In December 2020, Czech researchers at cz.nic discovered a series of Chrome and Edge browser extensions which were able to communicate with malicious web hosts, and potentially transmit confidential data from users’ computers. It seems likely these may have been active since 2017/18.
They alerted Google and Microsoft, who removed the malicious extensions from their respective Extension Stores by 18 December 2020. However, by that time around 3 million downloads were had been made and were out there sitting in people’s browsers.
Details have appeared more widely online recently, and below is a list of Extensions listed as at 10 February 2021. Many of them are presented as tools to assist in uploading and downloading video and other media content to Social Media platforms such as Facebook, Instagram and Vimeo – although there are also extensions which link to News and other sites.
Please check your browsers for any extensions listed and remove them immediately. The Extension ID uniquely identifies the extension, where different extensions may have been given the same name by their authors.
Known malicious Chrome Extensions
To locate the Extension ID in Chrome:
- Go to ‘Settings’, ‘Extensions’ via the three-dots menu at the top right of Chrome, which will display all Extensions you have installed.
- Click the ‘Details’ button for an Extension and look at the URL in the address bar.
- It will show something like:
chrome://extensions/?id=cfhdojbkjhnklbpkdaibdccddilifddb
where the character string after ?id= is the Extension ID. The example illustrated is for the legitimate ‘Adblock Plus’ and is fine!
| Chrome Extension Name | Extension ID |
|---|---|
| Direct Message for Instagram | mdpgppkombninhkfhaggckdmencplhmg |
| DM for Instagram | fgaapohcdolaiaijobecfleiohcfhdfb |
| Invisible mode for Instagram Direct Message | iibnodnghffmdcebaglfgnfkgemcbchf |
| Downloader for Instagram | olkpikmlhoaojbbmmpejnimiglejmboe |
| App Phone for Instagram | bhfoemlllidnfefgkeaeocnageepbael |
| Stories for Instagram | nilbfjdbacfdodpbdondbbkmoigehodg |
| Universal Video Downloader | eikbfklcjampfnmclhjeifbmfkpkfpbn |
| Video Downloader for FaceBook™ | pfnmibjifkhhblmdmaocfohebdpfppkf |
| Vimeo™ Video Downloader | cgpbghdbejagejmciefmekcklikpoeel |
| Zoomer for Instagram and FaceBook | klejifgmmnkgejbhgmpgajemhlnijlib |
| VK UnBlock. Works fast. | ceoldlgkhdbnnmojajjgfapagjccblib |
| Odnoklassniki UnBlock. Works quickly. | mnafnfdagggclnaggnjajohakfbppaih |
| Upload photo to Instagram™ | oknpgmaeedlbdichgaghebhiknmghffa |
| Spotify Music Downloader | pcaaejaejpolbbchlmbdjfiggojefllp |
| The New York Times News | lmcajpniijhhhpcnhleibgiehhicjlnk |
| FORBES | lgjogljbnbfjcaigalbhiagkboajmkkj |
| Скачать фото и видео из Instagram | akdbogfpgohikflhccclloneidjkogog |
Known malicious Edge Extensions
To locate the Extension ID in Edge:
- Go to ‘Extensions’ via the three-dots menu at the top right of Edge, which will display all Extensions you have installed.
- Click the ‘Details’ button for an Extension and look at the URL in the address bar.
- It will show something like:
edge://extensions/?id=cfhdojbkjhnklbpkdaibdccddilifddb
where the character string after ?id= is the Extension ID. The example illustrated is, as above, for the legitimate ‘Adblock Plus’ and is fine!
| Edge Extension Name | Extension ID |
|---|---|
| Direct Message for Instagram™ | lnocaphbapmclliacmbbggnfnjojbjgf |
| Instagram Download Video & Image | bhcpgfhiobcpokfpdahijhnipenkplji |
| App Phone for Instagram | dambkkeeabmnhelekdekfmabnckghdih |
| Universal Video Downloader | dgjmdlifhbljhmgkjbojeejmeeplapej |
| Video Downloader for FaceBook™ | emechknidkghbpiodihlodkhnljplpjm |
| Vimeo™ Video Downloader | hajlccgbgjdcjaommiffaphjdndpjcio |
| Volume Controller | dljdbmkffjijepjnkonndbdiakjfdcic |
| Stories for Instagram | cjmpdadldchjmljhkigoeejegmghaabp |
| Upload photo to Instagram™ | jlkfgpiicpnlbmmmpkpdjkkdolgomhmb |
| Pretty Kitty, The Cat Pet | njdkgjbjmdceaibhngelkkloceihelle |
| Video Downloader for YouTube | phoehhafolaebdpimmbmlofmeibdkckp |
| SoundCloud Music Downloader | pccfaccnfkjmdlkollpiaialndbieibj |
| Instagram App with Direct Message DM | fbhbpnjkpcdmcgcpfilooccjgemlkinn |
| Downloader for Instagram | aemaecahdckfllfldhgimjhdgiaahean |
Good luck in checking and clearing out anything nasty that you find!