I recently reported how millions of Google Chrome users were being put at risk by dozens of fake browser extensions as part of an attack that replaced the genuine ones in order to bypass 2FA protections. If you thought that things couldn’t get much worse, you’d be wrong: new security and privacy analysis has revealed how hackers are manipulating Google’s search protections to expose hundreds of millions more users to malicious and potentially dangerous extensions. Here’s what you need to know.
How Hackers Manipulate Google Search To Distribute Dodgy Chrome Extensions
The wave of attacks towards the end of 2024 that replaced genuine Google Chrome web browser extensions with malicious duplicates capable of bypassing account 2FA protections used phishing to gain access to the developer accounts required to pull off the switch. Phishing is not, however, the only tactic being employed by dodgy extension threat actors.
As first reported by Dan Goodin at Ars Technica, security and privacy researcher Wladimir Palant has undertaken a deep-dive technical analysis of how Google’s search protections are being manipulated by hackers to ensure their potentially dangerous and definitely dodgy Chrome extensions are pushed to the top of the search results even when users are searching for a genuine and unrelated product.
“Apparently, some extension authors figured out that the Chrome Web Store search index is shared across all languages,” Palant said. Because adding the names of other products to the extension description risks being flagged as spam, hackers are instead stuffing descriptions with the keywords they want to exploit, in as many as 55 different languages. This means, dear reader, that the extension then “starts showing up for these keywords even when they are entered in the English version of the Chrome Web Store.”
Lost In Translation – How Chrome Extension Manipulators Use More Than Language Tricks
Although Palant found that all the extensions (go read the report to see the shockingly extensive list of those uncovered) used the translation technique to manipulate Google search results, this wasn’t the only trick in the Chrome extension hacking magic box. Most extensions combined a number of different approaches in a pick-and-mix attack methodology.
Here are the techniques that Palant spotted the most:
- Different extension name—most likely thanks to the Google Chrome Web Store search algorithm weighting extension names more than descriptions. “Many extensions will use slight variations of their original name depending on the language,” Palant said.
- Different short description—some extensions were found to contain different variations of their short description depending upon the language being used.
- Using competitors’ names—although this would appear to be unhelpful given Google’s rules on doing so, Palant observed some extensions renaming themselves after the competition in a different language, for example.
- Considerably more extensive extension description—taking advantage of messy translation management in the Chrome Web Store, according to Palant, some extensions use “a massive wall of text, often making little sense” which is extended with “a lengthy English passage.”
- Keywords at the end of extension description—often separated by empty lines, a long list of keywords and phrases is employed in different languages.
- Keywords within the extension description—this technique involves hiding keywords in the extension description by using slight variations of the same text or automated translations with “a bunch of (typically English) keywords in these translations.”
- Different extension description—“in a few cases,” Palant said, “the extension description just looked like a completely unrelated text.”
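For defenders vetting an extension before allow-listing it, the name, short-description and competitor-name tricks listed above can be checked in the extension package itself, because those two fields are translated through `_locales/<locale>/messages.json`. The following Python check is an added example, not code from Palant's analysis or from Google. It assumes a hypothetical watchlist of product names and uses constructed sample data with made-up names; the long store description is entered in the Web Store listing rather than the package, so it is out of scope here.

```python
import json
import re
from pathlib import Path

def load_locales(ext_dir):
    """Read every _locales/<locale>/messages.json of an unpacked extension."""
    return {f.parent.name: json.loads(f.read_text(encoding="utf-8"))
            for f in Path(ext_dir).glob("_locales/*/messages.json")}

def _message(messages, key):
    # Chrome treats message keys case-insensitively.
    for name, entry in messages.items():
        if name.lower() == key.lower():
            return entry.get("message", "")
    return ""

def audit_locales(manifest, locales, watchlist):
    """Return (locale, field, term) wherever a watchlisted product name shows up
    in a translated name/description but not in the default-locale text."""
    default = locales.get(manifest.get("default_locale", ""), {})
    hits = []
    for field in ("name", "description"):
        ref = re.fullmatch(r"__MSG_(\w+)__", manifest.get(field, ""))
        if not ref:
            continue  # field is a literal string, so it has no translations
        base = _message(default, ref.group(1)).lower()
        for locale in sorted(locales):
            text = _message(locales[locale], ref.group(1)).lower()
            for term in watchlist:
                if term.lower() in text and term.lower() not in base:
                    hits.append((locale, field, term))
    return hits

# Constructed sample data: every product name below is made up.
MANIFEST = {"default_locale": "en", "name": "__MSG_extName__",
            "description": "__MSG_extDesc__"}
LOCALES = {
    "en": {"extName": {"message": "Example Tab Tidy"},
           "extDesc": {"message": "Groups and closes idle tabs."}},
    "de": {"extName": {"message": "Example Tab Tidy"},
           "extDesc": {"message": "Gruppiert und schließt inaktive Tabs."}},
    "bn": {"extName": {"message": "AcmeVPN Free"},
           "extDesc": {"message": "Groups and closes idle tabs. acmevpn, ExampleBlocker"}},
}
WATCHLIST = ["AcmeVPN", "ExampleBlocker"]  # hypothetical list of known product names

if __name__ == "__main__":
    for hit in audit_locales(MANIFEST, LOCALES, WATCHLIST):
        print("locale=%s field=%s unexpected product name: %s" % hit)
```

For a real unpacked extension, pass the parsed `manifest.json` and the result of `load_locales()` on its directory in place of the sample data.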
Mitigating The Google Chrome Extension Attack Risk
Palant recommended that Google itself pushes back against the manipulation methods in the analysis by employing existing rules in the Chrome Web Store abuse policy. “There is also a possible technical solution here,” Palant said, “by making Chrome Web Store search index per language, Google could remove the incentives for this kind of manipulation. If search results for Bengali no longer show up in English-language searches, there is no point messing up the Bengali translation anymore.”
I have reached out to Google for a statement regarding the manipulation of Chrome extensions within search results.