How popular browser extensions became spying tools
Why companies should now take a closer look, and how they can protect themselves: What looks like a practical everyday tool (color picker, emoji keyboard, volume booster) can turn out to be a massive security risk. The latest large-scale attack campaign shows just how dangerous browser extensions have become.
Malicious code via update: millions affected
At least 18 Chrome and Edge extensions had been installed millions of times over the years: well rated, officially listed in the Chrome Web Store, inconspicuous. According to an Israeli security company, however, these add-ons were retrofitted with malicious code. The operation goes by the name “ReDirection”; over 2.3 million users are affected.
Particularly perfidious: the extensions were not malicious from the outset. They worked perfectly for a long time, collected good ratings — and thus enjoyed the trust of users. A single update was enough to turn them into tools for data theft and targeted redirects.
Our recommendation at DEFENDERBOX:
We help you identify exploitable security gaps! How? Find out how secure your company really is: get the DEFENDERBOX test now at the introductory price!
How the attack worked
The infected extensions analyzed every website visited, sent the data including the user ID to a remote server and redirected those affected to fake pages when certain triggers occurred, including:
- Deceptively real banking portals
- Alleged Zoom updates carrying malware
- Fake download pages
Although the extensions appeared to come from different developers with their own websites and brand names, the technical analysis showed that they all ran via a central infrastructure, a clear indication of a coordinated campaign that specifically exploits trust in well-known platforms such as the Chrome Web Store.
❌ You should remove these extensions immediately
- Emoji keyboard online — copy&paste your emoji
- Free Weather Forecast
- Volume Max — Ultimate Sound Booster
- Unlock Discord — VPN Proxy
- Color Picker, Eyedropper — Geco colorpick
- Dark Theme — Dark Reader for Chrome
- Youtube Unblocked
- SearchGPT — ChatGPT for Search Engine
What you should do now
Even though many of these extensions have since been removed from the stores, the underlying servers are, according to Koi Security, still active. The following therefore applies:
1. Check and delete extensions
→ Only use add-ons that you really need. If in doubt, remove them.
2. Delete browser data
→ This removes saved redirect URLs.
3. Scan the system with up-to-date antivirus software
4. Monitor online accounts
→ Report suspicious activity immediately.
5. Raise employee awareness
→ Especially with BYOD devices or hybrid working models.
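Step 1 above (check and delete extensions) and the "How the attack worked" section both come down to one question an administrator can actually automate: which installed extensions are on the removal list, and which ones hold the permissions that let an add-on read every page a user visits? The script below is an added example written for this article, not code from DEFENDERBOX or Koi Security. It assumes the usual Chromium profile layout (`<profile>/Extensions/<id>/<version>/manifest.json`, as used by Chrome and Edge), uses the extension names from the list above, and treats a small assumed set of permissions and host patterns as high risk. The Chrome enterprise policy keys it emits (`ExtensionInstallBlocklist`, `ExtensionInstallAllowlist`) are real policy names; the sample profile it scans is constructed inline so the example runs offline.

```python
import json
import tempfile
from pathlib import Path

# Extension names the article lists for removal (copied from the page above).
KNOWN_BAD_NAMES = {
    "Emoji keyboard online — copy&paste your emoji",
    "Free Weather Forecast",
    "Volume Max — Ultimate Sound Booster",
    "Unlock Discord — VPN Proxy",
    "Color Picker, Eyedropper — Geco colorpick",
    "Dark Theme — Dark Reader for Chrome",
    "Youtube Unblocked",
    "SearchGPT — ChatGPT for Search Engine",
}

# Permissions and host patterns that let an extension observe or modify every
# page a user visits, i.e. the capability the campaign relied on. This is an
# assumed starting set for triage, not a complete risk model.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "webNavigation", "tabs", "scripting", "cookies",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _norm(name: str) -> str:
    """Case- and dash-insensitive form so store names compare reliably."""
    return " ".join(name.lower().replace("\u2014", "-").replace("\u2013", "-").split())


_KNOWN_BAD_NORM = {_norm(n) for n in KNOWN_BAD_NAMES}


def scan_profile(profile_dir) -> list:
    """Inventory every extension under <profile>/Extensions/<id>/<version>/manifest.json."""
    findings = []
    for manifest in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        requested = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        for script in data.get("content_scripts", []):   # injected scripts also see page content
            requested.update(script.get("matches", []))
        risky = sorted(p for p in requested
                       if p in HIGH_RISK_PERMISSIONS or p in BROAD_HOST_PATTERNS)
        name = data.get("name", "")
        findings.append({
            "id": manifest.parent.parent.name,
            "version": manifest.parent.name,
            "name": name,            # "__MSG_*__" names are localized and will not match by string
            "known_bad": _norm(name) in _KNOWN_BAD_NORM,
            "risky": risky,
        })
    return findings


def build_allowlist_policy(findings) -> dict:
    """Draft managed policy: block all extensions, allow only IDs that are neither listed nor risky."""
    allowed = [f["id"] for f in findings if not f["known_bad"] and not f["risky"]]
    return {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": allowed}


def make_sample_profile() -> Path:
    """Constructed profile with three manifests (sample data, not real extensions)."""
    root = Path(tempfile.mkdtemp(prefix="profile-"))
    samples = {
        "a" * 32: {"manifest_version": 3, "name": "Example Notes", "version": "1.0",
                   "permissions": ["storage"]},
        "b" * 32: {"manifest_version": 3, "name": "Volume Max — Ultimate Sound Booster",
                   "version": "2.3", "permissions": ["webRequest", "tabs"],
                   "host_permissions": ["<all_urls>"]},
        "c" * 32: {"manifest_version": 2, "name": "Page Highlighter", "version": "0.9",
                   "permissions": ["storage"],
                   "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]},
    }
    for ext_id, manifest in samples.items():
        folder = root / "Extensions" / ext_id / manifest["version"]
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    profile = make_sample_profile()
    findings = scan_profile(profile)
    for f in findings:
        verdict = "REMOVE" if f["known_bad"] else ("REVIEW" if f["risky"] else "ok")
        print(f"{verdict:6} {f['id'][:8]}… {f['name']} v{f['version']} {f['risky']}")
    print(json.dumps(build_allowlist_policy(findings), indent=2))
```

Point `scan_profile` at a real profile directory to get a per-machine inventory; "REMOVE" rows match the list above, "REVIEW" rows hold page-wide access and deserve a second look even if their names are unremarkable, since the ReDirection add-ons were clean for years before the malicious update. The generated policy is a draft: review the "REVIEW" entries before deploying an allowlist, because blocking everything that is not explicitly allowed is exactly what stops a trusted extension's next update from becoming a problem.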
Conclusion: Small tools — big impact
The biggest vulnerability in this case was not a technical hole, but user trust. ReDirection shows how a harmless update can turn a useful browser tool into a digital bug — without any phishing or social engineering.
For companies, this means that browser extensions must become part of the IT security strategy. Policies, regular checks and technical protective measures should ensure that even seemingly small risks cannot cause major damage unnoticed.
Acting now will prevent the damage of tomorrow.