back to article Chrome web dev plugin with 1m+ users hijacked, crams ads into browsers

A popular Chrome extension was hijacked earlier today to inject ads into browsers, and potentially run malicious JavaScript, after the plugin's creator was hacked. Chris Pederick, maker of the Web Developer for Chrome extension, is urging anyone who uses his programming tool to update to version 0.5 or later. That's because …

  1. Anonymous Coward
    Anonymous Coward

    Plugins are privilaged code so potentially dangerous

    The way google promotes plugins is irresponsible. Just look how many of the damn things are in their "web store".

    The first results are an emoji keyboard, and a fidget spinner, which shows people have no concept of reducing their attack surface, and I can only imagine their browsers look like IE6 with a dozen toolbars.

    1. Anonymous Coward
      Anonymous Coward

      Re: IE6

      How could you!!! Chrome makes the web BETTER!!!! IT DOES!!!!!

  2. Anonymous Coward
    Anonymous Coward

    Signing Sigh

    Android apps are signed by their creators. Android will only allow an upgrade if the updated APK is signed by the same person.

    That simple check would have prevented this. They might have had access to his Google account, but wouldn't have been able to push an update without his private key.

    1. CrazyOldCatMan Silver badge

      Re: Signing Sigh

      Android will only allow an upgrade if the updated APK is signed by the same person

      Unfortunately, the phishing attack got all his google dev credentials, including signing key.

      1. Anonymous Coward
        Anonymous Coward

        Re: Signing Sigh

        "Unfortunately, the phishing attack got all his google dev credentials, including signing key."

        The private key should never have left his development environment. That is why it is called a private key. If he uploaded it to the same Google account used to publish the plugins, then he deserves pain.

      2. patrickstar

        Re: Signing Sigh

        I don't know how it works for Chrome Extensions, but atleast for the Apple App Store (and I think for Google Play as well, but I'm senile) you can generate a new key and have it signed with just the normal account login.

        Some of these things are even worse - they generate the keys server-side and send you the private key!

        Great security in either case...

  3. Anonymous Coward
    Anonymous Coward

    So he gets himself phished but he thinks it's not his fault?

    1. Anonymous Coward
      Anonymous Coward

      He's Human. We all like to think we're smart enough that it won't happen to us, tell me you've never made a stupid mistake and won't ever again.

      Kudos to him for being honest about it.

      1. Anonymous Coward
        Anonymous Coward

        Yup, but divorced her

    2. Richard 12 Silver badge

      "I stupidly fell for a phishing attack"

      That sounds like a mea culpa to me.

      What else would you have him say?

  4. Anonymous Coward

    I used to do a bunch of Chrome plugins

    But it turns into a massive resource hog quickly.

  5. John Brown (no body) Silver badge

    update to version 0.5

    So it's still Beta then? I might take a look when the proper v1.0 comes out, although I'm minded to wait for v1.1 so at least the most obvious bugs might be squashed.

    1. John Brown (no body) Silver badge

      Re: update to version 0.5

      Sense of humour by-pass? Sheesh, sometimes one simply HAS to use the joke icon.

  6. Anonymous Coward
    Anonymous Coward

    I saw this happening today whilst at work, not the best sort of ads to appear.

    Begs to differ why the author didn't have 2FA enabled on his account.

    1. Prst. V.Jeltz Silver badge

      I'm not sure that is the correct use of the "beg to differ" phrase :p

    2. Anonymous Coward
      Anonymous Coward

      Begs to differ why the author didn't have 2FA enabled on his account.

      He did. That's why all this happened.

  7. bombastic bob Silver badge

    track down the perps!

    did anyone chase down where the ad revenue was headed to locate the perpetrator?

    just wonderin...

    1. Lysenko

      Re: track down the perps!

      I often wonder why these clowns tip off the victim by actually displaying the ads. Why not just pull them down into dev/null? There's no way an ad server can tell if there was a screen draw and it can't distinguish if XMLHttpRequest was triggered by a mouse click or a timer.

      1. patrickstar

        Re: track down the perps!

        Most ad fraud certainly doesn't. Typically they spawn a browser on a separate desktop or such to do their dirty deeds.

        I don't know much about the Chrome extension architecture, but I suspect the reason they are visible in this case was that as an extension it doesn't have the tools needed to properly simulate user behavior. Ad slingers use a lot of JS/tracking/other stuff to try to weed out fakers.

        1. Prst. V.Jeltz Silver badge

          Re: track down the perps!

          Seems to me there 2 types of scam they could be running

          1) "our website got you clicks on your ads - give us money" - which is scamming the advertisers , and would work better not showing the user

          2) "We will get your ads seen - give us money" - working with the dodgy advertisers, in which case the dodgy advertisers would check wether the ads were appearing visible or not.

  8. Anonymous Coward
    Anonymous Coward

    Wish I could ban chrome home sign-in's at work

    The amount of crap that comes with some people's profile is crazy. I can tell when one senior dev starts his PC as Chrome starts looking for his TV on the network.

    One day we will look back at these plugins and wonder what we were smoking.

    and yes like the AC above I do know it's just not cool to question Google products.

  9. Alan J. Wylie

    Copyfish too

    Our Copyfish extension was stolen and adware-infested

    Exactly the same. Phishing attack, credentials compromised, "Copyfish was updated to V2.8.5", "started to insert ads/spam into websites"

  10. Craigie


    Did the dev not have 2FA enabled? Google should make it requirement that any account that can publish extensions or apps to their ecosystem must have 2FA enabled.

    1. Peter 26

      Re: 2FA?

      Seem sensible and something they can implement straight away.

  11. Anonymous South African Coward Silver badge

    ’Twas brillig, and the slithy toves

    Did gyre and gimble in the wabe;

    All mimsy were the borogoves,

    And the mome raths outgrabe.

    “Beware the Jabberwock, my son!

    The jaws that bite, the claws that catch!

    Beware the Jubjub bird, and shun

    The frumious Phish!”

  12. DJV Silver badge

    Ah, so that's what caused it!

    I saw a JavaScript pop-up in Chrome saying that a site had "detected a virus" and then went to a page recommending something called "Advance System Care". The site displaying the original pop-up had been my own home intranet home page so I went immediately into lockdown mode running all sorts of anti-virus/malware scans. Nothing was found. I suspected a Chrome infiltration as Firefox hadn't reacted in the same manner.

    Rebooting and clearing Chrome didn't repeat the popup so I suspect the reboot caused the update to 0.5.

    1. adamlstr

      Re: Ah, so that's what caused it!


      I also hit lockdown mode pretty hard! After seeing it too on my own intra pages I panicked.

  13. Shaha Alam

    "I stupidly fell for a phishing attack on my Google account"

    it happens, lad, it happens.

    IT systems should never expect users to be infallible. quite the opposite. user's lose keys, forget birth dates, run out of phone battery, get pick pocketed. any security process needs to compensate for the every day personal misfortunes and mistakes. that means key revocation processes, priority lines for reporting losses, alternative ways of accessing services, 'lite' services that can be offered where the full-fat version would require a higher level of clearance. etc.

    people arent computers. we should stop building processes that behave as if they are.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like