Yet Another App on the Chrome Web Store Is Found to Collect Sensitive Data

Cybersecurity specialists always recommend against downloading applications from unreliable or unknown sources, but what about legitimate platforms, such as Chrome Web Store? While it is advisable to obtain desired tools from legitimate sites, it does not mean you have to let your guard down. Sadly, even reputable sources can contain potentially dangerous software from time to time. Not so long ago, researchers started warning users about an extension called Stylish, as it was discovered it could collect personally identifiable information.

After the reports, both Google and Mozilla removed the possibly dangerous extension from their web stores. However, soon enough there was talk about another Chrome extension that records data. This time, the suspicious plugin was targeted at web developers. As a result, specialists suggested a possibility the application's creators might be raising an industrial espionage campaign. As you continue reading our blog post, we will tell you more about the tool in question and how the situation was handled.

We would like to stress that the application that was accused of collecting web developers' data was a clone of a Chrome extension called Postman. In other words, even though the tools look the same, they are not, as one of the applications was created by a legitimate company, and the other one comes from unknown developers that seek to deceive and steal users' data.

The original plugin was created for web developers as it can speed up API (Application Programming Interface) development. Since the fake Chrome extension that recorded data was the Postman's clone, it offered the same features, and even experienced web developers were unable to notice any difference. More than 3.5 million developers use the original tool, and its clone was reported to have over 27 thousand installs before it was discovered by cybersecurity experts from ExtraHop. According to their team, the extension remained on Chrome Web Store for a month after they found about its malicious activity. As the specialists' report claims, they have informed the mentioned store about the suspicious tool on November 7, 2018, and asked to take it down. Nonetheless, the fake Chrome extension was removed from the platform only on December 6, 2018, after ExtraHop published their report on their website.

It all started when the experts detected one of their organization's computers communicating to an external IP address on an unusual port (6332). Further research revealed there had been plaintext HTTP traffic that was obfuscated, or, in other words, changed from its original form into discrete form to make it look like normal Internet traffic, and it was sent forth to the mentioned IP address. Meaning, some data was being transferred from the company's computer without its authorization. Later on, ExtraHop discovered another employee's computer with the same traffic. What made it look even more suspicious was that both of the computers communicated with the unknown IP address even when they were not being used, as both of the employees were not at work that day. Thus, the specialists had to shut down the machines and forcibly log out their users from all accounts for safety reasons.

Next, the cybersecurity specialists learned that the mentioned HTTP traffic had a header of a Chrome extension named Postman. Knowing the original tool, they immediately realized it could not be it, and so they began to examine it. The fake Postman had an unknown publisher called hanterforme, and it had a different logo image. This only proves how essential it is to learn more about a program before installing it as knowing just its name is not enough. Luckily, in this case, the company discovered the fake Chrome extension was unable to exfiltrate any sensitive information, although it is possible the tool might have recorded visited URL addresses or similar information about the users' browsing habits.

However, if the extension was left unattended for a longer time, it is possible it could have stolen sensitive data like login credentials, session cookies, or URLs with internal hostnames. Gaining URLs of any company's internal network could reveal various details about unreleased products, new features, or the internal network's structure. Consequently, it is only natural specialists suspected the unreliable extension could have been developed as a mean to spy and obtain secrets of various organizations. Whatever the case was, it is fortunate the fictitious Chrome extension that recorded data was discovered and dealt with rather fast. Clearly, the incident with ExtraHop and the fake Chrome extension was most likely only one out of many because, as we said earlier, quite a lot of web developers downloaded the suspicious tool. Nonetheless, it is still unknown how many businesses it might have affected or if its creators were successful in obtaining sensitive data from anyone.

All things considered, it is entirely possible the discussed extension is not the last fake extension we are going to hear about. Thus, it is apparent that platforms like the Chrome Web Store need to find a way to stop potentially dangerous tools from getting overlooked. Nevertheless, it is crucial users are more careful as well. Before downloading new extensions, you should always do a little research so you know how their logos are supposed to look like and who developed them. This way, you could recognize applications pretending to be legitimate just by looking at their description. For more tips on how to protect yourself from malicious Chrome extensions, you should continue reading here.

January 10, 2019

Leave a Reply