A popular browser extension, once celebrated for its utility, has transformed into a security threat, highlighting the risks of remote code execution. This shift occurred after a change in ownership, putting thousands of users at risk of covert script injections and the removal of critical security headers.
The Transformation of QuickLens
The QuickLens extension, initially a legitimate tool for using Google Lens directly from the browser, has undergone a stark transformation. Initially lauded for its features like screen capture and Amazon product lookup, QuickLens amassed 7,000 active users and earned a Featured badge from Google. However, following its listing on ExtensionHub on October 11th, 2025, its ownership changed hands, leading to its misuse.
On February 1st, 2026, the extension’s control passed to an unverified entity operating under the domain supportdoodlebuggle.top. This change coincided with a move of the privacy policy to kowqlak.lat. By February 17th, version 5.8 was released, integrating a command-and-control platform, unbeknownst to users.
Security Breaches and User Exposure
The update to QuickLens introduced significant changes, including a new C2 server at api.extensionanalyticspro.top. Users were prompted to accept new permissions, and many did so without scrutiny. The added permissions included declarativeNetRequestWithHostAccess and webRequest, alongside a new rules.json file whose rules stripped essential security headers, such as Content-Security-Policy and X-Frame-Options, from HTTP responses.
This removal of security measures left users vulnerable to threats like clickjacking and cross-site scripting. The exploit further involved a technique known as the pixel trick, where the extension executed JavaScript code delivered by the C2 server, circumventing usual security protocols.
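A defender reviewing an extension before (or after) an update can check its manifest and declarativeNetRequest rules for exactly the behaviour described above. The following audit script is an added example, not code from QuickLens or its authors; the manifest and rules it scans are constructed to model the reported behaviour, and the header and permission watch-lists are the author's own choices.

```javascript
// Added example: audit a Manifest V3 extension's permissions and its
// declarativeNetRequest rules for rules that strip security headers.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "x-frame-options",
  "x-content-type-options", "strict-transport-security",
]);
const RISKY_PERMISSIONS = new Set([
  "declarativeNetRequestWithHostAccess", "webRequest", "webRequestBlocking",
]);

// Returns human-readable findings for one manifest plus its parsed rules.json.
function auditExtension(manifest, rules) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (RISKY_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  }
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = String(h.header).toLowerCase();
      if (h.operation === "remove" && SECURITY_HEADERS.has(name)) {
        const scope = (rule.condition && rule.condition.urlFilter) || "(all)";
        findings.push(`rule ${rule.id} removes ${name} on ${scope}`);
      }
    }
  }
  return findings;
}

// Constructed sample files modelled on the reported behaviour; not the real ones.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ["declarativeNetRequestWithHostAccess", "webRequest", "storage"],
  declarative_net_request: { rule_resources: [{ id: "r", enabled: true, path: "rules.json" }] },
};
const SAMPLE_RULES = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" } ] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 2, priority: 1,   // benign: sets a header instead of removing one
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "X-Extension-Trace", operation: "set", value: "1" } ] },
    condition: { urlFilter: "example.com" } },
];

function runSampleAudit() { return auditExtension(SAMPLE_MANIFEST, SAMPLE_RULES); }
console.log(runSampleAudit().join("\n"));
```

On a real extension, load the unpacked manifest.json and the rule file(s) named under rule_resources with JSON.parse and pass them to auditExtension; any "removes" finding on a broad urlFilter deserves the same suspicion as an unexpected permission prompt.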
Implications and Protective Measures
The malicious code injected by QuickLens remained hidden, executing only when the browser processed specific image elements. This tactic evaded static code analysis, making the attack hard to identify. The code could access session tokens and user data and exfiltrate them to external servers, all while maintaining the facade of a functional Google Lens tool.
To safeguard against such threats, organizations should enforce strict policies on browser extensions, monitoring for unexpected permission changes. Users are advised to regularly review installed extensions and treat any unsolicited permission updates with suspicion. Extensions with new ownership should undergo thorough scrutiny before continued use.
The QuickLens incident serves as a reminder of the potential risks associated with browser extensions. Vigilance and proactive security measures are crucial in protecting against such covert cyber threats.
