8 New Malicious Firefox Extensions Steal OAuth Tokens, Passwords, and Spy on Users


Security researchers from the Socket Threat Research Team have uncovered a network of eight malicious Firefox browser extensions that steal OAuth tokens and passwords and spy on users through deceptive tactics.

The discovery reveals a coordinated campaign that exploits popular gaming titles and utility applications to compromise user security across the Firefox ecosystem.

Major Gaming Extension Fraud Network Discovered

The investigation began with a single malicious extension called “Shell Shockers” but quickly expanded to reveal an entire network of fake gaming extensions operated by the threat actor mre1903.


This cybercriminal, active since June 2018, has systematically created fraudulent extensions that masquerade as popular games, including Little Alchemy 2, 1v1.LOL, Krunker io Game, Five Nights at Freddy’s, and Bubble Spinner.

These malicious extensions exploit user trust by impersonating beloved games with millions of players worldwide.

However, instead of providing actual gaming functionality, they immediately redirect users to gambling websites and fake Apple virus alert scam pages upon installation.

The threat actor’s approach demonstrates a coordinated campaign designed to maximize reach while evading detection through distributed deployment across multiple popular game titles.

Beyond simple redirect scams, researchers identified several extensions employing sophisticated attack techniques. CalSyncMaster, masquerading as a legitimate Google Calendar synchronization tool, represents the most serious threat in the analysis.

This extension implements advanced OAuth credential theft operations, stealing Google Authentication tokens that provide ongoing access to sensitive personal and business data.

The malicious code specifically targets Google Calendar APIs, requesting read-only permissions that allow attackers persistent visibility into users’ meeting schedules, travel plans, business activities, and contact information.


Security experts warn that the extension’s architecture allows for easy scope escalation, potentially enabling event manipulation or data deletion through simple updates.

The VPN Grab A Proxy Free extension, marketed as a privacy-focused VPN service, secretly tracks users by injecting invisible tracking iframes and routing all web traffic through attacker-controlled proxies.

This configuration enables comprehensive surveillance of user activities, including the potential interception of login credentials, personal information, and private communications.

Meanwhile, the GimmeGimme extension targets European shopping sites like bol.com and coolblue.nl, promising wishlist functionality while secretly redirecting shopping sessions through affiliate tracking links.


Users unknowingly generate revenue for attackers while being denied the promised features, representing a clear violation of user trust and transparency.

Growing Browser Extension Threat Landscape

The discoveries highlight a broader trend in cybersecurity threats. Browser extensions have become increasingly favored attack vectors due to their trusted status, extensive permissions, and ability to execute within browsers’ security contexts.

The progression from simple redirect scams to OAuth credential theft demonstrates how quickly these threats evolve and scale.

Security experts recommend that users regularly audit installed browser extensions, removing any that request permissions exceeding their stated functionality.

Organizations should implement extension allow-lists in corporate environments and monitor network traffic for unexpected proxy configurations or suspicious external communications.
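The two recommendations above (auditing installed extensions for permissions that exceed their stated purpose, and enforcing an allow-list in managed environments) can be turned into a small script. The following is an added example, not code from Socket or from the article: it reads the `extensions.json` file that a Firefox profile keeps (only the `id`, `type`, `active`, `defaultLocale.name` and `userPermissions` fields are used), flags permissions such as `proxy` and `identity` and blanket host access, and renders a `policies.json` `ExtensionSettings` block that blocks every extension not on the approved list. The sample `extensions.json` content, the extension IDs and the approved set are constructed for illustration.

```python
"""Audit Firefox extension permissions and emit an allow-list policy.

Added example, not the article's or Socket's code. The sample
extensions.json below is constructed; all extension IDs are hypothetical.
"""
import json

# Permissions that a game, wishlist helper or calendar widget should not need.
HIGH_RISK_PERMISSIONS = {
    "proxy": "can route all browser traffic through a third-party proxy",
    "identity": "can run OAuth flows and receive access tokens",
    "webRequestBlocking": "can rewrite or block requests in flight",
    "cookies": "can read session cookies for visited sites",
    "history": "can read browsing history",
}
# Host patterns that grant access to every page the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the shape of a Firefox profile's extensions.json
# (only the fields this script reads are present).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "calendar-helper@example.com", "type": "extension", "active": True,
         "defaultLocale": {"name": "Calendar Sync Helper"},
         "userPermissions": {"permissions": ["identity", "storage"],
                             "origins": ["https://www.googleapis.com/*"]}},
        {"id": "free-proxy@example.com", "type": "extension", "active": True,
         "defaultLocale": {"name": "Free Proxy"},
         "userPermissions": {"permissions": ["proxy", "webRequest"],
                             "origins": ["<all_urls>"]}},
        {"id": "bubble-puzzle@example.com", "type": "extension", "active": True,
         "defaultLocale": {"name": "Bubble Puzzle"},
         "userPermissions": {"permissions": ["storage"], "origins": []}},
        # Themes carry no WebExtension permissions and are skipped.
        {"id": "dark-theme@example.com", "type": "theme", "active": True,
         "defaultLocale": {"name": "Dark Theme"}},
    ],
})

# Hypothetical set of IDs an administrator has reviewed and approved.
APPROVED_IDS = frozenset({"bubble-puzzle@example.com"})


def audit_addon(addon):
    """Return human-readable findings for one extensions.json entry."""
    findings = []
    perms = addon.get("userPermissions") or {}
    for perm in perms.get("permissions", []):
        if perm in HIGH_RISK_PERMISSIONS:
            findings.append(f"permission '{perm}': {HIGH_RISK_PERMISSIONS[perm]}")
    for origin in perms.get("origins", []):
        if origin in BROAD_HOST_PATTERNS:
            findings.append(f"host access '{origin}': can read and modify every page")
    return findings


def audit_profile(extensions_json, approved_ids=frozenset()):
    """Map each active, non-approved extension ID to its list of findings."""
    data = json.loads(extensions_json)
    report = {}
    for addon in data.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue
        if addon["id"] in approved_ids:
            continue
        report[addon["id"]] = audit_addon(addon)
    return report


def build_allowlist_policy(approved_ids, message="This extension is not approved"):
    """Render a policies.json ExtensionSettings block: block all, allow approved."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_install_message": message}}
    for ext_id in sorted(approved_ids):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


if __name__ == "__main__":
    for ext_id, findings in audit_profile(SAMPLE_EXTENSIONS_JSON).items():
        print(f"[{'REVIEW' if findings else 'ok'}] {ext_id}")
        for finding in findings:
            print(f"    - {finding}")
    print(json.dumps(build_allowlist_policy(APPROVED_IDS), indent=2))
```

On a real system the script would read `extensions.json` from the profile directory instead of the embedded sample, and the resulting `policies.json` is deployed through Firefox's enterprise policy mechanism (the `distribution/policies.json` file or the platform's managed-policy store). The `"*"` entry is what enforces the allow-list: anything not explicitly listed as `allowed` is refused at install time.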

The Socket Threat Research Team emphasizes that these threats require constant vigilance from both individual users and organizations.

The combination of social engineering tactics with technical sophistication makes these extensions particularly effective against unsuspecting users who trust familiar game names and utility promises.

Users should immediately review their installed Firefox extensions and remove any that match the identified malicious applications to protect their personal data and authentication credentials.
