Illustration by Amanda Excell, Staff Illustrator
Two developers who sold their popular Chrome extensions were shocked to see them being misused for aggressive advertising. Changes in Google Chrome extensions can expose thousands of users to advertising and other possible threats.
Extensions are small bits of code that have the power to change a browser by adding or removing features, and they are mostly created by outside developers. Previous extension holders have sold their right to change and edit their Google Chrome extensions, and this is where problems have begun to surface. The issue first came up when a technology blogger and developer of the “Add to Feedly” extension, Amit Agarwal, reported that after selling his extension, it was turned into adware, software that can bombard users with ads as they attempt to use the Internet. The extension had over 30,000 users at the time of its sale.
The second developer, Roman Skabichevsky, confirmed on Monday that his Chrome extension, “Tweet This Page,” suffered a similar fate of being turned into adware. Skabichevsky sold it because he did not think it could be improved further, and according to Infoworld, a woman named Amanda offered to buy the extension so that it could be developed further. By selling it, Skabichevsky thought he was doing the extension justice by letting it go. Rather, his extension became a platform for adware and other malicious functions.
According to Wall Street Journal, Internet message boards were abuzz over the two newly owned extensions. People described that the extensions were “silently updated to include code that served undesirable ads.” Chrome Extensions are usually updated in the background unless their permission requirements change. The problem is that many extensions already have permission to modify content on Web pages viewed by the user. Additionally, converting a trusted and popular extension into an advertising machine is a much more efficient and easier method for adware pushers than creating something from scratch, which adds another incentive for criminals to buy extensions for their own personal gain.
Because of this incident, according to Threat Post, Google pulled the extensions from the Chrome Store due to their “violation of the quality guidelines established by the company.” Google had updated its policies in December to prevent software developers from putting advertising on more than one part of the page. The policy states that extensions must have a single purpose and users can not be forced to agree to additional functionality.
Although in comparison to some of the other extensions, both “Add to Feedly” and “Tweet This Page” had a small number of users, this situation could lead to more harmful consequences. Since this incident, the owners of more popular extensions have been offered significant amounts of money to incorporate ad code into their extensions, according to Wall Street Journal.
“They could do worse like creating spam tweets on behalf of the extension users, or steal information from opened web pages,” Skabichevsky said. “The extension was using my old Twitter API keys and I just reset them.”
However, according to Zoltan Balazs, the CTO of IT security research firm MRG Effitas, using extensions to distribute malware directly is unlikely due to the scans that Chrome performs. Thus, he believes that dropping traditional malware is not a real threat here because it happens so infrequently due to the security measures.
What users should be cautious of is performing form injection, cookie stealing, credit card information being stolen, and password stealing. Criminals tend to purchase extensions that wield a lot of power and contain a free pass on the security measures. Additionally, extension developers paid to inject adware within the code could do great harm, even if it is not spreading malware exactly. Although not many users were impacted by the extension incidents, these cases prove that Google, much like other browsers and companies, can become victim to criminals and malicious adware.