Bitcoin Forum

Other => Beginners & Help => Topic started by: Yaunfitda on June 20, 2020, 06:42:06 AM

Title: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Yaunfitda on June 20, 2020, 06:42:06 AM
Another reason why we shouldn't trust Google and Google’s Chrome Web Store.

We all know how 'poor' their services are, specially in the last couple of months wherein we saw tons of fake crypto related apps in web store. But this report should put Google in the limelight again as obviously, their services have been taken advantage of cyber criminals, regardless if it is state sponsored or just hacking groups milking crypto enthusiast.


Spying campaign tied to 15,000 malicious or suspicious domains uploaded data.

Browser extensions downloaded almost 33 million times from Google’s Chrome Web Store covertly downloaded highly sensitive user information, a security firm said on Thursday in a report that underscores lax security measures that continue to put Internet users at risk.

The extensions, which Google removed only after being privately notified of them, actively siphoned data such as screenshots, contents in device clipboards, browser cookies used to log in to websites, and keystrokes such as passwords, researchers from security firm Awake told me. Many of the extensions were modular, meaning once installed, they updated themselves with executable files, which in many cases were specific to the operating system they ran on. Awake provided additional details in this report.

Company researchers found that all 111 of the extensions it identified as malicious connected to Internet domains registered through Israel-based GalComm. The researchers eventually found more than 15,000 registered through GalComm hosting malicious or suspicious behavior. The malicious domains used a variety of evasion techniques to avoid being labeled as malicious by security products.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Upgrade00 on June 20, 2020, 08:28:02 AM
An important point in the link for users to note;
People should also periodically check their extensions page to check for notifications that have been removed or found to violate the browser maker’s terms of service. While there, remove any extensions that haven’t been used in a while or are no longer needed.
I usually don't use browser extensions and never use Google chrome services. They do very little on the area of security to verify which extensions they allow or which search result shows up on their page, while also accumulating user data and monitoring browsing behavior.
Some crypto users are still stuck with them, probably due to the ease of access and customization of browsing experience.
As a cryptocurrency user you would be safer using other privacy browsers such as TOR, or if it doesn't load properly on your device, you can take an advise I got on the forum;
Using TOR browser from mobile device is a huge pain in the ass, hence, Chrome from mobile.
You could use the Orbot app which routes all your mobile data through Tor, and then use a non-spyware browser like Firefox or DuckDuckGo.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Becky666 on June 20, 2020, 09:18:26 AM
^°°^ Thanks for the quote, this has been my issue since I Downloaded the Tor app. The app had never worked on my android phone. This time with the orbit am fine and happy surfing the internet.
Hope no much damages will done in respect to this breach of users sensitive informations. I still use chrome mewcx extension to access my ethereum wallet, hope am safe too?. Google should be proactive to bring to an end this stupid act from dubious individuals or groups that are reaping where they haven't sow.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: boyptc on June 20, 2020, 10:05:34 AM
The reason why I don't trust plugins and extensions is because of this. Whether you use google chrome or not, just be responsible when you download extensions because of them are fake and scam.

But it's best to choose a better browser.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: roberthays on June 20, 2020, 10:26:14 AM
Competitors of Chrome are arguably better options now. Every big browser has it's problems but Chrome has too many issues. I only use it for development purposes.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Chato1977 on June 20, 2020, 01:01:17 PM
Another reason why we shouldn't trust Google and Google’s Chrome Web Store.

We all know how 'poor' their services are, specially in the last couple of months wherein we saw tons of fake crypto related apps in web store. But this report should put Google in the limelight again as obviously, their services have been taken advantage of cyber criminals, regardless if it is state sponsored or just hacking groups milking crypto enthusiast.


Spying campaign tied to 15,000 malicious or suspicious domains uploaded data.

Browser extensions downloaded almost 33 million times from Google’s Chrome Web Store covertly downloaded highly sensitive user information, a security firm said on Thursday in a report that underscores lax security measures that continue to put Internet users at risk.

The extensions, which Google removed only after being privately notified of them, actively siphoned data such as screenshots, contents in device clipboards, browser cookies used to log in to websites, and keystrokes such as passwords, researchers from security firm Awake told me. Many of the extensions were modular, meaning once installed, they updated themselves with executable files, which in many cases were specific to the operating system they ran on. Awake provided additional details in this report.

