Level 8

Abusive add-ons aren’t just a Chrome and Firefox problem. Now it’s Edge’s turn

After discovering the redirections weren’t an isolated incident, participants in this Reddit discussion winnowed the list of suspects down to five. All of them are knockoffs of legitimate add-ons. That means that while the extensions bear the names of legitimate developers, they are, in fact, imposters with no relation.


Level 38
Content Creator
From that article:
In a statement, Microsoft officials wrote: “We’re investigating the reported extensions listed and will take action as needed to help protect customers.” The statement follows comments in this Reddit comment in which someone identifying herself as a community manager for Microsoft Edge said the company is in the process of investigating the extensions.

“The team just updated me to let me know that anyone seeing these injections should turn off their extensions and let me know if you continue to see them at that point,” the person using the handle MSFTMissy wrote. “Once I have any news from them, I will update this thread accordingly.”

The maker of the legitimate TunnelBear software and browser extensions told me that the add-on hosted in Microsoft's official Edge store is a fake. It said there's an extension in the Chrome Web Store that's also fraudulent.

“We are taking action to have these removed from both platforms and investigating the matter with both Google and Microsoft,” a TunnelBear representative said. “It is not uncommon for popular, trusted brands like TunnelBear to be spoofed by malicious actors.”

None of the remaining four legitimate developers of the real extensions responded to a request for comment. Readers should remember, however, that legitimate developers can't be held responsible when their apps or add-ons are spoofed.

Along with Android apps, browser extensions are one of the weak links in the online security chain. The problem is that anyone can submit them, and Google, Mozilla, and now Microsoft haven’t come up with a system that adequately vets the authenticity of the people submitting them or the safety of the code.

Search engine redirections are typically part of a scheme to generate fraudulent revenue by ginning up ad clicks, and that's what's likely happening here. While reports indicate that the add-ons do nothing more than hijack legitimate searches, the privileges they require provide the possibility of doing much worse. Usage rights include things like:

  • Reading and changing all your data on the websites you visit
  • Managing your apps, extensions, and themes
  • Changing your privacy-related settings

Anyone who has installed any of the above-mentioned Edge add-ons should remove them immediately. And the oft-repeated advice about browser extensions still applies here: (1) install extensions only when they provide true value or benefit and even then (2) take time to read reviews and check the developer for any signs an extension is fraudulent.

I had a conversation with Raymond Hill, the maker of uBlock Origin, on Twitter.
There is also a fake uBlock Adblock Plus extension on the store that has not been taken down despite being reported by him and Nik Rolls.
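
As an added example (not part of the quoted article or of any post in this thread): a small Node.js check that maps the three privileges listed above to the `manifest.json` entries that trigger those warnings in Chromium-based browsers such as Edge. The function name `auditManifest` and both sample manifests are constructed for illustration.

```javascript
// Added example: report which of the article's three listed privileges an
// extension manifest requests. Sample manifests below are constructed.

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const ALL_SITES = "Read and change all your data on the websites you visit";
// API permissions and the install-time warning each one produces.
const RISKY_API = {
  management: "Manage your apps, extensions, and themes",
  privacy: "Change your privacy-related settings",
};

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 uses
  // "host_permissions". Optional entries can be requested after install.
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  // Content scripts reach page content through "matches" alone.
  const scriptHosts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);

  const findings = new Set();
  for (const entry of [...declared, ...scriptHosts]) {
    if (typeof entry !== "string") continue; // tolerate malformed manifests
    if (BROAD_HOSTS.has(entry)) findings.add(ALL_SITES);
    else if (Object.hasOwn(RISKY_API, entry)) findings.add(RISKY_API[entry]);
  }
  return [...findings].sort();
}

// Constructed sample: narrow extension limited to one site.
const narrowExtension = {
  manifest_version: 3, name: "Example Search Helper (constructed)",
  permissions: ["storage"], host_permissions: ["https://example.com/*"],
};
// Constructed sample: requests all three privileges from the list above.
const broadExtension = {
  manifest_version: 2, name: "Example VPN (constructed)",
  permissions: ["management", "privacy", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

console.log(auditManifest(narrowExtension));
console.log(auditManifest(broadExtension));
```

A finding shows what the extension is able to do, not that it is malicious; many legitimate content blockers and VPN add-ons request the same access, so the result is a prompt to verify the publisher.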


Level 38
Content Creator
This story on Ghacks:
Sites like Techdows published articles on the removal. According to the information, users of Edge opened support requests when they started to notice that searches were redirected when they used the Microsoft Edge browser.

It turned out that rogue extensions were responsible for that. All of these extensions were hosted on the official Microsoft Store; they used names of popular services and programs, e.g. NordVPN, Adguard VPN or The Great Suspender to lure users into installing the extensions.

Microsoft pulled the fake extensions from its web store and users who installed these in Edge will have them disabled on the next start of the browser automatically.

Raymond Hill, maker of the popular content blocker uBlock Origin, discovered another fake extension in the store that was based on an earlier version of uBlock Origin and manipulated website content to inject content on websites the user visited.

The two incidents suggest that users need to be very careful when installing extensions from the Microsoft Edge extensions store as Microsoft's protections are as weak as Google's protections on the Chrome Web Store.

In other words: there is always the chance that an extension is malicious in nature because of an insufficient vetting process. This leads to the following question: what can you do to protect yourself?

One of the best options is to analyze the code of the extension, but that is hardly something that all Edge users can do. Reviews and ratings help only so much, as they can be faked and sometimes may not be available. You could look for reviews on trusted sites, or make sure that the company that supposedly created the extension has indeed created it by verifying that on the company site.

Now You: do you vet extensions before you install them?


Level 38
Content Creator
Opera and Brave users don't see this problem with rogue ad-blockers.
Conclusion: for now the safest and most reliable is Brave.
Unfortunately, that is not completely true because Brave gets its extensions from the Chrome Store.

That leaves Opera as probably the safest one for extensions, but they are often a version behind.
I'm not sure how Opera handles the vetting of extensions and when they removed, for example, Nano Adblocker.
You can also install extensions from Chrome in Opera and then they are as vulnerable as all the other browsers.


Level 38
Content Creator
'The Great Suspender' extension is now flagged as malware, but Microsoft Edge has a built-in replacement:
What you need to know
  • Microsoft Edge now warns that "The Great Suspender" extension contains malware.
  • The Great Suspender was recently sold to a new owner.
  • Microsoft Edge has a similar feature that can be enabled through edge://flags.
'The Great Suspender' extension is now flagged as malware, but Microsoft Edge has a built-in replacement | Windows Central

Microsoft removes Scummy Extension ‘UBlock Adblock Plus’ from Edge Add-ons Store:
A few days back, Microsoft removed some extensions from the Edge Add-ons store that hijacked the search results. Now yet another extension is gone. This time, it’s an adblocker named “UBlock Adblock Plus”. According to the UBlock Origin developer, the extension is based on an old version of UBO and it starts injecting an iframe into all visited web pages after blocking 999 network requests.
Microsoft removes Scummy Extension 'UBlock Adblock Plus' from Edge Add-ons Store (techdows.com)


Level 66
Content Creator
Malware Hunter
According to a list shared by a Microsoft community manager, the 18 extensions can be grouped into two categories. The first one is for extensions that tried to pass as the official versions of various apps, even if those apps didn't have official versions for Edge. This included:
  • NordVPN
  • Adguard VPN
  • TunnelBear VPN
  • Ublock Adblock Plus
  • Greasemonkey
  • Wayback Machine
The second list contained extensions that were copied from authentic Chrome extensions, ported to Edge, and then had malicious code inserted. This included:
  • The Great Suspender
  • Floating Player - Picture-in-Picture Mode
  • Go Back With Backspace
  • friGate CDN - smooth access to websites
  • Full Page Screenshot
  • One Click URL Shortener
  • Guru Cleaner – cache and history cleaner
  • Grammar and Spelling Checker
  • Enable Right Click
  • FNAF
  • Night Shift Redux
  • Old Layout for Facebook


Level 38
Content Creator
Another one to add to the list:
The makers of Windscribe, a popular free and paid VPN provider, revealed yesterday that they have been a target as well. A fake Windscribe extension was uploaded to the Microsoft Store, and like all the others, accepted by Microsoft.
That was not our extension, because the MS review process is useless. Someone uploaded a modified version of the extension, and MS just approved it. We looked at it, it didn't seem to contain any actual malware at first glance, however we encourage you to change your Windscribe password.
Microsoft did flag the fake extension as malicious in the meantime. The extension is no longer available as a consequence, and users who have it installed should see it being disabled automatically in the browser. The real Windscribe extension that is created by the makers of the service is still in Microsoft's review queue. Affected users should consider changing passwords to the service, and maybe also to other services that they signed in to while using the extension.
Microsoft's review process did not catch the fake extensions that were released to the store in the past two weeks. It is not the first time that malicious extensions were made available in the store. If Microsoft does not change the review process, it is likely that it won't be the last time that users will install fake extensions from the official Edge extensions store.

It is recommended that users check with the maker of the product to see if a browser extension for Microsoft Edge is available before installing any extension from the Microsoft Store.