Security News Chrome Extension With Over One Million Users Hijacked to Serve Adware

LASER_oneXM

The developer of a very popular Google Chrome extension has regained access over his tool after an unknown hacker had managed to hijack his developer account and push a malicious version that contained adware.

The extension's name is Web Developer, a tool developed by Chris Pederick, Director of Engineering at Bleacher Report. The extension overlays a popup with various debug tools that developers can use when building or editing their websites.

Extension developer fell for a phishing email
According to Pederick, on August 2, he fell for a phishing email that allowed an unknown hacker to take over his Google developer account.

....
...
.....
The hacker used this access to insert malicious code inside the Web Developer extension and push out an update (v0.4.9) to the extension's one-million-strong userbase.

The update inserted ads inside sites users were visiting. The malicious update was live only a few hours, as Google engineers intervened and took down the extension.


Developer releases clean version. Update to v0.5!
Late in the evening, on the same day, Google reactivated the extension after Pederick regained access over the developer account and released Web Developer version 0.5 that removed the adware code.

Pederick also runs Firefox and Opera versions of the same extensions. These were not affected.
 
This is the kind of thing that we users cannot easily protect ourselves against, and it's not just Google. If a dev gets compromised, the users can get malicious updates, and there doesn't seem to be a good way to protect against it.
You don't have to have a million extensions, and with just a few not being from Google/MS etc., the chances are so low that you should be fine. Most extensions don't need access to everything, so you need to worry about those that do need it.
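An added example, not part of any post in this thread: one way to find the extensions that "need access to everything" is to read each installed extension's manifest and flag all-sites host patterns, alongside the hijacked Web Developer build (v0.4.9) named in the article. The function names and sample manifests are constructed for illustration, and the set of "broad" patterns is an assumption you can extend.

```python
# Host patterns that let an extension read or change every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# From the article: Web Developer v0.4.9 was the hijacked build, v0.5 the clean one.
KNOWN_BAD = {("Web Developer", "0.4.9")}


def _strings(items):
    """Keep only string entries; some manifests carry object-valued permissions."""
    return {i for i in items or [] if isinstance(i, str)}


def broad_patterns(manifest):
    """Return the sorted all-sites patterns a manifest asks for, in any field."""
    requested = _strings(manifest.get("permissions"))        # MV2 lists hosts here
    requested |= _strings(manifest.get("host_permissions"))  # MV3 moved them here
    for script in manifest.get("content_scripts") or []:
        requested |= _strings(script.get("matches"))         # auto-injected scripts
    return sorted(requested & BROAD_HOSTS)


def audit(manifests):
    """Return (name, version, broad_patterns, known_bad) for extensions to review."""
    findings = []
    for m in manifests:
        name, version = m.get("name", "?"), m.get("version", "?")
        broad = broad_patterns(m)
        known_bad = (name, version) in KNOWN_BAD
        if broad or known_bad:
            findings.append((name, version, broad, known_bad))
    return findings


# Constructed sample manifests (not copied from any real extension).
SAMPLE = [
    {"name": "Web Developer", "version": "0.4.9", "manifest_version": 2,
     "permissions": ["tabs", "<all_urls>"]},
    {"name": "Example Notes", "version": "1.2.0", "manifest_version": 3,
     "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]},
    {"name": "Example Page Tool", "version": "2.0", "manifest_version": 3,
     "permissions": ["activeTab"],
     "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]},
]

if __name__ == "__main__":
    for name, version, broad, known_bad in audit(SAMPLE):
        print(f"{name} {version}: broad={broad} known_bad={known_bad}")
```

To run it on a real profile, load each installed extension's `manifest.json` with `json.load` and pass the resulting list to `audit`. Manifests that localise their name store a `__MSG_...__` placeholder in the `name` field, so the version match needs the resolved name in that case.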
 
This is the kind of thing that we users cannot easily protect ourselves against, and it's not just Google. If a dev gets compromised, the users can get malicious updates, and there doesn't seem to be a good way to protect against it.

What you actually need versus what you think you need after reading a couple IT security news reports are two completely different things. One is a rational, carefully measured approach to install a solid baseline protection against most, but not all, potential attacks while the other is entirely a paranoid one that instills continual dissatisfaction with security softs because security softs 1) do not stop 100 % of all attacks 100 % of the time and 2) are not fully automated.