According to security researchers, more than a million users who visit Google sites use a browser loaded with malicious add-ons.
A Google Chrome extension, available until recently in Google Chrome's Web Store, has been collecting browsing information from a large number of users and sending it back to a central US server.
The extension, named Web Screenshot, had been given a 4.5 rating by users and also provides drawing tools to highlight portions of the captured image.
Martin Zetterlund, founding partner at IT security firm ScrapeSentry, said that the firm had “identified an unusual pattern of traffic to one of our client's sites which alerted our investigators that something was very wrong.”
The team then discovered that the Chrome extension contained malicious code that sent copies of all of a user's browsing data to a server in the US. This included data visible in a page's title, such as email when using a web email service, which could be sent to the IP address without the user's knowledge.
“The repercussions of this could be quite major for the individuals who have downloaded the extension,” said Cristian Mariolini, a security analyst at ScrapeSentry. “What happens to the personal data and the motives for wanting it sent to the US server is anyone's guess, but ScrapeSentry would take an educated guess it's not going to be good news.”
“And of course, if it's not stopped, the plugin may, at any given time, be updated with new malicious functionality as well. We would hope Google will look into this security breach with some urgency.”
Wim Remes, manager of Strategic Services EMEA at Rapid7, said in a public statement that in an online world where personal information has become our accepted currency, users have to decide what the functionality they desire is worth.
“App Stores can certainly implement rules that discourage or eliminate egregious data gathering practices,” he said. “And in many cases, they do, but between safeguarding ethics and maintaining an ecosystem of developers, exists a grey zone where trade-offs are made.”
“App Stores could enforce proper advertisement of what the apps gather, but I'm not convinced that we can have free apps without some form of compromise.”
Adam Tyler, chief innovation officer at fraud detection firm CSID, told SCMagazineUK.com that a research project released last year at the Usenix Security Symposium highlighted the extent of the problem. “Analysis conducted by various university-based researchers highlighted that on the Chrome Browser ‘store’ alone there were 130 specifically malicious extensions, and more than 4700 ‘suspicious’ extensions,” he said.
Tyler said that browser extensions allow developers to effectively re-write or re-design virtually any part of the browser experience.
“These malicious extensions make use of these capabilities and effectively harvest and gather data from viewed/accessed pages, and send it back to a malicious entity when the information is of interest/value.”