews has created exploitable gaps.


Users must adopt a defensive posture toward browser extensions: treat them with suspicion rather than trust by default, audit installed extensions regularly, and understand that installation convenience doesn't guarantee security. Organizations should implement strict extension policies and monitor usage within their environments.


As browser-based attacks continue to evolve in sophistication, the security community will need to push for stronger vetting mechanisms, better permission models, and improved transparency in extension marketplaces.