Over 200,000 Roblox Players Installed a Chrome Extension with a Backdoor
Security researchers have warned that the browser extension SearchBlox, installed over 200,000 times, contains a backdoor capable of stealing Roblox account credentials and victims' funds on Rolimons, a Roblox trading platform. According to Bleeping Computer, the backdoor code was either intentionally added by the developer or appeared after a compromise. Both SearchBlox extensions in the Chrome Web Store (IDs: blddohgncmehcepnokognejaaahehncd and ccjalhebkdogpobnbdhfpincfeohonni) have been compromised. The extensions were advertised as tools to "find the right player on Roblox servers at lightning speed," but both contained malicious code.
Concerns about SearchBlox surfaced earlier this week. The RTC account, which shares unofficial Roblox news, posted on Twitter that SearchBlox was compromised and infected with a backdoor, strongly advising users to remove it and change their passwords. Journalists investigated by downloading both versions of SearchBlox and confirmed the presence of a backdoor in the content.js and button.js files. The malicious code sends Roblox user credentials to releasethen[.]site and activates when viewing a player profile on Rolimons.com.
Previous Incidents and Ongoing Investigation
This is not the first attack involving SearchBlox. In October of this year, Google already removed another version of the extension from the Chrome Web Store, where it had been available since June 28, 2022. It remains unclear whether the backdoor was added due to a compromise or intentionally by the developer. Some members of the Roblox community theorize (see discussions: 1, 2, 3, 4) that the developer is a user named Unstoppablelucent, whose inventory grew significantly overnight, while the Rolimons user ccfont was deleted due to suspicious trades.
What Should Affected Users Do?
- Immediately remove the SearchBlox extension if installed.
- Clear your browser cookies.
- Change your passwords for Roblox, Rolimons, and any other sites you accessed while using the extension.
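As an added defender-side check (this script is not from the article or from any party named in it), the following Python scans a Chrome user-data directory for the two extension IDs listed above and reports the profile, version and manifest name of every match, which is useful when checking a fleet rather than one browser. The profile layout it walks (`<profile>/Extensions/<id>/<version>/manifest.json`) and the sample fixture it builds for its offline demo are assumptions.

```python
import json
import sys
import tempfile
from pathlib import Path

# Chrome Web Store IDs of the two compromised SearchBlox listings, as given in the article.
SEARCHBLOX_IDS = {"blddohgncmehcepnokognejaaahehncd", "ccjalhebkdogpobnbdhfpincfeohonni"}

def find_searchblox(user_data_dir, bad_ids=SEARCHBLOX_IDS):
    """Walk <profile>/Extensions/<id>/<version>/ under a Chrome user-data directory and
    return (profile, extension_id, version, manifest name) for every installed ID in bad_ids."""
    hits = []
    root = Path(user_data_dir)
    if not root.is_dir():
        return hits
    for ext_dir in root.glob("*/Extensions/*"):
        if ext_dir.name not in bad_ids or not ext_dir.is_dir():
            continue
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            name, manifest = "<no manifest>", ver_dir / "manifest.json"
            if manifest.is_file():
                try:
                    name = json.loads(manifest.read_text(encoding="utf-8")).get("name", name)
                except (ValueError, OSError):
                    pass  # unreadable manifest: still report the directory by its ID
            hits.append((ext_dir.parent.parent.name, ext_dir.name, ver_dir.name, name))
    return hits

def build_sample_profile(user_data_dir):
    """Constructed fixture: a benign extension plus one SearchBlox ID in a 'Default' profile
    (sample layout for exercising the scanner offline, not a real install)."""
    for ext_id, name in (("aaaabbbbccccddddeeeeffffgggghhhh", "Harmless Extension"),
                         ("blddohgncmehcepnokognejaaahehncd", "SearchBlox")):
        ver = Path(user_data_dir) / "Default" / "Extensions" / ext_id / "1.0.0_0"
        ver.mkdir(parents=True)
        (ver / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))

def demo():
    """Scan a throwaway profile built by build_sample_profile and return its hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return find_searchblox(tmp)

if __name__ == "__main__":
    # Usage: python scan.py ~/.config/google-chrome   (no argument runs the offline demo)
    for hit in (find_searchblox(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("FOUND profile=%s id=%s version=%s name=%r" % hit)
```

Typical user-data directories are `~/.config/google-chrome` on Linux, `~/Library/Application Support/Google/Chrome` on macOS and `%LOCALAPPDATA%\Google\Chrome\User Data` on Windows; a hit only means the extension directory is still on disk, so follow it with the removal and password changes listed above.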
Bleeping Computer has notified Google engineers about the issue. A Google spokesperson has confirmed that the extensions have been removed from the Chrome Web Store and will be automatically deleted from systems where they are installed.