Malicious code in PDF Toolbox extension

[Gandalf_The_Grey]

Content source

https://palant.info/2023/05/16/malicious-code-in-pdf-toolbox-extension/

The PDF Toolbox extension for Google Chrome has more than 2 million users and an average rating of 4,2 in the Chrome Web Store. So I was rather surprised to discover obfuscated code in it that has apparently gone unnoticed for at least a year.

The code has been made to look like a legitimate extension API wrapper, merely with some convoluted logic on top. It takes a closer look to recognize unexpected functionality here, and quite some more effort to understand what it is doing.

This code allows serasearchtop[.]com website to inject arbitrary JavaScript code into all websites you visit. While it is impossible for me to tell what this is being used for, the most likely use is injecting ads. More nefarious uses are also possible however.

Malicious code in PDF Toolbox extension

PDF Toolbox extension (used by more than 2 million users) contains obfuscated malicious code, allowing serasearchtop[.]com website to inject arbitrary JavaScript code into all websites you visit.

palant.info

 

[ForgottenSeer 97327]

So I was rather surprised to discover obfuscated code in it that has apparently gone unnoticed for at least a year.

That is the worrying part of this good read, thanks GTG