Chrome extensions are becoming a reason not to use Chrome

August 14, 2017

A couple of weeks ago, a reasonably popular Chrome extension was stolen and infested with adware. If you're familiar with Google, you know what happened next: nothing. As people sent up frantic smoke signals and attempted to recover or at least de-adware a popular extension, Google was its usual black hole self. Eventually, sufficient publicity appears to have gotten Google to do something, and they even did the right thing.

In the process of reading about this, I discovered a couple of things. First, this is apparently a reasonably common happening, either through attacks or just through buying a sufficiently popular extension and then quietly loading it down with adware and counting on Google to be Google. Second and more alarming, this has happened to an extension that I actually had installed, although I didn't have it enabled any more. Long ago, I installed 'User-Agent Switcher for Google Chrome' because it seemed vaguely like something I'd want to have around. Now, well, it's apparently a compromised extension. One that works quite hard to hide its actions, no less. I've said bad things about how Chrome extensions mutate themselves to add adware before, but at least back then this was being done by the extension authors themselves and they seemed to have relatively modest commercial goals. The extension compromises that happen now are active malware, and according to the news about the User-Agent switcher extension, you can't even file any sort of report to get Google's attention.

I'm not going to blame Google too much for making Chrome so popular that its extensions have become an attractive target for malware attackers. I am going to blame Google for everything else they do and don't do to contribute to the problem; the silent, forced extension auto-updates, the cultural view that a certain amount of malware is okay, the clearly ineffective review process for extensions (if there is any at all), and being a black hole when really bad stuff starts to happen. Google runs Chrome extensions with the same care and indifference that they handle abuse on everything else they do.

These days I only use Chrome to run Javascript, because it does that better than Firefox on Linux. But I do use some extensions there, and they're apparently all potential time bombs. I'm sure the author of uBlock Origin is taking precautions, but are they taking enough of them? There are likely plenty of attackers that would love to gain control over such a popular and powerful extension.

(The smarter attackers will target less visible extensions that still have a decent installed base. A uBlock Origin compromise would be so big a thing that it probably would get Google to act reasonably promptly. As the example of User-Agent Switcher shows, if you compromise a less-popular thing you can apparently stay active for quite some time.)


Comments on this page:

By Aneurin Price at 2017-08-14 18:04:45:

Note that there is a 'User-Agent Switcher for Google Chrome' extension by Google, which may well be the one you had installed.

Whether the other 'User-Agent Switcher for Google Chrome' was ever legit sounds pretty questionable given how it seems to have been deliberately designed to misrepresent itself.

I'm not certain there exist any sufficiently strong arguments to convince me that allowing multiple extensions with exactly the same name in the Chrome Web Store is a sensible idea. Google be Google I guess.

Written on 14 August 2017.
« Sorting out slice mutability in Go
How to get per-user fair share scheduling on Ubuntu 16.04 (with systemd) »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Aug 14 00:35:57 2017
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.