FraudWatch International Blog


Chrome Extension Hijacking – how did it happen?

On multiple occasions in recent weeks, Chrome browser extension developers lost control of their code when hackers infiltrated the Google Chrome Web Store, which is used to deploy updates to users.

Two of these recent hijackings affected the creator of the 'Web Developer' extension (which adds a toolbar of web development tools to Chrome) and the developers of 'Copyfish', an extension for optical character recognition. In both cases, unauthorised access was obtained, enabling the hackers to publish fake updates which, by default, were automatically pushed out to thousands of Chrome users who had the extension installed. The fake extensions also infiltrated the official Chrome Web Store, which made them available for download. Thankfully, the updates only caused annoyance, rather than damage, as they just injected an overlay of ads onto the websites visited by the infected user.

The developers of Copyfish released a day-by-day account of how the hack occurred and what they were doing to fix it. They pointed out that only the Chrome version of their extension was affected, not their Firefox version.

The report detailed how:

  • a staff member had fallen for a phishing email (thinking it was from Google) and divulged the password to their developer account;
  • the hackers updated the Copyfish extension without anyone realising;
  • the fake version of Copyfish started to insert ads/spam into all websites their users (including themselves) visited;
  • they logged into their developer account to fix it, but their extension had been moved by the hackers and they had no access to it anymore;
  • one of their Copyfish users posted their situation on HackerNews and managed to get a fix, which stopped the adware; however, they still didn't have access to their account, so they couldn't guarantee the hackers wouldn't do another malicious update;
  • they finally regained control of their extension code, and released a new, clean, safe version of Copyfish (approved by Google). They advised that Google had disabled any previous versions, to protect their users.

Whilst transforming useful browser extensions into adware causes little more than frustration for users, it highlights a serious flaw in Chrome, which is widely thought of as the safest browser out there. Research into previous attacks on the Google Chrome Web Store shows that not only can criminals modify the code of genuine extensions, but they can also gain control of social media accounts, deploy malicious code and collect browsing histories and user data. The hack that occurred to the Web Developer extension gave the criminals access to the computer's microphone, camera etc., which is a little too close for comfort.

Google prides itself on making Chrome resistant to the types of drive-by attacks that were commonplace in years gone by. However, with two accounts hacked in the space of five days, extensions are clearly still a vulnerability, and a way that hackers can target Chrome users. Whilst Google provides the functionality for free, developers of the Copyfish extension admitted that two-factor authentication was not used on their developer account.

Two-factor authentication isn't mandatory for extension developers, which is surprising, given that extensions push code into millions of users' computers every day – a goldmine for cyber-criminals. Both the Copyfish and Web Developer extensions were compromised because one of their developers fell for a phishing email impersonating Google, informing them that their extension was in breach of Google rules and needed to be updated immediately.

Here is a sample of the email:


Figure 1: Sourced from Bleeping Computer

The extension developers were tricked into clicking a link which brought up a site for them to log into their Google developer account, a step they would do regularly when updating code. The login page was identical to the real Google account login page, so the developers of the Copyfish and Web Developer extensions had no idea that they were compromising their accounts.

This same phishing email was also sent to the developer of two popular Chrome extensions named 'Blue Messenger' and 'Websta' for Instagram. Each of these apps has over 80,000 users. Research into the attacks found that the common denominator was a domain called 'Freshdesk'. This was reported to Google, who blocked and flagged the websites as a scam. However, the hackers were smart: they kept changing domains and continued to launch further attacks on extension developers.

Eventually, Google was forced to admit that there was an issue with their security, and on the 4th August 2017, they issued the following email to all of their extension developers:


Figure 2: Sourced from Bleeping Computer

Whilst we can hope that Chrome extension developers heed the warnings about not logging into their developer accounts on webpages hosted on non-Google domains, owners of extensions remain a prime target for money-hungry cyber-criminals.
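The advice above comes down to checking the host of a login link, not the look of the page. The following is an added example, not part of the original article or of any Google tooling: a strict host check in JavaScript, where the allow-list entries and all sample links are assumptions constructed for illustration.

```javascript
// Added example: decide whether a link really leads to a Google-hosted page
// before a developer-account password is typed into it.
// ASSUMPTION: the allow-list below is illustrative, not an official Google list.
const TRUSTED_HOSTS = new Set(["accounts.google.com", "chrome.google.com"]);

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { trusted: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not HTTPS" };
  }
  // Text before '@' is userinfo, not the host: https://accounts.google.com@evil.example/
  if (url.username || url.password) {
    return { trusted: false, reason: "URL carries userinfo before the host" };
  }
  // WHATWG URL parsing lower-cases the host and converts IDN labels to punycode.
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { trusted: false, reason: "internationalised (punycode) host" };
  }
  // Exact match only: 'google' appearing somewhere in the host proves nothing.
  if (!TRUSTED_HOSTS.has(host)) {
    return { trusted: false, reason: `host ${host} is not on the allow-list` };
  }
  return { trusted: true, reason: "exact match on allow-listed host" };
}

// Constructed sample links (the example.* names are placeholders).
const SAMPLES = [
  "https://accounts.google.com/signin",
  "https://accounts.google.com.login.example.net/signin",
  "https://accounts.google.com@login.example.net/signin",
  "https://google-support.helpdesk.example.com/login",
  "http://accounts.google.com/signin",
];

for (const link of SAMPLES) {
  const { trusted, reason } = checkLoginUrl(link);
  console.log(`${trusted ? "OK   " : "BLOCK"} ${link} (${reason})`);
}
```

Only the first sample passes; the others fail on the host suffix, the userinfo trick, the unrelated help-desk host and the missing HTTPS respectively.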