Company researchers found that all 111 of the extensions it identified as malicious connected to Internet domains registered through Israel-based GalComm. The researchers eventually found more than 15,000 registered through GalComm hosting malicious or suspicious behavior. The malicious domains used a variety of evasion techniques to avoid being labeled as malicious by security products.
Chrome should be banned because this is not safe anymore,they are more on money than service.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: ethereumhunter on June 20, 2020, 03:04:11 PM
When it comes to the extension for the browser, I never installed it again because I have a bad experience by installing some extension. The extension contains a new search engine page that replacing the default search engine. Some of the extension has an advertisement that will show over and over while I am browsing. I don't have any problem with using Chrome without any extension, but I have another browser besides Chrome.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Jating on June 22, 2020, 09:22:12 AM
I think by now we should know that Google and majority of those extensions are really geared towards spying/stealing not just in crypto sphere. Heck even state sponsored hackers are using it to exploit and hack their 'enemies' that's why we really need to be careful what applications are we going to download from google store. We really don't know, from a simple calendar to tik-tok apps contains a very malicious malwares and viruses.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Lucius on June 22, 2020, 10:55:12 AM
If you’re wondering why hackers take Chrome users as an extremely popular target, then take a look at the following image :

Of course, this is because Chrome is still the most popular browser and thus has the largest user base. If we can conclude that most such users do not have a sense of any protection of their privacy, and that they may not even know that there are alternatives then such results are quite expected.
Using Chrome is in itself a bad choice, and downloading various plug-ins is just a continuation of that bad choice.

The solution can be very simple and consists of downloading Firefox, and not experimenting with plug-in/extensions. All you need is AdBlock and maybe a few more plugins that have a long-standing reputation.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: smyslov on June 22, 2020, 11:56:30 AM
After reading this I checked all the extensions I have installed and take some of it that I think could harm my browsing experienced I just retain a small number like Alexa extension to check the ranking of a site, and some extensions that I need to help me post.I may have to use other browser from now, 33 million downloads is such a big number.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: apoh6Shah on June 22, 2020, 12:07:30 PM
Chrome browser is considered one of the spy tools that Google uses to know more about you. Therefore, if you are interested in protecting your data, it is better to try any other browser or at least not to install any unnecessary additions.
Many browsers are built on the open source Chrome system. Do not use it too.
Do not download any plugins unless you are certain of them, and there was a reason for you to use them.
The more you reduce unnecessary programs, especially freebies, the more your chance to maintain your personal data.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Kakmakr on June 22, 2020, 12:51:13 PM
I have to say, I was one of the people who were irritated to say the least, when hardware wallet manufacturer, "Ledger" developed their own application to access their hardware wallet and they stopped supporting the browser App, but now I can see why they decided to do that.

Google are just in the business to collect people's data and then to sell it to make a profit. (Also sharing the info with 3letter agencies) They do not care about the security of their users, because they can blame a breach on third party application developers using their plugin/App functionality.  >:(

I seldom use Chrome for anything, because I know they collect massive amounts of private data. Firefox + Tor gives you some privacy.. but not all sites allow it.  ::)  

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: seoincorporation on June 22, 2020, 01:56:38 PM
It's sad to see how the main web browser doesn't care about the security on the extensions, i have see and i have reported tons of this kind of addons, and is a complex process to take them down. Too bad Google doesn't double-check the code before making it public. The only thing w ca do is to avoid installing unknown extensions.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: NavI_027 on June 22, 2020, 02:42:29 PM
Now I wonder what happened to my classmate who brag about his Cryptotab Chrome extension. He always telling us before that he can earn bitcoin passively lol. I guess he is f*cked up now unless he quit ;D.

Though I'm not using such extensions, I am quite alarmed as well because I'm currently using Chrome. I am aware of its security issues in the past but I chose to ignore because it's so hassle to install another one (my bad). I mean this app already installed here right after I bought it so why don't I use it? But I guess it's better to be late than sorry, I will now go back to Brave despite of its huge size.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: NeuroticFish on June 22, 2020, 03:06:19 PM
Google proved themselves careless on Andoid play store, more than once.
Seeing that they are careless with the extensions comes as no surprise, especially as we talk "only" about user's private data. Did they ever gave a sh*t about their users' privacy needs?

Maybe somebody who has lost mysteriously a big amount of Bitcoin can get a good lawyer and sue them. Maybe it was caused by his clipboard data going to 3rd party via some of those extensions.
(Of course, the problem is that nobody will be able to actually prove anything.)

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: Lucius on June 23, 2020, 10:18:28 AM
Google proved themselves careless on Andoid play store, more than once.

I would not call it carelessness, but business policy to make as much profit as possible with as little investment as possible. And what such big companies save the most on are people who should be the first line of defense when it comes to malicious apps or malicious ads that Google displays through its platform. Such work is largely left to AI, which is still far from being able to replace man to recognize good from bad. Such an attitude is widely used for abuse and it will not change so soon, so all risk of using extensions has been transferred to the user's back.

Maybe somebody who has lost mysteriously a big amount of Bitcoin can get a good lawyer and sue them.

