Carnegie Mellon University

Google Chrome Extensions Vulnerabilities


WHAT HAPPENED


In late December 2024, researchers discovered more than 30 browser extensions hosted on the Google Chrome Web Store that were thought to be malicious. Of the 30+ extensions, 20 stole credentials and session cookies via injected malicious code. The maintainers of those 20 extensions had their Chrome Web Store developer credentials phished, allowing the threat actor to publish the maliciously modified extensions through Google’s infrastructure. The others enabled web tracking via a legitimate third-party monetization library that, although dubious, was in compliance with Google’s policies. The 20 Malicious Credential Stealing Extensions have since been updated to known-good code or removed from the Chrome Web Store.


WHAT ISO HAS DONE


The ISO analyzed historical network and endpoint (EPDR, a.k.a. CrowdStrike) telemetry to identify affected machines that connected to the campus network and/or were running CrowdStrike. Notifications were sent to the affected machine owners with instructions to update or remove the malicious extensions, to change their Andrew account password, and to change any other passwords entered into the Google Chrome browser. ISO continues to monitor for, and notify on, new connections that would indicate use of the malicious extensions.


ISO requested that the Desktop Support Program (DSP) apply Google Chrome policies to DSP-managed machines to block the malicious extensions that were withdrawn from the Chrome Web Store without being updated.


WHAT YOU SHOULD DO


  1. Foundation Services customers should implement the Google Chrome extension blocking policies per the instructions from Foundation Services. See Foundation Services: Blocking Tainted Browser Extensions.

  2. If not using Foundation Services, see the following references for how to implement the Google Chrome extension blocking policies:

     Consult the Policy Block Implemented column of the Malicious Credential Stealing Extensions table (see below) for the five extensions that were withdrawn from the Chrome Web Store without being updated and need to be blocked.

  3. For non-domain-joined machines, make sure that all Google Chrome extensions are updated and/or delete any that you do not need. The following link contains instructions on locating, updating and deleting extensions: Chrome Web Store Help - Install and manage extensions

  4. If you still have any of the specific extension name and version combinations from Malicious Credential Stealing Extensions (see below), remove them.

  5. If you think that your browser had one or more of the malicious extensions (see list below):
    • Change your Andrew account password using a different browser by visiting https://identity.andrew.cmu.edu
    • Change any other passwords entered into the Google Chrome browser
    • Inform the ISO (iso-ir@andrew.cmu.edu, 412-268-2044) so that we can determine whether any additional actions might be necessary

Any questions or comments can be directed to the Computing Services Help Center (it-help@cmu.edu).


MALICIOUS CREDENTIAL STEALING EXTENSIONS


| Extension Name | ID | Version | Policy Block Implemented |
| --- | --- | --- | --- |
| VPNCity | nnpnnpemnckcfdebeekibpiijlicmpom | 2.0.1 | |
| Parrot Talks | kkodiihpgodmdankclfibbiphjkfdenh | 1.16.2 | |
| Uvoice | oaikpkmjciadfpddlpjjdapglcihgdle | 1.0.12 | |
| Internxt VPN | dpggmcodlahmljkhlmpgpdcffdaoccni | 1.1.1 | |
| Bookmark Favicon Changer | acmfnomgphggonodopogfbmkneepfgnh | 4.00 | |
| Castorus | mnhffkhmpnefgklngfmlndmkimimbphc | 4.40 | Yes |
| Wayin AI | cedgndijpacnfbdggppddacngjfdkaca | 0.0.11 | |
| Search Copilot AI Assistant for Chrome | bbdnohkpnbkdkmnkddobeafboooinpla | 1.0.1 | Yes |
| VidHelper - Video Downloader | egmennebgadmncfjafcemlecimkepcle | 2.2.7 | |
| AI Assistant - ChatGPT and Gemini for Chrome | bibjgkidgpfbblifamdlkdlhgihmfohh | 0.1.3 | Yes |
| TinaMind - The GPT-4o-powered AI Assistant! | befflofjcniongenjmbkgkoljhgliihe | 2.13.0 | |
| Bard AI chat | pkgciiiancapdlpcbppfkmeaieppikkk | 1.3.7 | Yes |
| Reader Mode | llimhhconnjiflfimocjggfjdlmlhblm | 1.5.7 | |
| Primus (prev. PADO) | oeiomhmbaapihbilkfkhmlajkeegnjhe | 3.18.0 | |
| Cyberhaven security extension V3 | pajkjnmeojmbapicmbpliphjmcekeaac | 24.10.4 | |
| GraphQL Network Inspector | ndlbedplllcgconngcnfmkadhokfaaln | 2.22.6 | |
| GPT 4 Summary with OpenAI | epdjhgbipjpbbhoccdeipghoihibnfja | 1.4 | Yes |
| Vidnoz Flex - Video recorder & Video share | cplhlgabfijoiabgkigdafklbhhdkahj | 1.0.161 | |
| YesCaptcha assistant | jiofmdifioeejeilfkpegipdjiopiekl | 1.1.61 | |
| Proxy SwitchyOmega (V3) | hihblcmlaaademjlakdpicchbjnnnkbo | 3.0.2 | |
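As an added example (not ISO's or Google's own tooling), the following script checks an installed Chrome profile against the table above, distinguishing a listed ID that is still at its tainted version from one that has already moved to a known-good release. It assumes Chrome's on-disk layout of <profile>/Extensions/<id>/<version>_<n>/manifest.json; the ID and version pairs are copied from the table.

```python
import json
from pathlib import Path

# (ID, version) pairs copied from the table above; later releases of these IDs are known-good.
MALICIOUS_VERSIONS = {
    "nnpnnpemnckcfdebeekibpiijlicmpom": "2.0.1",    # VPNCity
    "kkodiihpgodmdankclfibbiphjkfdenh": "1.16.2",   # Parrot Talks
    "oaikpkmjciadfpddlpjjdapglcihgdle": "1.0.12",   # Uvoice
    "dpggmcodlahmljkhlmpgpdcffdaoccni": "1.1.1",    # Internxt VPN
    "acmfnomgphggonodopogfbmkneepfgnh": "4.00",     # Bookmark Favicon Changer
    "mnhffkhmpnefgklngfmlndmkimimbphc": "4.40",     # Castorus
    "cedgndijpacnfbdggppddacngjfdkaca": "0.0.11",   # Wayin AI
    "bbdnohkpnbkdkmnkddobeafboooinpla": "1.0.1",    # Search Copilot AI Assistant for Chrome
    "egmennebgadmncfjafcemlecimkepcle": "2.2.7",    # VidHelper - Video Downloader
    "bibjgkidgpfbblifamdlkdlhgihmfohh": "0.1.3",    # AI Assistant - ChatGPT and Gemini for Chrome
    "befflofjcniongenjmbkgkoljhgliihe": "2.13.0",   # TinaMind - The GPT-4o-powered AI Assistant!
    "pkgciiiancapdlpcbppfkmeaieppikkk": "1.3.7",    # Bard AI chat
    "llimhhconnjiflfimocjggfjdlmlhblm": "1.5.7",    # Reader Mode
    "oeiomhmbaapihbilkfkhmlajkeegnjhe": "3.18.0",   # Primus (prev. PADO)
    "pajkjnmeojmbapicmbpliphjmcekeaac": "24.10.4",  # Cyberhaven security extension V3
    "ndlbedplllcgconngcnfmkadhokfaaln": "2.22.6",   # GraphQL Network Inspector
    "epdjhgbipjpbbhoccdeipghoihibnfja": "1.4",      # GPT 4 Summary with OpenAI
    "cplhlgabfijoiabgkigdafklbhhdkahj": "1.0.161",  # Vidnoz Flex - Video recorder & Video share
    "jiofmdifioeejeilfkpegipdjiopiekl": "1.1.61",   # YesCaptcha assistant
    "hihblcmlaaademjlakdpicchbjnnnkbo": "3.0.2",    # Proxy SwitchyOmega (V3)
}


def classify(ext_id, version):
    """'malicious': listed ID at its tainted version; 'updated': listed ID at any other version."""
    tainted = MALICIOUS_VERSIONS.get(ext_id)
    if tainted is None:
        return "clean"
    return "malicious" if version == tainted else "updated"


def scan_profile(profile_dir):
    """Return {ext_id: (version, verdict)} for every listed ID found in a Chrome profile.

    Assumes Chrome's on-disk layout <profile>/Extensions/<id>/<version>_<n>/manifest.json.
    """
    hits = {}
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        version = json.loads(manifest.read_text(encoding="utf-8")).get("version", "")
        verdict = classify(ext_id, version)
        if verdict != "clean":
            hits[ext_id] = (version, verdict)
    return hits
```

Point scan_profile at a Chrome profile directory (for example the Default profile under the Chrome user data directory); an "updated" verdict still means the extension was present at some point, so the password-change steps above apply.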