8

Today, the owner of the rather popular Web Developer toolbar noticed it had been hijacked and replaced with a malicious version. He disabled it, but the malicious version (diff) had been in the wild for at least an hour already.

  • What did it do while it was active (besides ad injection)?
  • What should I do to keep further ill-effects at bay?
    • Do I need to sign out/in of sessions for any webapps? Revoke keys? Change passwords?
Michael
  • Since the code loaded javascript from remote servers that may have changed over time, it's looking a little like [the worst case](https://security.stackexchange.com/q/15259/56961) may be helpful reading. – Michael Aug 02 '17 at 16:58

4 Answers

4

From the Twitter account you have linked, the author says:

I don’t know for sure yet, but it looks like it may have just been adware being injected. I’m still looking into the possible impact.

You have also asked whether you should sign out of sessions, revoke keys and change passwords. While I do not have access to the malicious code, and am unable to tell what the code did, I feel pretty confident in suggesting that you should end all sessions (to prevent session hijacks) and change your passwords.

I would say that it is much easier to change passwords than to later have to deal with your accounts being hacked.

vakus
2

They basically replaced advertisements and gathered Cloudflare credentials.

Proofpoint has an article with a thorough analysis of what happened.

lalo
1

An extension such as Web Developer has access to pretty much everything that is happening in the browser. It can read all the site content, it can intercept traffic, sniff keystrokes, or whatever you can imagine. Here is a pretty good write-up.

What it actually did will need further analysis. The owner should be able to give some details, but it is really hard to completely assess the scope of this. Here is why: the extension had the ability to inject ads and according to a tweet it also injected some JS content that changed over time.

What should I do to keep further ill-effects at bay?

Well, this is hard to answer. Given the possible scope, the safest bet is to change any passwords or API keys you used while the rogue extension was active. Signing out and back in is also a good idea, as your session could have been compromised as well. Basically, anything that appeared in your browser while the extension was active could have been relayed somewhere else.

Daniel Szpisjak
  • Thanks. You mention anything that "appeared in my browser." How about things that I did not navigate to or have loaded when the extension ran? Could it load a hidden iframe and attempt lots of popular websites to see if I had "remember me" sessions and click around in the ones that did? – Michael Aug 02 '17 at 17:14
  • @Michael, I think non-visited sites are not in immediate danger. An extension has two ways of accessing such sites. It could, as you suggested, load a hidden iframe or open it from the extension. Looking at the diff, the latter does not seem to apply. The former should be pretty limited too, as most secure sites do not allow framing (X-Frame-Options header) and the [Same Origin Policy](https://goo.gl/Kohuoc) would prevent tampering with the ones that do. The only thing left is CSRF attacks. Their effectiveness depends on the defenses deployed (CSRF tokens, referrer checking, etc.). – Daniel Szpisjak Aug 03 '17 at 07:20
0

Without analysing the malicious version of the extension, it's impossible to say what it did. However, as an extension, it wouldn't have most of the limitations which apply to scripts on web pages: for example, the same origin policy wouldn't apply, meaning that any data you've entered on any page whilst the extension was active on your system could have been grabbed and sent to the attacker.

Chrome provides a bunch of other APIs to extensions which allow for access to other data within the browser: https://developer.chrome.com/extensions/declare_permissions These include access to cookies (both for sites which are visited while the extension is active, and those stored for other sites), access to the privacy controls for the browser, access to DNS settings for the browser, and access to the geolocation data, without requiring a prompt. I'm not sure which of these the Web Developer extension used, but given the target usage for it, it's likely that it could at the very least access cookie data.

Given that, any sites where you have an active session, even if you didn't visit them while the malicious extension was active, could have been compromised. Any passwords you entered while the extension was active could have been compromised. Any data you entered in other fields (chat windows, search boxes, file uploads) could have been compromised. Any data shown to you by a website could have been compromised. And that's just from the minimal set of permissions that the extension would need to work!

If more permissions were given (whether the legitimate extension required them, or if the malicious version prompted for and was given them), the possibilities get worse. It could turn off safe browsing mode, so you don't get warnings on malicious websites which Google has detected, for one.

It all depends on what permissions the extension had...

Matthew
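The answers above keep coming back to the same point: what a hijacked extension could have done is bounded by the permissions its manifest declares. As an added example (not code from the page or from the Web Developer project), here is a small manifest audit that flags the capabilities discussed in the thread: all-hosts access, cookies, request interception, privacy/Safe Browsing controls, proxy, geolocation, content scripts on every page, and an extension CSP that permits loading scripts from remote origins. The sample manifest and the `example.invalid` origin are constructed for the demo, and the manifest shape assumed is the MV2 style linked in the answer.

```javascript
// Capabilities an attacker gains from each permission (defender's view).
const RISKY = {
  cookies: 'read/write cookies for permitted hosts (stored sessions, not just visited sites)',
  webRequest: 'observe every request and response header',
  webRequestBlocking: 'modify or block requests in flight',
  privacy: 'change privacy settings, e.g. turn off Safe Browsing',
  proxy: 'route all browser traffic through an attacker-chosen proxy',
  geolocation: 'read location data without a prompt',
  tabs: 'enumerate open tabs and their URLs',
};

// Match patterns that grant access to every origin.
const ALL_HOSTS = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

// Returns a list of human-readable findings for one manifest object.
function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];

  if (perms.some((p) => ALL_HOSTS.test(p))) {
    findings.push('host: full access to every origin (reads/alters page content on all sites)');
  }
  for (const p of perms) {
    if (RISKY[p]) findings.push(`permission ${p}: ${RISKY[p]}`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => ALL_HOSTS.test(m))) {
      findings.push('content_scripts: injected into every page (keystrokes, form data, DOM)');
    }
  }
  // A script-src that lists a remote origin lets extension pages pull code that
  // can change on the server side, which is what made the impact here hard to scope.
  const csp = manifest.content_security_policy || '';
  const scriptSrc = (csp.match(/script-src[^;]*/) || [''])[0];
  for (const origin of scriptSrc.split(/\s+/).filter((s) => /^https?:/.test(s))) {
    findings.push(`csp: extension pages may load scripts from ${origin} (content can change over time)`);
  }
  return findings;
}

// Constructed sample manifest; values are illustrative, not the real extension's.
const sampleManifest = {
  manifest_version: 2,
  name: 'example-devtools-extension',
  permissions: ['tabs', 'cookies', 'webRequest', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
  content_security_policy: "script-src 'self' https://example.invalid; object-src 'self'",
};

auditManifest(sampleManifest).forEach((f) => console.log(f));
```

Run it against an unpacked extension's manifest.json (for example by loading it with `JSON.parse` on the file contents) to get a quick picture of what a compromised update of that extension could reach.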