back to article The Microsoft Authenticator extension in the Chrome store wasn't actually made by Microsoft. Oops, Google

The trustworthiness of Google's Chrome Store was again called into question after an extension billing itself as Microsoft Authenticator was published by the software souk without the simplest of checks. The legit Microsoft Authenticator generates one-time codes for multi-factor authentication, and lately gained password- …

  1. Headley_Grange Silver badge

    Epic

    Coming to an iPhone near you if Epic wins its case against Apple.

    1. lglethal Silver badge
      Facepalm

      Re: Epic

      Why? Were Google demanding a 30% cut of the Phishing profits?

      1. Def Silver badge

        Re: Epic

        No, but Epic's case partly revolves around the monopoly Apple have over their control of the Apple Store. If Apple were ultimately forced to allow third party stores access to their devices, that would remove Apple's control over what software is allowed on an iDevice which would, in turn, open the floodgates for rogue apps and vendors through alternative stores.

        1. lglethal Silver badge
          Stop

          Re: Epic

          So your objection is that people should not be able to, for better or worse, install whatever they want on their own devices?

          Hmm, so you wouldnt object to Microsoft telling you exactly what you can install on your Windows machine? Or Linus Torvalds being the gatekeeper for what programs you can install on your Linux box?

          By the way, I object strongly to what you've written. " If Apple were ultimately forced to allow third party stores access to their devices, that would remove Apple's control over what software is allowed on an iDevice..." The Device in question belongs to the Person who bought it. It is not Apple's Device to decide what can go on it...

          1. Def Silver badge

            Re: Epic

            No, I made no such objection.

            I was merely providing information as to why the Epic Vs Apple case might have repercussions beyond the 30% payment paid to Apple by developers.

            As for your strong objection, don't be intentionally stupid. I meant devices made by Apple and you know it.

          2. Headley_Grange Silver badge

            Re: Epic

            My objection is that other people shouldn't be able to install whatever they want on my devices.

            If app stores become an unregulated wild west then how do I know whether the metronome I've just bought for my phone isn't going to download malware, steal log in creds and spam all my contacts? I'm not daft enough to believe that Apple's store is perfect in its screening, but it's better than what will happen if there's no trusted gatekeeper.

            Sure, I could stick to the Apple store because I, rightly or wrongly, trust it, but devs will move away from it - the good ones because other stores are cheaper and the bad ones because they can get away with stuff and I'll end up having to use the cowboy stores cos the Apple store will be empty.

            It might be OK for IT-literate people who know what they're doing and can understand and manage the risks, but for normal users out there it could be a nightmare, especially for those who don't understand the risks and whose only point of contact for everything they do online is their smartphone.

            1. Strahd Ivarius Silver badge
              Facepalm

              Re: Epic

              You did note that the extension was provided through Google store, not an alternate one, did you?

              How long before the same kind of issue occurs on your phone of choice using the manufacturer-approved store?

              Oh wait, it happens every week or so that Apple removes dodgy apps from its "curated" store...

            2. Anonymous Coward
              Anonymous Coward

              Re: Epic

              > My objection is that other people shouldn't be able to install whatever they want on my devices.

              Sleep safe, because nobody is proposing that.

              > I'm not daft enough to believe that Apple's store is perfect in its screening, but it's better than what will happen if there's no trusted gatekeeper.

              Nobody's saying there will be no gatekeepers, only that you, as the customer and owner of the device, should be able to choose which gatekeeper or gatekeepers you trust.

              > Sure, I could stick to the Apple store because I, rightly or wrongly, trust it, but devs will move away from it

              Unless they already have a billion-dollar cash pile and a grudge (eg. Epic), devs will go where the audience is, and that means being available in all the popular stores - especially the one store that's guaranteed to be installed by default on every Apple device!

              > It might be OK for IT-literate people who know what they're doing and can understand and manage the risks, but for normal users out there it could be a nightmare

              Normal users are going to turn to a name they know and trust - Apple, Google, Microsoft, Steam, etc. So I expect alternate app stores from those kinds of well-known brands to take off if this market does get opened up.

              There will undoubtedly be some smaller, more niche stores, but they're not likely to pop up on any normal user's radar, nor need they.

              1. Headley_Grange Silver badge

                Re: Epic

                Nicely reasoned post, AC, but maybe I'm more of a pessimist than you are.

