These Google extensions perform suspicious actions on more than 4 million devices: how to detect them

According to Ars Technica, a researcher found dozens of harmful Chrome extensions on 4 million devices. We explain how to detect them and whether they can be neutralized.

What happened

Researcher John Tuckner, founder of the browser analysis company Secure Annex, came across a cluster of extensions which shows that Google hosts dozens of them in its Chrome Web Store. These extensions, in turn, perform suspicious actions on the more than 4 million devices on which they are installed. It is likely that the developers made efforts to hide them. The dangerous extensions are listed in this table.

[Image: table of the dangerous extensions]

The extensions, currently at least 35 of them, use the same code patterns, connect to the same servers, and require a similar list of sensitive system permissions that allow interaction with web traffic on all visited URLs, access to cookies, and control of browser tabs. Among the common permissions are:

- tabs: manages the browser's windows and interacts with them.
- cookies: allows setting and accessing stored browser cookies based on cookie or domain names (e.g. "Authorization" or "all cookies for github.com").
- webRequest: intercepts and modifies the web requests the browser makes.
- storage: persistently stores small amounts of information in the browser (this is where these extensions keep their command-and-control configuration).
- scripting: the ability to inject new JavaScript into web pages and manipulate the DOM.
- alarms: uses an internal messaging service to trigger events.
- <all_urls>: allows the extension to interact with all browsing activity.

Such permissions give an extension the ability to perform all sorts of potentially suspicious or harmful actions, so they should be granted judiciously and only to trusted extensions that cannot perform their core functions without them.
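One way to check an extension's manifest for the permission set listed above, as an added example that is not code from the researcher or the article. The function name, the review threshold of three permissions, and the sample manifests are assumptions made for illustration.

```python
import json

# Permissions the article lists as common to the 35 extensions.
RISKY_API = {"tabs", "cookies", "webRequest", "storage", "scripting", "alarms"}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions and all-site host access a manifest requests."""
    declared = set()
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts get page access through their own "matches" patterns.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    risky = sorted(declared & RISKY_API)
    broad = sorted(declared & BROAD_HOSTS)
    return {
        "name": manifest.get("name", "?"),
        "risky": risky,
        "broad_hosts": broad,
        # Assumed triage rule: flag for review when the extension can reach
        # every site and holds at least three of the listed permissions.
        "review": bool(broad) and len(risky) >= 3,
    }


# Constructed sample manifests (not taken from any real extension).
SAMPLES = [
    json.loads("""{"manifest_version": 3, "name": "Sample Shield",
      "permissions": ["tabs", "cookies", "webRequest", "storage", "scripting", "alarms"],
      "host_permissions": ["<all_urls>"]}"""),
    json.loads("""{"manifest_version": 2, "name": "Sample Legacy",
      "permissions": ["cookies", "webRequest", "tabs", "*://*/*"]}"""),
    json.loads("""{"manifest_version": 3, "name": "Sample Notes",
      "permissions": ["storage"],
      "host_permissions": ["https://notes.example/*"]}"""),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
```

To audit a real profile, load each manifest.json under the Chrome profile's Extensions/<id>/<version>/ directory and pass it to audit_manifest. A flagged result is a prompt to review the extension, not proof that it is malicious.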

John Tuckner noted that the only permission any of the 35 extensions needs is management. The extensions share other dubious or suspicious similarities. Much of the code in each of them is heavily obfuscated, and the way the code is written only complicates the process of analyzing and understanding how the extension behaves.

Why it is important

These 35 hidden harmful Chrome extensions are not displayed in the Web Store, yet they have a total of 4 million installations, which raises questions about how they are distributed. Anyone who has installed one of these extensions should delete it immediately.

Ten of these extensions even carry a "featured" or "recommended" badge from Google, which indicates that they were vetted, despite the harmful activity detected. One example is the extension Fire Shield Extension Protection, which, despite its stated protective function, contains code that interacts with suspicious domains that appear in most of the detected malware.

Tuckner faced considerable difficulties when trying to analyze the behavior of the suspicious Chrome extensions because of the complex code and the developer's deliberate steps to conceal their activity. On a lab device, the Fire Shield extension showed no options when its icon was clicked and only opened an empty web page. Analysis of the background process in Chrome's developer tools showed a connection to the URL fireshieldit.com and the logging of the event "browser_action_clicked".

Changing tactics, Tuckner used the configuration file of another suspicious extension, Browse Securely for Chrome (later Secured Connection by Security Browse), which had been uploaded to GitHub by a user who considered it harmful. Inserting this extension's unique ID into the Fire Shield installation caused the latter to start sending data on user behavior and information about:

- the websites visited;
- previous pages;
- screen size and details.

Although no direct evidence of credential theft was found, the remotely controllable configuration and the capabilities present in the extension code led the researcher to conclude that all of these extensions contain spyware or information-harvesting software.

This discovery underlines the importance of installing browser extensions deliberately. They should be installed only when needed, after first checking user reviews and the developer's reputation. Google has not yet said whether the company is investigating or what vetting it carried out before giving some of these extensions "recommended" status.

By Natasha Kumar