6 Million Users at Risk

18 April 2025 2 minutes Author: Newsman

John Tuckner discovered 58 Chrome extensions with hidden malicious code that were installed over 6 million times. Some of them even had the “Recommended” status in the Chrome Web Store.

According to Tuckner, these extensions were disguised as security tools or utilities — from coupon apps to “anti-spyware” defenders. In reality, they received excessive permissions and secretly:

– read cookies and tokens;
– tracked user behavior;
– changed search settings;
– executed remote code.

The danger is that most of them were unlisted in the Chrome Web Store, that is, hidden from search and available only via direct links, which were distributed through fake updates, pop-up banners or malvertising.

Tuckner and his team at Obsidian Security found a shared code base, code obfuscation, similar domains with misspellings (*unknow[.]com*), and the ability to change the configuration remotely. This is direct evidence of the info-stealing nature of these plugins.

The most common malicious extensions:

  • Cuponomia – over 700,000 installations
  • Fire Shield Extension Protection – 300,000+
  • Total Safety for Chrome – 300,000+
  • Browser Checkup, WatchDog, Securify – 200,000+ each

Chrome extensions are add-ons that run in the browser and can gain extensive access to your activity. Each of them has a manifest.json file, where permissions are defined. Tuckner notes that 86 of the 100 most popular extensions request dangerous permissions, which opens the door to espionage.
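A manifest.json can be reviewed for these permissions before or after installation. The following is an added example, not code from the article or from Tuckner's research: the mapping from permissions to the behaviours listed above is an assumption made for illustration, and the sample manifest is constructed.

```python
import json

# Assumed mapping from manifest permissions to the behaviours the article lists.
RISKY_PERMISSIONS = {
    "cookies": "read cookies and session tokens",
    "tabs": "track user behaviour (tab URLs and titles)",
    "history": "track user behaviour (browsing history)",
    "webNavigation": "track user behaviour (navigation events)",
    "webRequest": "observe network requests",
    "scripting": "inject scripts into pages",
    "management": "manage other extensions",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    # MV2 mixes API and host permissions in "permissions"; MV3 splits hosts out.
    declared = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for perm in sorted(set(declared)):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")
        elif perm in BROAD_HOSTS:
            findings.append(f"host access {perm}: applies to every site")
    # Content scripts can match every site without a separate host permission.
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(script.get("matches", [])):
            findings.append("content script runs on every site")
    # The article's "changed search settings" maps to this manifest key.
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        findings.append("overrides the default search provider")
    return findings


# Constructed sample manifest (not taken from any real extension).
SAMPLE = json.loads("""{
  "manifest_version": 3, "name": "Example Shield", "version": "1.0",
  "permissions": ["cookies", "storage", "tabs", "scripting"],
  "host_permissions": ["<all_urls>"],
  "chrome_settings_overrides": {"search_provider": {"name": "x",
      "search_url": "https://search.example/?q={searchTerms}"}}
}""")

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE):
        print(line)
```

A finding here is a prompt for review, not proof of malice: many legitimate extensions need some of these permissions.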

Most users do not check permissions during installation, and the “Featured” label in Chrome is perceived as a guarantee of reliability – even if the extension is hidden.

And most importantly – never blindly rely on the “recommended” status without checking.
