Tutman


Abusive add-ons aren’t just a Chrome and Firefox problem. Now it’s Edge’s turn

After discovering the redirections weren’t an isolated incident, participants in this Reddit discussion winnowed the list of suspects down to five. All of them are knockoffs of legitimate add-ons. That means that while the extensions bear the names of legitimate developers, they are, in fact, imposters with no relation.
 

Gandalf_The_Grey

From that article:
In a statement, Microsoft officials wrote: “We’re investigating the reported extensions listed and will take action as needed to help protect customers.” The statement follows comments in this Reddit comment in which someone identifying herself as a community manager for Microsoft Edge said the company is in the process of investigating the extensions.

“The team just updated me to let me know that anyone seeing these injections should turn off their extensions and let me know if you continue to see them at that point,” the person using the handle MSFTMissy wrote. “Once I have any news from them, I will update this thread accordingly.”

The maker of the legitimate TunnelBear software and browser extensions told me that the add-on hosted in Microsoft's official Edge store is a fake. It said there's an extension in the Chrome Web Store that's also fraudulent.

“We are taking action to have these removed from both platforms and investigating the matter with both Google and Microsoft,” a TunnelBear representative said. “It is not uncommon for popular, trusted brands like TunnelBear to be spoofed by malicious actors.”

None of the remaining four legitimate developers of the real extensions responded to a request for comment. Readers should remember, however, that legitimate developers can't be held responsible when their apps or add-ons are spoofed.

Along with Android apps, browser extensions are one of the weak links in the online security chain. The problem is that anyone can submit them, and Google, Mozilla, and now Microsoft haven’t come up with a system that adequately vets the authenticity of the people submitting them or the safety of the code.

Search engine redirections are typically part of a scheme to generate fraudulent revenue by ginning up ad clicks, and that's what's likely happening here. While reports indicate that the add-ons do nothing more than hijack legitimate searches, the privileges they require provide the possibility of doing much worse. Usage rights include things like:

  • Reading and changing all your data on the websites you visit
  • Managing your apps, extensions, and themes
  • Changing your privacy-related settings

Anyone who has installed any of the above-mentioned Edge add-ons should remove them immediately. And the oft-repeated advice about browser extensions still applies here: (1) install extensions only when they provide true value or benefit and even then (2) take time to read reviews and check the developer for any signs an extension is fraudulent.

I had a conversation with Raymond Hill, the maker of uBlock Origin, on Twitter.
There is also a fake uBlock Adblock Plus extension on the store that has not been taken down while being reported by him and Nik Rolls.
 

Gandalf_The_Grey

This story on Ghacks:
Sites like Techdows published articles on the removal. According to the information, users of Edge opened support requests when they started to notice that searches were redirected when they used the Microsoft Edge browser.

It turned out that rogue extensions were responsible for that. All of these extensions were hosted on the official Microsoft Store; they used names of popular services and programs, e.g. NordVPN, Adguard VPN or The Great Suspender to lure users into installing the extensions.

Microsoft pulled the fake extensions from its web store and users who installed these in Edge will have them disabled on the next start of the browser automatically.

Raymond Hill, maker of the popular content blocker uBlock Origin, discovered another fake extension in the store that was based on an earlier version of uBlock Origin and manipulated website content to inject content on websites the user visited.

The two incidents suggest that users need to be very careful when installing extensions from the Microsoft Edge extensions store as Microsoft's protections are as weak as Google's protections on the Chrome Web Store.

In other words: there is always the chance that an extension is malicious in nature because of an insufficient vetting process. This leads to the following question: what can you do to protect yourself?

One of the best options is to analyze the code of the extension, but that is hardly something that all Edge users can do. Reviews and ratings help only so much, as they can be faked and sometimes may not be available. You could look for reviews on trusted sites, or make sure that the company that supposedly created the extension has indeed created it by verifying that on the company site.

Now You: do you vet extensions before you install them?
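
A first pass at the code analysis suggested above can start with the extension's manifest.json, as an added example that is not part of either quoted article or any post in this thread. It maps manifest entries to the three usage rights listed in the Ars Technica excerpt; the function name, the sample manifests and the search-override label are assumptions made for illustration.

```javascript
// Added example (not from the thread): flag high-impact grants in manifest.json.
const WARNINGS = {
  hosts: "Read and change all your data on the websites you visit",
  management: "Manage your apps, extensions, and themes",
  privacy: "Change your privacy-related settings",
};
// Match patterns that cover every site.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === "string");
  // Content scripts reach pages through "matches" even with no listed host permission.
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];

  const broad = [...new Set([...declared, ...matches].filter((p) => ALL_SITES.has(p)))];
  if (broad.length > 0) findings.push({ warning: WARNINGS.hosts, via: broad });
  for (const api of ["management", "privacy"]) {
    if (declared.includes(api)) findings.push({ warning: WARNINGS[api], via: [api] });
  }
  // A declared default-search override deserves a look in anything that is not a
  // search tool. The label below is this example's wording, not browser text.
  const search = (manifest.chrome_settings_overrides || {}).search_provider;
  if (search) findings.push({ warning: "Overrides the default search provider", via: [String(search.search_url)] });
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_KNOCKOFF = {
  name: "Example VPN (constructed)",
  manifest_version: 2,
  permissions: ["<all_urls>", "management", "privacy", "storage"],
  chrome_settings_overrides: { search_provider: { name: "x", search_url: "https://search.example/?q={searchTerms}" } },
};
const SAMPLE_NARROW = {
  name: "Example notes (constructed)",
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://notes.example/*"],
};

for (const m of [SAMPLE_KNOCKOFF, SAMPLE_NARROW]) {
  console.log(m.name, auditManifest(m).map((f) => `${f.warning} [${f.via.join(", ")}]`));
}
```

A clean result only means the manifest asks for little; an extension that legitimately needs broad access still has to be judged by its publisher and its code.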
 

Gandalf_The_Grey

Opera and Brave users don't see this problem with rogue ad-blockers.
Conclusion: for now the safest and most reliable is Brave.
Unfortunately, that is not completely true because Brave gets its extensions from the Chrome Store.

That leaves Opera as probably the safest one for extensions, but they are often a version behind.
I'm not sure how Opera handles the vetting of extensions and when they have removed, for example, Nano adblocker.
You can also install extensions from Chrome in Opera and then they are as vulnerable as all the other browsers.
 

Gandalf_The_Grey

'The Great Suspender' extension is now flagged as malware, but Microsoft Edge has a built-in replacement:
What you need to know
  • Microsoft Edge now warns that "The Great Suspender" extension contains malware.
  • The Great Suspender was recently sold to a new owner.
  • Microsoft Edge has a similar feature that can be enabled through edge://flags.
'The Great Suspender' extension is now flagged as malware, but Microsoft Edge has a built-in replacement | Windows Central

Microsoft removes Scummy Extension ‘UBlock Adblock Plus’ from Edge Add-ons Store:
A few days back, Microsoft removed some extensions from the Edge Add-ons store that hijacked the Search results. Yet another extension is gone. This time, it’s an adblocker named “UBlock Adblock Plus”. According to the UBlock Origin developer, the extension is based on an old version of UBO and it starts injecting an iframe into all visited web pages after blocking 999 network requests.
Microsoft removes Scummy Extension 'UBlock Adblock Plus' from Edge Add-ons Store (techdows.com)
 