35 Google Chrome Extensions Hacked to Inject Malicious Code | A Comprehensive Overview
A massive phishing campaign compromised 35 popular Google Chrome extensions, affecting millions of users and extracting sensitive information. This blog provides an in-depth look at the attack, the affected extensions, and the steps you should take to protect yourself.
On January 1, 2025, a massive phishing campaign targeted at least 35 Google Chrome extensions was reported, impacting a staggering 2.6 million users. These extensions, ranging from VPN tools to productivity add-ons, were compromised by attackers injecting malicious code to steal sensitive data. The malicious code was specifically designed to harvest user session tokens, cookies, and login credentials, with a focus on social media accounts like Facebook, particularly those with access to advertising features.
In this blog, we will dive deep into the nature of this attack, how it was carried out, and the impact on users and developers. Additionally, we’ll provide a detailed list of all the affected extensions, how they were compromised, and the steps users and developers can take to safeguard their accounts and data.
What Happened?
The attackers behind this campaign used a sophisticated phishing technique. They sent deceptive emails posing as notifications from Google Chrome Web Store Developer Support, warning extension developers about issues like “misleading metadata” or “unnecessary details in the description.” These emails were designed to trick developers into granting attackers OAuth permissions over their projects, effectively allowing the hackers to bypass multi-factor authentication and take control of the extension’s management.
By gaining access to the Chrome Web Store accounts of the extension developers, the attackers could upload new versions of the extensions, which contained malicious code. The compromised extensions were then pushed directly to the users without raising suspicion.
Key Features of the Malicious Code
Once the affected extensions were installed or updated, the malicious JavaScript code embedded in these extensions began its attack. The primary objective was to extract sensitive user data including:
- Session tokens
- Cookies
- Credentials for social media accounts, particularly Facebook Ads dashboards.
The attackers also embedded hard-coded command and control (C2) domains in the malicious code. These allowed them to remotely download configurations and exfiltrate private user data. In particular, corporate accounts with access to paid advertising features were targeted, potentially giving hackers access to advertising budgets, campaigns, and other sensitive business data.
The Affected Extensions
Here’s a detailed table of the 35 extensions that were affected by the attack:
| Extension Name | Status | Version / Identifier |
|---|---|---|
| Where is Cookie? | Not yet addressed | emedckhdnioeieppmeojgegjfkhdlaeo |
| Web Mirror | Not yet addressed | eaijffijbobmnonfhilihbejadplhddo |
| ChatGPT App | Not yet addressed | lbneaaedflankmgmfbmaplggbmjjmbae |
| Hi AI | Not yet addressed | hmiaoahjllhfgebflooeeefeiafpkfde |
| Web3Password Manager | Not yet addressed | pdkmmfdfggfpibdjbbghggcllhhainjo |
| YesCaptcha assistant | Not yet addressed | [email protected] |
| Bookmark Favicon Changer | Addressed | 5.1 / [email protected] |
| Proxy SwitchyOmega (V3) | Not yet addressed | [email protected] |
| GraphQL Network Inspector | Addressed | 2.22.7 / [email protected] |
| AI Assistant | Removed from store | bibjgkidgpfbblifamdlkdlhgihmfohh |
| Bard AI chat | Removed from store | pkgciiiancapdlpcbppfkmeaieppikkk |
| ChatGPT for Google Meet | Removed from store | epdjhgbipjpbbhoccdeipghoihibnfja |
| Search Copilot AI Assistant for Chrome | Removed from store | bbdnohkpnbkdkmnkddobeafboooinpla |
| TinaMind | Addressed | 2.14.0 / befflofjcniongenjmbkgkoljhgliihe |
| Wayin AI | Addressed | 0.0.11 / cedgndijpacnfbdggppddacngjfdkaca |
| VPNCity | Not yet addressed | nnpnnpemnckcfdebeekibpiijlicmpom |
| Internxt VPN | Addressed | 1.2.0 / dpggmcodlahmljkhlmpgpdcffdaoccni |
| Vidnoz Flex | Removed from store | cplhlgabfijoiabgkigdafklbhhdkahj |
| VidHelper | Not yet addressed | egmennebgadmncfjafcemlecimkepcle |
| Castorus | Addressed | 4.41 / mnhffkhmpnefgklngfmlndmkimimbphc |
| Uvoice | Not yet addressed | oaikpkmjciadfpddlpjjdapglcihgdle |
| Reader Mode | Not yet addressed | fbmlcbhdmilaggedifpihjgkkmdgeljh |
| ParrotTalks | Not yet addressed | kkodiihpgodmdankclfibbiphjkfdenh |
| Primus | Addressed | 3.20.0 / oeiomhmbaapihbilkfkhmlajkeegnjhe |
| Keyboard History Recorder | Not yet addressed | igbodamhgjohafcenbcljfegbipdfjpk |
| ChatGPT Assistant | Not yet addressed | bgejafhieobnfpjlpcjjggoboebonfcg |
| Reader Mode | Removed from store | llimhhconnjiflfimocjggfjdlmlhblm |
| Visual Effects for Google Meet | Addressed | 3.2.4 / hodiladlefdpcbemnbbcpclbmknkiaem |
| AI Shop Buddy | Not yet addressed | epikoohpebngmakjinphfiagogjcnddm |
