Widely used Google Chrome extension, Color Picker Tool, found to contain malicious spyware.

A popular Chrome extension, originally marketed as a color picker tool for web designers and developers, has been found to contain sophisticated spyware. With over 100,000 downloads, it has exposed many users to risks by hijacking browser sessions and redirecting them to malicious sites.

Discovery and Impact

Security researchers recently identified that the extension, after a seemingly routine update, began exhibiting malicious behavior. Each time a user navigated to a new webpage, the extension would hijack the session, enabling attackers to monitor browsing activity and potentially harvest sensitive information such as login credentials and personal data.

In addition to session hijacking, the extension forcibly redirected users to fraudulent or ad-laden websites, including fake search engines designed to mimic legitimate ones. These redirects not only disrupt the user experience but also expose users to further phishing schemes and malware.

Technical Details

The malicious extension operated as a browser hijacker, modifying key browser settings such as the homepage, new tab page, and default search engine. It also employed techniques to evade detection, such as delaying the activation of its malicious payload until days or weeks after installation. This allowed the extension to bypass security checks and remain undetected for longer periods.

Furthermore, the spyware component collected extensive data on users’ browsing habits, search queries, and potentially even cookies and authentication tokens. This information could then be sold to third parties or used for further cyberattacks.
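The capabilities described in this section (replacing the homepage, new tab page and default search engine; watching every navigation; reading cookies and authentication tokens) all have to be declared in an extension's manifest.json, so a defender can triage installed extensions by reading those manifests. The script below is an added example written for this article, not code from the article or from the extension itself. It relies on real Chrome manifest keys (chrome_settings_overrides, chrome_url_overrides) and permission names (cookies, tabs, webNavigation, webRequest, declarativeNetRequest, history, <all_urls>); the two sample manifests, the extension IDs and the example.invalid search URL are constructed for the demo, and the hijacker-like manifest is an assumption about what such an extension would need to declare, not a copy of the real one.

```python
import json
import sys
import tempfile
from pathlib import Path

# Manifest keys that let an extension change the browser settings the article
# mentions (homepage, startup pages, default search, new tab page).
SETTINGS_KEYS = {
    "chrome_settings_overrides": "can replace homepage / search provider / startup pages",
    "chrome_url_overrides": "can replace the new tab page",
}

# Permissions that grant the capabilities needed for session monitoring,
# token theft and forced redirects.  A colour picker needs none of these.
SENSITIVE_PERMISSIONS = {
    "cookies": "can read session cookies / auth tokens",
    "webNavigation": "is notified of every page navigation",
    "webRequest": "can observe network requests",
    "webRequestBlocking": "can modify or redirect requests",
    "declarativeNetRequest": "can redirect or block requests via rules",
    "tabs": "can read tab URLs and close/redirect tabs (including settings pages)",
    "history": "can read browsing history",
}

# Host patterns that mean "run on every site", as opposed to activeTab.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Return a report listing risky declarations found in one manifest."""
    findings = []
    for key, why in SETTINGS_KEYS.items():
        if key in manifest:
            findings.append(f"manifest key '{key}': {why}")
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in sorted(perms & set(SENSITIVE_PERMISSIONS)):
        findings.append(f"permission '{perm}': {SENSITIVE_PERMISSIONS[perm]}")
    hosts = perms | set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: runs on every site, not only the active tab")
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "findings": findings,
    }


def scan_extensions_dir(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each one."""
    reports = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        report = assess_manifest(manifest)
        report["id"] = manifest_path.parts[-3]  # directory name is the extension ID
        reports.append(report)
    return reports


# Constructed sample manifests: what a benign colour picker declares, and what
# an extension would need to declare to do what the article describes.
BENIGN_COLOR_PICKER = {
    "manifest_version": 3,
    "name": "Demo Color Picker (constructed)",
    "version": "1.0",
    "permissions": ["activeTab"],
}
HIJACKER_LIKE = {
    "manifest_version": 3,
    "name": "Demo Color Picker (constructed, after malicious update)",
    "version": "1.1",
    "permissions": ["cookies", "tabs", "webNavigation"],
    "host_permissions": ["<all_urls>"],
    "chrome_settings_overrides": {
        "search_provider": {
            "name": "Fake Search (constructed)",
            "search_url": "https://example.invalid/?q={searchTerms}",
            "is_default": True,
        }
    },
    "chrome_url_overrides": {"newtab": "newtab.html"},
}


def build_demo_profile(root: Path) -> Path:
    """Write the two constructed manifests in Chrome's Extensions layout."""
    ext_dir = root / "Extensions"
    for ext_id, manifest in (("a" * 32, BENIGN_COLOR_PICKER), ("b" * 32, HIJACKER_LIKE)):
        version_dir = ext_dir / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_dir


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_dir(build_demo_profile(Path(tmp)))


if __name__ == "__main__":
    # Pass a real Extensions directory as argv[1] (e.g. on Linux
    # ~/.config/google-chrome/Default/Extensions); otherwise run on the demo.
    reports = scan_extensions_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for r in reports:
        status = "REVIEW" if r["findings"] else "ok"
        print(f"[{status}] {r['id']} {r['name']} v{r['version']}")
        for finding in r["findings"]:
            print("    -", finding)
```

The point of the scan is not that any single permission is proof of malice, but that a tool whose stated job is picking colours has no reason to declare search-provider overrides, cookie access or all-site host access; a version whose manifest gains those after an update is exactly the pattern this incident shows, and the version directory name lets you compare what changed. In managed environments the same triage feeds Chrome's ExtensionInstallBlocklist policy, which blocks an extension by ID regardless of what the user can still reach in the settings UI.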

Challenges in Mitigation

One of the most concerning aspects of this incident is the extension’s persistence. Many affected users reported difficulty in removing the extension or restoring their browser settings, as the malware actively obstructed access to Chrome’s settings and extension management tools.