Cybersecurity experts have reported a coordinated attack involving 108 Google Chrome extensions that steal user data and hijack Telegram sessions. Researchers say these extensions have been installed approximately 20,000 times.
Cybersecurity researchers have uncovered a massive, coordinated campaign involving 108 Google Chrome extensions designed to steal user data, hijack Telegram sessions, and inject malicious code into web pages. The hacking operation, first reported by Hacker News, is said to have collectively amassed roughly 20,000 installs on the Chrome Web Store.
How were hackers stealing Google and Telegram data?
According to a report by security firm Socket, the extensions operate under five distinct publisher identities but secretly share a single command-and-control (C2) infrastructure. The researchers noted that while the extensions masquerade as legitimate tools such as Telegram sidebar clients, text translators, and slot machine games, they execute malicious scripts in the background.
"All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator," Socket security researcher Kush Pandya explained in the report.
Socket noted that 54 of the extensions targeted Google account identities and harvested details like email addresses and profile pictures via OAuth2 the moment a user attempts to sign in. Meanwhile, the researchers noted that 45 extensions contained a universal backdoor that forced the browser to silently open arbitrary URLs dictated by the attacker's server on startup.
Researchers further noted that the ‘most severe extension’ in the campaign is called 'Telegram Multi-account'. Targeting Telegram users, the extension secretly extracted active Telegram Web authentication tokens and exfiltrated the data to a remote server every 15 seconds.
This, the researchers warned, allowed attackers to take full control of an account without needing a password or two-factor authentication code.
"Five extensions use Chrome's declarativeNetRequest API to strip security headers from target sites before the page loads," Socket said in the blog post.
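A defender-side check for the header-stripping behaviour Socket describes, as an added example that is not from the article or Socket's report: it scans an unpacked extension's static declarativeNetRequest rule files for `modifyHeaders` rules that remove or overwrite response security headers. The function name, the header list and the sample manifest and rules are assumptions constructed for illustration.

```javascript
// Added example: static audit of an unpacked extension's declarativeNetRequest rules.
// The header list and the sample manifest/rules are constructed for illustration.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-frame-options", "x-content-type-options", "strict-transport-security",
  "cross-origin-opener-policy", "cross-origin-embedder-policy",
]);

// manifest: parsed manifest.json; ruleFiles: { "<path>": parsed rule array }
function auditHeaderStripping(manifest, ruleFiles) {
  const findings = [];
  const dnr = manifest.declarative_net_request || {};
  for (const res of dnr.rule_resources || []) {
    for (const rule of ruleFiles[res.path] || []) {
      const action = rule.action || {};
      if (action.type !== "modifyHeaders") continue;
      for (const h of action.responseHeaders || []) {
        const header = String(h.header || "").toLowerCase();
        // "remove" strips the header; "set" can overwrite it with a weaker value.
        if (SECURITY_HEADERS.has(header) && ["remove", "set"].includes(h.operation)) {
          const cond = rule.condition || {};
          findings.push({ file: res.path, ruleId: rule.id, header, operation: h.operation,
            scope: cond.urlFilter || cond.regexFilter || (cond.requestDomains || []).join(",") || "*" });
        }
      }
    }
  }
  // Rules can also be installed at runtime (updateDynamicRules / updateSessionRules),
  // which a static scan of rule files cannot see; report that capability separately.
  const runtimeRulesPossible = (manifest.permissions || []).some((p) =>
    p === "declarativeNetRequest" || p === "declarativeNetRequestWithHostAccess");
  return { findings, runtimeRulesPossible };
}

// Constructed sample: rule 1 strips two security headers, rule 2 only sets a request header.
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: "sample-extension (constructed)",
  permissions: ["declarativeNetRequest", "storage"],
  declarative_net_request: { rule_resources: [{ id: "r1", enabled: true, path: "rules.json" }] },
};
const SAMPLE_RULES = { "rules.json": [
  { id: 1, priority: 1, condition: { urlFilter: "||example.test", resourceTypes: ["main_frame"] },
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" }] } },
  { id: 2, priority: 1, condition: { urlFilter: "||example.test" },
    action: { type: "modifyHeaders", requestHeaders: [{ header: "dnt", operation: "set", value: "1" }] } },
] };
console.log(JSON.stringify(auditHeaderStripping(SAMPLE_MANIFEST, SAMPLE_RULES), null, 2));
```

An extension that holds the declarativeNetRequest permission but ships no static rule files still warrants a look at its background script for runtime rule updates.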
108 extensions named in the attack:

| Extension name |
| --- |
| Telegram Multi-account |
| Web Client for Telegram - Teleside |
| YouSide - Youtube Sidebar |
| Web Client for Youtube - SideYou |
| Web Client for TikTok |
| Text Translation |
| Page Locker |
| Page Auto Refresh |
| Web Client for Rugby Rush - SideGame |
| Formula Rush Racing Game |
| Piggy Prizes - Slot Machine |
| Slot Arabian |
| Frogtastic |
| Black Beard Slot Machine |
| Indian - Slot Machine |
| Mahjong Deluxe |
| Crazy Freekick |
| Slot Car Racing |
| Clear Cache Plus |
| Galactica Delux - Slot Machine |
| Speed Test for Chrome - WiFi SpeedTest |
| Game SkySpeedster |
| Master Chess |
| Hockey Shootout |
| Odds Of The Gods - Slot Machine |
| Billiards Pro |
| Three Card Poker |
| Donuts - Slot Machine |
| Archer - Slot Machine |
| Rugby Rush |
| Bingo |
| Web Client for game Cricket Batter Challenge |
| Slot Machine Zeus Treasures |
| Horse Racing |
| Aztec - Slot Machine |
| Straight 4 |
| Slot The Gold Pot |
| American Roulette Royale |
| Asia Slot |
| Web Client for game Drive Your Car |
| Jurassic Giants - Slot Machine |
| Street Basketball |
| Tarot Side Panel |
| Dragon Slayer - Slot Machine |
| Best Blackjack |
| Book Of Magic - Slot Machine |
| Snake - Slot Machine |
| Dice King - Classic Craps And Roll Game |
| Slot Ramses |
| Battleship War |
| Gold Miner 2 |
| Greyhound Racing - Dog Race Simulator |
| Hercules: Sports Legend |
| Flicking Soccer |
| Voodoo Magic - Slot Machine |
| Web Client for Hockey Shootout - SideGame |
| MASTER CHECKERS |
| Watercraft Rush |
| Car Rush |
| Video Poker Deuces Wild |
| Slot Machine Ultimate Soccer |
| Christmas Eve - Slot Machine |
| Columbus Voyage - Slot Machine |
| High or Low Casino Game |
| Goalkeeper Challenge |
| Tropical Beach - Slot Machine |
| BlackJack 3D |
| Web Client for game Classic Bowling |
| Raging Zeus Mines |
| Classic Backgammon |
| Slot Machine The Fruits |
| Baccarat |
| Mini Golf World |
| Gold Rush - Slot Machine |
| Pirat Slot |
| 40 Imperial Crown - Slot Machine |
| 3D Soccer Slot Machine |
| Premium Horse Racing |
| Tanks Game |
| Caribbean Stud Poker |
| Wild Buffalo - Slot Machine |
| Aqua - Slot Machine |
| Game Crypto Merge |
| Sherwood Forest - Slot Machine |
| Web Client for game Fatboy Dream |
| Lone Star Jackpots - Slot Machine |
| Hidden Kitty Game |
| Keno |
| Jokers Bonanza - Slot Machine |
| Penalty Kicks |
| Pai Gow Poker |
| Metal Calculator |
| Farm - Slot Machine |
| Rail Maze Puzzle |
| RED DOG CARD GAME |
| Coin Miner 2 |
| Black Ninja - Slot Machine |
| Pyramid Solitaire |
| Chrome Client for Downhill Ski - SideGame |
| Slot Machine Mr Chicken |
| Web Client for French Roulette - SideGame |
| 3D Roulette Casino Game |
| Slot Machine Space Adventure |
| Whack 'em All |
| Video Poker Jacks or Better |
| Swimming Pro |
| InterAlt |
| Gold of Egypt - Slot Machine |
How to stay safe?
For users who may be impacted by the attack, security experts at Socket recommend taking the following immediate steps:
- Review your browser and completely remove any of the 108 identified malicious extensions.
- If you used the compromised Telegram extensions, immediately log out of all active Telegram Web sessions using the 'Devices' menu in the Telegram mobile app.
- If you signed into any of these extensions using Google, treat your Google identity as exposed and revoke any unfamiliar third-party access in your account settings.
About the Author
Aman Gupta
Aman Gupta is a Digital Content Producer at LiveMint with over 3.5 years of experience covering the technology landscape. He specializes in artificial intelligence and consumer technology, reporting on everything from the ethical debates around AI models to shifts in the smartphone market.
His reporting is grounded in first-hand testing, independent analysis, and a focus on how technology impacts everyday users. He holds a PG Diploma in Radio and Television Journalism from the Indian Institute of Mass Communication, Delhi (Class of 2022).
Outside the newsroom, he spends his time reading biographies, hunting for the perfect coffee beans, or planning his next trip.
You can find Aman on LinkedIn (https://www.linkedin.com/in/aman-gupta-894180214) and on X at @nobugsfound (https://x.com/nobugsfound), or reach him via email at aman.gupta@htdigital.in.
