Fake Bitwarden Facebook ads push information-stealing Chrome extension

Fake Bitwarden password manager ads on Facebook spread a malicious Google Chrome extension that collects and steals sensitive user data from the browser.

Bitwarden is a popular password manager with a free tier that includes end-to-end encryption, cross-platform support, MFA integration, and a user-friendly interface.

Its user base has kept growing over the past two years, particularly after security incidents at competing products prompted many users to look for alternatives.

A new malvertising campaign impersonating Bitwarden has been spotted by Bitdefender Labs, whose researchers report that the operation was launched on November 3, 2024.

Multiple ads from the same campaign
Source: Bitdefender

Malicious Facebook Ads

The Facebook ads warn users that they are “using an outdated version of Bitwarden” and must update immediately to keep their passwords secure.

The link in the ad leads to “chromewebstoredownload(.)com”, a lookalike domain posing as Google’s official Chrome Web Store at “chromewebstore.google.com”.

The landing page also features a design very similar to the Chrome Web Store, including an “Add to Chrome” button.

Malicious website imitating the real Chrome Web Store
Source: Bitdefender

However, instead of the extension installing with one click as it would from the real store, visitors are prompted to download a ZIP file from a Google Drive folder.

Although this should be a clear warning sign, users unfamiliar with how the Chrome Web Store works may follow the page’s instructions and install the extension manually.

Installation requires enabling “Developer mode” in Chrome and loading the unpacked extension from the extracted folder by hand. This sidesteps the controls that normally apply to an extension install: Google’s review of extensions submitted to the Web Store, and Chrome’s refusal to install extensions from anywhere other than the store. An extension loaded this way is never signed, reviewed or updated by Google.

Once installed, the extension registers itself as “Bitwarden Password Manager” version 0.0.1 and requests permissions that let it intercept and manipulate the user’s activity in the browser.

Its main functions are as follows:

  • Collects Facebook cookies, including the “c_user” cookie that holds the user ID.
  • Collects the victim’s IP address and geolocation using public APIs.
  • Collects Facebook user details, account information and billing data via the Facebook Graph API.
  • Manipulates the page DOM to display fake loading messages, to appear legitimate or to distract the user.
  • Encodes the harvested data and sends it to a Google Script URL controlled by the attackers.

To mitigate this risk, Bitwarden users should ignore ads that prompt them to update the extension: Chrome updates extensions automatically when the publisher releases a new version, so a legitimate update never arrives through an ad and never requires downloading and loading files by hand.

Extensions should only be installed from the official Chrome Web Store or by following links from the official project website, in this case bitwarden.com.

When installing a new extension, always review the requested permissions and treat broad requests, especially access to cookies, network requests and data on all websites, with suspicion. A genuine password manager does need access to page content on the sites it autofills, so the combination of permissions, the install source and the publisher matters more than any single permission on its own.