DuckDuckGo is one of the favorite search options for users who are moving away from Google and who care about privacy on the web.
So, to make it easier to use (and, incidentally, to add features such as blocking advertising tracking networks), its creators also launched extensions for the main browsers: Firefox, Chrome and MS Edge.
The problem is that it has now been discovered that, for several months, DuckDuckGo Privacy Essentials has been putting at risk precisely the privacy of its users. How so?
Small vulnerability, huge (potential) consequences
The vulnerability allows an attacker to access the browser history and all sensitive information entered by the user (such as the data linked to their bank account), as well as to alter the information displayed on the user's screen.
The chances of an attacker gaining such a degree of access are slim, but the potential results are still catastrophic, even if you are a user of secure browsing tools like SecureDrop or ProtonMail.
The good news in this case is that this kind of attack can only be carried out by someone who controls the server http://staticcdn.duckduckgo.com.
That is, in principle, by DuckDuckGo itself. But it could also be exploited by its hosting provider (none other than Microsoft, via Azure) or by any attacker who takes over that server (cybercriminals, government agencies, etc.).
According to Wladimir Palant, the creator of Adblock Plus and the researcher who originally detected the vulnerability, it had been present for several months, and it was only in the last few days, with the release of version 2021.3.8 of the extension for the big three browsers, that it was finally fixed.
So take a look at your extension manager to make sure the extension has been updated correctly.