Google has removed nearly 200 extensions from the Chrome Web Store after researchers found that they exhibited malicious behaviour.
The majority of the removed extensions simply bombarded users with unwanted ads, but in the worst cases extensions were set up to gather sensitive personal data, including bitcoins and bank logins.
UC Santa Barbara computer scientist Alexandros Kapravelos was one of the security experts who worked with Google to identify the rogue extensions. He had the following to say:
Many of these extensions have hidden extras that cause trouble for people who install them. It is a very hard problem to deal with. Even when we have a complete understanding of what the extension is doing, sometimes it is not clear if that behaviour is malicious or not.
The study showed that around 5% of people accessing Google products each day were using malicious extensions. Some were easily identified, but others required a lot of analysis to disentangle malicious behaviour from techniques that legitimate extensions also use.
ScrapeSentry, a Swedish security firm, was also involved in the research and found examples of extensions gathering data in ways that left it open to abuse. One example was Webpage Screenshot, an extension that had been downloaded approximately 1.2 million times. Its code allowed it to capture copies of all browser traffic from the computer it was installed on and send that data to a server in the US.
As Martin Zetterlund of ScrapeSentry pointed out, “What happens to the personal data and the motives for sending it to the US server is anyone’s guess, but we’d take an educated guess that it’s not going to be good news.”
A representative of Webpage Screenshot maintained that the data collected was used to understand who the extension's users were and where they were located, to help with development of the code, and that there was no malicious intent; users were able to opt out of sharing data.
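The capability attributed to Webpage Screenshot above, reading every page's traffic, is not something an extension can do without asking for it: the permissions and host patterns declared in its manifest.json have to cover every site and grant request interception or page injection. The following is an added example, not code from the article, from the researchers, or from any of the extensions named; it is a static triage check over a manifest that flags that combination. The two sample manifests and their names are constructed for illustration. As Kapravelos notes, the same permissions are requested by legitimate extensions, so this is a first-pass filter, not a verdict.

```javascript
// Added example (not code from the article or from any extension it names):
// static triage of a Chrome extension manifest.json. It answers one question:
// do the declared permissions let the extension read every page's traffic?
// Heuristic only: legitimate ad blockers and screenshot tools ask for the
// same permissions, which is the disambiguation problem described above.

// Host patterns that cover every site. Manifest V2 lists them under
// "permissions", Manifest V3 under "host_permissions"; both are read below.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// webRequest exposes every request the browser makes to the extension's
// background script; combined with broad host access that is all traffic.
const TRAFFIC_PERMISSIONS = ["webRequest", "webRequestBlocking"];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

function triageManifest(manifest) {
  const declared = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  const broadHosts = declared.filter(isBroadHost);
  const trafficPerms = declared.filter((p) => TRAFFIC_PERMISSIONS.includes(p));
  // Content scripts matched against every site read page content directly,
  // with no need for webRequest.
  const globalContentScripts = (manifest.content_scripts || []).filter(
    (cs) => (cs.matches || []).some(isBroadHost)
  );

  const findings = [];
  if (broadHosts.length) findings.push(`broad host access: ${broadHosts.join(", ")}`);
  if (trafficPerms.length) findings.push(`request interception: ${trafficPerms.join(", ")}`);
  if (globalContentScripts.length) {
    findings.push(`content scripts injected into every page: ${globalContentScripts.length}`);
  }

  // Reading all traffic needs broad host access plus either request
  // interception or a script injected into every page.
  const canReadAllTraffic =
    broadHosts.length > 0 && (trafficPerms.length > 0 || globalContentScripts.length > 0);

  return { name: manifest.name, canReadAllTraffic, findings };
}

// Constructed sample manifests (not the real Webpage Screenshot manifest).
// A screenshot tool that only needs the tab the user is looking at:
const SAMPLE_SCOPED = {
  name: "scoped-screenshot (constructed)",
  manifest_version: 3,
  permissions: ["activeTab", "storage"],
};

// An extension that can observe and rewrite every request on every site:
const SAMPLE_BROAD = {
  name: "broad-capture (constructed)",
  manifest_version: 2,
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

for (const m of [SAMPLE_SCOPED, SAMPLE_BROAD]) {
  const r = triageManifest(m);
  console.log(`${r.name}: ${r.canReadAllTraffic ? "CAN read all traffic" : "scoped"}`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

The check only says what an extension is able to do, not what it does: whether captured data is then posted to a remote server is decided in the background script, which a permission scan cannot see. That gap is why the automated behavioural analysis the UC Santa Barbara team is pursuing matters more than a manifest filter.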
The team at UC Santa Barbara who worked on this research are also looking into more automatic ways to identify these malicious extensions and notify Google.
Source: BBC News