It's been just a day since we told you about Copyfish, the extension that got hijacked and started pushing adware to its users, and now there is one more, with many more users. The Web Developer extension has over one million users, and it was hijacked through the same method as Copyfish: phishing.
Chris Pederick, the developer of the Web Developer extension, fell for a phishing attack very similar to the one that caught the developers of Copyfish. He lost control of the Google account that owned the extension, and the attackers quickly pushed out a version injected with ads to its more than one million users. The users were lucky, though: an extension that is allowed to modify every page you visit can just as easily read what you type into it, so the attacker could have done much more, such as stealing passwords or data, but it seems they just wanted some quick cash.
By the time I'm writing this, the Web Developer extension is back in its creator's hands and the adware has been removed, but we have to wonder whether it's worth using extensions at all, considering that one small mistake can cause a lot of trouble for millions of people. There isn't very much Google can do. The easiest thing I can think of is forcing two-factor authentication on extension developers. At least it would make it harder for attackers to succeed with basic phishing, though a one-time code typed into a fake login page can still be relayed in real time; a hardware security key is the variant that actually resists a phishing site. The other problem is auto-update, which silently updates every extension you have installed. It is very useful most of the time, but it also means a hijacked update reaches you in no time, with nothing to accept or review.
Google Chrome is probably the most secure browser out there, and security seems to be Google's main focus, but that counts for little if a basic extension, once in the wrong hands, can act on every page with the permissions the user granted it. Hopefully they will do something about it in the future, though we don't really know what. As I said above, two-factor authentication should be mandatory for extension developers, and it's probably the easiest security feature to put in place on short notice.
Another problem with extensions is that their developer might decide to monetize one day, either by injecting adware or malware themselves or by selling the extension, and we've seen that happen multiple times. A number of really popular extensions have been sold and quickly started pushing really annoying ads to their users. This has to be stopped somehow too, at least by letting the user know something is off, for instance when an extension changes hands or an update suddenly wants to see every site you visit.