Massive Data Breach: 108 Malicious Chrome Extensions Compromise Google and Telegram Accounts
In a significant cybersecurity incident, researchers have identified a coordinated campaign involving 108 malicious Google Chrome extensions designed to steal user data and manipulate browser behavior. These extensions, collectively installed approximately 20,000 times, pose a substantial threat to user privacy and security.
Discovery and Analysis
The cybersecurity firm Socket uncovered this campaign, noting that all 108 extensions communicate with a common command-and-control (C2) infrastructure. This centralized control allows attackers to collect sensitive user information and inject arbitrary JavaScript code into every webpage visited by the user. The extensions are published under five distinct identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt.
Malicious Activities
The identified extensions engage in various nefarious activities, including:
– Google Account Identity Theft: Fifty-four extensions are designed to steal Google account identities via OAuth2, capturing details such as email addresses, full names, profile pictures, and unique account identifiers.
– Universal Backdoor Implementation: Forty-five extensions contain a backdoor that opens arbitrary URLs upon browser startup, allowing attackers to load malicious sites without user consent.
– Telegram Session Hijacking: Certain extensions exfiltrate Telegram Web session data every 15 seconds, enabling attackers to hijack active sessions and impersonate users.
– Security Header Manipulation: Some extensions strip security headers from YouTube and TikTok, such as Content Security Policy and X-Frame-Options, to inject gambling overlays and advertisements.
– Content Script Injection: Several extensions inject scripts into every webpage visited, potentially altering content or capturing additional user data.
– Translation Request Interception: A subset of extensions proxies all translation requests through attacker-controlled servers, allowing for data interception and manipulation.
Examples of Malicious Extensions
Among the identified extensions are:
– Telegram Multi-account (ID: obifanppcpchlehkjipahhphbcbjekfa): This extension extracts the user_auth token from Telegram Web and transmits it to a remote server. It can also overwrite local storage with attacker-supplied session data, effectively replacing the victim’s active Telegram session.
– Web Client for Telegram – Teleside (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno): This extension removes Telegram’s security headers and injects scripts to steal session data.
– Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj): Upon the user’s first sign-in, this extension captures Google account information, including email, full name, profile picture URL, and account identifier.
Technical Insights
Five of the extensions use Chrome's declarativeNetRequest API, whose modifyHeaders rules can remove or rewrite response headers before the page renders, to strip security headers from the target sites and so clear the way for injected content. All 108 extensions share a common backend hosted at the IP address 144.126.135[.]238. Analysis of the source code reveals Russian-language comments, suggesting a possible origin or influence.
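As an added illustration (not code from the article or from Socket), the following Python audit script reads an unpacked extension's manifest.json, loads every static declarativeNetRequest ruleset it declares, and flags rules whose modifyHeaders action removes or overwrites a security response header, which is exactly the technique described above. The manifest and ruleset it checks are constructed samples, not files from any of the 108 extensions.

```python
import json
import tempfile
from pathlib import Path

# Response headers the campaign removed (CSP, X-Frame-Options) plus two more
# whose removal from a response likewise weakens the site's own defenses.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options",
                    "content-security-policy-report-only", "strict-transport-security"}
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def header_stripping_rules(rules):
    """(rule id, header, urlFilter) for each rule that removes/overwrites a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for mod in action.get("responseHeaders", []):
            name = mod.get("header", "").lower()
            if name in SECURITY_HEADERS and mod.get("operation") in ("remove", "set"):
                hits.append((rule["id"], name, rule.get("condition", {}).get("urlFilter", "*")))
    return hits

def audit_extension(ext_dir):
    """Read manifest.json and every static ruleset under declarative_net_request.rule_resources."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    hits = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        hits.extend(header_stripping_rules(json.loads((ext_dir / res["path"]).read_text())))
    return {"dnr_permissions": sorted(set(manifest.get("permissions", [])) & DNR_PERMISSIONS),
            "findings": hits}

def demo():
    """Constructed sample, not a real extension: rule 1 strips CSP and X-Frame-Options on youtube.com."""
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "permissions": ["declarativeNetRequest"],
                "declarative_net_request": {"rule_resources": [
                    {"id": "rs1", "enabled": True, "path": "rules.json"}]}}
    rules = [{"id": 1, "priority": 1, "condition": {"urlFilter": "||youtube.com"},
              "action": {"type": "modifyHeaders", "responseHeaders": [
                  {"header": "Content-Security-Policy", "operation": "remove"},
                  {"header": "X-Frame-Options", "operation": "remove"}]}},
             {"id": 2, "priority": 1, "condition": {"urlFilter": "||ads.example"},
              "action": {"type": "block"}}]  # benign rule, must not be flagged
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "manifest.json").write_text(json.dumps(manifest))
        (Path(d) / "rules.json").write_text(json.dumps(rules))
        return audit_extension(d)
```

Point audit_extension at any unpacked extension directory (for example a profile's Extensions/<id>/<version> folder) to review its static rulesets; dynamic rules added at runtime are not visible in these files and need a separate check.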
Implications and Recommendations
The discovery of these malicious extensions underscores the persistent threats posed by seemingly benign browser add-ons. Users are advised to:
1. Immediate Removal: Uninstall any of the identified extensions to prevent further data compromise.
2. Session Management: Log out of all active Telegram Web sessions via the Telegram mobile app to secure accounts.
3. Vigilant Installation Practices: Scrutinize browser extensions before installation, paying close attention to permissions requested and the credibility of the publisher.
4. Regular Security Audits: Periodically review installed extensions and browser settings to detect and remove any unauthorized or suspicious add-ons.
Broader Context
This incident is part of a larger trend of malicious browser extensions compromising user security. Previous campaigns have involved extensions hijacking sessions, stealing credentials, and injecting ads. For instance, in May 2025, over 100 fake Chrome extensions were found to be hijacking sessions and stealing credentials. Similarly, in December 2024, dozens of Chrome extensions were hacked, exposing millions of users to data theft. These recurring incidents highlight the need for continuous vigilance and robust security measures when using browser extensions.
Conclusion
The identification of these 108 malicious Chrome extensions serves as a stark reminder of the evolving tactics employed by cybercriminals. Users must exercise caution when installing browser extensions and remain proactive in managing their digital security to mitigate potential risks.