Massive browser hijacking campaign infects 2.3M Chrome, Edge users A Chrome and Edge extension with more than 100,000 downloads that displays Google's verified badge does what it purports to do: It delivers a color picker to users. Unfortunately, it also hijacks every browser session, tracks activities across websites, and backdoors victims' web browsers, according to Koi Security researchers …
There have been stories floating around about existing extensions and apps that were acquired, or bought, by malware makers who then ran the updates with malware inserts.
It is not clear from the story that these aps were initially developed with the intention to convert them to Trojan Horses later. They could equally well have been bona fide apps that were taken over by the bad guys.
I don't use any plugins or extensions personally. But this to me seems like Google and Microsoft have been seriously caught with their pants down. Instead of a one-time verified badge, they need a 'last verified date' badge. Even use traffic light colours: green <= 6 months ago.
If we are constantly told to change passwords regularly, Google needs to regularly verify its store contents.
Looking at that list of extensions, I would hardly call them "trusted". Half seem to be for restriction evasion and at least one of the others is clearly fraudulent.
This isn't new. Who else remembers Sourceforge turning from a valuable resource into a lake of trojan adware?
But yeah, call it open-source malware, project takeover or simple schmuckery in the stores, very little of what's out there is reliable.
I think this is what happened with the ES File Explorer app. I don't tend to update my apps if they're working for me, and asides from the apps from my bank which are necessary, an app that *forces* an update by refusing to work tends to get uninstalled instead.
Consequently I am using one of the last good versions of ES; and I have noticed along the way other apps that have changed owners to random sounding weird names that seem a bit sus.
Aye, or Instant Eyedropper as I used to use before PowerToys existed. It's crackers that you'd have it as a browser extension and give it access to various gubbins from the browser process(es). Makes you wonder if there's people installing browser extensions to tell them e.g. how much free disk space they have.
It's crackers that you'd have it as a browser extension
Why is it crackers?
If you can answer without referencing anything vaguely technical that you know due to working in IT then it is crackers.
But in reality for most people the browser is the thing they use to do stuff, it's 'add ons' are prominent. If I'm a regular computer user why wouldn't that be my first port of call for a widget to do a thing? I don't really understand computers, or the distinction around applications, I just have a tool I use as I was instructed. Do I care that a button over here launches a standalone app, or do I care that I can now do the thing I wanted to do?
When I was in my 20s I used to chuckle at people who used CD ROM trays as cup holders, as they were stupid. Then I learnt to drive and found yet another set of cup holders in my car that I'd not noticed after 6 months (seriously... how many do people need?!?) it suddenly didn't seem such a stupid assumption after all. Most people knew CDs as music devices. Computers back then to most people didn't play music, they went 'beep'. So actually, a little slide out drawer didn't seem so out of place as a holder of temporary things.
Your little story falls down on one major aspect. The "dumb users" don't want to know the specific colours, so have no need for such functionality.
If they're the slightly more attuned dumb users (such the coloured pencil department) they'll be using different software (e.g. photoshop) that includes this functionality natively.
Web developers will likely have the dev tools window open, etc...
As users, we need to demand browser makers and extensions marketplaces run by Google and Microsoft do more. They need to share responsibility here. If they can't offer it free, they need to offer a paid subscription level, where they can offer validated extensions.
At both the office and at the Large Educational Institution where I do some adjunct instruction, both Microsoft’s and Google’s stores are blocked, for security reasons, and getting to Apple’s store can be tedious, same reason. If you need something from Microsoft or Google’s stores, contact IT and they will evaluate it, test it, verify it, and, if it passes, let you have it. To get something from Apple merely means jumping through a lot of hoops. And updates are NOT automatically passed on. IT around here has long considered all those stores to be security risks. Especially the auto-update features, for precisely the reasons shown in the article.
>But in addition to providing these legitimate functions, they secretly surveil users' web browsing activity, capturing URLs, sending this info to a remote attacker-controlled server along with the victim's unique tracking ID, and even redirecting people's browsers if instructed,
Sounds like it was made by Google and Microsoft. Isnt that their day job?
Indeed, but the add-on repos for these other browsers could equally well have malware add-ons uploaded to them as well (and there certainly have been some known examples in the past of specific add-ons going rogue and not being discovered for a while).
(Also, Opera these days is just yet another Chromium clone, and is now owned by a Chinese company and has a bit of a bad smell about it. Vivaldi, set up by some of the original Opera team, is perhaps its more appropriate current successor, although Vivaldi is also (sadly) mostly just yet another Chromium clone itself…)
Browsers are probably one of the most critical pieces of software ever. They are networked super-applications, with capabilities that rival those of an OS. They have to execute code from random sources on purpose, and do so in a secure way. And we trust them with the most intimate and critical details of our lives.
Ain't no way in hell I'm gonna exacerbate the risks involved in that by also running 3rd party code, that automatically eats changes done by god-knows-who, and has essentially privileged access to the Browser, on top of that.
Yes, that costs me functionality. Boohoo. There is always a trade-off between comfort and security. I chose the latter.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
