Malicious extensions in the news again? No way! Well, yes, unfortunately, but you’re probably not surprised at all, and you’re certainly not happy about it. In February, Google removed more than 500 malicious extensions from the Chrome Web Store that were injecting ads into millions of Chrome browsing sessions. In June, Awake Security reported another 100 of 15,160 domains. Now, according to Avast, after it was first found by CZ.NIC, there are still 15 that users should uninstall right now!
Based on their recent discoveries, a total of 28 extensions (15 in Chrome and 13 in Edge), mainly geared towards Facebook and Instagram use cases, instead redirect users’ traffic to ads and phishing sites and collect their personal data, such as birth dates, email addresses, and active devices. Not only that, but they also collect browsing data and have the ability to download malware directly to a user’s device (but Chromebooks can’t get malware)!
Avast researchers said they believe extension developers have organized a campaign to divert user traffic for monetary gain, saying that “for every redirect to a third-party domain, cybercriminals would receive a payment.”
“Our hypothesis is that either the extensions were deliberately created with embedded malware, or the author waited for the extensions to become popular and then pushed an update containing the malware,” says Avast researcher Jan Rubin. “The author may also sell the original extensions to someone else after creating them, and then his client may have introduced the malware afterwards.”
It appears that Avast’s threat intelligence team began monitoring this threat in November, but I think it could have been active for years, as reflected in some of the extensions’ reviews. The craziest thing is that most of these extensions can still be downloaded, and since Avast informed Google about this issue, only a few of them have been removed from the Web Store, although each is said to be under investigation.
It’s not OK. Extensions have long been the weak link in Chrome browser armor – it’s just a real security vulnerability. To be fair, it is difficult, even almost impossible, to control an experience in which there is so much input and influence from third parties, and the Chrome Web Store feels practically like the Wild West. However, Google is doing a lot of things to change this, including creating an “approval seal” of sorts for extensions that help mitigate privacy issues, which will be launched earlier this year, and even giving you direct control over what data an extension has access to and on what websites.
There is no doubt that these issues may persist long after the new year, and there are certainly many things to do, so we’ll have to see what other creative solutions Google can come up with to discuss extensions in the presentation. I would vote that we simply get rid of them completely to solve the problem, but many extensions like Honey, Toby, Enhanced Stage, Cog, uBlock Origin and many others do real good for Chrome users and deserve to exist. This means that, instead, Google will have to take a more cautious approach to the situation and separate the sheep from the goats, so to speak, and that will take time.
Let me point out here and now that if you have any of the following extensions installed on your computer, remove them right now! Under no circumstances install the extensions below – we only link to them so that we can fully verify their identity. You can view your extensions by typing chrome://extensions in the URL bar, or Omnibox, above.