Backdoored Chrome extension installed by 200,000 Roblox players


google chrome

Chrome browser extension 'SearchBlox' installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials and assets.

BleepingComputer has been able to analyze the extension code which indicates the presence of a backdoor, introduced either intentionally by its developer or after a compromise.

Chrome extension targets Roblox players

The 'SearchBlox' extensions found on the Chrome Web Store appear to be compromised, BleepingCompuer has observed.

There are two search results for 'SearchBlox' on Chrome. These extensions claim to let you "search Roblox servers for a desired player... blazingly fast" but both contained the backdoor.

The IDs of these unsafe extensions are:

  • blddohgncmehcepnokognejaaahehncd

  • ccjalhebkdogpobnbdhfpincfeohonni

Malicious SearchBlox extension on Chrome
Malicious SearchBlox extension on Chrome (BleepingComputer)

Early morning hours of Wednesday, suspicions arose among the Roblox community members of SearchBlox containing malware.

"Popular plug-in SearchBlox has been COMPROMISED / BACKDOORED - if you have it, your account may be at risk," tweeted RTC, an unofficial Roblox news and community account.

"Please change your passwords if you have it - and credentials, so that way your account is secure again."

We downloaded the Chrome extension for analysis and for the first extension (blddohgncmehcepnokognejaaahehncd) downloaded by over 200,000 users, the backdoor exists on line 3 of the 'content.js' file:

Backdoor within Chrome extension SearchBlox
Backdoor within Chrome extension 'SearchBlox' (BleepingComputer)

For the second extension (ccjalhebkdogpobnbdhfpincfeohonni) with just 959 downloads, the backdoor resided within the 'button.js' file.

The offending URL in either case is:


As if the URL structure 'image.png/image.txt' itself wasn't already interesting, the page contains HTML code that pretends to display an image using the '<img>' tag, but instead loads obfuscated JavaScript that is further encoded as HTML character entities (using the '&' and '#' symbols):

suspicious HTML JS code
Page pretends to contain HTML attempting to display an image (BleepingComputer) 

The code when decoded yields obfuscated code which further appears to be exfiltrating Roblox credentials to another domain:

Another offending domain collecting roblox credentials
Another suspicious domain in use by the extension (BleepingComputer)

Of note is the fact that both '' and '' were registered this month and share a common web host, Hostinger.

The code also appears to survey a player's profile on, a Roblox trading platform.

'SearchBlox' a repeat offender

Unfortunately, it doesn't seem like the first time a malicious 'SearchBlox' extension has targeted Roblox users either.

In October, Google reportedly took down another 'SearchBlox' sitting on the Chrome Web Store since at least Jun 28th, 2022.

As to whether the backdoor was injected in the extension after compromise by a threat actor or introduced intentionally by the developer is something that's yet to be authoritatively determined.

There is some speculation among Roblox community members [1, 2, 3, 4] who have noticed the inventory of user 'Unstoppablelucent', purportedly the extension's developer, multiply overnight whereas Roblox user 'ccfont' has been terminated today over suspicious inventory trades.

Both the extension as well as the offending URLs have a clean VirusTotal reputation at the time of writing, making detection of these malicious extensions a whole lot harder.

Suffice to say, anyone who has installed 'SearchBlox' should remove the extension immediately, clear their cookies and change their passwords for Roblox, and other websites they may have logged into while the extension was in use.

BleepingComputer notified Google of the malicious extensions prior to publishing. A Google spokesperson later confirmed that these extensions were taken down and will automatically be removed from systems where these were installed.

"The identified malicious extensions are no longer available on the Chrome Web Store," Google told BleepingComputer.

"The extensions are blocklisted and will be automatically removed from any user machine that previously downloaded them."


Nov 23, 2022 12:24 PM ET: Added statement from Google received hours after publication.

Nov 26, 2022 11:36 PM ET: Removed references to Rolimons that are not applicable.

Source link