Malicious extension steals user data by abusing the Chrome sync feature
Chrome sync is a browser feature that automatically synchronizes a user's bookmarks, history, passwords, and other settings after they sign in with their Google account. Hackers disguised the fake extension as the Forcepoint Endpoint Chrome Extension for Windows and installed it directly from Chrome after enabling Developer mode, bypassing the Chrome Web Store installation channel. Once installed, the extension drops a background script that checks Chrome's storage for oauth_token keys, which are then automatically synced to the user's Google cloud storage. The threat actor can then access the sensitive information simply by logging into the same Google account on another system running the Chrome browser.
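As an added example (not code from the original report or from Forcepoint), the following Python triage script statically audits an unpacked extension directory for the pattern described above: a background script that writes token-like keys into chrome.storage.sync. The two sample extensions it builds are constructed for the demo and the regex heuristics are assumptions, not a vendor detection rule.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristics (assumed): a background script that writes to chrome.storage.sync
# and references OAuth/token-like keys deserves manual review.
SYNC_WRITE = re.compile(r"chrome\.storage\.sync\.set\s*\(")
TOKEN_KEY = re.compile(r"oauth_token|access_token|refresh_token|\btoken\b", re.I)

def background_scripts(manifest: dict) -> list[str]:
    """Return background script paths for MV2 (scripts) and MV3 (service_worker)."""
    bg = manifest.get("background", {})
    return list(bg.get("scripts", [])) + ([bg["service_worker"]] if "service_worker" in bg else [])

def audit_extension(ext_dir: Path) -> dict:
    """Statically audit one unpacked extension directory and return findings."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    findings = {"name": manifest.get("name"),
                "has_storage_permission": "storage" in manifest.get("permissions", []),
                "sync_token_exfil": []}
    for rel in background_scripts(manifest):
        src = (ext_dir / rel).read_text()
        if SYNC_WRITE.search(src) and TOKEN_KEY.search(src):
            findings["sync_token_exfil"].append(rel)
    findings["suspicious"] = findings["has_storage_permission"] and bool(findings["sync_token_exfil"])
    return findings

def build_sample(root: Path, name: str, bg_js: str) -> Path:
    """Write a constructed sample extension (demo data, not real malware) to disk."""
    d = root / name
    d.mkdir()
    (d / "manifest.json").write_text(json.dumps({
        "name": name, "manifest_version": 2, "version": "1.0",
        "permissions": ["storage"], "background": {"scripts": ["bg.js"]}}))
    (d / "bg.js").write_text(bg_js)
    return d

# Constructed sample: mirrors the reported behaviour of copying stored
# oauth_token entries into the account-synced storage area.
MALICIOUS_BG = """chrome.storage.local.get(null, items => {
  for (const k in items) if (k.includes('oauth_token')) chrome.storage.sync.set({[k]: items[k]});
});"""
# Constructed benign sample: syncs only a UI preference.
BENIGN_BG = "chrome.storage.sync.set({theme: 'dark'});"

def demo() -> dict:
    """Audit both constructed samples and report which ones are flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {n: audit_extension(build_sample(root, n, js))["suspicious"]
                for n, js in (("fake-endpoint-ext", MALICIOUS_BG), ("theme-picker", BENIGN_BG))}

if __name__ == "__main__":
    print(demo())  # {'fake-endpoint-ext': True, 'theme-picker': False}
```

Point the audit at the extension directories under a Chrome profile to review side-loaded extensions; a hit is a lead for manual review, not proof of malice.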