Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adware Vendors Buying Chrome Extensions, Injecting Ads

Posted by Soulskill on from the advertising-will-destroy-everything-good-in-the-world dept.

An anonymous reader writes "Ars reports that the developers of moderately popular Chrome extensions are being contacted and offered thousands of dollars to sell ownership of those extensions. The buyers are then adding adware and malware to the extensions and letting the auto-update roll it out to end users. The article says, 'When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.'"

9 of 194 comments (clear)

  1. And That, Ladies and Gentlemen ... by Anonymous Coward · · Score: 5, Interesting

    And that, ladies and gentlemen, is how the free market works.

    The reputation of these plugins is worth money. The down side is that once the malware infected extensions are reported to Google, Google will kill them off in the browsers. They wont live long enough to make their money back. The adsheisters will quickly see their reputation vanish and their install base dwindle.

    1. Re:And That, Ladies and Gentlemen ... by CodeBuster · · Score: 5, Insightful

      Doesn't Google share at least part of the blame here for not allowing users to opt-out of automatic updates once an extension is installed? As the article points out, it's precisely this ability to automatically "push update" thousands or tens of thousands of users without recourse, combined with lax enforcement by Google of update rules, that makes this situation attractive to the advertisers. Why not instead allow users to decide what the update policy will be on their device, as in Firefox?

  2. Great by asmkm22 · · Score: 5, Interesting

    What makes this really bad is that it's difficult to permanently remove Chrome extensions sometimes. If I delete it, it will just show back up in a few minutes, probably because it's saved somewhere in my central account. Now with this out there...

    1. Re:Great by mgiuca · · Score: 5, Informative

      Chrome developer here. If you are deleting your extensions and they are showing back up in a few minutes, you have malware on your system that is actively re-installing them (I have seen this in action).

      Under normal circumstances, deleting an extension on one machine (assuming you have extensions sync turned on) will cause it to be deleted in your central account, and this delete will propagate to your other machines. Chrome won't push an extension back to your machine that you just deleted. Also, side-loaded extensions (ones that you didn't get from the Web Store) are never synced.

      The problem is that many users have malware running in their system that continually installs a particular extension into Chrome, so if you delete it, it goes right back (through no fault of Chrome's). The only solution for now is to find and disable the malware. On Windows, we will soon be blocking side-loaded extensions to prevent this sort of thing from happening.

  3. Re:Autoupdate by rueger · · Score: 5, Insightful

    The whole notion of automatic updates just doesn't make any sense.

    Please assure that you're not one of those people who complain about users running unpatched Windows boxes because they turned off auto-update.

    For the average non-techy user auto-update is the one thing I'd say is essential. They're not in any position to judge what parts of their system need, or don't need updates, and I'd rather that they trust in Google, or Microsoft, or even Canonical to decide for them.

    Now, you can debate the fine points, about whether minor plug-ins should auto-update, or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader, but in general I'd still argue that auto-updates are good security practice.

    --
    Three Squirrels
  4. I had a couple offers by rsilvergun · · Score: 5, Informative

    to my Firefox extension and they were all kinda shady. Extension development is kinda niche to begin with, so I figured they were planning something like this. I'm just surprised it took so long for people to notice.

    I don't see it as a huge problem though. Most extension developers are like me, hobbiests and enthusiasts. There's really only a few big ones (like Adblock Plus and Firebug) and those are big enough they're not a target for these sorts of things.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  5. Re:We're all really screwed if... by KPU · · Score: 5, Informative

    They already have. The option to allow ads from people that have paid AdBlock is checked by default. https://easylist-downloads.adblockplus.org/exceptionrules.txt

  6. Re:Is Firefox safer? by BZ · · Score: 5, Informative
    You may want to read https://addons.mozilla.org/en-US/developers/docs/policies/reviews for Mozilla's policy for hosted addons. It says "will", but that page is also two years old. Those policies are in place now. The short of it is:
    1. All addons hosted by Mozilla get reviewed.
    2. Open source is not required, but source disclosure to Mozilla is.
    3. Any update to the addon triggers a new review cycle.
  7. Re:Autoupdate by thegarbz · · Score: 5, Insightful

    So you sit down and check on the health of your machine, you go through logs reading on what is vulnerable, and then you manually apply security patches.

    How is this relevant in a discussion about what is best for a normal user again?

    The normal user can barely be trusted to check in their car for a scheduled service let alone go through security updates one at a time. Like it or not the number of security threats caused by malicious updates is infinitesimal compared to the number of security threats caused by bugs which haven't been patched.