Have you noticed that web adverts have become more intrusive, or that your Google search links are being hijacked? If so, How-To-Geek and Ars Technica both published articles this week that should seriously worry you.
Ars Technica discusses the way Chrome extensions update themselves automatically. This is convenient, since it keeps every extension on its latest version, but it also means that an extension which was safe when you installed it can later be updated with malicious code without any action on your part. HTG points out that this exposes you not only to unwanted adverts and redirected links, but to having your every move tracked across the internet and that data sold on to third-party companies.
Part of the problem is that adware companies are buying up popular Chrome add-ons and then using them to infect browsers with ‘spammy links, pop-up ads, and intrusive affiliate code embeds’. A good example, first reported by OMGChrome, is the ‘Add to Feedly’ extension (since removed from the Chrome Web Store), which had over 30,000 users and which its developer sold after being approached by a ‘mysterious, un-Googleable’ buyer.
‘It was a 4-figure offer for something that had taken an hour to create and I agreed to the deal,’ explains developer Amit Agarwal on his blog.
A month later Amit was horrified to discover that an automatic update to the extension had added no new features or bug fixes, but had instead introduced ‘invisible ads that work in the background and replace links on every website that you visit into affiliate links. In simple English, if the extension is activated in Chrome, it will inject adware into all web pages.’
Unfortunately this kind of event is far from unique, and Google does little to stop it beyond requiring that an add-on which serves adverts disclose the fact in its store description, that the ads not interfere with any of the site’s own ads (so they appear in addition to those), and that they not affect the functionality of the website.
Many add-on owners do not follow even these rules, and even when they do, how many people regularly re-read an add-on’s description page to check that its latest update has not introduced adware? Google has announced a change to its Chrome extension policy that will help address the problem, but it does not take effect until June 2014.
As it stands, an update that requests new permissions has to be approved by you. But the permission adware needs falls under the category of ‘access your data on all web pages’, which many legitimate extensions already require in order to function: an update that keeps the same permission set installs silently, and even a fresh request for that permission is unlikely to ring any alarm bells if the add-on is trusted because it has always behaved well so far. The matter is made worse by the fact that few anti-virus programs treat add-ons as malware, making detection and diagnosis of a problem very difficult.
Fortunately, How-To-Geek has published a list of browser extensions that ‘are being sold and injected with adware.’ It also reports that, even worse than advertising malware, ‘your extensions are spying on you and selling your browsing history to shady corporations.’
As with adware, add-on owners get away with this because they have technically disclosed it, to which HTG rightly observes that ‘when the developer of an extension goes out of their way to hide the fact that every single page you visit is being stored and sent to a corporation that pays them for that data while burying it in the settings as “anonymous usage statistics”, there is a problem.’
Although labelled ‘anonymous usage statistics’, the reality is that for as long as the extension is installed you are trackable across the internet: every page you visit is reported from the same browser, so your browser and your browsing history can be tied together even if no name is attached to either.
Firefox users can turn off automatic updates for extensions they trust quite easily, by going to:
Firefox menu -> Add-ons -> Extensions -> open the details of the add-on in question -> set Automatic Updates to Off
Do this only for extensions you have good reason to trust, since it also stops you receiving their security fixes.
For Chrome users the task is more difficult, although HTG offers this advice:
‘Open the Extensions panel, find the ID of the extension, then head to %localappdata%\google\chrome\User Data\default\Extensions and find the folder that contains your extension. Change the update_url line in the manifest.json to replace clients2.google.com with localhost. Note: we haven’t been able to test this with an actual extension yet, but it should work.’
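A check a practitioner would want at this point: rather than hand-editing one manifest.json, audit every extension in the profile for the two warning signs discussed above (the ‘access your data on all web pages’ class of permission, and an update_url that is not the Chrome Web Store’s). The script below is an added example written for this post, not code from the article or from How-To-Geek. The profile paths are Chrome’s standard locations; the extension IDs, manifests and the name ‘Add to Something’ that it creates for an offline run are constructed, not real extensions.

```python
"""Audit a Chrome profile's Extensions folder for blanket website access and
for update sources other than the Chrome Web Store.  Added example; the
sample profile built by build_sample_profile() is constructed test data."""
import json
import os
import sys
import tempfile

# The update_url every Chrome Web Store extension carries (the line HTG suggests editing).
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Host patterns that produce the "access your data on all websites" warning.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_extensions_dir():
    """Location of the Default profile's Extensions folder on each platform."""
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        base = os.path.join(os.environ.get("LOCALAPPDATA", home), "Google", "Chrome", "User Data")
    elif sys.platform == "darwin":
        base = os.path.join(home, "Library", "Application Support", "Google", "Chrome")
    else:
        base = os.path.join(home, ".config", "google-chrome")
    return os.path.join(base, "Default", "Extensions")


def localized_name(ext_dir, manifest):
    """Resolve a __MSG_key__ name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    path = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json")
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f).get(name[6:-2], {}).get("message", name)
    except (OSError, ValueError):
        return name


def audit_extension(ext_id, version_dir):
    """Summarise one installed version; 'flags' lists what deserves a second look."""
    with open(os.path.join(version_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    # Manifest V2 keeps host patterns in "permissions"; V3 moved them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    flags = []
    if perms & BROAD_HOST_PATTERNS:
        flags.append("all-sites access")
    update_url = manifest.get("update_url")
    if update_url is None:
        flags.append("no update_url (unpacked or sideloaded)")
    elif update_url != WEBSTORE_UPDATE_URL:
        flags.append("non-Web-Store update_url: " + update_url)
    return {"id": ext_id, "name": localized_name(version_dir, manifest),
            "version": manifest.get("version"), "update_url": update_url, "flags": flags}


def audit_extensions(root):
    """Walk <root>/<extension id>/<version>/manifest.json and audit each one found."""
    results = []
    if not os.path.isdir(root):
        return results
    for ext_id in sorted(os.listdir(root)):
        ext_path = os.path.join(root, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            version_dir = os.path.join(ext_path, version)
            if os.path.isfile(os.path.join(version_dir, "manifest.json")):
                results.append(audit_extension(ext_id, version_dir))
    return results


# Constructed sample data: fake extension IDs and manifests, not real extensions.
BENIGN_ID = "aaaabbbbccccddddeeeeffffgggghhhh"
SUSPECT_ID = "ppppoooonnnnmmmmllllkkkkjjjjiiii"


def build_sample_profile():
    """Create a throwaway Extensions folder with one benign and one suspicious manifest."""
    root = tempfile.mkdtemp(prefix="chrome-ext-audit-")
    benign = os.path.join(root, BENIGN_ID, "1.2.0")
    os.makedirs(benign)
    with open(os.path.join(benign, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "Tab Counter", "version": "1.2.0", "manifest_version": 2,
                   "permissions": ["tabs"], "update_url": WEBSTORE_UPDATE_URL}, f)
    suspect = os.path.join(root, SUSPECT_ID, "2.0.1")
    os.makedirs(os.path.join(suspect, "_locales", "en"))
    with open(os.path.join(suspect, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "__MSG_appName__", "default_locale": "en", "version": "2.0.1",
                   "manifest_version": 2, "permissions": ["<all_urls>", "webRequest"],
                   "update_url": "http://updates.example.test/crx"}, f)
    with open(os.path.join(suspect, "_locales", "en", "messages.json"), "w", encoding="utf-8") as f:
        json.dump({"appName": {"message": "Add to Something"}}, f)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else default_extensions_dir()
    if not os.path.isdir(target):
        print("no Chrome profile at %s; auditing the constructed sample instead" % target)
        target = build_sample_profile()
    for r in audit_extensions(target):
        print("%s  %s %s  %s" % (r["id"], r["name"], r["version"], ", ".join(r["flags"]) or "ok"))
```

Run it with no arguments to audit the Default profile, or pass another profile’s Extensions folder as the first argument. Anything flagged ‘all-sites access’ is worth checking against HTG’s lists; a non-Web-Store update_url is normal for enterprise-deployed or unpacked extensions but unexpected on something you installed from the store.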
Bear in mind that HTG itself flags this as untested. Chrome treats that Extensions folder as its own cache and keeps a copy of each installed extension’s manifest in the profile’s Preferences file, so do not count on a hand edit surviving; the one reliable control is to uninstall an extension you no longer trust. The HTG list also includes extensions which are known to track you, so check it and uninstall any that you find installed.
Update 22 January 2014: You might also want to read our article ‘ExtShield Chrome extension warns you about malware infected extensions’.