Chrome extensions can be incredibly helpful tools for work or entertainment on the web, but like any online store with access to millions of users, it is also a ripe target for hackers. There are plenty of examples of malicious extensions being used to steal user data and more.
The latest discovery was made by AdGuard (opens in new tab), which originally was digging into a series of fake ad blockers and ultimately found a network of over 295 extensions in the Chrome Web Store that had been installed by up to 80 million users (via The Register).
- Best Chrome extensions for productivity in 2020
- Google Chrome vs. Microsoft Edge: Which browser is best?
- Work and school from home essentials: Laptops, monitors, furniture and more
Given the size of the Chrome Web Store and the market share for Google Chrome, those figures probably shouldn't be shocking, but it's the frequency with which we are seeing these kinds of problems surface that is a bit troubling.
This network of extensions included a variety of different types. Ad blockers were simply how AdGuard discovered the network, but it also included games, downloaders, themes, and wallpapers.
The extensions used three distinct methods, according to the team at AdGuard, including stenography and ads injection, cookie stuffing, and dangerous spam.
The first involves seemingly innocuous extensions that are remotely triggered later and inject ad images with malware on pages you are viewing without your knowledge. The second method, the most sparingly used with only six of the extensions relying on it, is the least damaging. It sets cookies for users then funnels affiliate payments back to the owner of the extension. The final category has yet to be activated but contains a tag that would allow the owner to upload new code without the users' awareness.
What is Google doing to fix this problem?
Google monitors and attempts to keep the Chrome Web Store free from such extensions and has increased these efforts recently with a Chrome Extensions Developer Advocate that ensures other extension developers (like AdGuard) have an easy resource to reach out to when they identify issues like those outlined here.
An upcoming migration to Manifest v3 should help to mitigate some of these problems as it will limit some of the abusive tactics used by malicious extensions, although it also implements some controversial changes to the webRequest API that will diminish the capabilities of ad blockers in particular.
How to avoid malicious Chrome extensions
The best way to protect yourself against these kind of malicious extensions is to ensure that the developer is known and trusted. Do a little research before installing the extension and ensure that when you install it either via the trusted developers site or via the Chrome Web Store that it is indeed the legitimate app and not a spoofed version.