Malicious Chrome and Firefox Browser Extensions

Overview

A security researcher notified Zoom that several predatory browser extensions captured users' browsing activity, which was then sold to members of an online service. This is not a Zoom vulnerability; the cause is a malicious browser extension that Chrome users installed unknowingly and that uploaded details of their browser history. Given the number of Chrome and Firefox users, it is not surprising that some of those affected have hosted or joined Zoom meetings.

Given the prevalence of Chrome and Firefox, this had an extremely widespread impact across many other industries. Among the many websites observed were Zoom meeting URLs visited by users who had these browser extensions installed. From these URLs, it was possible to collect information, potentially including meeting URLs (with their meeting IDs), page titles, referrers, visitors’ internet service provider (ISP), city, state, network domain, and timestamp of visit.

Removing Malicious Chrome and Firefox Extensions and Securing Meetings

We recommend the following to our users:

  1. Immediately review all of your browser extensions for suspicious extensions and, in particular, remove the following: Hover Zoom, Speak It!, Super Zoom, SaveFrom.net Helper, Fairshare Unlock, and PanelMeasurement. (Note that none of these are affiliated with Zoom in any way, even the ones with Zoom in the name.)
    • To find and remove your Chrome extensions:
      1. Open Chrome.
      2. At the top right, click the More button (which looks like 3 dots or an up arrow), hover over More Tools, then click Extensions.

      3. Click Remove next to any unfamiliar or suspicious extension. 

    • To find and remove any Firefox extensions:
      1. Click the Menu button at the top right (three lines), click Tools, click Add-ons, and select Extensions or Themes.

      2. Click the name of the add-on you wish to remove.
      3. Click the Remove button.

  2. As a matter of caution, change your recurring meeting links and meeting passwords. 
  3. If you are concerned about unwelcome participants joining your meetings, we recommend using our waiting room feature.
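
The review in step 1 can also be scripted across many machines. The following is an added example, not part of the original article or any Zoom tooling: it reads a Chrome profile's Extensions directory and a Firefox profile's extensions.json and reports entries whose display name is on the list above. Assumptions: profile paths vary by operating system and are supplied by the caller, the sample profiles and IDs built in demo() are constructed, and matching is by exact name only because the article gives no extension IDs.

```python
import json, tempfile
from pathlib import Path

# Names listed in the article; matched exactly (case-insensitive) on display name only.
FLAGGED = {"hover zoom", "speak it!", "super zoom", "savefrom.net helper",
           "fairshare unlock", "panelmeasurement"}

def chrome_name(ext_dir):
    """Display name from manifest.json, resolving __MSG_key__ through _locales."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            table = json.loads(msgs.read_text(encoding="utf-8-sig"))
            for key, entry in table.items():  # message keys are case-insensitive
                if key.lower() == name[6:-2].lower():
                    return entry.get("message", name)
    return name

def scan_chrome(profile):
    """Yield (id, version, name) per <profile>/Extensions/<id>/<version>/manifest.json."""
    for m in sorted(Path(profile).glob("Extensions/*/*/manifest.json")):
        yield m.parent.parent.name, m.parent.name, chrome_name(m.parent)

def scan_firefox(profile):
    """Yield (id, version, name) per extension entry in <profile>/extensions.json."""
    f = Path(profile) / "extensions.json"
    addons = json.loads(f.read_text(encoding="utf-8")).get("addons", []) if f.is_file() else []
    for a in addons:
        if a.get("type") == "extension":
            yield a.get("id"), a.get("version"), (a.get("defaultLocale") or {}).get("name", "")

def flagged(entries):  # keep entries whose display name is on the article's list
    return [e for e in entries if e[2].strip().lower() in FLAGGED]

def demo():
    """Build constructed sample profiles (IDs are placeholders) and scan them."""
    root = Path(tempfile.mkdtemp())  # doubles as the constructed Firefox profile
    ext = root / "chrome" / "Extensions" / "placeholder-id" / "1.0_0"
    (ext / "_locales" / "en").mkdir(parents=True)
    (ext / "manifest.json").write_text(
        json.dumps({"name": "__MSG_appName__", "default_locale": "en"}))
    (ext / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appname": {"message": "Hover Zoom"}}))
    (root / "extensions.json").write_text(json.dumps({"addons": [
        {"id": "a@example.invalid", "type": "extension", "defaultLocale": {"name": "SaveFrom.net Helper"}},
        {"id": "b@example.invalid", "type": "extension", "defaultLocale": {"name": "Other Add-on"}}]}))
    return flagged(list(scan_chrome(root / "chrome")) + list(scan_firefox(root)))
```

A name match is a prompt to open the browser's extension page and remove the entry as described in step 1; an extension that has been renamed will not match, so the manual review still applies.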

More information from this security researcher: https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/
