Malicious Browser Extensions Compromise 4.3 Million Users Worldwide

Malicious browser extensions have compromised the data of 4.3 million users, collecting sensitive information before being removed by Google and Microsoft.

Malicious Chrome and Edge extensions have been implicated in a significant data breach affecting 4.3 million users, according to a report from Koi Security. These extensions, which initially appeared harmless, evolved into spyware through a long-running malware campaign known as ShadyPanda.

The ShadyPanda operation involved 20 malicious Chrome extensions and 125 extensions on the Microsoft Edge Add-ons store. Many of these extensions first appeared in 2018, presenting no obvious warning signs. Over the years, they underwent silent updates that transformed their functionality, enabling them to collect sensitive user data.

Users who downloaded these extensions unknowingly installed surveillance tools that harvested browsing history, keystrokes, and personal data. The updates were rolled out through each browser’s trusted auto-update system, meaning users did not need to click on anything or fall for phishing attempts; the changes occurred quietly in the background.

Once activated, the malicious extensions injected tracking code into legitimate links, earning revenue from users’ purchases. They hijacked search queries, redirected users, and logged data for sale and manipulation. ShadyPanda gathered a wide range of personal information, including browsing history, search terms, cookies, keystrokes, fingerprint data, local storage, and even mouse movement coordinates.

As these extensions gained credibility in the stores, attackers pushed a backdoor update that allowed for hourly remote code execution. This gave them full control over users’ browsers, enabling them to monitor visited websites and exfiltrate persistent identifiers.

Researchers also found that the extensions could launch adversary-in-the-middle attacks, leading to credential theft, session hijacking, and code injection on any website. Notably, if users opened developer tools, the extensions would switch to a harmless mode to avoid detection.

In response to the findings, Google removed the malicious extensions from the Chrome Web Store. A spokesperson confirmed that none of the identified extensions are currently active on the platform. Similarly, a Microsoft spokesperson stated, “We have removed all the extensions identified as malicious on the Edge Add-on store. When we become aware of instances that violate our policies, we take appropriate action that includes, but is not limited to, the removal of prohibited content or termination of our publishing agreement.”

For users concerned about their installed extensions, it is crucial to verify whether any malicious extension IDs are present. Users can check their installed extensions by following a few simple steps in both Chrome and Edge. If any matches are found, it is recommended to remove those extensions immediately and restart the browser.
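One way to perform that check, as an added example that is not code from the article or from Koi Security: the script below inventories every extension installed under the Chrome and Edge profile directories and flags any whose ID appears on a blocklist. The blocklist entry is an obvious placeholder to be replaced with the IDs from Koi Security's published list, and the profile paths assume standard install locations.

```python
import json
import sys
import tempfile
from pathlib import Path

# Placeholder in Chrome's 32-letter (a-p) extension-ID format; NOT a real ShadyPanda ID.
# Replace with the IDs published in Koi Security's report.
KNOWN_BAD_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

def default_profile_roots():
    """Default 'User Data' roots for Chrome and Edge (assumed standard install locations)."""
    home = Path.home()
    if sys.platform == "win32":
        local = home / "AppData/Local"
        return [local / "Google/Chrome/User Data", local / "Microsoft/Edge/User Data"]
    if sys.platform == "darwin":
        support = home / "Library/Application Support"
        return [support / "Google/Chrome", support / "Microsoft Edge"]
    return [home / ".config/google-chrome", home / ".config/microsoft-edge"]

def inventory(root):
    """Walk <root>/<profile>/Extensions/<id>/<version>/manifest.json and flag blocklisted IDs."""
    found = []
    for manifest in sorted(Path(root).glob("*/Extensions/*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID
        found.append({
            "profile": manifest.parents[3].name,
            "id": manifest.parents[1].name,
            "name": data.get("name", "?"),  # may be a __MSG_*__ locale key
            "version": data.get("version", manifest.parent.name),
            "flagged": manifest.parents[1].name in KNOWN_BAD_IDS,
        })
    return found

def build_sample_profile():
    """Constructed fixture: a throwaway profile tree with one blocklisted and one clean extension."""
    root = Path(tempfile.mkdtemp(prefix="ext-check-"))
    for ext_id, name in [("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Placeholder Bad"),
                         ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "Placeholder Clean")]:
        d = root / "Default" / "Extensions" / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
    return root

if __name__ == "__main__":  # usage: python ext_check.py [profile-root ...]
    for root in [Path(a) for a in sys.argv[1:]] or default_profile_roots():
        for e in inventory(root): print("FLAGGED" if e["flagged"] else "ok     ", e["id"], e["name"], e["version"], e["profile"])
```

Close the browser before running so the profile directory is not mid-write, and remove any flagged extension from the browser's own extensions page rather than by deleting its folder, so the browser's extension registry stays consistent.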

In addition to removing suspicious extensions, users should consider taking further steps to protect their data. Resetting passwords can help safeguard against potential misuse, and using a password manager can simplify the process of creating strong, unique passwords for each account.

ShadyPanda’s operation highlights the risks associated with browser extensions, especially those that may seem innocuous at first glance. Users are advised to be vigilant about the permissions requested by extensions and to regularly review their installed extensions for any that appear unfamiliar or behave unusually.

While antivirus software may not have caught this specific threat due to its stealthy operation, it remains essential for blocking other forms of malware and protecting against phishing attempts. Users should ensure they have robust antivirus protection on all devices to safeguard their personal information and digital assets.

As the ShadyPanda campaign demonstrates, even trusted extensions can become dangerous through silent updates. Staying alert to changes in browser behavior and limiting the number of installed extensions can help reduce exposure to such threats.

For further information on the ShadyPanda campaign and to review the full list of affected extensions, users can visit Koi Security’s website. It is essential to remain proactive in monitoring and managing browser extensions to protect personal data from potential breaches.

For more insights on cybersecurity and best practices, visit CyberGuy.com.
