A concerning report from Koi Security reveals that a widely used color picker extension, which appears to be a legitimate tool and carries a verified badge, is actually hijacking browser sessions and tracking users’ online activities. The extension, developed by Geco, has amassed over 100,000 downloads and is listed on both Microsoft Edge and Google Chrome.
Initial reviews of the Geco extension are predominantly positive, with an average score of 4.2 stars on the Chrome Web Store and upwards of 800 reviews. Yet Koi Security’s analyst Idan Dardikman warns that this extension serves as a ‘carefully crafted Trojan horse.’ Eighteen similar extensions have been identified as part of a broader malicious campaign dubbed RedDirection, collectively affecting over 2.3 million users across major web browsers.
Aside from the color picker, the rogue extensions offer a range of functionalities, including emoji keyboards and video speed controllers, while covertly surveilling users by capturing their browsing activity. Users’ unique tracking IDs are sent to remote servers controlled by attackers, and their browsing sessions can be redirected at will. The malware is sometimes introduced during version upgrades of otherwise clean code, and these updates often go unnoticed.
This revelation ultimately raises serious questions about the security protocols of many browser extensions. Koi Security recommends immediate action for those who may have inadvertently installed any of the affected extensions. Users are urged to uninstall the extensions and monitor their online accounts for any strange activity as the extent of this security lapse continues to unfold.