| Cyberhaven V3 Security Extension | Addressed | pajkjnmeojmbapicmbpliphjmcekeaac |
| Earny | Not yet addressed | oghbgbkiojdollpjbhbamafmedkeockb |
| Rewards Search Automator | Not yet addressed | eanofdhdfbcalhflpbdipkjjkoimeeod |
| Tackker | Addressed | ekpkdmohpdnebfedjjfklhpefgpgaaji |
| Sort By | Not yet addressed | miglaibdlgminlepgeifekifakochlka |
| Email Hunter | Not yet addressed | mbindhfolmpijhodmgkloeeppmkhpmhc |
How the Attack Happened
The phishing email was crafted to look like an official Google notification. The email warned developers about supposed violations like “misleading metadata” or “unnecessary details in the description” of their extensions. Clicking on the provided link took developers to a fake login page, posing as a legitimate Google Chrome Web Store login interface. The login page was actually an attacker-controlled site named "Privacy Policy Extension."
Once the developers entered their credentials, they unknowingly granted the attackers OAuth access to their Chrome Web Store accounts. This access allowed the hackers to bypass multi-factor authentication, upload malicious updates to the extensions, and push them to users.
Impact of the Attack
Once the malicious extensions were pushed to users, the malicious JavaScript code was executed. It targeted the following:
- Session tokens: Critical pieces of information that authenticate user sessions on various platforms.
- Cookies: Stored data that identifies a user during a session on websites.
- Login credentials: Information used to log in to social media platforms and business tools, particularly Facebook Ads dashboards.
The primary victims of this attack appear to be corporate accounts with access to Facebook's advertising tools, giving the attackers the opportunity to steal advertising budgets, campaigns, and other business-related information.
What Should You Do?
For Users:
- Uninstall or update affected extensions immediately.
- Reset passwords and revoke active sessions.
- Review browser extension permissions and make sure they are still appropriate.
- Monitor for unusual activity on personal and business accounts.
- Be wary of suspicious emails, especially those claiming to be from Google.
For Developers:
- Verify the legitimacy of any emails related to extension compliance or policy issues.
- Enable two-factor authentication (2FA) on all developer accounts.
- Ensure that you have implemented secure coding practices to prevent malicious code injections.
- Stay vigilant for any unexpected changes to your extensions and keep an eye on any unusual activity in your accounts.
Conclusion
The hacking of 35 Google Chrome extensions serves as a stark reminder of the evolving nature of cyber threats. As attackers continue to exploit trusted platforms like the Chrome Web Store, users and developers alike must remain vigilant and proactive in safeguarding their data and systems.
By taking the necessary precautions and staying informed about potential threats, we can mitigate the risks posed by such attacks and continue to use online tools safely.
FAQs:
1. How do attackers gain control over Chrome extensions?
Attackers use phishing emails to trick developers into granting OAuth access to their projects, allowing them to upload malicious code.
2. What type of data do the attackers steal?
The attackers steal session tokens, cookies, and social media credentials, especially those related to Facebook Ads.
3. How can I protect myself from such attacks?
Users should uninstall or update affected extensions, reset passwords, and monitor unusual activities.
4. What extensions were affected by this attack?
Extensions like AI Assistant, Web Mirror, VPNCity, and ChatGPT App were among the 35 affected.
5. What should developers do to secure their extensions?
Developers should enable two-factor authentication, verify emails related to compliance issues, and follow secure coding practices.
6. Are these extensions still available for download?
Some extensions have been removed from the Chrome Web Store, while others have been patched or updated.
7. How can I identify phishing emails related to this attack?
Look out for emails claiming to be from Google regarding policy violations or extension compliance issues.
8. Can this attack affect other browsers?
While this attack specifically targeted Chrome extensions, similar phishing tactics could be used on other browsers.
9. What happens if my credentials were stolen?
If your credentials were stolen, reset your passwords immediately and review your account for suspicious activity.
10. What is OAuth and how was it exploited in this attack?
OAuth is an authorization protocol. The attackers exploited it to gain unauthorized access to developer accounts by tricking them into granting permissions.
![[2025] Top 100+ VAPT Interview Questions and Answers](https://www.webasha.com/blog/uploads/images/image_100x75_6512b1e4b64f7.jpg)
