This PDF Chrome extension might contain malware

The extension could be used to access every web page you currently have open in your browser.
chrome browser icons
Growtika / Unsplash

Share

This post has been updated. It was originally published on June 1, 2023.

An independent security researcher has found malicious code in 18 Chrome extensions currently available in the Chrome Web Store. Combined, the extensions have over 57 million active users. It’s yet more evidence that Chrome extensions need to be evaluated with a critical eye. 

Chrome extensions are apps built on top of Google Chrome that allow you to add extra features to your browser. The tasks that this customizable feature can do are wide-ranging, but some popular extensions can auto-fill your password, block ads, enable one-click access to your todo list, or change how a social media site looks. Unfortunately, because Chrome extensions are so powerful and can have a lot of control over your browsing experience, they are a popular target for hackers and other bad actors. 

Earlier this month, independent security researcher Wladimir Palant discovered code in a browser extension called PDF Toolbox that allows it to inject malicious JavaScript code into any website you visit. The extension purports to be a basic PDF processor that can do things like convert other documents to PDF, merge two PDFs into one, and download PDFs from open tabs. 

It’s that last feature that leaves PDF Toolbox open for bad intentions. Google requires extension developers to only use the minimum permissions necessary. In order to download PDFs from tabs that aren’t currently active, PDF Toolbox has to be able to access every web page you currently have open. Without this feature, it would not be able to pseudo-legitimately access your browser to the same extent.

While PDF Toolbox seemingly can do all the PDF tasks it claims to be able to, it also downloads and runs a JavaScript file from an external website which could contain code to do almost anything, including capture everything you type into your browser, redirect you to fake websites, and take control of what you see on the web. By making the malicious code resemble a legitimate API call, obfuscating it so that it’s hard to follow, and delaying the malicious call for 24 hours, PDF Toolbox has been able to avoid being removed from the Chrome Web Store by Google since it was last updated in January 2022. (It is still available there at the time of writing, despite Palant lodging a report about its malicious code.) 

Palant had no way of confirming what the malicious code in PDF Toolbox did when he first discovered it. However yesterday, he disclosed 17 more browser extensions that use the same trick to download and run a JavaScript file. These include Autoskip for Youtube, Crystal Ad block, Brisk VPN, Clipboard Helper, Maxi Refresher, Quick Translation, Easyview Reader view, Zoom Plus, Base Image Downloader, Clickish fun cursors, Maximum Color Changer for Youtube, Readl Reader mode, Image download center, Font Customizer, Easy Undo Closed Tabs, OneCleaner, and Repeat button, though it is likely that there are other infected extensions. These were only the ones that Palant found in a sample of approximately 1,000 extensions.

In addition to finding more affected extensions, Palant was able to confirm what the malicious code was doing (or at least had done in the past). The extensions were redirecting users’ Google searches to third-party search engines, likely in return for a small affiliate fee. By infecting millions of users, the developers could rake in a tidy amount of profit. 

Unfortunately, code injection is code injection. Just because the malicious JavaScript fairly harmlessly redirected Google searches to alternative search engines in the past, doesn’t mean that it does so today. “There are way more dangerous things one can do with the power to inject arbitrary JavaScript code into each and every website,” writes Palant.

And what kind of dangerous things are those? Well, the extensions could be collecting browser data, adding extra ads to every web page someone visits, or even recording online banking credentials and credit card numbers. Malicious JavaScript running unchecked in your web browser can be incredibly powerful. 

If you have one of the affected extensions installed on your computer, you should remove it now. It’s also a good idea to do a quick audit of all the other extensions you have installed to make sure that you are still using them, and that they all look to be legitimate. If you not, you should remove them too. 

Otherwise, treat this as a reminder to always be vigilant for potential malware. For more tips on how to fight it, check out our guide on removing malware from your computer.

Update on June 2, 2023. A Google spokesperson said: “The Chrome Web Store has policies in place to keep users safe that all developers must adhere to. We take security and privacy claims against extensions seriously, and when we find extensions that violate our policies, we take appropriate action. These reported extensions have been removed from the Chrome Web Store.”

 

Win the Holidays with PopSci's Gift Guides

Shopping for, well, anyone? The PopSci team’s holiday gift recommendations mean you’ll never need to buy another last-minute gift card.