Fake Chrome Extensions: Google Asleep at the Switch

Hey there. Umm … that “Microsoft Authenticator” extension you installed? The one with access to all your browsing, and that can redirect you anywhere when you least expect it? It’s actually malware, designed to phish for your passwords. (Nice blue couch, BTW.)

No, Microsoft didn’t write it. Yet it’s in the Google Chrome extensions store. Y’see, Google doesn’t really do any checks before it publishes browser extensions. Because of course it doesn’t.

Be careful out there. That’s always good advice. But shouldn’t we expect more of Google, given how much it crows about its AI chops?

And Firefox won’t save you, either. In today’s SB Blogwatch, we burn the whole thing down.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Atomic diagrams.

“Yay, I’ve been phished.”

What’s the craic? Martin Brinkmann reports—“Don’t download this Microsoft Authenticator extension”:

“400 users”
Extension stores that rely on automatic … submission reviews are more prone to fake and malicious extensions being offered. … The name suggests that it is an official product by Microsoft, but it is not. One hint that something is off is that the company that is offering the extension is not Microsoft Corporation but “Extensions.” … The developer email … uses a Gmail address, and not an official Microsoft address.

In this case, it is pretty obvious that the extension is … fake. Still, more than 400 users have installed the extension already.
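As an added example (not code from the article or from any of the quoted sources), the hints listed above, a publisher that is not the brand owner and a free-mail developer address, plus the all-sites access mentioned in the intro, can be checked mechanically. The `listing` dictionary layout, the `BRANDS` table and both sample records are assumptions constructed for illustration; the manifest keys are the standard Chrome extension ones.

```python
"""Triage a browser-extension listing for the impersonation hints described above."""

# Assumption: brand -> (expected publisher, official e-mail domains). Extend as needed.
BRANDS = {"microsoft": ("Microsoft Corporation", {"microsoft.com"})}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every match pattern the manifest requests (MV2 and MV3 layouts)."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "/" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def triage(listing, manifest):
    """Return a sorted list of finding codes for one extension."""
    findings = set()
    name = listing["name"].lower()
    publisher = listing.get("publisher", "").strip().lower()
    domain = listing.get("developer_email", "").rpartition("@")[2].lower()
    for brand, (owner, domains) in BRANDS.items():
        if brand not in name:
            continue  # the listing does not claim this brand
        if publisher != owner.lower():
            findings.add("brand-publisher-mismatch")
        if domain not in domains:
            findings.add("free-mail-developer" if domain in FREE_MAIL
                         else "unofficial-developer-domain")
    if host_patterns(manifest) & BROAD_HOSTS:
        findings.add("all-sites-access")
    return sorted(findings)


# Constructed sample modelled on the listing described in the article.
FAKE = ({"name": "Microsoft Authenticator", "publisher": "Extensions",
         "developer_email": "someone@gmail.com"},
        {"manifest_version": 3, "name": "Microsoft Authenticator",
         "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]})
# Constructed benign sample: narrow host access, no brand claim.
BENIGN = ({"name": "Tab Sorter", "publisher": "Example Dev",
           "developer_email": "dev@example.org"},
          {"manifest_version": 3, "permissions": ["tabs"],
           "host_permissions": ["https://example.org/*"]})

if __name__ == "__main__":
    for listing, manifest in (FAKE, BENIGN):
        print(listing["name"], "->", triage(listing, manifest) or "no findings")
```

A brand mismatch on its own is only a prompt for manual review; combined with all-sites access it is the pattern the article describes.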

Oops. Katyanna Quach agrees—“The Microsoft Authenticator extension in the Chrome store wasn’t actually made by Microsoft. Oops.”:

“Google declined to comment”
The trustworthiness of Google’s Chrome Store was again called into question after an extension billing itself as Microsoft Authenticator was published by the software souk. … When someone submitted a dodgy Chrome add-on called Microsoft Authenticator to the browser’s store, one would hope Google would have given it more than a cursory glance.

The legit Microsoft Authenticator [has] password-manager-like features. … The add-on’s code contained a suspicious URL that took the browser to a website hosted in Poland [and] tried to phish netizens by redirecting them to a fake login page and asking for account credentials.

Google declined to comment … how this add-on slipped through the net. The extension has now been pulled.

Who discovered it? cheph, who invokes Schoolman and Serra:

“We are not the customer”
Google won’t remove it even though it has been reported multiple times. … Google doesn’t care.

Caring removes money from them … so better to shift the bull**** to their “users”—who are really the product being sold to advertisers—so who cares? Customer is always right, it’s just we are not the customer.

In a similar vein, Pascal Monett has a bridge to sell you:

“I have a bridge to sell you”
Let’s be clear: Google is not there to curate the content of its Store, it’s there to make money. Anything goes until someone complains. That’s when Google reacts and goes fishing for a reason not to remove the app.

If you think Google is going to pre-emptively deprive itself of revenue when nobody has noticed anything, I have a bridge to sell you.

With a pseudonym like Google Sucks, I think we can guess the gist of this comment:

“Much malware lurking”
This is what can happen when “stores” distribute completely unverified and untested software and also when they do not take sufficient steps to remove obviously fake reviews. … Google has a horrible history (and present) with all these significant problems.

It is reasonable to assume that there is much malware lurking in all of Google’s stores. But most of it won’t be this obvious.

Is it only a Google problem? pingec thinks not:

“Firefox”
The problem of rogue addons applies to Firefox as well. I wish it were possible in Firefox to limit which addons can be loaded on a per-container basis. The extensions I want loaded on banking websites, social media and YouTube are completely different.

Oh no. Tip o’ the Jhat to JBowler: [You’re fired—Ed.]

“Circle round”
Now let’s all join hands and find a web browser that is NOT based on WebKit. At least if we fail we can circle round in our flowy skirts singing about world pieces.

But who in their right mind would install such an extension? Anonymous reckons that’s the wrong question:

“Nobody deserves to be phished”
We were all naïve when we started using computers and internet. If you start with the thought, ‘no criminal deserves to make a profit,’ it follows that nobody deserves to be phished.

Meanwhile, Peter Prof Fox asks the age-old question:

“Qui authenticators et authenticas reddat?”

And Finally:

“The nitty-gritty reality of atoms”



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Microsoft Corp. (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
