Google Pulls Two Chrome Extensions For Pushing Malware

After extensions Add to Feedly and Tweet This Page turned into malware, users have begun complaining about Google's lax security policies.

By Matt Picht | January 20, 2014

If you use Google's popular web browser Chrome, you may want to think twice before downloading your next extension. The company recently pulled two products from its extension store after they started pushing malware on their users.

The story starts with Amit Agarwal, a tech blogger who created the Add to Feedly extension to augment the popular RSS service. In a blog post, Agarwal says someone offered to buy his extension after it gained around 30,000 Chrome users. "It was a 4-figure offer for something that had taken an hour to create and I agreed to the deal." (Via Digital Inspiration)

A few months after the purchase, Add to Feedly's new owners quietly updated the extension with adware. The once-useful add-on now injected malicious ads onto webpages, replacing links and confronting users with pop-ups. (Via OMG Chrome)

After Add to Feedly's woes went public, a writer for Ars Technica shared a similar experience he had with a different Chrome extension.

"About a month ago, I had a very simple Chrome extension called 'Tweet This Page' suddenly transform into an ad-injecting machine and start hijacking Google searches. ... The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect."

The Wall Street Journal notes that in both cases, malware purveyors took advantage of an existing extension's user base and Chrome's lax security standards. "Google doesn't review changes to the code of Chrome extensions, and Chrome allows extensions to be updated and pushed to users' computers automatically."

Google has since removed both extensions from its store, but the practice of spreading malware through Chrome extensions is still a threat.

One developer for the Chrome extension Honey recently held an Ask Me Anything on Reddit, revealing the add-on had received numerous buy-out offers from malware companies and data collection firms. According to Google, Honey has about 300,000 users.

And Quartz points out that Chrome's security team still mostly relies on user reviews to police its extension store. "Google looks like it's taking a more proactive role in enforcement, but it is still a long way from Apple's in-house regulatory commission, or even Firefox's less-rigorous editorial review."

Back in December, Google announced it will limit add-ons to a single function, getting rid of Trojan Horse extensions which deliver ads in addition to their normal use. The policy goes into full effect in June.
