If you go to tap on your favorite Google Chrome extension and it no longer works like it used to, this could be why.
This week, Google has removed over 500 Chrome extensions due to concerns that they were redirecting users to malicious sites and ad content without users being aware.
The issue was identified by Cisco’s Duo security team – as explained by Duo:
“Browser extensions have been known as a weak point for individual security and privacy due to their potential for misuse under the general guise of helpful applications. In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”
In other words, users were being unknowingly redirected to ads so that the developers behind the extensions could take a cut of that traffic. In interviews with impacted users, most reported being unaware of any obvious impacts on their browsing experience.
Millions of users are likely impacted by these removals. According to Duo, their initial investigation showed that almost 2 million users had downloaded the extensions it identified, but Google’s subsequent action based on information from Duo significantly expanded on this scope. It’s not clear exactly how many people have installed these extensions, but as noted, if you try out an extension and it no longer works, this could be why.
It’s not the first time Google Chrome extensions have been used for such purposes. As reported by ZDNet, this type of fraud typically involves injecting ads within a browsing session, with the developers trying to hide the activity in order to avoid detection. In a more concerning attack, back in 2018, groups used Chrome extensions to steal login credentials, mine cryptocurrencies, and engage in click fraud, roping in more than 100,000 users.
Given this, it’s worth double-checking that your extensions come from reputable sources, and avoiding spammy-looking listings and tools.
Duo has published a full list of the extensions it identified in its investigation, while Google has removed the extensions from its web store, and deactivated them in browsers. Google has also marked the extensions as ‘malicious’ to stop people trying to re-add them through other means.
Follow Andrew Hutchinson on Twitter