                "..only that you, as the customer and owner of the device, should be able to choose which gatekeeper or gatekeepers you trust." I spent ages building up relationships with my local shopkeepers and grew to know and trust many of them. They're all gone now - replaced by Turkish barbers, nail shops and vape shops - and I have a "choice" between one of the big supermarkets or Amazon. If Amazon decides to take the supermarkets on properly in the UK then soon I'll have bugger all choice except Amazon. Amazon, as a gatekeeper, doesn't give a toss whether it sells me genuine stuff or Chinese knock off stuff, as long as it gets its cut.

                "Normal users are going to turn to a name they know and trust" See above. In my experience most people turn to the name that's the cheapest and most convenient, not the one that provides best quality. That's why the shops on the high street are disappearing.

                Like I say, I'm pessimistic about this, and let's hope I'm wrong, but why wouldn't app stores follow the same pattern?

                1. claimed

                  Re: Epic

                  The cheapest store will be the one that charges Devs the least... so most convenient, its going to be hard to make a one click process less convenient, so playing field effectively level.

                  People will use what's on their device (MS IE monopoly, Chrome, etc), or what their mates use.

                  The high Street is not the equivalent of the App Store. A better one would be Alibaba vs Amazon... both doing ok...

            3. Anonymous Coward
              Anonymous Coward

              Re: Epic

              Why would they move away, they just need to tack on 15-30%,depending on how successful it is to the apps the apple app store (if 0% where they are selling elsewhere). So they will then make the same amount, you just pay more for that security you want.

            4. CrackedNoggin

              Re: Epic

              We're getting somewhere - the 30% is (mostly) supposed to represent what it is worth to the app writer and the user to have a trusted means of verifying apps.

              Is it working though?

            5. RyokuMas
              Stop

              Re: Epic

              "If app stores become an unregulated wild west then how do I know whether the metronome I've just bought for my phone isn't going to download malware, steal log in creds and spam all my contacts?"

              Very simple. If the app store becomes unregulated and/or Google is reigned back in from their attempts to turn the Play store into their own walled garden, vendors would be able to offer the apps to download from their own websites.

              Not only would this shatter the monopoly status of the stores, it would also vastly reduce the problem of malware on mobile: if I want Fortnight, I'd download the app from the Epic website - any other site offering it, I know there's a chance it might be containing an unwanted passenger.

              And the irony of this is that in this new world of total market freedom, Google and Apple could still win by repurposing their stores as promotional sites - users would still use them to discover and rate/review apps, but instead of purchasing the app via the store, the user would be directed to the vendor's own website. By charging a "reasonable" fee to register each app on the store, Google and Apple could still make a considerable profit. However, the choice of whether or not to do this would lie with the app's vendor thus satisfying the legal requirement of "not a monopoly" - for example, the vendor could decide to promote their app solely on social media and not use the "app store".

              Breaking the current stranglehold is the best thing that could happen to the mobile app market IMHO.

    2. Dan 55 Silver badge

      Re: Epic

      Coming to an iPhone near you if Epic wins its case against Apple.

      Why would the outcome of that case (which appears to be mainly about the billing processor) affect Apple not allowing fake apps in their store?

    3. Anonymous Coward
      Anonymous Coward

      Re: Epic

      Is that really true? It's more about allowing another inbound revenue stream and how much of a slice Apple gets from it.

      Personally I'd very much like an alternative means of payment, because Apple put country restrictions on payment which seriously screws up people who live in a number of countries like me.

      As soon as you move, you have to "move" App Store as well, but there's zero clarity over the consequences. What happens to apps only available in that country? Will the other ones still get updates? Why the *&^$% can I not pay Apple from another country (read: give them more money!). It's a freaking mess, all because they started off with more interest in film and music rights than an understanding of life outside America. Morons.

    4. big_D Silver badge

      Re: Epic

      Apple has also had its fair share of slip-ups, letting malware etc. into their store over the years as well.

      None of these stores is 100% secure. You still have to be vigilant, when adding applications/apps/add-ons to your system, regardless of the source.

  2. Peter Prof Fox

    qui authenticators et authenticas reddat?

    An age old question.

  3. yas1
    FAIL

    You get what you pay for...

    so they say

  4. Dwarf

    Certificates

    Why not require that apps are signed by a certificate owned by the submitting party and make part of the checks before publishing a validation that the certificate is valid and lines up to the submitting party.

    Back in the old days, we used to download applications direct from the vendors website, hence we could check if we trusted the vendor ourselves.

