Two Chrome extensions, QuickLens and ShotBird, recently transitioned to new ownership and were subsequently updated with malicious code. These compromised tools now allow attackers to bypass security headers, inject unauthorized scripts, and extract private data from nearly 8,000 users.
The security breach began after the original developer of QuickLens and ShotBird transferred ownership to unknown parties, leading to the immediate introduction of malicious updates. While QuickLens has been removed from the official store, ShotBird remains available despite the change in its underlying behavior. This shift in ownership has transformed once-useful developer tools into high-risk assets that can execute arbitrary code on any website a user visits.
Technical analysis of the updates reveals a sophisticated method for bypassing modern browser protections like Content Security Policy. By stripping security headers from incoming web traffic, the extensions allow malicious scripts to communicate with external domains without the user's knowledge. This capability effectively breaks the sandbox that usually keeps web browsing safe, opening the door for large-scale data harvesting and session hijacking.
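A defender can audit an unpacked extension for the header stripping described above. The following is an added example, not code from the extensions or from the original report. It assumes the stripping is implemented with Manifest V3 `declarativeNetRequest` `modifyHeaders` rules, which the article does not state; the manifest and rules are constructed samples.

```javascript
// Added defensive example: flag declarativeNetRequest rules that remove
// security response headers. Function name and sample data are constructed.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
  "strict-transport-security",
]);
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function auditHeaderRules(manifest, rules) {
  const hosts = new Set(manifest.host_permissions || []);
  // Header rules only apply where the extension holds host access,
  // so broad host permissions raise the severity of any finding.
  const broad = BROAD_HOSTS.some((p) => hosts.has(p));
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase(); // header names are case-insensitive
      if (h.operation === "remove" && SECURITY_HEADERS.has(name)) {
        findings.push({ ruleId: rule.id, header: name, severity: broad ? "high" : "medium" });
      }
    }
  }
  return findings;
}

// Constructed sample: rule 1 strips CSP and X-Frame-Options, rules 2 and 3 are benign.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["declarativeNetRequest", "storage"],
  host_permissions: ["<all_urls>"],
};
const sampleRules = [
  { id: 1, priority: 1, condition: { resourceTypes: ["main_frame", "sub_frame"] },
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" }] } },
  { id: 2, priority: 1, condition: { urlFilter: "example.com" },
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "X-Example", operation: "set", value: "1" }] } },
  { id: 3, priority: 1, condition: { urlFilter: "ads.example" }, action: { type: "block" } },
];
console.log(auditHeaderRules(sampleManifest, sampleRules));
```

In practice the rules would be loaded from the JSON files listed under `declarative_net_request.rule_resources` in the extension's `manifest.json`; rules registered at runtime do not appear in those files and need a separate check.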
The malicious code also includes a persistent tracking mechanism that fingerprints the user's operating system, browser type, and geographic location. To maintain control over infected machines, the extension communicates with a remote server every five minutes to download new JavaScript instructions. This ensures that the attackers can update their tactics or change the nature of their exploit at any time without requiring further manual updates from the Chrome Web Store.
To execute this downloaded code discreetly, the extensions use an unconventional trick involving a hidden image element. By creating a microscopic one-pixel graphic and embedding the malicious script within its load attribute, the extension forces the browser to run the code the moment the invisible image appears on a page. This technique allows the malware to run silently in the background of every tab the victim opens, making detection difficult for the average user.
The history of these extensions suggests a deliberate pattern of building a reputable user base before selling the assets to bad actors. QuickLens was reportedly listed for sale on an extension marketplace just days after its initial release, and ShotBird received a featured badge from Google shortly before its ownership changed. This incident highlights a growing trend of supply chain attacks where legitimate browser tools are weaponized against their users following a quiet change in management.
Source: Chrome Extension Goes Rogue After Ownership Change, Injects Code, Steals Data



