Ron Amadeo from Ars Technica recently wrote an article about adware vendors buying Chrome extensions in order to push malicious, ad-injecting updates.
Google Chrome updates itself automatically to make sure that users are always running the latest version. Chrome itself is obviously updated directly by Google, but the same automatic update process also covers Chrome’s extensions. Extensions are updated by their owners, and it is up to the user to decide whether an extension owner is trustworthy or not.
When users download an extension, they are giving the extension owner permission to push new code out to their browser at any time.
What has inevitably happened is that adware vendors are buying extensions, and with them the users, from extension authors. These vendors then push adware out to every user of the extension, which can make for a dangerous browsing experience.
One Chrome extension author gave his personal account of this in a blog post entitled “I Sold a Chrome Extension but it was a bad decision.”
Amit Agarwal created a Feedly extension for Chrome in less than an hour and later sold it, unknowingly, to an adware vendor for a 4-figure offer. The extension had 30,000+ users on Chrome at the time of the sale. The new owners pushed an update to the Chrome Web Store that injected adware and affiliate links into the users’ browsing experience. While this extension has since been removed thanks to the publicity generated by Agarwal’s remorseful confession, this is a very common event with Chrome extensions.
Injected ads are allowed in Chrome extensions; however, Google’s policy states that it must be clearly disclosed to the user which app the ads are coming from, and they are not allowed to interfere with native ads or website functionality.
The biggest problem here is not the auto-updates themselves; it is an issue of user trust. An extension can change ownership without the user ever being informed that their trust has just been sold to a malware company.
The only things users can do right now to protect themselves are to stay informed of new updates or to stop using extensions entirely. Staying informed of new updates requires yet another extension, one that notifies the user when other extensions get updated.
Chrome does require the user’s approval when an extension adds new permissions. The permission that allows ad injection is called “Access your data on all web pages.” Many legitimate extensions already use this permission, so be aware that an adware buyer can purchase an extension that already holds it, in which case the malicious update arrives without any new approval prompt.
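As an added illustration of the “watch your other extensions” helper described above (example code written for this post, not from the article or from any existing extension): the core logic that diffs two snapshots of installed extensions and flags version changes, newly broadened host access, and updates that slipped through because the extension already had access to all web pages. In a real extension the snapshots would come from chrome.management.getAll() on a chrome.alarms schedule and be persisted with chrome.storage; the snapshot shape assumed here mirrors the fields of chrome.management.ExtensionInfo, and the sample data is constructed.

```javascript
// Host patterns that amount to "Access your data on all web pages".
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function hasBroadHostAccess(info) {
  return (info.hostPermissions || []).some((h) => BROAD_HOSTS.has(h));
}

// Compare a previous and a current snapshot (arrays of objects shaped like
// chrome.management.ExtensionInfo: id, name, version, hostPermissions) and
// return alerts a user should look at. Order: per current extension, then removals.
function diffSnapshots(previous, current) {
  const prevById = new Map(previous.map((e) => [e.id, e]));
  const alerts = [];
  for (const cur of current) {
    const prev = prevById.get(cur.id);
    if (!prev) {
      alerts.push({ id: cur.id, kind: "installed", message: `${cur.name} was installed (v${cur.version})` });
      continue;
    }
    if (prev.version !== cur.version) {
      // Chrome only prompts when *new* permissions are added, so an update to an
      // extension that already had broad host access arrives with no prompt at all.
      const silent = hasBroadHostAccess(prev) && hasBroadHostAccess(cur);
      alerts.push({
        id: cur.id,
        kind: "updated",
        message: `${cur.name} updated ${prev.version} -> ${cur.version}` +
          (silent ? " (already had access to all web pages; no permission prompt was shown)" : ""),
      });
    }
    if (!hasBroadHostAccess(prev) && hasBroadHostAccess(cur)) {
      alerts.push({ id: cur.id, kind: "broadened", message: `${cur.name} now has access to all web pages` });
    }
  }
  for (const prev of previous) {
    if (!current.some((e) => e.id === prev.id)) {
      alerts.push({ id: prev.id, kind: "removed", message: `${prev.name} was removed` });
    }
  }
  return alerts;
}

// Constructed sample snapshots; ids and names are placeholders, not real extensions.
const before = [
  { id: "aaaa", name: "Feed Reader", version: "1.0", hostPermissions: ["<all_urls>"] },
  { id: "bbbb", name: "Tab Tidy", version: "2.3", hostPermissions: [] },
];
const after = [
  { id: "aaaa", name: "Feed Reader", version: "1.1", hostPermissions: ["<all_urls>"] },
  { id: "bbbb", name: "Tab Tidy", version: "2.4", hostPermissions: ["<all_urls>"] },
];
```

Running `diffSnapshots(before, after)` yields one silent update for the reader extension and an update plus a broadened-access alert for the second one, which is the case where Chrome itself would have prompted.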
Google is not explicitly responsible for unwanted adware in extensions, but it does plan to change its extension policy in June 2014. The new policy will require extensions to serve only a single purpose that is narrow and easy to understand, and each Chrome extension will be allowed only a single visible UI “Surface” in Chrome.