
Everyday tools as a security risk

Popular browser extensions become spying tools - not with DEFENDERBOX

How popular browser extensions became spying tools

Why companies should now take a closer look - and how they can protect themselves: What looks like a practical everyday tool - color picker, emoji keyboard, volume booster - can turn out to be a massive security risk. The latest case of a large-scale attack campaign shows just how dangerous browser extensions have become.

At least 18 Chrome and Edge extensions have been installed millions of times over the years - well rated, officially listed in the Chrome Web Store, unobtrusive. But according to an Israeli security company, these popular browser extensions are spying tools, because the add-ons have been retrofitted with malicious code. The operation goes by the name of "ReDirection" - over 2.3 million users are affected.

Particularly perfidious: the extensions were not malicious from the outset. They worked perfectly for a long time, collected good ratings - and thus enjoyed the trust of users. A single update was enough to turn them into tools for data theft and targeted redirects.

Our recommendation at DEFENDERBOX:

We support you in identifying exploitable security gaps! How? Find out how secure your company really is! Test the DEFENDERBOX now at the introductory price!

The infected extensions analyzed every website visited, sent the data including the user ID to a remote server and redirected those affected to fake pages when certain triggers occurred - including:

  • Deceptively real banking portals

  • Alleged Zoom updates with malware

  • Fake download pages

Although the extensions appeared to come from different developers with their own websites and brand names, the technical analysis showed that they all ran via a central infrastructure. This is a clear indication of a coordinated campaign that specifically exploits trust in well-known platforms such as the Chrome Web Store.

You should remove these extensions immediately

  • Emoji keyboard online - copy&paste your emoji

  • Free Weather Forecast

  • Volume Max - Ultimate Sound Booster

  • Unlock Discord - VPN Proxy

  • Color Picker, Eyedropper - Geco colorpick

  • Dark Theme - Dark Reader for Chrome

  • Youtube Unblocked

  • SearchGPT - ChatGPT for Search Engine

Even though many of these extensions have since been removed, the underlying servers are still active, according to Koi Security. The following steps therefore apply:

1. Check and delete extensions
→ Only use add-ons that you really need. If unsure, it is better to remove them.

2. Delete browser data
→ To remove saved redirect URLs.

3. Scan the system with up-to-date antivirus software

4. Monitor online accounts
→ Report suspicious activities immediately.

5. Raise employee awareness
→ Especially with BYOD devices or hybrid working models.
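
Step 1 can be scripted across many machines. The following is an added example, not code from this article, DEFENDERBOX or Koi Security: it inventories a Chromium profile's Extensions folder and marks entries whose display name matches the removal list above. It assumes the usual on-disk layout Extensions/<id>/<version>/manifest.json and compares names only, because the article lists no extension IDs, so a match is a prompt for manual review rather than proof.

```python
import json
import sys
from pathlib import Path

# Names copied from the removal list in this article (it gives no extension IDs).
FLAGGED_NAMES = [
    "Emoji keyboard online - copy&paste your emoji",
    "Free Weather Forecast",
    "Volume Max - Ultimate Sound Booster",
    "Unlock Discord - VPN Proxy",
    "Color Picker, Eyedropper - Geco colorpick",
    "Dark Theme - Dark Reader for Chrome",
    "Youtube Unblocked",
    "SearchGPT - ChatGPT for Search Engine",
]

def _norm(name):
    """Case- and whitespace-insensitive form used for comparison."""
    return " ".join(str(name).lower().split())

def display_name(version_dir, manifest):
    """Resolve the manifest 'name', following __MSG_key__ into _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        try:
            raw = json.loads(path.read_text(encoding="utf-8-sig"))
            messages = {k.lower(): v for k, v in raw.items()}  # keys are case-insensitive
            name = str(messages[name[6:-2].lower()]["message"])
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            pass  # keep the unresolved placeholder so the entry is still listed
    return name

def audit(extensions_dir):
    """Return (extension_id, version, name, flagged) per installed version."""
    flagged = {_norm(n) for n in FLAGGED_NAMES}
    rows = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            name, version = display_name(path.parent, manifest), manifest.get("version", "?")
        except (OSError, ValueError, AttributeError):
            name, version = "<unreadable manifest>", "?"  # report, never skip silently
        rows.append((path.parts[-3], version, name, _norm(name) in flagged))
    return rows

if __name__ == "__main__" and len(sys.argv) > 1:
    for ext_id, version, name, hit in audit(sys.argv[1]):
        print(f"{'REVIEW' if hit else 'ok    '}  {ext_id}  {version}  {name}")
```

Run it with the path of a profile's Extensions directory as the only argument; entries marked REVIEW should be checked by hand before removal, since unrelated extensions can share a name.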

Conclusion: Small tools - big impact

The biggest vulnerability in this case was not a technical hole, but user trust. ReDirection shows how a harmless-looking update can turn a useful browser tool into a digital eavesdropping bug - without any phishing or social engineering.

For companies, this means that browser extensions must become part of the IT security strategy. Policies, regular checks and technical protective measures should ensure that even seemingly small risks cannot cause major damage unnoticed.

Acting now will prevent the damage of tomorrow.
