Skip to content ↓ | Skip to navigation ↓

According to security researchers, a popular Google Chrome extension with 1.2 million downloads has been collecting users’ browsing information with the purpose of selling the data to third parties.

Christian Mariolini, a researcher with the computer security firm Sentor, first discovered the spyware in the Webpage Screenshot extension back in March of this year.

“We monitor our customers’ networks for signs of hacking. A few weeks ago, we found a strange pattern in the traffic of several companies. After talking with them, we found this plug-in which was installed on the computers that was behaving strangely,” he said.

Mariolini went on to explain that the extension contains hidden code that saves information about users’ browsing history and sends it to a server based in the United States.

However, the IP address of the server is registered to a private individual who lives in Israel.

The Webpage Screenshot extension stores a variety of potentially sensitive information. This includes IP addresses, data from URLs visited and pages viewed, profile properties, and usage details.

Heimdal Security, a security firm launched in 2011 by the CSIS Security Group, has also detected the spyware and analyzed how the hidden code operates.

According to blog post published on Heimdal’s website, the hidden code does not activate until one week after Webpage Screenshot is downloaded from the Google Chrome Web Store, which allows the extension to evade Google’s security checks.

It is at this time that the extension begins collecting user information and sending it to IP address, which is located in Serverbeach, New York, USA.

News of the spyware capabilities of Webpage Screenshot follows Google’s announcement to more thoroughly monitor ad-injecting applications that are often found in Chrome extensions. Towards this end, Google researchers removed 200 extensions from the Google Chrome Web Store after discovering they were serving up malware to users.

As of this writing, the Webpage Screenshot has been removed from Google’s store.

Tripwire University
  • ddearborn


    The utter hypocrisy and the degree to which the “justice system” has been compromised is brilliantly highlighted on this webpage published on 3/28/16. The Israeli “hacker” remains free and apparently immune to prosecution from the safety of Israel. On the other hand, under the “LATEST SECURITY NEWS” banner on the right side of this webpage we read that 5 Iranian “Hackers” were just indicted. It also leaves little doubt as to exactly who benefits from this skewed justice and who does not.