QuickLens Chrome extension steals crypto, shows ClickFix attack

Summary

The Chrome extension "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store due to a security breach that compromised user data and attempted to steal cryptocurrency from thousands of unsuspecting users.


Key Insights

What is a ClickFix attack?
A ClickFix attack involves displaying a fake software update prompt, such as a bogus Google Update, that tricks users into clicking a button to 'verify' or 'fix' an issue, leading them to execute malicious code on their computers.
Sources: [1]
How did the QuickLens extension deliver its malicious payloads?
The extension used a '1x1 GIF pixel onload trick' to execute payloads on every page load and stripped Content Security Policy (CSP) headers from sites, allowing inline JavaScript to run even on protected pages.
Sources: [1]
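The CSP-stripping behaviour described above is something an extension reviewer can look for statically: a Manifest V3 extension that removes or rewrites a site's Content-Security-Policy response header has to declare header-modifying permissions and ship a declarativeNetRequest rule (or use the webRequest API) that does so. The following audit script is an added example, not code from the article, from QuickLens, or from Google. It assumes the extension under review ships static declarativeNetRequest rulesets as JSON (the `rule_resources` mechanism) and that those rulesets have already been read from disk; the sample manifest and rules are constructed for illustration and do not reproduce the actual QuickLens files. The article does not state which API QuickLens used, so treating it as a declarativeNetRequest ruleset is an assumption.

```javascript
// Added example (not the article's or QuickLens's code): flag Chrome extension
// rules that remove or rewrite Content-Security-Policy headers, plus the
// permissions that make such header modification possible.
// Assumption: Manifest V3 with static declarativeNetRequest rulesets.

const CSP_HEADERS = new Set([
  'content-security-policy',
  'content-security-policy-report-only',
]);

// Permissions that let an extension alter response headers at all.
const HEADER_CAPABLE_PERMISSIONS = [
  'declarativeNetRequest',
  'declarativeNetRequestWithHostAccess',
  'webRequest',
  'webRequestBlocking',
];

// Inspect one declarativeNetRequest rule; return findings for CSP tampering.
function findCspTampering(rule) {
  const findings = [];
  const action = rule.action || {};
  if (action.type !== 'modifyHeaders') return findings;
  for (const h of action.responseHeaders || []) {
    const name = String(h.header || '').toLowerCase();
    if (!CSP_HEADERS.has(name)) continue;
    if (h.operation === 'remove') {
      findings.push({ ruleId: rule.id, header: name, issue: 'removes header' });
    } else if (h.operation === 'set' || h.operation === 'append') {
      // A weakened policy (e.g. adding 'unsafe-inline') is as bad as removal.
      findings.push({ ruleId: rule.id, header: name, issue: `rewrites header (${h.operation})` });
    }
  }
  return findings;
}

// Audit a manifest plus its loaded rulesets (each an array of rule objects).
function auditExtension(manifest, rulesets) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  const headerCapable = HEADER_CAPABLE_PERMISSIONS.filter((p) => perms.has(p));
  // Broad host access means the rules can apply to every site the user visits.
  const broadHosts = [...perms].filter((p) => p === '<all_urls>' || p.startsWith('*://'));
  const findings = [];
  for (const rules of rulesets) {
    for (const rule of rules) findings.push(...findCspTampering(rule));
  }
  return {
    headerCapable,
    broadHosts,
    findings,
    verdict: findings.length > 0 ? 'CSP tampering' : 'no CSP tampering found',
  };
}

// Constructed sample input: a manifest with header-modifying permissions and
// a ruleset where rule 1 strips CSP on every document while rule 2 is benign.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'sample-extension (constructed)',
  permissions: ['declarativeNetRequest', 'storage'],
  host_permissions: ['<all_urls>'],
  declarative_net_request: {
    rule_resources: [{ id: 'ruleset_1', enabled: true, path: 'rules.json' }],
  },
};

const SAMPLE_RULES = [
  {
    id: 1,
    priority: 1,
    action: {
      type: 'modifyHeaders',
      responseHeaders: [{ header: 'Content-Security-Policy', operation: 'remove' }],
    },
    condition: { urlFilter: '*', resourceTypes: ['main_frame', 'sub_frame'] },
  },
  {
    id: 2,
    priority: 1,
    action: { type: 'block' },
    condition: { urlFilter: '||tracker.example', resourceTypes: ['script'] },
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, [SAMPLE_RULES]), null, 2));
}
```

Run it with `node audit.js` on the built-in sample to see the report; for a real review, load the extension's `manifest.json` and each file listed under `declarative_net_request.rule_resources`, then call `auditExtension` with those. A rule that removes `content-security-policy` for `main_frame`/`sub_frame` under `<all_urls>` is exactly the precondition the article describes for inline script running on otherwise protected pages, so any such finding should block publication or trigger removal regardless of what the rest of the extension does.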