These 108 Malicious Chrome Extensions Are Stealing Google and Telegram Data

Lifehacker technology

Key Points:

  • Cybersecurity researchers from Socket's Threat Research Team discovered 108 malicious Google Chrome extensions that steal login credentials, user IDs, and browsing data, all controlled by a single operator despite being published under five different developer names.
  • These extensions, collectively installed around 20,000 times, span categories like Telegram sidebar clients, gambling games, YouTube and TikTok enhancers, page utilities, and a text translation tool, all delivering advertised features while secretly running malicious activities.
  • Key malicious behaviors include stealing Telegram Web sessions every 15 seconds, leaking Google account identity details upon sign-in, injecting HTML code, opening arbitrary URLs, and removing security measures on YouTube and TikTok to inject gambling ads.
  • Users are advised to check for these extensions, log out of Telegram Web sessions if affected, review Google third-party app permissions, and exercise caution when installing new extensions, especially those requiring sensitive information or with poor reviews.
  • A complete list of the malicious extensions and their Chrome Extension IDs is available in Socket's report for users to verify and remove compromised extensions.
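The check advised in the last two points can be scripted. The following is an added example, not code from the article or from Socket's report: it walks a Chrome user-data directory and reports installed extensions whose IDs appear in a blocklist file. It assumes Chrome's on-disk layout (`<User Data>/<profile>/Extensions/<id>/<version>/manifest.json`) and a text file of IDs that the reader copies from the report; no real IDs are included here, and the function names are hypothetical.

```python
import json
import re
import sys
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"[a-p]{32}")

def load_blocklist(text):
    """Parse one extension ID per line; skip blanks, '#' comments and malformed lines."""
    ids = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if ID_RE.fullmatch(token):
            ids.add(token)
    return ids

def installed_extensions(user_data_dir):
    """Yield (profile, ext_id, version_dir, name) for each extension version on disk."""
    for ext_root in Path(user_data_dir).glob("*/Extensions"):
        for ext_dir in (ext_root.iterdir() if ext_root.is_dir() else []):
            if not ID_RE.fullmatch(ext_dir.name):
                continue  # skips Chrome's own temp folders and stray files
            for manifest in ext_dir.glob("*/manifest.json"):
                try:
                    data = json.loads(manifest.read_text(encoding="utf-8-sig"))
                    # name may be a localisation placeholder such as __MSG_appName__
                    name = data.get("name", "?") if isinstance(data, dict) else "?"
                except (OSError, ValueError):
                    name = "?"  # unreadable manifest: still report the ID
                yield ext_root.parent.name, ext_dir.name, manifest.parent.name, name

def find_flagged(user_data_dir, blocklist):
    """Return the sorted list of installed extensions whose ID is in the blocklist."""
    return sorted(h for h in installed_extensions(user_data_dir) if h[1] in blocklist)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_ext.py <chrome-user-data-dir> <blocklist.txt>")
    ids = load_blocklist(Path(sys.argv[2]).read_text(encoding="utf-8"))
    for profile, ext_id, version, name in find_flagged(sys.argv[1], ids):
        print(f"FLAGGED profile={profile} id={ext_id} version={version} name={name}")
```

A match means the extension should be removed in every listed profile, followed by the Telegram Web logout and Google third-party access review described above.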
