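As many as 111 extensions in the Chrome Web Store secretly collected sensitive user data. Together they were downloaded 32.96 million times, and Google has now removed them from the store.
These malicious extensions were found to collect screenshots, device clipboard contents, browser cookies for sites the user is logged in to, and keystrokes such as passwords.
The vast majority of the extensions are modular and, once installed, can update themselves with executable files.
Follow the steps below to check whether you are affected.
1. Enter chrome://extensions/ in Chrome to open the extensions page.
2. Press F12 on that page, run the following code in the Console and press Enter. ✅ means no risk, ❌ marks a risky item.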
// https://awakesecurity.com/wp-content/uploads/2020/06/GalComm-Malicious-Chrome-Extensions-Appendix-B.txt
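The URL above is updated in real time with the problematic extensions; copy the IDs from it into malicious in the same format.
---------- The actual code to run starts below -----------------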
malicious = [
"acmnokigkgihogfbeooklgemindnbine",
"apgohnlmnmkblgfplgnlmkjcpocgfomp",
"apjnadhmhgdobcdanndaphcpmnjbnfng",
"bahkljhhdeciiaodlkppoonappfnheoi",
"bannaglhmenocdjcmlkhkcciioaepfpj",
"bgffinjklipdhacmidehoncomokcmjmh",
"bifdhahddjbdbjmiekcnmeiffabcfjgh",
"bjpknhldlbknoidifkjnnkpginjgkgnm",
"blngdeeenccpfjbkolalandfmiinhkak",
"ccdfhjebekpopcelcfkpgagbehppkadi",
"cceejgojinihpakmciijfdgafhpchigo",
"cebjhmljaodmgmcaecenghhikkjdfabo",
"chbpnonhcgdbcpicacolalkgjlcjkbbd",
"cifafogcmckphmnbeipgkpfbjphmajbc",
"clopbiaijcfolfmjebjinippgmdkkppj",
"cpgoblgcfemdmaolmfhpoifikehgbjbf",
"dcmjopnlojhkngkmagminjbiahokmfig",
"deiiiklocnibjflinkfmefpofgcfhdga",
"dipecofobdcjnpffbkmfkdbfmjfjfgmn",
"dopkmmcoegcjggfanajnindneifffpck",
"dopmojabcdlfbnppmjeaajclohofnbol",
"edcepmkpdojmciieeijebkodahjfliif",
"ekbecnhekcpbfgdchfjcfmnocdfpcanj",
"elflophcopcglipligoibfejllmndhmp",
"eogfeijdemimhpfhlpjoifeckijeejkc",
"fcobokliblbalmjmahdebcdalglnieii",
"fgafnjobnempajahhgebbbpkpegcdlbf",
"fgcomdacecoimaejookmlcfogngmfmli",
"fgmeppijnhhafacemgoocgelcflipnfd",
"fhanjgcjamaagccdkanegeefdpdkeban",
"flfkimeelfnpapcgmobfgfifhackkend",
"fmahbaepkpdimfcjpopjklankbbhdobk",
"foebfmkeamadbhjcdglihfijdaohomlm",
"fpngnlpmkfkhodklbljnncdcmkiopide",
"gdifegeihkihjbkkgdijkcpkjekoicbl",
"gfcmbgjehfhemioddkpcipehdfnjmief",
"gfdefkjpjdbiiclhimebabkmclmiiegk",
"ggijmaajgdkdijomfipnpdfijcnodpip",
"ghgjhnkjohlnmngbniijbkidigifekaa",
"gllihgnfnbpdmnppfjdlkciijkddfohn",
"gmmohhcojdhgbjjahhpkfhbapgcfgfne",
"gofhadkfcffpjdbonbladicjdbkpickk",
"hapicipmkalhnklammmfdblkngahelln",
"hijipblimhboccjcnnjnjelcdmceeafa",
"hmamdkecijcegebmhndhcihjjkndbjgk",
"hodfejbmfdhcgolcglcojkpfdjjdepji",
"hpfijbjnmddglpmogpaeofdbehkpball",
"ianfonfnhjeidghdegbkbbjgliiciiic",
"ibfjiddieiljjjccjemgnoopkpmpniej",
"inhdgbalcopmbpjfincjponejamhaeop",
"iondldgmpaoekbgabgconiajpbkebkin",
"ipagcbjbgailmjeaojmpiddflpbgjngl",
"jagbooldjnemiedoagckjomjegkopfno",
"jdheollkkpfglhohnpgkonecdealeebn",
"jfefcmidfkpncdkjkkghhmjkafanhiam",
"jfgkpeobcmjlocjpfgocelimhppdmigj",
"jghiljaagglmcdeopnjkfhcikjnddhhc",
"jgjakaebbliafihodjhpkpankimhckdf",
"jiiinmeiedloeiabcgkdcbbpfelmbaff",
"jkdngiblfdmfjhiahibnnhcjncehcgab",
"jkofpdjclecgjcfomkaajhhmmhnninia",
"kbdbmddhlgckaggdapibpihadohhelao",
"keceijnpfmmlnebgnkhojinbkopolaom",
"khhemdcdllgomlbleegjdpbeflgbomcj",
"kjdcopljcgiekkmjhinmcpioncofoclg",
"kjgaljeofmfgjfipajjeeflbknekghma",
"labpefoeghdmpbfijhnnejdmnjccgplc",
"lameokaalbmnhgapanlloeichlbjloak",
"lbeekfefglldjjenkaekhnogoplpmfin",
"lbhddhdfbcdcfbbbmimncbakkjobaedh",
"ldoiiiffclpggehajofeffljablcodif",
"lhjdepbplpkgmghgiphdjpnagpmhijbg",
"ljddilebjpmmomoppeemckhpilhmoaok",
"ljnfpiodfojmjfbiechgkbkhikfbknjc",
"lnedcnepmplnjmfdiclhbfhneconamoj",
"lnlkgfpceclfhomgocnnenmadlhanghf",
"loigeafmbglngofpkkddgobapkkcaena",
"lpajppfbbiafpmbeompbinpigbemekcg",
"majekhlfhmeeplofdolkddbecmgjgplm",
"mapafdeimlgplbahigmhneiibemhgcnc",
"mcfeaailfhmpdphgnheboncfiikfkenn",
"mgkjakldpclhkfadefnoncnjkiaffpkp",
"mhinpnedhapjlbgnhcifjdkklbeefbpa",
"mihiainclhehjnklijgpokdpldjmjdap",
"mmkakbkmcnchdopphcbphjioggaanmim",
"mopkkgobjofbkkgemcidkndbglkcfhjj",
"mpifmhgignilkmeckejgamolchmgfdom",
"nabmpeienmkmicpjckkgihobgleppbkc",
"nahhmpbckpgdidfnmfkfgiflpjijilce",
"ncepfbpjhkahgdemgmjmcgbgnfdinnhk",
"npaklgbiblcbpokaiddpmmbknncnbljb",
"npdfkclmbnoklkdebjfodpendkepbjek",
"nplenkhhmalidgamfdejkblbaihndkcm",
"oalfdomffplbcimjikgaklfamodahpmi",
"odnakbaioopckimfnkllgijmkikhfhhf",
"oklejhdbgggnfaggiidiaokelehcfjdp",
"omgeapkgiddakeoklcapboapbamdgmhp",
"oonbcpdabjcggcklopgbdagbfnkhbgbe",
"opahibnipmkjincplepgjiiinbfmppmh",
"pamchlfnkebmjbfbknoclehcpfclbhpl",
"pcfapghfanllmbdfiipeiihpkojekckk",
"pchfjdkempbhcjdifpfphmgdmnmadgce",
"pdpcpceofkopegffcdnffeenbfdldock",
"pgahbiaijngfmbbijfgmchcnkipajgha",
"pidohlmjfgjbafgfleommlolmbjdcpal",
"pilplloabdedfmialnfchjomjmpjcoej",
"pklmnoldkkoholegljdkibjjhmegpjep",
"pknkncdfjlncijifekldbjmeaiakdbof",
"plmgefkiicjfchonlmnbabfebpnpckkk",
"pnciakodcdnehobpfcjcnnlcpmjlpkac",
"ponodoigcmkglddlljanchegmkgkhmgb",
];
// Walk the shadow DOM of the chrome://extensions page and compare the ID of
// each installed extension with the malicious list above.
document
  .querySelector("extensions-manager")
  .shadowRoot.querySelector("cr-view-manager extensions-item-list")
  .shadowRoot.querySelectorAll("extensions-item")
  .forEach((item) => {
    const name = item.shadowRoot.querySelector("#name").innerText;
    if (malicious.includes(item.id)) {
      console.log("❌", item.id, name);
    } else {
      console.log("✅", item.id, name);
    }
  });
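------------ The actual code to run ends above -----------------
Execution result: displays normally.
3. Remove any extensions flagged as risky.
On Linux you can check whether you are affected with the following commands: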
cd /home/$USER/.config/chromium/Default/Extensions
ls -a > list.txt
wget awakesecurity.com/wp-content/upl…
comm -12 <( sort list.txt ) <( sort GalComm-Malicious-Chrome-Extensions-Appendix-B.txt )
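Where are Chrome extensions installed on a Mac?
Enter chrome://version in the address bar and press Enter, then open the path shown in the "Profile Path" field in your file manager. The Extensions folder under that path is the default extension install location.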
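The manual checks above look at one profile at a time. As an added example (not part of the original post), the shell function below scans every profile under a Chrome/Chromium user-data directory, i.e. the parent of the "Profile Path" shown in chrome://version, and tolerates Windows line endings and malformed lines in the downloaded list. The function name check_extensions and its exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: report blocklisted extension IDs installed in ANY profile.
# Usage (path as in the Linux commands above, list file already downloaded):
#   check_extensions "$HOME/.config/chromium" GalComm-Malicious-Chrome-Extensions-Appendix-B.txt
# Prints one "profile<TAB>extension-id" line per match.
# Exit status: 0 = nothing found, 1 = at least one match, 2 = unusable list.
check_extensions() {
    root=$1
    blocklist=$2
    # Normalise the list: strip CRs, keep only well-formed extension IDs
    # (exactly 32 letters in the range a-p), drop duplicates.
    ids=$(tr -d '\r' < "$blocklist" | grep -Ex '[a-p]{32}' | sort -u)
    [ -n "$ids" ] || { echo "no valid IDs in $blocklist" >&2; return 2; }
    found=0
    # On-disk layout: <user-data-dir>/<profile>/Extensions/<extension-id>/<version>/
    for dir in "$root"/*/Extensions/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        id=$(basename "$dir")
        profile=$(basename "$(dirname "$(dirname "$dir")")")
        # -F fixed string, -x whole-line match: no partial or regex matches
        if printf '%s\n' "$ids" | grep -Fxq -- "$id"; then
            printf '%s\t%s\n' "$profile" "$id"
            found=1
        fi
    done
    return "$found"
}
```

A directory under Extensions only shows that the extension was installed in that profile; remove it from chrome://extensions in the reported profile rather than deleting the folder by hand.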
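If you really have been affected, there is no good solution yet. The suggestion is to stop using your own Chrome installation for now and switch to Microsoft Edge.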