Adware Vendors Buying Chrome Extensions, Injecting Ads

An anonymous reader writes "Ars reports that the developers of moderately popular Chrome extensions are being contacted and offered thousands of dollars to sell ownership of those extensions. The buyers are then adding adware and malware to the extensions and letting the auto-update roll it out to end users. The article says, 'When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.'"

I had a couple offers

[rsilvergun]

to my Firefox extension [mozilla.org] and they were all kinda shady. Extension development is kinda niche to begin with, so I figured they were planning something like this. I'm just surprised it took so long for people to notice.

I don't see it as a huge problem though. Most extension developers are like me, hobbiests and enthusiasts. There's really only a few big ones (like Adblock Plus and Firebug) and those are big enough they're not a target for these sorts of things.

Re:Disconnect the Updates

[thegarbz]

Otherwise, Chrome is dead in the water.

I wonder how you come to this conclusion. We live in a world where users don't want to be interrupted with mindless things like updating software. Combined with Microsoft's militant approach to harassing users if their computers aren't configured to auto update, and the general consensus that many user facing apps now auto update and the trend is moving towards doing it silently I don't see this affecting Chrome's user base one bit.

Re:Great

[Agent ME]

If you set your browser to remember your passwords, then anyone that uses your browser (including a virus) can get your passwords. That's exactly how the feature is supposed to work.

Re:We're all really screwed if...

[KPU]

They already have. The option to allow ads from people that have paid AdBlock is checked by default. https://easylist-downloads.adblockplus.org/exceptionrules.txt [adblockplus.org]

Re: And That, Ladies and Gentlemen ...

[Anonymous Coward]

On the contrary, according to Ars an extension called "Add to Feedly" had ~30,000 before being sold. It now reports 32,354 according to the Chrome Web Store. It's just really hard to detect the culprit, apparently.

Re:Is Firefox safer?

[BZ]

You may want to read https://addons.mozilla.org/en-US/developers/docs/policies/reviews [mozilla.org] for Mozilla's policy for hosted addons. It says "will", but that page is also two years old. Those policies are in place now. The short of it is:

1. All addons hosted by Mozilla get reviewed.
2. Open source is not required, but source disclosure to Mozilla is.
3. Any update to the addon triggers a new review cycle.

Google is to blame...

[bayankaran]

Have you ever tried to disable Chrome / Chromium auto-update? I had to find the 'task' and make sure it does not run, there is no other way to block. This is beyond the capability of a majority of users. It seems Google wants the auto-update to run no matter what.
Other than 'feature bloat' - and may be closing few security issues - there are no great advantages to a newer browser anymore, at least on the desktops.

Re:Great

[mgiuca]

Chrome developer here. If you are deleting your extensions and they are showing back up in a few minutes, you have malware on your system that is actively re-installing them (I have seen this in action).

Under normal circumstances, deleting an extension on one machine (assuming you have extensions sync turned on) will cause it to be deleted in your central account, and this delete will propagate to your other machines. Chrome won't push an extension back to your machine that you just deleted. Also, side-loaded extensions (ones that you didn't get from the Web Store) are never synced.

The problem is that many users have malware running in their system that continually installs a particular extension into Chrome, so if you delete it, it goes right back (through no fault of Chrome's). The only solution for now is to find and disable the malware. On Windows, we will soon be blocking side-loaded extensions [chromium.org] to prevent this sort of thing from happening.

Re:Great

[asmkm22]

Done. Issue 335979

Re:Google is to blame...

[Njovich]

Did you try searching for how to disable Chrome auto-update?

Set the value of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\AutoUpdateCheckPeriodMinutes to the REG_DWORD value of "0"

That's it. A single register value change. Now, I get what you are saying, it's not a GUI option, they don't want average users to disable it, which gives me mixed feelings as well. Many users probably have never heard of regedit. However, for someone posting on /. it shouldn't be that hard.