Chrome Web Store: How Google Let Malicious Extensions Steal Gmail Credentials and Telegram Sessions
Malicious activity is rampant within the Chrome Web Store; the discussions focus in particular on credential theft and session hijacking. Multiple campaigns target user data, with specific modules stealing Gmail content, drafts, and entire thread texts. Evidence also shows extensions designed to exfiltrate active Telegram Web sessions every 15 seconds.
Users are pointing fingers at Google for lax enforcement. 'spaghettiwestern' points out that Google waited until March 2026 to remove an extension that researchers had already publicized as malware months earlier. Another major concern is the sheer volume of fake AI extensions, which 'cm0002' notes use content scripts to vacuum up email data. 'beep' summarizes the threat vectors: OAuth2 credential theft and the opening of universal browser backdoors.
The consensus is that Google's oversight is dangerously negligent. The fault line lies between the platform's failure to police actively circulating threats and the sheer volume of attack surface presented by third-party app stores. The technical details demonstrate systemic risk, not isolated bugs.
Key Points
Google was slow to remove malicious extensions.
'spaghettiwestern' noted Google waited months after documented threats to act on dangerous extensions.
AI-themed extensions are vectors for email theft.
'cm0002' identified a campaign using extensions like 'AI Sidebar' to steal Gmail content via content scripts.
Credential theft methods are varied and specific.
'beep' specified that attacks range from stealing Google account identity via OAuth2 to opening arbitrary browser URLs.
Session hijacking was demonstrated with precise frequency.
Technical vectors detailed include extensions exfiltrating Telegram Web sessions exactly every 15 seconds.
Source Discussions (3)
This report was synthesized from the following Lemmy discussions, ranked by community score.