Chrome Extensions Warning — Millions of Users Infected

Perhaps as many as 87 million victims—maybe more.

Google is under fire yet again for the lax way it manages the Chrome Web Store. Researchers have discovered 34 malicious extensions that secretly do more than they’re supposed to.

And Google’s been ignoring reports since 2021. In today’s SB Blogwatch, we ask: What price SecOps?

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Why is blue bigger than red?

Malware Déjà Vu

What’s the craic? Bill Toulas worries about these “Malicious Chrome extensions with 75M installs”:

Manual action is required
Google has removed from the Chrome Web Store 32 malicious extensions that could alter search results and push spam or unwanted ads. … The malicious behavior … came in obfuscated code. … The potential for abuse ranges from inserting ads into webpages to stealing sensitive information.

There are numerous user reports and reviews on the Web Store indicating that the extensions were performing redirections and search result hijacking … sometimes even serving malicious links. … Users should note that the removal of the extensions from the Chrome Web Store does not automatically deactivate or uninstall them from their browsers, so manual action is required to eliminate the risk.

Horse’s mouth? Wladimir Palant, almost—“Malicious extensions in Chrome Web Store”:

87 million users
Despite reporting the issue to Google via two different channels, the … PDF Toolbox extension … remains online. … And I found more extensions in Chrome Web Store which are using … the same malicious code.

So now we are at 34 malicious extensions and 87 million users. … The most popular of these extensions are Autoskip for YouTube, Crystal Ad block and Brisk VPN. … It would seem that at least back in 2021 (yes, almost two years ago) the monetization approach of this extension was redirecting search pages.

Additionally, Luis Corrons and Jan Vojtěšek joined the battle—“Unmasking malicious extensions”:

Obfuscated code of malicious origin
A respected figure in the cybersecurity community, Wladimir Palant, discovered malicious code in the PDF Toolbox extension. His findings … prompted us to delve deeper into the issue. … We found that 32 malicious extensions with a whopping 75 million combined installs were available on the Chrome Web Store.

The extensions themselves … appear harmless at first glance. However, hidden within their code lies obfuscated code of malicious origin. [This] is a reminder that individuals must use caution when installing extensions – even those available on official platforms like the Chrome Web Store.

None of which surprises tjpnz:

I get a cold sweat whenever I use Chrome Web Store. How do I know that what I’m downloading is legitimate and not malware that’s been made to look like another well known extension? The download counts are … just a number—and who’s to know that it hasn’t been manipulated by bots?

[I doubt] Google could implement a meaningful review process. They claim to do that for ads, yet it’s not unusual to see ads in search for software that’s obviously malware.

What can we learn? stormcrash suggests this:

Google has hidden behind the shield of automation for far too long. … Automations that both fail to detect harmful or malicious apps/content and often brutally punish normal users arbitrarily with almost no recourse.

And if you’re responsible for security policy, don’t overlook extensions. Here’s cm2012:

I once worked with a company with insane security rules. 2FA every time you log into any program on your computer. I had to get fingerprinted to get a company laptop. No installation privileges. It goes on and on.

Chrome extensions? No limitations at all, not even checked, add whatever you want.
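The gap cm2012 describes is closable with Chrome's own enterprise policies. The following is an added example, not code from any of the quoted sources: a managed-policy file that blocks every extension by default and allowlists only the IDs an organization has reviewed. It assumes a Linux install, where Chrome reads policy from `/etc/opt/chrome/policies/managed/*.json` (on Windows the same keys go under the `Google\Chrome` policy registry hive, on macOS into a configuration profile); the 32-character extension ID shown is a placeholder, not a real extension.

```json
{
  "ExtensionInstallBlocklist": [
    "*"
  ],
  "ExtensionInstallAllowlist": [
    "abcdefghijklmnopabcdefghijklmnop"
  ]
}
```

Loaded policies can be confirmed at `chrome://policy`. Two things matter for the cases above: a blocklisted extension that is already installed is disabled rather than left running, which covers the "removal from the store does not uninstall it" problem, and an allowlist by ID means a later malicious update to an allowlisted extension is still accepted, so the review process has to be repeated when an extension changes owners or permissions.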

However, Adapheon blames the victims:

While Google’s security is utter ****, there’s also just the point to not download random bull****. New cursors and download managers? What is this, 2001?

And even if it’s clean today, an extension might be dirty tomorrow. As Grom_PE reminds us:

I don’t get how one is supposed to stay secure with the current way extensions work: … At any point of time, it may automatically update with malicious code after the author has agreed to transfer control to someone else for an enticing sum of money.

Meanwhile, DoktorYes sounds slightly sarcastic:

Don’t worry, AI will solve this problem! Add in some blockchain for good measure.

And Finally:

Fun with 3D printers

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Dynamic Wang (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
