Encrypted exfiltration made detection difficult: The researcher said in a blog post that several of these extensions attempted to hide the nature of transmitted data. Outbound payloads were frequently encrypted or encoded before transmission, preventing automated inspection.”Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ-String compression, and full AES-256 encryption wrapped in RSA-OAEP,” the researcher said in a separate report published on the findings. “Decoding these payloads showed raw Google search URLs, page referrers, user IDs, and timestamps being sent to a network of proprietary domains and cloud-provider endpoints.The researcher’s testing environment ran Chrome inside a Docker container, allowing each extension to be isolated and analyzed consistently.”We should note that probably not all of the browser history leaking extensions have malicious intent,” the researcher said, clarifying they had to manually remove a few false positives from the logs of extensions tagged by their automated scanner. “Some of the extensions might be benign and may need to collect browser history for functionality such as ‘Avast Online Security & Privacy,’ for example.”The disclosure included a list of Chrome Web Store URLs and actors behind these extensions for reference.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4132712/leaky-chrome-extensions-with-37m-installs-caught-shipping-your-browsing-history.html