    Looks like we have taken yet another step backwards in the race to dumb down technology with the inevitable outcome that security gets worse as users get less visibility on the source and trustworthiness of the code they use as other, better routes get gradually taken away for <reasons>.

    1. Tomato Krill

      Re: Certificates

      The submitting party was called Extension- so in this case they could have signed the app with a certificate belonging to them and your check would have passed just fine, no?

      1. Lyndon Hills 1

        Re: Certificates

        Indeed. In the web world, the browser can check that the ssl certificate from a site does at least match the web site domain.

        Forcing an app (or extension) to be signed really just tells you the dev got a certificate. Without some method to validate that the certificate belongs to the purported publisher, it's not really very useful.

      2. Dwarf

        Re: Certificates

        @Tomato Krill

        Precisely, so their CN in the cert will not be microsoft.com and its then crystal clear that its not a Microsoft extension. This should be a mandatory step during validation, so well before the app is published into the app store for joe public to consume. I'm not talking about client side validation on the end device.

        Not sure why I'm standing up for Microsoft here, I'd better go for a lie down.

        1. Def Silver badge

          Re: Certificates

          You're missing the point.

          The certificate wouldn't say Microsoft, but unless all app submissions were checked by hand to ensure there were no mentions to any other application or software not released by the same developer it wouldn't be caught anyway. The certificate would match the developer (in this case Extension-) which would pass the automated checks.

          As it happens all apps submitted to the Play store must be signed anyway, but only with a auto-generated certificate from Android Studio (as far as I am aware) which clearly doesn't help.

          1. Dwarf

            Re: Certificates

            @def

            You're missing the point.

            The certificate wouldn't say Microsoft

            Like I said before, that's precisely the point the CN in the cert is not matching the submitter. something.microsoft.com != something.extension.whatever

            Its exactly the same logic as when you hit a website, if the cert doesn't match, then you get a cert error. The same logic could be used as part of the validation of apps submitted to make sure that they do come from the same source. You can't submit as acme, since you can't get a cert issued from them.

            Its irrelevant how it works today - since clearly that is broken - otherwise no story to report.

            Are you sure its not you who's missing the point :-)

            1. Anonymous Coward
              Anonymous Coward

              Re: Certificates

              I think that you may have missed the point. The developer isn't listed as Microsoft, it listed as extension. The name of the application has Microsoft in it.

              So the application would have been submitted as the developer that submitted it.

              They would have to check if the cert signing the application matches applications developed by that company.

              1. Dwarf

                Re: Certificates

                ... which isn't Microsoft, so a thing that claims to be Microsoft, but doesn't have a Microsoft cert clearly isn't genuine. It doesn't matter who else submits it.

    2. iron Silver badge

      Re: Certificates

      They do. Well for Android anyway, I have no idea how Chrome extensions work because I do not allow that ad display app on my network. Requiring signed apps doesn't prevent any of these things on Play so I doubt it would do much for the Chrome Extension Store or whatever they call it.

    3. bsimon

      Re: Certificates

      Certificates are no bulletproof solution.

      This thread remind me when many years ago Verisign issued a code signing certificate to some impostor that pretended to be Microsoft

      https://www.techrepublic.com/article/look-out-for-fraudulent-microsoft-digital-certificates/

      Also I've read some stories about shady CAs issuing SSL certificates for googlle sites to malicious third parties and government agencies.

    4. Terry 6 Silver badge

      Re: Certificates

      In this instance, it just shows a massive abdication of management that when an app is submitted as coming from one of the world's biggest and most directly influential tech companies there's still no one who cares enough to check whether it really does come from them.

  5. Shak

    websync, extensions, ease of use

    Considering that 2fa is supposed to be "inaccessible" to an extent, that customers choose these kind of extensions in the first place makes this firmly the responsibility of the user.

  6. Pascal Monett Silver badge

    "Google declined to comment [,,] about how this add-on slipped through the net"

    It slipped through because the net has links that are a mile wide.

    Let's be clear : Google is not there to curate the content of its Store, it's there to make money. Anything goes until someone complains. That's when Google reacts and goes fishing for a reason not to remove the app.

    In this case, it didn't find any, so it removed the app.

    But if you think Google is going to pre-emptively deprive itself of revenue when nobody has noticed anything, I have a bridge to sell you.

