Security News Popular Chrome Extension to Hide YouTube Shorts Turned Malicious

enaph

A Chrome extension titled “Hide YouTube Shorts,” used by 100,000 people, was recently discovered to secretly collect users' browser activity, raising serious concerns about user privacy on the Google Chrome Web Store.

Despite appearing to fulfill its stated purpose of hiding YouTube Shorts, the extension was caught transmitting detailed user data to an external server on AWS, potentially exposing numerous users to data theft and phishing attacks. The issue, brought to light by GitHub user ‘c0m4r’ investigating suspicious activity, highlights significant security gaps in Google's vetting of Chrome extensions.

Doing more than hiding YouTube Shorts

The extension's activity initially sparked suspicion when users began noticing unusual search suggestions on YouTube in various languages, seemingly disconnected from their search history. Further investigation into the extension's network activity revealed it was sending URLs, including specific paths and parameters, alongside other identifying information to a remote server on AWS. Detailed analysis uncovered that the extension was capturing sensitive browsing data, including a unique user ID, installation ID, timestamps, and potentially sensitive data from form entries.

After debugging the extension, c0m4r found that it was sending requests to a suspicious endpoint on AWS and redirecting some users to phishing sites. The extension's current version, 1.8.7, contains a script, background.js, which initiates these requests to an AWS-based API endpoint. Additionally, parts of the code reference an unfamiliar domain, “kra18.com,” which is associated with a potentially malicious DNS entry.

Image: Capturing users' browsing activity and sending it to an external server (credit: c0m4r | GitHub)

Ownership change

Originally developed by a GitHub user named “Probably Raging,” the extension was taken over by a different developer, Roni Shilop. The GitHub repository for the extension was archived in September 2023, and the extension's behavior changed shortly afterward, suggesting a malicious modification post-transfer.

During this transition, the extension adopted broader permissions, which allowed it to access and transmit all visited URLs. The new developer defended these permissions in public comments, disregarding user concerns and signaling possible intentional misuse.

Implications and user impact

The “Hide YouTube Shorts” extension's unauthorized data collection capabilities give it broad potential to exploit user information, from viewing history to sensitive credentials. Browser extensions, often granted high-level permissions, can read web traffic, access form data, and send out HTTP requests silently, even when set to specific pages like YouTube.

Since Google's Chrome Web Store does not currently monitor such permissions rigorously, malicious extensions like this can infiltrate browsers with minimal oversight, endangering user privacy.

The Chrome Web Store, serving millions, has previously come under scrutiny for hosting malicious extensions. Despite Google's promises to improve extension security, many users report that the Chrome Web Store lacks sufficient reporting mechanisms and security checks, unlike Mozilla's Addons Store.

In this case, the extension continued to collect data and attract users even after reviews indicated potential security issues, and is still listed on the Web Store.

Image: Multiple user reports on the Chrome Web Store from many months ago reporting malicious activity (credit: CyberInsider)

Defense measures and recommendations

For users who have installed the “Hide YouTube Shorts” extension, immediate action is recommended:

  1. Uninstall the extension immediately and delete its data if possible.
  2. Clear browser cache and cookies to remove potentially saved data.
  3. Change all passwords used since the extension's installation, especially for sensitive accounts.
  4. Enable multi-factor authentication for added security on important accounts.
  5. Monitor accounts closely for any unusual activity.

To avoid nasty surprises with extensions that change behavior following ownership transfers, consider installing the ‘Under New Management’ extension, which constantly monitors all other extensions installed on Chrome for such changes and alerts the user accordingly.
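
The article above says the extension adopted broader permissions after the ownership transfer, giving it access to all visited URLs. The following check is an added example, not part of the original post or of any tool named in it: it compares the manifests of two versions of an extension and reports newly requested API permissions and host patterns. The two manifests are constructed for illustration and are not the real extension's files.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry):
    """True for match patterns such as https://*.youtube.com/* or <all_urls>."""
    return entry == "<all_urls>" or "://" in entry


def access(manifest):
    """Split a manifest into (API permissions, host patterns).

    Manifest V2 mixes host patterns into "permissions"; V3 moves them to
    "host_permissions". Content-script matches also count as host access.
    """
    apis, hosts = set(), set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str):
                (hosts if is_host_pattern(entry) else apis).add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return apis, hosts


def permission_diff(old, new):
    """Report what an update added, and whether it now reaches all sites."""
    old_apis, old_hosts = access(old)
    new_apis, new_hosts = access(new)
    added_hosts = new_hosts - old_hosts
    return {
        "added_apis": sorted(new_apis - old_apis),
        "added_hosts": sorted(added_hosts),
        "newly_broad": sorted(added_hosts & BROAD_HOSTS),
    }


# Constructed manifests for illustration, not the real extension's files.
OLD = {"manifest_version": 3, "version": "1.0", "permissions": ["storage"],
       "content_scripts": [{"matches": ["https://www.youtube.com/*"], "js": ["hide.js"]}]}
NEW = {"manifest_version": 3, "version": "1.1", "permissions": ["storage", "tabs"],
       "host_permissions": ["<all_urls>"], "background": {"service_worker": "background.js"},
       "content_scripts": [{"matches": ["https://www.youtube.com/*"], "js": ["hide.js"]}]}

if __name__ == "__main__":
    print(json.dumps(permission_diff(OLD, NEW), indent=2))
```

A non-empty `newly_broad` list on an extension whose stated purpose concerns a single site is the change worth reviewing before accepting the update.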
 

Marko :)

Guys, remember... only download extensions that are open source, have a clearly written privacy policy and ask for reasonable permissions. Bonus is if they are recommended by Google or Mozilla. Otherwise, I prefer user-scripts.
 

Gandalf_The_Grey

More info here:
The affected extensions:

| Name | Weekly active users | Extension ID | Malicious functionality |
|---|---|---|---|
| Hide YouTube Shorts | 100,000 | aljlkinhomaaahfdojalfmimeidofpih | Affiliate fraud, browsing profile collection |
| DarkPDF | 40,000 | cfemcmeknmapecneeeaajnbhhgfgkfhp | Affiliate fraud, browsing profile collection |
| Sudoku On The Rocks | 1,000 | dncejofenelddljaidedboiegklahijo | Affiliate fraud |
| Dynamics 365 Power Pane | 70,000 | eadknamngiibbmjdfokmppfooolhdidc | Affiliate fraud, browsing profile collection |
| Israel everywhere | 70 | eiccbajfmdnmkfhhknldadnheilniafp | |
| Karma \| Online shopping, but better | 500,000 | emalgedpdlghbkikiaeocoblajamonoh | Browsing profile collection |
| Where is Cookie? | 93 | emedckhdnioeieppmeojgegjfkhdlaeo | |
| Visual Effects for Google Meet | 1,000,000 | hodiladlefdpcbemnbbcpclbmknkiaem | Affiliate fraud |
| Quick Stickies | 106 | ihdjofjnmhebaiaanaeeoebjcgaildmk | |
| Nucleus: A Pomodoro Timer and Website Blocker | 20,000 | koebbleaefghpjjmghelhjboilcmfpad | Affiliate fraud, browsing profile collection |
| Hidden Airline Baggage Fees | 496 | kolnaamcekefalgibbpffeccknaiblpi | Affiliate fraud |
| M3U8 Downloader | 100,000 | pibnhedpldjakfpnfkabbnifhmokakfb | Affiliate fraud |
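
To check a Chrome profile against the table above, the following scan is an added example, not part of the original post or the linked report. It walks a profile's `Extensions` directory, which Chrome lays out as `<id>/<version>/manifest.json`, and reports any of the listed IDs it finds; the directory path is supplied by the user.

```python
import json
import sys
from pathlib import Path

# Extension IDs and names as listed in the table above.
AFFECTED = {
    "aljlkinhomaaahfdojalfmimeidofpih": "Hide YouTube Shorts",
    "cfemcmeknmapecneeeaajnbhhgfgkfhp": "DarkPDF",
    "dncejofenelddljaidedboiegklahijo": "Sudoku On The Rocks",
    "eadknamngiibbmjdfokmppfooolhdidc": "Dynamics 365 Power Pane",
    "eiccbajfmdnmkfhhknldadnheilniafp": "Israel everywhere",
    "emalgedpdlghbkikiaeocoblajamonoh": "Karma | Online shopping, but better",
    "emedckhdnioeieppmeojgegjfkhdlaeo": "Where is Cookie?",
    "hodiladlefdpcbemnbbcpclbmknkiaem": "Visual Effects for Google Meet",
    "ihdjofjnmhebaiaanaeeoebjcgaildmk": "Quick Stickies",
    "koebbleaefghpjjmghelhjboilcmfpad": "Nucleus: A Pomodoro Timer and Website Blocker",
    "kolnaamcekefalgibbpffeccknaiblpi": "Hidden Airline Baggage Fees",
    "pibnhedpldjakfpnfkabbnifhmokakfb": "M3U8 Downloader",
}


def find_affected(extensions_dir):
    """Return (id, listed name, installed versions) for each affected ID found.

    Chrome unpacks extensions to <profile>/Extensions/<id>/<version>/, e.g.
    ~/.config/google-chrome/Default/Extensions for the default Linux profile.
    """
    root, hits = Path(extensions_dir), []
    if not root.is_dir():
        return hits
    for ext in sorted(root.iterdir()):
        if ext.name not in AFFECTED or not ext.is_dir():
            continue
        versions = []
        for vdir in sorted(ext.iterdir()):
            try:
                text = (vdir / "manifest.json").read_text(encoding="utf-8-sig")
                versions.append(str(json.loads(text)["version"]))
            except (OSError, ValueError, KeyError, TypeError):
                # Keep the directory name so the hit is still reported.
                versions.append(vdir.name + " (manifest unreadable)")
        hits.append((ext.name, AFFECTED[ext.name], versions))
    return hits


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    for ext_id, name, versions in find_affected(path):
        print(f"{ext_id}  {name}  versions: {', '.join(versions)}")
```

Run it once per browser profile, since each profile has its own `Extensions` directory.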
 

lokamoka820

> Guys, remember... only download extensions that are open source, have a clearly written privacy policy and ask for reasonable permissions. Bonus is if they are recommended by Google or Mozilla. Otherwise, I prefer user-scripts.

Exactly, this is why I don't use security extensions on my browsers, because browsers don't recommend them. I haven't come across a security extension on Firefox that has the badge of meeting Mozilla's standards yet.
 
