Friday, May 17, 2019

>>> Beware of browser extensions stealing your credentials / cookies / logins / sessions !!!

Recently I had to regain control over a client website. Turns out this one was hacked and delivered several pieces of malware; the client was unhappy because he couldn't use Google AdWords anymore. Then the website was cleaned. It took a long time, but the result is here. Then Google AdWords kept on telling us there was a problem within the website, having links to malicious pages.

The better way was to intercept any DOM node creation having src or href attributes and evaluate the domains there: either localhost and trusted, or untrusted. And here we go. Here is what I've discovered.

Turns out lots of SCRIPT, IMG and IFRAME tags are created within this one, except they are all originating from browser malware extensions, filling the website with other advertising or getting your cookie (especially your current sessionId, which allows the attacker to be logged in as you are and access all your profile subdata and so on).

Detection of it is mainly due to the fact that some of these developers override the current JavaScript window.onerror behaviour. As it turns out, some of the googletagmanager outer script throws an error, "cookieValue() is not a defined function"; then it opens XHR connections to distant, weirdly spelled domains / hosts (which are all anonymized) and also puts your current session Id in the payload. Investigations underway.
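One way to implement the interception described above, as an added example that is not the post's own code: a trusted-host classifier for src/href values plus a MutationObserver that reports SCRIPT, IMG and IFRAME nodes pointing at untrusted hosts. The host names are constructed placeholders, and the observer is used rather than patching createElement/appendChild because extension content scripts run in their own JS world where page-side patches do not apply.

```javascript
// Added example, not code from the original post. Host names are constructed.
const TRUSTED_HOSTS = new Set(["localhost", "127.0.0.1", "example-client.com"]);
const WATCHED_TAGS = new Set(["SCRIPT", "IMG", "IFRAME"]);

// Classify a src/href value: "trusted" | "untrusted" | "inline" | "invalid".
// Relative URLs resolve against the site's own origin (assumed base).
function classifyUrl(raw, baseOrigin = "https://www.example-client.com") {
  let url;
  try { url = new URL(raw, baseOrigin); } catch (e) { return "invalid"; }
  if (url.protocol === "data:" || url.protocol === "blob:") return "inline";
  if (url.protocol !== "http:" && url.protocol !== "https:") return "untrusted";
  const host = url.hostname.toLowerCase();
  for (const t of TRUSTED_HOSTS) {
    if (host === t || host.endsWith("." + t)) return "trusted"; // subdomains allowed
  }
  return "untrusted";
}

// Inspect one element-like object ({tagName, getAttribute}) and return a
// finding for watched tags that load from an untrusted host, else null.
function auditNode(node) {
  if (!node || !WATCHED_TAGS.has(String(node.tagName).toUpperCase())) return null;
  const value = node.getAttribute("src") || node.getAttribute("href");
  if (!value) return null;
  if (classifyUrl(value) !== "untrusted") return null;
  return { tag: node.tagName.toUpperCase(), url: value };
}

// Watch the live DOM: new nodes, nested nodes, and later src/href changes.
// A MutationObserver also sees nodes injected by extension content scripts.
function installDomWatch(doc, report) {
  const scan = (el) => { const f = auditNode(el); if (f) report(f); };
  const obs = new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === "attributes") { scan(r.target); continue; }
      for (const n of r.addedNodes) {
        if (n.nodeType !== 1) continue; // elements only
        scan(n);
        n.querySelectorAll("script,img,iframe").forEach(scan);
      }
    }
  });
  obs.observe(doc.documentElement, { childList: true, subtree: true,
    attributes: true, attributeFilter: ["src", "href"] });
  doc.querySelectorAll("script,img,iframe").forEach(scan); // already present
  return obs;
}

if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  installDomWatch(document, (f) => console.warn("untrusted resource:", f.tag, f.url));
}
```

Findings reported this way identify the injected node and its target host but not the injector; pairing them with a Content-Security-Policy report-uri gives a server-side record of the same loads.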
