3 Million Chrome Users Infected via Extensions—Here We Go Again

28 browser extensions for Chrome and Edge were laced with malware, says an anti-virus vendor. And these are popular add-ons, promising to help users download undownloadable content from social platforms. 3 million users is not nothing.

Oh look, it’s this story again. Not the first time, and probably won’t be the last. Google needs to do a much better job of curating and monitoring these things.

Oh, what a tangled web we weave. In today’s SB Blogwatch, we check our extensions.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mandalorian bar-fight reality.


Have a Nice Latte and Stop Worrying

What’s the craic? Dan Goodin reports—“Up to 3 million devices infected by malware-laced Chrome and Edge add-ons”:

 In all, researchers … said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify.

Over the past few years, third-party add-ons have become a widely used means for infecting people with malware. … Last year, a researcher uncovered Chrome and Firefox extensions that collected and published the browsing histories of an estimated 4 million people.

Google and Microsoft didn’t immediately respond to an email seeking comment. … Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.

Then Satsuki Then added—“3 million people are infected”: [You’re fired—Ed.]

 The malware could redirect user traffic to ads or phishing sites. Malware is also able to steal personal data like birthdays, email addresses, and active devices.

Malicious code was discovered in the JavaScript-based extensions allowing them to download more malware onto a user’s computer. Users infected with these malicious extensions also report the extensions can redirect them to other websites.

The extension sends information about what users are clicking to the attacker’s control server. That server can send a command to redirect the victim from the real link to a hijacked URL before redirecting them to the website they wanted to visit. … Every time connections are redirected to a third-party domain, the criminals get paid.

Who discovered it? Edvard Rejthar is lost in translation—“Hledání škodlivého kódu mezi doplňky” (Searching for malicious code among add-ons):

 I bring you a note from a malware hunt. … I identified some non-standard behavior … found out what add-on it came from, and discovered in the innocent-looking source code which lines are responsible for it.

The finger pointed to the Video Downloader for FaceBook extension, which has more than 200,000 users. … It uses a number of wrapping techniques, where individual commands are tokenized into hundreds of local variables, which always contain only a few letters of the command.

It can do absolutely anything that the extension owner pushes. It can wait for a browser vulnerability to appear that you have not yet patched and through which it gains access to your system.

Be careful who you trust and what you install on your computer and phone. … 200,000 users and an official platform do not guarantee that the application is secure.
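The “hundreds of local variables, each holding a few letters of the command” wrapping Rejthar describes leaves a measurable footprint: an unusual share of very short string literals stitched back together with concatenation. Below is an added triage heuristic for that footprint, written for this post and not taken from Rejthar’s write-up or from any of the extensions; the two JavaScript samples it scans are constructed inline, and the threshold values are assumptions to tune against your own corpus.

```python
import re

# Constructed sample resembling the wrapping technique described above (a benign
# API name split into two-letter fragments). This is NOT the real extension's code.
SUSPECT_SAMPLE = "".join(
    f"var v{i}='{chunk}';"
    for i, chunk in enumerate(["ch", "ro", "me", ".r", "un", "ti", "me", ".s", "en", "dM", "es", "sa", "ge"])
) + "var cmd=" + "+".join(f"v{i}" for i in range(13)) + ";"

# Constructed benign sample: a couple of ordinary, full-length string literals.
BENIGN_SAMPLE = """
const API = 'https://example.invalid/api/v1/download';
function download(url) { return fetch(API + '?u=' + encodeURIComponent(url)); }
"""

# Single- or double-quoted JS string literal, allowing backslash escapes inside.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")

def fragment_stats(source):
    """Count string literals, how many are 1-3 characters long, and how many '+' operators appear."""
    literals = [a or b for a, b in STRING_LITERAL.findall(source)]
    short = sum(1 for s in literals if 1 <= len(s) <= 3)
    return {"literals": len(literals), "short": short, "concat_ops": source.count("+")}

def looks_tokenised(source, min_literals=10, min_short_ratio=0.8):
    """Flag source where most string literals are tiny fragments and there is enough
    concatenation to reassemble them. Thresholds are assumed starting points, not facts."""
    stats = fragment_stats(source)
    if stats["literals"] < min_literals:
        return False
    short_ratio = stats["short"] / stats["literals"]
    # Require roughly one '+' per two fragments so isolated short strings (flags, separators) don't trip it.
    return short_ratio >= min_short_ratio and stats["concat_ops"] >= stats["short"] // 2

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, fragment_stats(src), "tokenised" if looks_tokenised(src) else "clean")
```

Treat a hit as a reason to read the file, not as a verdict: minified bundles and localisation tables also carry many short literals, so the heuristic is for prioritising which unpacked extension sources a reviewer looks at first.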

And next, Avast researcher Jan Rubin picked up the ball and ran—“Third-party extensions … have infected millions”:

 Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards. … We believe that these domains are not owned by the cybercriminals, but that the owners of these domains pay the cybercriminals for every redirection.

Those poor victims. But jrhmobile is a self-confessed victim blamer:

 A lot of these folks had this coming. A big portion of these malware carriers are tools to get around copyright and platform protections for media content.

Some low-rent, but free-priced … product to pirate content off streaming sites. And now they’re shocked — SHOCKED — to find out that their co-conspirator for ripping off pirated content is ripping them off.

Who’da thought that installing free software for stealing internet content would actually steal from them too? Congratulations, dummies.

There’s a wider issue. So says Geek On The Hill:

 Google, Microsoft, and Facebook are all in the data-mining business anyway. It’s not as if this malware is infecting something pristine.

That’s not to say it shouldn’t be aggressively dealt with, mind you. No need to add insult to injury. But realistically, the software the malware infects is already violative of users’ privacy, as is Win10 itself. I suspect that more data is mined by the combination of the Win10 OS and the uninfected browser than by the extensions.

How could we have known? Daniel told ya so:

 A year or two ago we set up a policy at work to block Chrome extensions unless we put them on an allow list. We’re pretty reasonable, allow lastpass, ublock, etc. Whenever I see something about another vulnerable Chrome extension I’m happy we did it.
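Daniel’s “block everything, then allow-list” approach maps onto two managed policies that Chrome and Edge both honour, ExtensionInstallBlocklist and ExtensionInstallAllowlist. The script below is an added example written for this post (not Daniel’s setup or any vendor’s tool): it emits that policy JSON and audits a profile’s Extensions directory for anything not on the list. The 32-character IDs are placeholders (take real ones from an extension’s Web Store URL), the sample profile tree is constructed in a temp directory, and the “risky permissions” set is an assumption about what deserves a second look.

```python
import json
import os
import tempfile

# Constructed allowlist. PLACEHOLDER IDs: replace with the IDs from the Web Store URLs you trust.
ALLOWLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "password manager (placeholder id)",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "content blocker (placeholder id)",
}

# Assumed set of permissions worth escalating when the extension is unknown.
HIGH_RISK_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "<all_urls>", "cookies", "history"}

def build_policy(allowlist):
    """Managed-policy JSON: block every extension ID, then re-allow only the listed ones."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowlist),
    }

def installed_extensions(profile_dir):
    """Yield (id, version, manifest) from <profile>/Extensions/<id>/<version>/manifest.json."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            manifest_path = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(manifest_path):
                with open(manifest_path, encoding="utf-8") as f:
                    yield ext_id, version, json.load(f)

def audit(profile_dir, allowlist=ALLOWLIST):
    """Return one finding per installed extension that is not on the allowlist."""
    findings = []
    for ext_id, version, manifest in installed_extensions(profile_dir):
        if ext_id in allowlist:
            continue
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": version,
            "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        })
    return findings

def make_sample_profile():
    """Constructed profile tree: one allow-listed extension and one unknown downloader-style one."""
    profile = tempfile.mkdtemp(prefix="chrome-profile-")
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "4.0.1"): {
            "name": "Allowed Password Manager", "manifest_version": 3, "permissions": ["storage"]},
        ("cccccccccccccccccccccccccccccccc", "1.2.0"): {
            "name": "Sample Video Downloader", "manifest_version": 2,
            "permissions": ["tabs", "webRequest", "<all_urls>"]},
    }
    for (ext_id, version), manifest in samples.items():
        d = os.path.join(profile, "Extensions", ext_id, version)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return profile

if __name__ == "__main__":
    print(json.dumps(build_policy(ALLOWLIST), indent=2))
    for finding in audit(make_sample_profile()):
        print("NOT ALLOWLISTED:", finding)
```

On a managed Linux host the policy output goes into a file under /etc/opt/chrome/policies/managed/; on Windows the same two policies are set through the Chrome or Edge ADMX templates. The audit half is for the “am I already carrying one of these?” question the Ars quote raises: point it at a real profile directory and anything that shows up is a removal or review candidate.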

Here we go again. GeneralFailureDriveA is feeling a touch of déjà vu:

 We suck at doing computers securely. … It would be useful to admit this. Yet, the usual parties will simply assure us they will do better, as they have every time before, and we will see the same article with different extension names, in 6 months, or 12 months.

The story does not change. Perhaps we ought to reconsider our obsession with putting computers in everything?

Meanwhile, this Anonymous Coward just shrugs at the thought of privacy invasion:

 Facebook and Google are doing it without a plugin. So what is all the fuss about?

And Finally:

How deadly is Mando really?



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Yuko Honda (cc:by-sa)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
