Attention! These Chrome extensions may steal your Telegram, Google data
What's the story
Cybersecurity experts have uncovered a coordinated campaign of 108 malicious Google Chrome extensions. The extensions steal user data, hijack Telegram sessions, and inject malicious code into web pages. First reported by Hacker News, the campaign accounts for around 20,000 installs from the official Chrome Web Store.
Deceptive tactics
Attackers used five different publisher names
The malicious extensions are published under five different publisher names but share a single command-and-control (C2) infrastructure, cybersecurity firm Socket reported. They pose as legitimate tools such as Telegram sidebar clients, text translators, and slot machine games, while running malicious scripts in the background and routing stolen credentials, user identities, and browsing data to servers controlled by the same operator.
Data theft
What did the hackers do?
Among the malicious extensions, 54 targeted Google account identities, harvesting data such as the email address and profile picture through OAuth2 as soon as the user signed in. Another 45 carried a generic backdoor that, on browser startup, opened arbitrary URLs supplied by the attacker's server. The most dangerous extension in the campaign is 'Telegram Multi-account,' which targeted Telegram users.
Security breach
Attackers could take over Telegram accounts without a password
The 'Telegram Multi-account' extension silently read the active Telegram Web authentication tokens and sent them to a remote server every 15 seconds. Because a stolen session token is replayed rather than a fresh login performed, the attacker gains full control of the account without the password or a two-factor authentication code. Five extensions also used Chrome's declarativeNetRequest API to strip security response headers (such as Content-Security-Policy) from target sites before the page loads, Socket said in its blog post.
User protection
How to check if your account is compromised
If you think you have been affected, security experts recommend the following immediate steps. First, open chrome://extensions and remove any of the 108 malicious extensions. Uninstalling does not invalidate tokens that were already exfiltrated, so if you used the compromised Telegram extension, terminate all other active Telegram Web sessions from the 'Devices' menu in the Telegram mobile app. Lastly, if you signed into any of these extensions using Google, treat your Google identity as exposed and revoke any unfamiliar third-party access under your Google Account's security settings (myaccount.google.com/permissions).