Security researchers have analysed an apparently innocent Chrome browser extension and found that it represents a significant threat to the data of millions of web users.
ScrapeSentry reported that the Chrome store’s Webpage Screenshot extension, which takes and stores screenshots, can also send personal information to an IP address in the US.
The firm said that the extension has been downloaded 1.2 million times, and that users could be unwittingly sharing personal information to be used for illegal purposes.
“We are in the business of detecting and blocking scrapers and bots that break the terms and conditions of use of our customers’ websites,” said Martin Zetterlund, founding partner at ScrapeSentry.
“We recently identified an unusual pattern of traffic to one of our client’s sites which alerted our investigators that something was very wrong.”
The team studied the software and found that it features malicious code that could be used to send a complete history of browsing data to an unknown third-party IP address. The content of emails and other documents could also be at risk.
“The repercussions of this could be quite major for the individuals who have downloaded the extension,” said Cristian Mariolini, security analyst at ScrapeSentry.
“What happens to the personal data, and the motives for wanting it sent to the US server, is anyone’s guess, [but] it’s not going to be good news.
“And, of course, if it’s not stopped the plugin may, at any given time, be updated with new malicious functionality. We would hope that Google will look into this security breach with some urgency.”
Google is making efforts in this direction. The company said earlier this month that it was tackling ad-injecting software affecting Chrome users and had removed 195 maliciously deceptive extensions.
The real risk here is that the threat is hidden away in an otherwise innocuous application. Mark James, security specialist at internet security firm ESET, warned that this kind of thing is ripe for exploitation.
“The downside to this type of technology is that it can be easily misused, and it appears that’s exactly what’s happening here,” he said.
“The Chrome extension contains malicious code that has the ability to send all your browsing data to a single server in the US. Any information, including page titles, could be sent off without your knowledge.”
James recommended that web users or admins should review extensions carefully before adopting them, paying particular attention to their permissions.
“Extensions can enhance our browsing experience but, like a lot of free software, we need to evaluate it and what it offers versus the risks of it being ‘free’,” he added.
“Have a read of the reviews, do a few searches on the extension itself to better understand what it does.
“And remember that, even if it looks safe, if you give it permission to do something it may update itself at a later date to do something malicious and still have that authorisation. Review them often to see if you really need them, and if not remove them.”
The Webpage Screenshot extension has been removed from the Chrome store. A note on its page explains that this may be the work of its author.
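The permission review James recommends can be partly automated. The following Python sketch is an added example, not code from ScrapeSentry, ESET or the extension itself: it reads extension `manifest.json` files and flags permissions that expose browsing activity or grant access to every site. The permission lists, function names and sample manifest are assumptions chosen for illustration.

```python
import json
from pathlib import Path

# API permissions that expose browsing activity (URLs, page titles, history).
BROWSING_PERMS = {"history", "tabs", "webNavigation", "topSites"}
# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest (not taken from any real extension).
SAMPLE = {
    "name": "Example screenshot tool (constructed)",
    "manifest_version": 2,
    "permissions": ["activeTab", "storage", "tabs", "history", "<all_urls>"],
}

def _strings(items):
    """Keep only string entries; manifests may also hold object entries."""
    return {i for i in items or [] if isinstance(i, str)}

def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    declared = _strings(manifest.get("permissions"))        # MV2: API + host entries
    declared |= _strings(manifest.get("host_permissions"))  # MV3: host entries
    for script in manifest.get("content_scripts") or []:
        if isinstance(script, dict):
            declared |= _strings(script.get("matches"))
    findings = [f"browsing-data permission: {p}" for p in declared & BROWSING_PERMS]
    findings += [f"all-sites host access: {h}" for h in declared & BROAD_HOSTS]
    return sorted(findings)

def audit_dir(root):
    """Audit every manifest.json under root; map file path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            report[str(path)] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[str(path)] = findings
    return report

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print(finding)
```

A finding is a prompt to look closer, not proof of malice: many legitimate extensions need these permissions. Because an update can start using a permission that was already granted, the check is worth repeating after extensions update.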