
Title: Chrome Bypasses More Than Just 2FA, Leaving Millions Vulnerable

In the digital realm, cybercriminals have been outsmarting traditional security measures, notably two-factor authentication (2FA), through maliciously crafted Chrome extensions. Recent analyses expose a more expansive threat as hackers also manage to bypass Google's other protective shields.

Curious fingers hover over the Google Chrome app icon.


Recently, I reported on the alarming situation where millions of Google Chrome users were at risk due to numerous fake browser extensions. These malicious duplicates replaced genuine extensions, allowing hackers to bypass 2FA protections. Unfortunately, things have taken a turn for the worse. Recent security and privacy analyses reveal that hackers are manipulating Google's search protections to expose hundreds of millions more users to harmful and potentially dangerous extensions. Let me break it down for you.

Manipulation of Google Search for Malicious Extensions

Although the phishing attacks at the end of 2024 gained access to developer accounts and replaced genuine extensions with malicious ones, phishing is not the only tactic employed by dodgy extension threat actors. Security and privacy researcher Wladimir Palant has conducted a deep-dive technical analysis revealing how hackers are exploiting Google's search protections to ensure their dangerous extensions are ranked higher in search results, even when users search for unrelated and genuine products.

Here's how hackers do it: they stuff the extension descriptions with keywords in as many as 55 different languages, so that the manipulated extensions appear at the top of search results for those keywords, even when the search is performed in English. This technique allows hackers to bypass Google's safeguards and lure unsuspecting users into installing these harmful extensions.

Multi-Lingual Extensions and Manipulation Tactics

Palant's analysis reveals that most manipulated extensions employ a combination of different approaches, using a pick-and-mix attack methodology. Here are some techniques hackers use:

  1. Different extension name: Taking advantage of the way Google's search algorithm weighs extension names more than descriptions, hackers often use slight variations of the original name depending on the language.
  2. Different short description: Hackers include different variations of the short description depending on the language being used.
  3. Using competitors' names: Hackers sometimes rename their extension after a competing product in a different language.
  4. Extensive and often nonsensical extension descriptions: Taking advantage of messy translation management, some hackers use a massive wall of text, which can be extended with a lengthy English passage and a list of keywords in different languages.
  5. Keywords at the end of extension descriptions: Hackers append a long list of keywords and phrases in various languages, separated from the real description by empty lines.
  6. Keywords within the extension description: Using synonyms, slight variations, or automated translations, hackers hide keywords in the extension description to bypass search filters.
  7. Different extension descriptions: Some manipulated extensions use completely unrelated text for the description in certain languages.
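As an added illustration (not code from Palant's analysis or from this article), the heuristic below audits the per-locale name and description strings a Chrome extension ships in its _locales/<lang>/messages.json files and flags three of the tactics listed above: per-language names, trailing keyword blocks, and descriptions unrelated to the English one. The sample locale data is constructed, and the 20% word-overlap threshold is an assumed tuning value.

```python
import re

# Constructed sample of the per-locale strings an extension exposes through
# _locales/<lang>/messages.json (__MSG_name__ / __MSG_description__).
# Invented for illustration; not taken from any real Web Store listing.
SAMPLE_LOCALES = {
    "en": {"name": "Tab Saver",
           "description": "Save and restore your open tabs with one click."},
    "de": {"name": "Tab Saver - PDF Converter",
           "description": "Save and restore your open tabs with one click.\n\n"
                          "pdf konvertieren\nvpn kostenlos\nadblock\nübersetzer"},
    "fr": {"name": "Tab Saver",
           "description": "Traducteur gratuit, VPN rapide, bloqueur de pub, "
                          "convertisseur PDF, capture d'écran, adblock"},
}

def trailing_keyword_block(desc, min_lines=3, max_words=4):
    """Return the trailing keyword list if the description ends with a block
    of short lines separated from the main text by an empty line (tactic 5)."""
    parts = re.split(r"\n\s*\n", desc.strip())
    if len(parts) < 2:
        return []
    lines = [l.strip() for l in parts[-1].splitlines() if l.strip()]
    if len(lines) >= min_lines and all(len(l.split()) <= max_words for l in lines):
        return lines
    return []

def audit_locales(locales, base="en", min_overlap=0.2):
    """Compare every locale against the base locale and return a list of
    findings; an empty list means none of the three heuristics fired."""
    findings = []
    names = {loc: m["name"] for loc, m in locales.items()}
    if len(set(names.values())) > 1:            # tactic 1: per-language names
        findings.append(("name_varies", sorted(set(names.values()))))
    base_words = set(re.findall(r"\w+", locales[base]["description"].lower()))
    for loc, m in locales.items():
        kw = trailing_keyword_block(m["description"])
        if kw:
            findings.append(("trailing_keywords", loc, len(kw)))
        # tactic 7: a localized description sharing almost no words with the base
        words = set(re.findall(r"\w+", m["description"].lower()))
        if loc != base and words and len(words & base_words) / len(words) < min_overlap:
            findings.append(("unrelated_description", loc))
    return findings

if __name__ == "__main__":
    for finding in audit_locales(SAMPLE_LOCALES):
        print(finding)
```

A store-side or enterprise allow-listing pipeline would run this over every locale in an unpacked extension before approving it; a clean extension typically has identical names and near-identical descriptions across languages.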

Mitigating the Attack Risk

To mitigate this risk, Palant suggests that Google could focus on existing rules in their Chrome Web Store abuse policy, make adjustments to the store, or even consider technical solutions such as a separate search index per language to remove the incentives for manipulation. I've reached out to Google for an official statement.

In the meantime, be aware of the tactics hackers use to lure you into installing malicious extensions, and always practice caution when installing extensions, especially from third-party sources.

  1. The manipulated Chrome extensions are using various languages to stuff their descriptions with keywords, allowing them to bypass Google's search protections and appear at the top of search results, even when searched in English.
  2. Hackers are exploiting Google's search protections to bypass 2FA protections on Google Chrome, putting millions of users at risk, as revealed in recent security and privacy analyses.
  3. Google Chrome users should be cautious when installing extensions, especially from third-party sources, as hackers are manipulating Google search results to promote harmful and potentially dangerous extensions.
  4. Recent analysis shows that hackers are using multi-lingual manipulation tactics to improve the ranking of their malicious Chrome extensions, including using different extension names, descriptions, and keywords.
  5. To mitigate the risk, Google could make adjustments to their Chrome Web Store abuse policy, create a separate search index per language, or focus on existing rules to remove the incentives for manipulation.
