Chrome extensions are becoming a reason not to use Chrome
A couple of weeks ago, a reasonably popular Chrome extension was stolen and infested with adware. If you're familiar with Google, you know what happened next: nothing. As people sent up frantic smoke signals and attempted to recover or at least de-adware a popular extension, Google was its usual black hole self. Eventually, sufficient publicity appears to have gotten Google to do something, and they even did the right thing.
In the process of reading about this, I discovered a couple of things. First, this is apparently a reasonably common happening, either through attacks or just through buying a sufficiently popular extension and then quietly loading it down with adware and counting on Google to be Google. Second and more alarming, this has happened to an extension that I actually had installed, although I didn't have it enabled any more. Long ago, I installed 'User-Agent Switcher for Google Chrome' because it seemed vaguely like something I'd want to have around. Now, well, it's apparently a compromised extension. One that works quite hard to hide its actions, no less. I've said bad things about how Chrome extensions mutate themselves to add adware before, but at least back then this was being done by the extension authors themselves and they seemed to have relatively modest commercial goals. The extension compromises that happen now are active malware, and according to the news about the User-Agent switcher extension, you can't even file any sort of report to get Google's attention.
I'm not going to blame Google too much for making Chrome so popular that its extensions have become an attractive target for malware attackers. I am going to blame Google for everything else they do and don't do to contribute to the problem; the silent, forced extension auto-updates, the cultural view that a certain amount of malware is okay, the clearly ineffective review process for extensions (if there is any at all), and being a black hole when really bad stuff starts to happen. Google runs Chrome extensions with the same care and indifference that they handle abuse on everything else they do.
(The smarter attackers will target less visible extensions that still have a decent installed base. A uBlock Origin compromise would be so big a thing that it probably would get Google to act reasonably promptly. As the example of User-Agent Switcher shows, if you compromise a less-popular thing you can apparently stay active for quite some time.)
Comments on this page:Written on 14 August 2017.