    1. Graham Cobb Silver badge

      Re: "Google declined to comment [,,] about how this add-on slipped through the net"

      I think you underestimate the power of bad publicity.

      I am sure that, as from tomorrow (ish) they will have created a list of words which, if they appear in the name of an app will trigger a manual check on whether the app is really being submitted by the correct entity. It will be a fairly short list to start with (as they don't want to make more work for themselves) but it will grow over time (I am wondering when "NHS" will be put on the list - my guess is about a year away).

      1. entfe001

        Re: "Google declined to comment [,,] about how this add-on slipped through the net"

        > I think you underestimate the power of bad publicity.

        And I think you overestimate that.

        While it might be true for a startup where bad publicity could scare away investors and the de-funding kill the failed initiative, Google (or Microsoft or Facebook or Amazon or...) are too big and have too much momentum for anything like this to actually matter.

        Next week no one will remember this.

        1. Persona Silver badge

          Re: "Google declined to comment [,,] about how this add-on slipped through the net"

          Next week no one will remember this.

          This week only one person in 1,000 in the developed word will have learnt about this.

        2. Graham Cobb Silver badge

          Re: "Google declined to comment [,,] about how this add-on slipped through the net"

          I was possibly too subtle. I didn't mean bad publicity for Google, I meant bad publicity for Microsoft. Google doesn't care about what you and I think. But it does care about what other major US corporations (and their lawyers and the governments in their pay) think.

          I am willing to bet that that list now exists and that "Microsoft" is already on it. I am sure there were a few quiet phone calls to make sure of that within 24 hours of this being exposed. If you don't believe this, show us that you can still publish a new Chrome extension with Microsoft or Facebook or Amazon in the name. The list exists.

          The only question is how big will Google let the list get and will they formalise it?

      2. Pascal Monett Silver badge
        Trollface

        Re: "I think you underestimate the power of bad publicity"

        I vaguely remember having heard that there is no such thing as bad publicity.

  7. JimboSmith Silver badge

    Oh for goodness sake you'd have thought that somebody would have taken a minute to check MSFT was the author.

    1. Dan 55 Silver badge

      Their fantastic algorithm has never heard of Microsoft.

    2. Anonymous Coward
      Anonymous Coward

      Maybe, maybe not. This isn't the monolithic Microsoft of old where everything is wrapped in TechNet, this is the new, hip Microsoft that uses git and works on FOSS and submits Linux patches. It could be that the hipster goons at Google, if they noticed anything at all, might have just though it was some happening new group at MS trying to make a name for themselves, and let it right on through.

  8. Anonymous Coward
    Joke

    You've got to hand it to them...

    > The add-on looked fairly convincing; it had Microsoft's logo, at least hundreds of downloads, and a three-star rating

    This is genius - so perfectly believable!

  9. steviebuk Silver badge

    Googles checks just don't exist

    I bet. To save every fucking penny they get "AI" to do the checks. This is evident with their fucking constant disregard for all the clear fucking scam adverts on YouTube of late.

    Over the past month, I've lost count of the amount of times I've seen the starscope monocular advert scam. And lets not forget the "I have this amazing fomula on how you can make £5k a day. Just sign up to this free course" which turns out to be one free course convincing you to pay lots of money for the other lessons. Which turn out to be nothing more than "Sell my courses and you'll get commission" none of them realise the guy/woman (don't see many women doing this scam but know they do, one from the apprentice did) who has this "Secret", the secret is flogging the bullshit courses.

  10. Blackjack Silver badge

    Yet another reason to not use Chrome. Hopefully Firefox stays alive because if it dies so does Seamonkey, Icecat and Iceraven.

    1. JBowler

      And firefox also supports Chrome extensions

      Including the one in question:

      https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities

      No mention there that they check extensions for misusing Microsoft's trademark.

      Now let's all join hands and find a web browser that is NOT based on webkit. At least if we fail we can circle round in our flowy skirts singing about world pieces.

      1. Blackjack Silver badge

        Re: And firefox also supports Chrome extensions

        Why would you use Chrome extensions on Firefox anyway? Firefox has their own extensions that get curated way more that the Chrome ones.

    2. JBowler

      And firefox also supports Chrome extensions...

      Including the one in question:

      https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities

      No mention there that they check extensions for misusing Microsoft's trademark.

      Now let's all join hands and find a web browser that is NOT based on webkit. At least if we fail we can circle round in our flowy skirts singing about world pieces.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon