Users of Google’s Chrome web browser could be in for a lot of grief due to one of the features that makes it so popular: its extensions.
Extensions add functionality to the browser and, like Chrome itself, are automatically updated to ensure users always have the latest version. But what happens when good extensions go bad?
Amit Agarwal, developer of the “Add to Feedly” extension … got an e-mail offering “4 figures” for the sale of his Chrome extension. The extension was only about an hour’s worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first … update, which injected adware on all webpages and started redirecting links. Chrome’s extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer’s intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension’s user base.
Remember, because Chrome is “One browser for your computer, phone and tablet”, once one device is infected, it propagates to all the others!
The “Add to Feedly” affair is not an isolated incident. It’s been reported that another simple Chrome extension called “Tweet This Page” (subsequently removed from Chrome’s Web Store) suddenly became an ad-injecting, search-hijacking monster.
What’s even more worrying is that normal removal techniques don’t work. Virus scanners don’t spot ’em, and even wiping your computer and reinstalling the OS from scratch won’t help as the extensions are synced from your Google account. When you sign in, they’re just downloaded all over again.
The only way to be rid of the malware is to find the extension in chrome://extensions and remove it—and to make sure the removal gets propagated to your account and down to all your other devices. Even when you have it narrowed down to Chrome, since nothing detects a malicious Chrome extension, the best course of action is to meticulously check the latest reviews of every extension and hope that someone else has figured out where the ads are coming from.
Extensions can even be “side-loaded” — bundled in with another piece of software — so that users aren’t even aware they’ve been added.
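To narrow down which installed or side-loaded extensions to review first, the following added example (not from the original article) lists those whose manifests grant access to every page, the access an ad-injecting update relies on. It assumes Chrome's on-disk layout `Extensions/<id>/<version>/manifest.json` inside a profile directory; the sample manifests, names and IDs are constructed.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that grant access to every page the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_access(manifest):
    """Return the manifest keys that give all-page access (empty list if none)."""
    reasons = set()
    for script in manifest.get("content_scripts", []):
        if isinstance(script, dict) and BROAD & set(script.get("matches", [])):
            reasons.add("content_scripts")
    for key in ("permissions", "host_permissions", "optional_permissions"):
        values = {p for p in manifest.get(key, []) if isinstance(p, str)}
        if BROAD & values:
            reasons.add(key)
    return sorted(reasons)

def audit_profile(extensions_dir):
    """Scan <dir>/<id>/<version>/manifest.json; return {id: (name, version, reasons)}."""
    findings = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        reasons = broad_access(manifest) if isinstance(manifest, dict) else []
        if reasons:
            findings[path.parts[-3]] = (manifest.get("name", "?"),
                                        manifest.get("version", "?"), reasons)
    return findings

# Constructed sample manifests (not real extensions).
SAMPLES = {
    "a" * 32: {"name": "Feed helper", "version": "1.0",
               "permissions": ["tabs", "https://feeds.example/*"]},
    "b" * 32: {"name": "Page tweeter", "version": "2.0",
               "permissions": ["tabs", "http://*/*", "https://*/*"],
               "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
}

def demo():
    # Build a throwaway Extensions directory from SAMPLES and audit it.
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in SAMPLES.items():
            folder = Path(root, ext_id, manifest["version"])
            folder.mkdir(parents=True)
            (folder / "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(root)
```

A flagged extension is not necessarily malicious, since many legitimate extensions need all-page access; the output only shortens the list whose recent updates and reviews need checking.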
Google have announced a new policy aimed at reducing or preventing extension hijacking, but it doesn’t come into force until June.