News

A Popular Chrome Extension Could be Leaking your Personal Information

2015-06-05

A mysterious Chrome re-direct to the website searchhelper.com seems to be the result of a relatively popular extension – and it could be covertly stealing users’ private browsing data. The Baidu Antivirus Security team has confirmed that the Chrome extension crxMouse Chrome Gestures is the culprit, and it is a potential threat that should be taken seriously by all Chrome users.


Analysis by Baidu Antivirus security experts found that when the crxMouse Chrome Gestures extension is installed, it requests enough permissions to allow it to entirely control a user's Chrome browser.

Figure 1. The crxMouse Chrome Gestures extension requests many permissions.


Because it has enough permissions, crxMouse Chrome Gestures can intercept a user's information on every site that they access, and after encrypting it, covertly send this private browsing data to the searchelper.com server.

Figure 2. Private browsing data covertly captured by crxMouse Chrome Gestures.

Figure 3. Private browsing data covertly captured by crxMouse Chrome Gestures (continued).


The uploaded data is encrypted multiple times using a base-64 type encryption. After decryption, it was found that user’ information on the websites that they accessed was being collected by the searchelper.com server.

Figure 3. User browsing information is collected by the searchhelper.com server.


The crxMouse Chrome Gestures extension is a popular mouse gesture extension for Chrome. Although the Baidu Antivirus security team cannot confirm the original source of this particular attack, or whether or not it affects all releases of crxMouse Chrome Gestures, it is still advised that Chrome users exercise caution when using this extension. In the absence of an effective antivirus program, users may opt to disable or uninstall the extension. 


Chrome users may also follow the steps below to prevent their personal information from being collected:


1. In the Chrome address bar, enter "chrome://version" and find Profile Path;


2. Open Profile Path in Windows Explorer. Then, go to the directory below and delete files like tr.js

\Extensions\jlgkpaicikihijadgifklkbpdajbkhjo\2.8.1_0\js


3. To prevent the extension from being automatically updated, you can try to edit the update_url in the file below. Replace it with a URL that cannot be accessed, such as 127.0.0.1

Extensions\jlgkpaicikihijadgifklkbpdajbkhjo\2.8.1_0\manifest.json


Finally, the Baidu Antivirus Security Center would like to remind all Chrome users that Chrome has a wide range of extensions to help you do different things. However, no one can guarantee that all of these extensions will not be used to steal private data. If you are concerned about your personal information, please exercise caution when using any 3rd party extensions for Chrome or other web browsers.


Download Baidu Antivirus – the best free antivirus – here: Download