If you use Google's popular web browser Chrome, you may want to think twice before downloading your next extension. The company recently pulled two products from its extension store after they started pushing malware on their users.
The story starts with Amit Agarwal, a tech blogger who created the Add to Feedly extension to augment the popular RSS service. In a blog post, Agarwal says someone offered to buy his extension after it gained around 30,000 Chrome users. "It was a 4-figure offer for something that had taken an hour to create and I agreed to the deal." (Via Digital Inspiration)
A few months after the purchase, Add to Feedly's new owners quietly updated the extension with adware. The once-useful add-on now injected malicious ads onto webpages, replacing links and confronting users with pop-ups. (Via OMG Chrome)
After Add to Feedly's woes went public, a writer for Ars Technica shared a similar experience he had with a different Chrome extension.
"About a month ago, I had a very simple Chrome extension called 'Tweet This Page' suddenly transform into an ad-injecting machine and start hijacking Google searches. ... The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect."
The Wall Street Journal notes that in both cases malware purveyors took advantage of an existing extension's user base and Chrome's lax security standards. "Google doesn't review changes to the code of Chrome extensions, and Chrome allows extensions to be updated and pushed to users' computers automatically."
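Because updates arrive silently, the practical defence is to keep your own record of what each installed extension was allowed to do and to compare it against whatever version is on disk now. The script below is an added example written for this article, not code from Google or from any of the extensions named above; it reads a Chrome profile's Extensions tree (the default Linux profile lives under ~/.config/google-chrome/Default) and flags updates that add broad host scope, sensitive APIs, or a content script injected into every page. The two manifests embedded in it are constructed samples, not the real manifests of Add to Feedly or Tweet This Page.

```python
import json
from pathlib import Path

# Match patterns and permissions that give an extension reach into every page the
# user visits. An update that quietly adds one of these is the pattern described
# in the article: a harmless add-on turning into an ad injector.
BROAD_SCOPES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                         "history", "cookies", "declarativeNetRequest"}


def summarize_manifest(manifest: dict) -> dict:
    """Reduce a manifest.json to the fields that matter for an update audit."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # Manifest V3 keeps hosts here
    matches = set()
    for script in manifest.get("content_scripts", []):
        matches.update(script.get("matches", []))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "0"),
        "permissions": perms,
        "content_matches": matches,
    }


def audit_update(before: dict, after: dict) -> list:
    """Compare two summaries of the same extension and list what got riskier."""
    findings = []
    if before["version"] != after["version"]:
        findings.append(f"version changed {before['version']} -> {after['version']}")
    for perm in sorted(after["permissions"] - before["permissions"]):
        if perm in BROAD_SCOPES or perm in SENSITIVE_PERMISSIONS:
            findings.append(f"new sensitive permission: {perm}")
    for pattern in sorted(after["content_matches"] - before["content_matches"]):
        if pattern in BROAD_SCOPES:
            findings.append(f"content script now injected into all pages: {pattern}")
    return findings


def risky_at_rest(summary: dict) -> list:
    """Flag an extension that already holds page-wide reach, even with no update.
    This covers the delayed-activation case: the manifest need not change for
    already-granted <all_urls> access to start being abused later."""
    broad = (summary["permissions"] | summary["content_matches"]) & BROAD_SCOPES
    return [f"{summary['name']} can read/modify every page via {b}" for b in sorted(broad)]


def load_installed(profile_dir: str) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarize each.
    Chrome keeps one directory per installed version, so the extension id is two
    levels above the manifest."""
    result = {}
    for manifest_path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            result[ext_id] = summarize_manifest(json.load(fh))
    return result


# Constructed sample manifests: a one-purpose button before and after a hostile
# update. These are illustrative only, not the real extensions' manifests.
BASELINE_MANIFEST = {
    "name": "Example Share Button",
    "version": "1.0",
    "permissions": ["activeTab"],
}
UPDATED_MANIFEST = {
    "name": "Example Share Button",
    "version": "1.1",
    "permissions": ["activeTab", "tabs", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


def demo() -> list:
    """Run the audit on the constructed before/after pair."""
    return audit_update(summarize_manifest(BASELINE_MANIFEST),
                        summarize_manifest(UPDATED_MANIFEST))


if __name__ == "__main__":
    for line in demo():
        print(line)
    # To audit a real profile, snapshot load_installed(...) once, store it, and
    # compare each extension id against a fresh snapshot with audit_update().
```

The comparison is deliberately coarse: it does not try to decide whether the new code is malicious, only whether the update widened what the extension is allowed to touch, which is the question a user can actually answer before re-enabling it.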
Google has since removed both extensions from its store, but the practice of spreading malware through Chrome extensions is still a threat.
A developer of the Chrome extension Honey recently held an Ask Me Anything on Reddit, revealing the add-on had received numerous buy-out offers from malware companies and data collection firms. According to Google, Honey has about 300,000 users.
And Quartz points out that Chrome's security team still mostly relies on user reviews to police its extension store. "Google looks like it's taking a more proactive role in enforcement, but it is still a long way from Apple's in-house regulatory commission, or even Firefox's less-rigorous editorial review."
Back in December, Google announced it will limit add-ons to a single function, getting rid of Trojan Horse extensions that deliver ads in addition to their normal use. The policy goes into full effect in June.