Google Chrome: legit EditThisCookie extension removed instead of malicious copycat

[harlan4096]

EditThisCookie is a specialized extension for Google Chrome that you may use to edit cookie data stored by the browser. I mentioned it back in 2015 here on Ghacks.

The extension, with over 3 million users and 11,000 ratings, has been removed from the Chrome Web Store. What Google has not removed is a copycat extension, first called EditThisCookies and now EditThisCookie®, which is malicious.

When you try to launch the Chrome Web Store address of the legitimate extension, you get the "This item is not available" error message. The page of the fake extension is still up (not linked, because it is malicious).

Eric Parker, known for his malware investigations, analyzed the malicious extension in a YouTube video.

The extension had 30,000 users at the time the video was published on YouTube. Today, it sits at more than 50,000 users.

Parker installed the extension on a test system and discovered several anomalies. These include:

• A fake website for the fake extension.
  
• Obfuscated code.
  
• Information stealing code, especially when on Facebook.
  
• Phishing.
  
• Advertising code.
  

The researcher did not find code to exfiltrate cookie data, which means that session cookies are not touched by the analyzed version of the extension.

With automatic extension updates enabled by default in Chrome, there is a chance that additional spyware or malware capabilities are added via updates.

Contnue Reading...