Security Alert: Webpage Screenshot Leaks Private Data For 1.2 Million Users
Be careful about the extensions you download in your browser.
Are you ready for Webpage Screenshot, the latest Trojan horse?
Our malware labs have detected a popular extension in Google Chrome – Webpage Screenshot – that systematically collects your browsing details in order to sell them to a third party.
In Denmark alone, the extension has been downloaded by 39.289 users (see the attached screenshot) and more than 1.2 million users worldwide. At the same time, we notice a really good rating – 4.5 points from a total of 5.
The main problem with this extension, or should we say spyware, is that it collects information on a user’s traffic details and sends it to a server located in the United States.
Peter Kruse, founder of CSIS Security Group, says:
To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.
Apparently, there is an important vulnerability in how code validation is done for each extension in Google Chrome, which makes us wonder how many extensions are still out there that hide spyware.
Our research revealed that this type of spyware has affected not just normal users, but even large companies in Sweden:
The browser receives instructions to constantly send away information about what websites have been visited to a server in United States… The owner of the Webpage screenshot confirmed that he has entered a code that sends the data on which sites users visit. The aim is to “produce statistics on surfing behavior” and sell it. He says that the information is valuable commercially and he says while it’s not the users’ individual visits that are interesting, but surfing behavior on different sites together.
Where is this extension coming from?
The extension homepage is located at this address webpagescreenshot[.]info, with the following registrant information:
Registrant Name:Danny Gembom
Registrant Organization:
Registrant Street: Rehovot POB 80
Registrant City:Rehovot
Registrant State/Province:
Registrant Postal Code:38819
Registrant Country:IL
Registrant Phone:+972.542290258
It also features an email address, which makes use of the domain bubbles.co.il. This domain gives us more detailed information:
person: Aminadav Glickshein
address: Nof Ayalon P.O.B 6
address: D.N. Shimshon
address: 99785
address: Israel
phone: +972 8 9790049
e-mail: AminadavG AT gmail.com
Although the website appears to be running, when you hit the Download option, which should direct you to Google Chrome, you can notice the extension has been removed.
How does Webpage Screenshot behave?
We will present shortly the main events that occur when this extension is installed:
- The user installs the extension from Google Chrome Web Store.
- A week later the spyware capabilities are activated, by downloading additional code from the web . This smart behavior allows the extension to evade any security check from Google, which cannot analyze the entire code and detect its spyware features.
- Once the extension has activated its private data collecting ability, the sensitive information that can be used to identity an individual is transmitted in the United States at the following IP address: 64.34.175.88 (Serverbeach, New York, USA).
- The analyzed IP address gives us a number of subdomains related to this service:
webpagescreenshot[.]info
c.webpagescreenshot[.]info
ch.webpagescreenshot[.]info
s1.webpagescreenshot[.]info
ww.webpagescreenshot[.]info
che.webpagescreenshot[.]info
ftp.webpagescreenshot[.]info
www.webpagescreenshot[.]info
cheg.webpagescreenshot[.]info
youtube.cwww.webpagescreenshot[.]info
ywww.webpagescreenshot[.]info
youtube.cowww.webpagescreenshot[.]info
yowww.webpagescreenshot[.]info
youtube.comwww.webpagescreenshot[.]info
youwww.webpagescreenshot[.]info
youtwww.webpagescreenshot[.]info
youtuwww.webpagescreenshot[.]info
youtubwww.webpagescreenshot[.]info
Our malware specialists have already blocked these IP addresses in order to protect our users.
Conclusion
Cybercriminals’ ability and imagination seem to have no limits when it comes to retrieving sensitive data and financial information.
And web browser extensions are nevertheless pieces of code, which means they have the ability to deliver malicious payloads or can prove to be “Trojan horses”, that hide spyware functions and steal personal details from users.
Though Google Chrome has moved fast and removed the extension from its web store, it is obvious that security mechanisms should be improved fast, especially when we see this extension has reached over one million users.
If you have already installed this Google Chrome extension, make sure you remove it as soon as possible. Stay Safe!
This post was originally published by Aurelian Neagu in April 2015.
It’s like you’re angry because you foudn someone shooting in the middle of a war.
Dude – EVERYTHING collects all the stuff you do all the time now – Microsoft calls it “Telemetry”, Google calls it “predictive search”. and everything else calls it “quality” or “statistics” etc, most of these things are now trending towards not letting you opt out, or making it extremely hard to do that, and I’m not even *starting* on all the global laws that make it mandatory for companies to spy on you and backdoor their products to remove encryption when asked by any number of governments, all in a way that makes it a criminal offence to disobey or to tell anyone. Oh yeah, and lets not forget the cyberwar and millions of hackers in nation states everywhere subverting open-source products, injecting rootkits, and so on…
In July 2015, online dating service Ashley Madison, known for encouraging users to have extramarital affairs, suffered a data breach, and the identities of more than 30 million users of the service were leaked to the public. The data breach received wide media coverage, presumably due to the large number of impacted users and the perceived shame of having an affair. According to Hunt, the breach’s publicity resulted in a 57,000% increase in traffic to HIBP.
Thanks for sharing.
how to check chrome extension security???
After uninstalling this Webpage Screenshot extension, Chrome keeps notifying me (after every restart) that this extension has been removed automatically… although I obviously don’t reinstall it every time. Chrome seems to keep track of something left over. Is there any way to clean this mess up?
I have the same issue. Go to your extensions directory ( OSX in your Library/Applications Support/Google/Default/Extensions) and delete the directory ckibcdccnfeookdmbahgiakhnjcddpki.
As long as they disclose that they are collecting this anonymous browsing behavior, which they were, what’s the problem? Seems like a fair exchange for a well designed free app.