Good luck to anyone who would engage in a legal battle with Google, because they have the best lawyers and a mountain of money to win every such lawsuit in their favor. Of course, there are those who sue Google, but these are mostly professional lawsuits ( that look for possible weak points in order to gain material benefits.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: NeuroticFish on June 23, 2020, 10:30:16 AM
Maybe somebody who has lost mysteriously a big amount of Bitcoin can get a good lawyer and sue them.

Good luck to anyone who would engage in a legal battle with Google, because they have the best lawyers and a mountain of money to win every such lawsuit in their favor. Of course, there are those who sue Google, but these are mostly professional lawsuits ( that look for possible weak points in order to gain material benefits.

I wrote that's hard to prove anything, isn't it?
The beauty is that such a lawsuit could damage Google's image even without proving anything, so they'll could find a way of settlement. (I don't know how big the chances are though, you are right that they probably have very good lawyers.)

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: joniboini on June 24, 2020, 10:15:36 AM
The beauty is that such a lawsuit could damage Google's image even without proving anything, so they'll could find a way of settlement. (I don't know how big the chances are though, you are right that they probably have very good lawyers.)

Google image is probably damaged just a little bit (if not at all). A better move would be to encourage more users to leave them altogether. But judging from how people comments on the internet, I honestly doubt most of us trust Google. It's just hard to find other alternatives or some are too lazy and believe they won't get the same problem. I certainly hope so.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: hatshepsut93 on June 24, 2020, 03:45:09 PM
Users often only look at the download count to determine if an app is trustworthy or not, but this example should clearly demonstrate that this is not sufficient at all. Ideally people should only install open-source extensions and apps that are signed by developers and were reviewed by community (because let's be honest, most users can't review any software by themselves).

It can also be a good idea to have multiple browsers, and use one for sensitive tasks, and others for entertainment, and don't install any extensions on the former.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: aioc on June 24, 2020, 04:24:56 PM
Users often only look at the download count to determine if an app is trustworthy or not, but this example should clearly demonstrate that this is not sufficient at all. Ideally people should only install open-source extensions and apps that are signed by developers and were reviewed by community (because let's be honest, most users can't review any software by themselves).

It can also be a good idea to have multiple browsers, and use one for sensitive tasks, and others for entertainment, and don't install any extensions on the former.

That's true another thing is the reviews, but those reviewers are not techie enough to look in the inner nature of the application these are just average users also and they cannot explore about the application, it's better to not install so many extensions and just retain those proven extensions that will not snooped on our privacy if you cannot stop using Chrome.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: pakhitheboss on June 24, 2020, 06:33:58 PM
Another reason why we shouldn't trust Google and Google’s Chrome Web Store.

We all know how 'poor' their services are, specially in the last couple of months wherein we saw tons of fake crypto related apps in web store. But this report should put Google in the limelight again as obviously, their services have been taken advantage of cyber criminals, regardless if it is state sponsored or just hacking groups milking crypto enthusiast.


Spying campaign tied to 15,000 malicious or suspicious domains uploaded data.

Browser extensions downloaded almost 33 million times from Google’s Chrome Web Store covertly downloaded highly sensitive user information, a security firm said on Thursday in a report that underscores lax security measures that continue to put Internet users at risk.

The extensions, which Google removed only after being privately notified of them, actively siphoned data such as screenshots, contents in device clipboards, browser cookies used to log in to websites, and keystrokes such as passwords, researchers from security firm Awake told me. Many of the extensions were modular, meaning once installed, they updated themselves with executable files, which in many cases were specific to the operating system they ran on. Awake provided additional details in this report.

Company researchers found that all 111 of the extensions it identified as malicious connected to Internet domains registered through Israel-based GalComm. The researchers eventually found more than 15,000 registered through GalComm hosting malicious or suspicious behavior. The malicious domains used a variety of evasion techniques to avoid being labeled as malicious by security products.

I think we should avoid Google chrome itself after the recent Google Chrome privacy goof up. You cannot believe Google at all but most of us use it because of it is easy to access all your data regardless of device. I have recently started using Brave and the new Microsoft edge, these two browsers are far better than Chrome.

Title: Re: Chrome extensions with 33 million downloads slurped sensitive user data
Post by: NeuroticFish on June 25, 2020, 07:10:44 AM
I think we should avoid Google chrome itself after the recent Google Chrome privacy goof up.

We should have done that long ago. Doing that is a very good step forward. I've done it too (quite late!) and I can tell that Firefox is a worthy replacement.
It may also worth reading #DeGoogle - Take back control of your privacy (

I have recently started using Brave and the new Microsoft edge, these two browsers are far better than Chrome.

I think that you are doing it wrong. I am almost sure that Microsoft has added its own tracking into Edge, also it's based on Chromium, meaning that's not really 100% free of Google.
Also, Brave is no longer the great thing to trust: New stupid/greedy move from Brave Browser (