A major security incident has come to light involving a family of Chrome browser extensions, collectively installed by over six million users, that have been found executing remote commands and potentially exposing sensitive user data.
The discovery, made by cybersecurity researcher John Tuckner, reveals a sophisticated network of at least 35 extensions leveraging excessive permissions, remote configuration, and obfuscated code to enable command-and-control capabilities within users’ browsers.
Unlisted and Hidden, Yet Widely Installed
The investigation began with the identification of “Fire Shield Extension Protection,” an unlisted Chrome extension boasting 300,000 users despite not being searchable in the Chrome Web Store.
Unlisted extensions, accessible only via direct URL, are often used by enterprise vendors for controlled distribution—but, as Tuckner notes, they can also be exploited for malicious purposes, making them difficult for security teams to detect.
Further analysis uncovered a network of related extensions, many masquerading as privacy tools, ad blockers, or search enhancers.
Despite their purported functions, the actual code was often minimal or missing, with the bulk of the logic devoted to gathering browser data and communicating with external servers.
Overbroad Permissions and Obfuscated Code
A deep dive into the extensions’ manifest files revealed a troubling pattern: requests for permissions far beyond what their stated functions required.
These included access to all URLs, cookies, browser tabs, and the ability to execute scripts—capabilities that, if abused, could allow for extensive surveillance and manipulation of user activity.
Analysis using Secure Annex AI flagged these extensions for their broad permissions, suspicious external URLs, and behaviors matching known spyware signatures.
The code was heavily obfuscated, further complicating efforts to ascertain its full capabilities. However, it was confirmed that the extensions regularly sent event data, such as user actions and browser “heartbeat” pings, to remote servers, with the potential for these servers to push new configurations or commands back to the extension.
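The manifest pattern described above can be checked mechanically. The script below is an added example, not part of the original report or of any tool mentioned in it: it flags a manifest whose permissions are out of proportion to a purported privacy tool or ad blocker, and computes a canonical hash of the requested permission set of the kind that links related extensions. The sample manifest and the list of sensitive permissions are constructed assumptions.

```python
import hashlib
import json

# Permissions that deserve a second look in a "privacy" or "ad blocker" extension.
# The list and descriptions are this example's own heuristic, not a Chrome API.
SENSITIVE_PERMISSIONS = {
    "cookies": "read/write cookies for any host in host_permissions",
    "tabs": "enumerate and inspect open tabs (URLs, titles)",
    "scripting": "inject scripts into pages",
    "webRequest": "observe HTTP requests and headers",
    "declarativeNetRequest": "rewrite or block network requests",
    "webNavigation": "track page navigations",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for an extension manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 keeps host patterns inside "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    for name in sorted(perms & SENSITIVE_PERMISSIONS.keys()):
        findings.append(f"sensitive permission '{name}': {SENSITIVE_PERMISSIONS[name]}")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script injected into every page")
    if "cookies" in perms and broad:
        findings.append("cookies + all hosts: can read session cookies for any site")
    return findings


def permission_fingerprint(manifest: dict) -> str:
    """Stable SHA-256 over the sorted permission set; equal hashes hint at shared tooling."""
    canonical = json.dumps({
        "permissions": sorted(set(manifest.get("permissions", []))),
        "host_permissions": sorted(set(manifest.get("host_permissions", []))),
    }, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample in the shape of the extensions described; not a real manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Shield Protection",
    "permissions": ["cookies", "tabs", "scripting", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print("-", line)
    print("fingerprint:", permission_fingerprint(SAMPLE_MANIFEST))
```

Run it over the manifests of installed extensions (unpacked under the browser profile directory) to triage which ones warrant a closer look; matching fingerprints across unrelated-looking extensions are a useful pivot.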
Command and Control via Remote Configuration
The most alarming finding was the extensions’ ability to be remotely reconfigured by external servers.
By manipulating user configuration parameters, such as setting a “vLvl” value to 5, researchers demonstrated that the extensions could be instructed to increase the level of tracking or activate new data collection routines—all without any visible change to the user.
This remote control mechanism, combined with the extensions’ broad permissions, enabled a range of invasive activities, including:
- Retrieving all cookies for any domain, potentially exposing authentication tokens and session data
- Setting long-lived tracking cookies across websites
- Intercepting sensitive HTTP headers, including authorization tokens
- Executing scripts within active browser tabs via embedded iframes
- Modifying search providers to redirect queries through affiliate networks for revenue generation
Widespread Impact and Ongoing Risk
The family of extensions—linked by common code patterns, callback domains, and even identical permission hashes—includes both obscure tools and more reputable offerings like “Cuponomia,” a Brazilian discount code extension.
While not all exhibited overtly malicious behavior, the presence of remote command execution and heavy tracking was consistent across the network.
Some extensions have been removed from the Chrome Web Store, but many remain active, with some even featured as “recommended” by Google.
The origins of their widespread installation remain unclear, though distribution via malicious ads or bundled software is suspected.