Tech

`Industrial espionage fears arise over Chrome extension caught stealing browsing history

Company test runs own traffic analysis service and finds malicious Chrome extension in its own backyard. Ooops!

Written by Catalin Cimpanu, Contributor Dec. 6, 2018 at 4:06 p.m. PT

Valid arguments about a possible industrial espionage campaign are being raised surrounding a Google Chrome extension that was caught collecting browsing history, ZDNet has learned from ExtraHop, a real-time IT analytics firm.

Security

The company said today it detected the malicious code hidden inside a Google Chrome extension aimed at web developers. The extension, named Postman, is still available in the Chrome Web Store, despite ExtraHop reporting it to Google more than a month ago.

The extension, which has over 27,000 installs, is a blatant clone of Postman, a very popular Chrome extension that can be used for testing and real-time editing of API requests. For the rest of this article, the name Postman will be used to refer to the malicious extension, and not the legitimate one. There is no connection between the two extension besides the same name.

Because of its features, Postman is usually found installed on Chrome browsers used by web developers.

An extension collecting browsing history might sound benign, but in a phone call today, the ExtraHop team told ZDNet that this behavior is extremely worrisome when observed in this particular case.

The ExtraHop team raised concerns that developers usually access URLs of internal networks, APIs, and applications, and whoever is collecting this browsing history will gain access to URLs that may reveal details about unreleased products, hidden features, or a company's intranet or internal network structure. For example, a developer making API calls to something like "/product/beta/car_dashboard/automatic_breaks/engage/pedestrian_detection/" may reveal quite a lot.

In the hands of a determined attacker, such information is both valuable, as it could be sold to unethical competitors, but it could also be used to plan future attacks.

The discovery of this extension comes on the heels of Netscout revealing that North Korean nation-state hackers have used a Chrome extension for the first time in a government-orchestrate cyber-espionage campaign.

ExtraHop told ZDNet that the IP address where Postman collected browsing history data appears to be "clean," and was not associated with the infrastructure of any other criminal group.

The Postman Chrome extension is also not the first one to be caught collecting user browsing history. Usually, the extensions that engage in such practices have large userbases. The makers of these extensions collect and sell bulk user browsing data to analytics and advertising firms as a way of monetizing user installs.

A Chrome extension like Postman, intended for web developers, doesn't have the user pool to be monetized in the same way, as, for example, Stylish --another popular extension with millions of installs that did the same thing earlier this year.

Both Google and Mozilla prohibit extension developers from collecting browsing data, which is a mystery why Google has failed to remove this one.

The ExtraHop team has also published a blog post detailing the extension's technical inner workings. ExtraHop said they detected the Postman extension's data collection on the workstation of one of its own developers who, ironically, was using it to test the company's suspicious traffic analysis product --Reveal(x).

Article updated on December 19 to clarify that there is no connection between the two extensions named Postman.