News

200,000 Roblox Players Installed Chrome Extension with Backdoor

The SearchBlox Chrome extension, installed over 200,000 times, contains a backdoor that can steal credentials from Roblox, as well as victims’ funds on Rolimons (Roblox’s trading platform), researchers have warned.

Let me remind you that we also wrote that Chrome Extensions May Be Tracking the User on the Internet, and also that Hackers Influenced Valve’s Online Games Using Vulnerabilities in the Steam Platform.

The Bleeping Computer reports that the backdoor code was clearly introduced into the extension intentionally (by the developer), or appeared there after being compromised.

According to journalists, both SearchBlox extensions in the Chrome Web Store are compromised (their identifiers are blddohgncmehcepnokognejaaahehncd and ccjalhebkdogpobnbdhfpincfeohonni).

In the ad, both extensions promised to help “find the right player on the Roblox servers at lightning speed”, and both contain a backdoor.

Users raised their suspicions about SearchBlox earlier this week. The RTC account that publishes unofficial Roblox news has tweeted that SearchBlox has been compromised and infected with a backdoor, strongly advising users to remove it and change their passwords.

The journalists decided to check this information, they downloaded both versions of SearchBlox and indeed found a backdoor in the content.js and button.js files. According to the publication, the malicious code transmits the logged data of Roblox users to the releasethen[.]site address. In addition, the malicious code is activated when viewing a player’s profile on Rolimons.com, the Roblox trading platform.

According to the publication, this is not the first SearchBlox attack on users: in October of this year, Google already removed another version of the extension from the Chrome Web Store, where it had been distributed since June 28, 2022.

It is not yet clear whether the backdoor was introduced into the extension as a result of a compromise, or whether it was intentionally added by the developer himself. Roblox community members have a theory (1, 2, 3, 4) that the developer of the extensions is Unstoppablelucent, whose inventory increased noticeably overnight, while the user Rolimons ccfont was deleted due to suspicious transactions.

The publication warns that all SearchBlox users should immediately remove the malware, clear cookies, and change passwords for Roblox, Rolimons, and other sites they may have accessed while using the extension.

Bleeping Computer notified Google engineers of the discovery, and a company spokesperson has now confirmed that the extensions have been removed from the Chrome Web Store and will be automatically removed from systems where they are installed.

By the way, hackers love the Roblox game, there was even a case when WannaFriendMe Ransomware Operators Are Selling the Key for the Internal Currency of the Roblox Game.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

24 hours ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

24 hours ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

24 hours ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

24 hours ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

24 hours ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

24 hours ago