Security News Chrome Extension With Over One Million Users Hijacked to Serve Adware

LASER_oneXM

The developer of a very popular Google Chrome extension has regained access over his tool after an unknown hacker had managed to hijack his developer account and push a malicious version that contained adware.

The extension's name is Web Developer, a tool developed by Chris Pederick, Director of Engineering at Bleacher Report. The extension overlays a popup with various debug tools that developers can use when building or editing their websites.

Extension developer fell for a phishing email
According to Pederick, on August 2, he fell for a phishing email that allowed an unknown hacker to take over his Google developer account.

...
The hacker used this access to insert malicious code inside the Web Developer extension and push out an update (v0.4.9) to the extension's one-million-strong userbase.

The update inserted ads inside sites users were visiting. The malicious update was live only a few hours, as Google engineers intervened and took down the extension.


Developer releases clean version. Update to v0.5!
Late in the evening, on the same day, Google reactivated the extension after Pederick regained access over the developer account and released Web Developer version 0.5 that removed the adware code.

Pederick also runs Firefox and Opera versions of the same extensions. These were not affected.
 

shmu26

This is the kind of thing that we users cannot easily protect ourselves against, and it's not just Google. If a dev gets compromised, the users can get malicious updates, and there doesn't seem to be a good way to protect against it.
 

SHvFl

This is the kind of thing that we users cannot easily protect ourselves against, and it's not just Google. If a dev gets compromised, the users can get malicious updates, and there doesn't seem to be a good way to protect against it.
You don't have to have a million extensions, and with just a few not being from Google/MS etc., the chances are so low that you should be fine. Most extensions don't need access to everything, so you need to worry about those that do need it.
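
Added example, not part of the original posts: one way to find the extensions that "need access to everything" is to read each installed extension's manifest.json and flag host patterns that cover all sites. The directory layout (`<id>/<version>/manifest.json` under a profile's Extensions folder, passed in by the caller) and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Match patterns that let an extension read or modify every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_grants(manifest):
    """Return (manifest key, pattern) pairs that give access to all sites."""
    found = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and p in BROAD:
                found.append((key, p))
    # Content scripts are injected into every page their "matches" cover.
    for script in manifest.get("content_scripts", []):
        for p in script.get("matches", []):
            if p in BROAD:
                found.append(("content_scripts", p))
    return found

def audit(extensions_dir):
    """Map '<id>/<version>' to broad grants for each unpacked extension on disk."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        grants = broad_grants(manifest)
        if grants:
            report[f"{path.parts[-3]}/{path.parts[-2]}"] = grants
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 2, "name": "sample-devtools",
                "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "sample-notes",
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for ext, grants in audit(sys.argv[1]).items():
            print(ext, grants)
    else:
        print(broad_grants(SAMPLE_BROAD), broad_grants(SAMPLE_NARROW))
```

An extension flagged here is not malicious by itself; the list shows which extensions would give a hijacked update, like the one in this thread, the widest reach.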
 
509322

This is the kind of thing that we users cannot easily protect ourselves against, and it's not just Google. If a dev gets compromised, the users can get malicious updates, and there doesn't seem to be a good way to protect against it.

What you actually need versus what you think you need after reading a couple IT security news reports are two completely different things. One is a rational, carefully measured approach to install a solid baseline protection against most, but not all, potential attacks while the other is entirely a paranoid one that instills continual dissatisfaction with security softs because security softs 1) do not stop 100 % of all attacks 100 % of the time and 2) are not fully automated.
 
