Google is too slow at clearing crap from the Chrome extension store
Malware is something computer users -- and even mobile and tablet owners -- are now more aware of than ever. That said, many people do not give a second thought to installing a browser extension to add new features to their most frequently used application. Despite the increased awareness, malware is not something a lot of web users think of in relation to extensions; but they should.
Since the beginning of 2015 -- just over three months -- Google has already received over 100,000 complaints from Chrome users about "ad injectors" hidden in extensions. Security researchers have also discovered that a popular extension -- Webpage Screenshot -- includes code that could be used to send browsing history back to a remote server. Google is taking steps to clean up the extension store to try to prevent things like this from happening, but security still needs to be tightened up.
The effects of ad injectors can be varied. It might mean that you see more ads as you browse the web, or it could be that you see ads with a particular origin. But, as in the case of Webpage Screenshot, the payload could be more serious. Security researchers at ScrapeSentry detected a strange pattern in traffic, investigated Webpage Screenshot and detected the malicious code. Google recently announced that it had killed 192 malicious extensions, but it’s clear that not enough is being done to stop malicious code getting there in the first place.
Cristian Mariolini, a security analyst at ScrapeSentry, says:
"The repercussions of this could be quite major for the individuals who have downloaded the extension. What happens to the personal data and the motives for wanting it sent to the US server is anyone’s guess, but ScrapeSentry would take an educated guess it’s not going to be good news. And of course, if it’s not stopped, the plugin may, at any given time, be updated with new malicious functionality as well. We would hope Google will look into this security breach with some urgency."
ScrapeSentry's research shows that the extension could be used to send any information that can be seen in a browser tab back to an IP address located in the US.
Google is quick to point out that malicious ad injectors are not specific to Chrome -- they can also be found in Firefox and Internet Explorer. The company says: "We don’t ban injectors altogether -- if they want to, people can still choose to install injectors that clearly disclose what they do -- but injectors that sneak ads into a user’s browser would certainly violate our policies".
On May 1, Google will publish a report based on research carried out with the University of California, Berkeley which goes into more detail and aims "to increase awareness about ad injectors". ScrapeSentry's findings, however, show that there is a need for greater awareness right now, not in a month's time. It's great that Google is taking steps to clear out the crap, but more needs to be done, and faster.