Google just can’t seem to shake the problem of malicious Chrome extensions that find their way past its security checks and onto its Web Store.
The latest example should have been easy to spot as it was masquerading as the popular Adblock Plus adblocker, the legitimate version of which has been downloaded over 100 million times.
Or perhaps not: it borrowed an almost identical name to the genuine extension (the capitalised B in “block” being a small difference), so only users who studied the application pane and the string of negative user reviews might have twigged that something wasn’t right.
By the time it was reported by anonymous Twitter user @SwiftOnSecurity on October 9, the fake extension had been on the Chrome Store for weeks during which it had been downloaded 37,000 times.
Judging from comments, users who installed the fake AdBlock Plus extension ended up with unwanted advertising pushed to them in browser tabs.
The incident left @SwiftOnSecurity unimpressed:
I’m being mean to Google because there’s no way their Chrome team is happy with this extension vetting/moderation situation.
Google said its Chrome Extensions Security team removed the extension “within minutes” of being told, deleting it from machines that had installed it and suspending the account of the developer involved.
Which still leaves the uncomfortable fact that a rogue extension impersonating a well-known piece of software was there at all.
How did it evade detection?
The extension has been taken down so it’s difficult to know for sure but @SwiftOnSecurity suggested the answer might lie in some form of homograph Punycode spoofing in which one or more Cyrillic characters were used in place of Roman letters.
You can read Naked Security’s detailed account of how this technique works, but what matters is that Google’s automated security checks might not have detected it.
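The following is an added example, not code from the original article or from Google, of the kind of check that can catch the lookalike-name trick described above: it flags a listing name that mixes Unicode scripts, contains Cyrillic letters that are visually confusable with Latin ones, or collapses to the same string as a known extension name once those lookalikes are folded. The confusable table is a deliberately small constructed subset (Unicode’s full confusables data is much larger), and the sample names, including the one containing a Cyrillic “о”, are constructed for illustration; the article does not state which characters the fake listing actually used.

```python
import unicodedata

# Constructed, deliberately short subset of Cyrillic letters that look like Latin ones.
# Unicode's full confusables table is much larger; this is enough to show the technique.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0410": "A", "\u0412": "B", "\u0415": "E",
    "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}


def scripts_in(name):
    """Return the set of scripts used by the letters in name.

    The script is approximated from the first word of the Unicode character
    name, e.g. 'CYRILLIC SMALL LETTER O' -> 'CYRILLIC', 'LATIN CAPITAL LETTER B' -> 'LATIN'.
    """
    scripts = set()
    for ch in name:
        if not ch.isalpha():
            continue
        try:
            scripts.add(unicodedata.name(ch).split()[0])
        except ValueError:  # code point with no assigned name
            scripts.add("UNKNOWN")
    return scripts


def skeleton(name):
    """Fold confusable Cyrillic letters to Latin and casefold, so lookalikes collapse to one form."""
    normalized = unicodedata.normalize("NFKC", name)
    folded = "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in normalized)
    return folded.casefold()


def check_name(candidate, known_names):
    """Return a list of findings for a candidate listing name (empty list means nothing suspicious).

    Findings cover three signals: mixed scripts, presence of known confusable code points,
    and a skeleton collision with a known name that is not an exact match.
    """
    findings = []

    scripts = scripts_in(candidate)
    if len(scripts) > 1:
        findings.append("mixed-script: " + ", ".join(sorted(scripts)))

    confusable = [ch for ch in candidate if ch in CYRILLIC_CONFUSABLES]
    if confusable:
        findings.append("confusable code points: " + ", ".join(f"U+{ord(c):04X}" for c in confusable))

    cand_skel = skeleton(candidate)
    for known in known_names:
        if cand_skel == skeleton(known) and candidate != known:
            findings.append(f"lookalike of known name {known!r}")

    return findings


if __name__ == "__main__":
    # Constructed sample inputs: the genuine name, a capitalisation-only variant,
    # and a variant with a Cyrillic small letter o (U+043E) in place of the Latin o.
    known = ["Adblock Plus"]
    for sample in ["Adblock Plus", "AdBlock Plus", "AdBl\u043eck Plus"]:
        print(repr(sample), "->", check_name(sample, known) or "ok")
```

The skeleton comparison is what makes the case-only “AdBlock Plus” variant show up: it contains no foreign characters at all, yet it folds to the same string as the genuine name, which is exactly the signal a store vetting step or a cautious user would want before trusting a listing.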
It’s not as if the problem of extensions masquerading as the real McCoy is even that new or innovative: ad blocking extensions have been a target for this type of attack in the past.
Google claims it is aware of the problem, mentioning plans to improve its checking:
This app was able to slip through the cracks, but we’ve identified the reason and are addressing it.
More broadly, we wanted to acknowledge that we know the issue spans beyond this single app. We can’t go into details publicly about solutions we are currently considering, but we wanted to let the community know that we are working on it…
Critics will counter that Google has been tightening its checking regime for years and yet rogues keep popping up.
Three years ago, Google enforced a rule that all extensions be hosted on its Web Store, after which the number of rogues dropped. And yet problems are still reported, including recent incidents in which genuine extensions were hijacked.
Extensions can also change ownership, after which they suddenly turn bad, as happened to Particle for YouTube.
We wish we could say that bogus extensions are easy to spot but they’re not.
The best advice is to install as few extensions as you need and study each one very carefully before installing it, no matter how familiar it seems. Search for extensions by name rather than browsing but be aware that fakes can be returned near the top of results, so read negative comments carefully. Unhappy users will often complain if they experience something alarming (although reviewers have been known to get it spectacularly wrong).
Remember that a browser extension is just another piece of software – don’t let your guard down just because it’s listed on the Google Web Store.