Cluster of 295 Chrome Extensions Caught Hijacking Google and Bing Search Results

An anonymous reader writes: More than 80 million Chrome users have installed one of 295 Chrome extensions that have been identified to hijack and insert ads inside Google and Bing search results. The malicious extensions were discovered by AdGuard, a company that provides ad-blocking solutions, while the company's staff was looking into a series of fake ad-blocking extensions that were available on the official Chrome Web Store. AdGuard says that most of the extensions (245 out of the 295 extensions) were simplistic utilities that had no other function than to apply a custom background for Chrome's "new tab" page. In addition to the 295 cluster, AdGuard also found a large number of copycat extensions that cloned popular add-ons to capitalize on their brands, and then load malicious code that performed ad fraud or cookie stuffing. ZDNet has the full list of 295 Chrome extensions embedded in their article.

bad practices on the Chrome Web Store

[fustakrakich]

This sounds more intentional than "accidental"

uBlock and NoScript... What else do you need?

Re:

[fustakrakich]

I have a second question to add, Do adults actually download that shit??

What will Google actually DO?

[Canberra1]

Will All these extensions removed overnight? Blacklist the people who made the store declarations? Build an anti-hijacking option that also has the option to return fake results (See OS Copperhead). It is in Googles interest, as those who make the valuable searches then get direct pitches BYPASSING Google along the way. No more poor-mans Bing. Time to crush the offenders.

Re:

[omnichad]

According to the article, they got marked as malware and disabled but not uninstalled in the end user's browser. Oh, you mean keeping crap out of the store to begin with? Probably nothing.

Blacklist the people who made the store declarations?

I'm pretty sure that they consider a Google Account to be an identity. Internal outsourcing. So all someone has to do is have another Google account ready. I don't think that's hard. Amazon even has a CAPTCHA-filling service (Mechanical Turk) for creating fake accounts.

Re:

[K. S. Kyosuke]

uBlock and NoScript... What else do you need?

Zotero, perhaps?

Re:bad practices on the Chrome Web Store

[bobstreo]

This sounds more intentional than "accidental"

uBlock and NoScript... What else do you need?

I'd toss in Privacy Badger too.

Re:bad practices on the Chrome Web Store

[Kisai]

If you look at the list, clearly they are garbage extensions, all using the same spammy title.

Ghostery works great and is more selective (scalpel, not shotgun) about dealing with ads. uBlock/Adblock+ are rubbish in their own ways as well. The main key problem in blocking ads is that they tend to completely blow apart websites "responsive" designs and sometimes that results in collapsing html elements making the site unreadable. OR, sometimes, like with news sites, it's the only way to make them readable at all, as the ads outnumber the content.

My suggestion, the HOSTS file should be your number one option for blocking crap. Block Taboola, Block any ad widgets like it that show you gross things, or stale articles. They will never improve and keep showing you stuff that is disturbing so just block them.

Re:

[fustakrakich]

My suggestion, the HOSTS file should be your number one option for blocking crap.

Yeah, I hear a lot about that....

Re:

[Anonymous Coward]

blowing apart "responsive" designs is the entire point.

If more people would refuse to use maliciously designed web sites, then there would be less maliciously designed web sites, because all of those of that ilk would go bankrupt and disappear from the face of the Internet.

Re:

[Anonymous Coward]

Psst...

No one is going to wade through your turd forest to get to your actual comment.

Like everything in your life, even your posts are a race to the bottom!

I thought Google was the Ultimate

[oldgraybeard]

high tech arbiters of what is good and wholesome on this planet. How could they ever error?

From the names

[ClueHammer]

They are seemly targeting children a petrol heads.

Google doesn't care

[Required Snark]

It's clear from the discovery that Google has zero interest in protecting Chrome users. There are 256 related extensions, they are all simple, and they all hijack results. How hard can this be to find? AdGuard found them and Google didn't. The only possible conclusion is that Google only cares about the data they collect and if someone else rips off their users, so what.

Re:Google doesn't care

[h33t l4x0r]

Protecting them from their own bad choices? Those users get a warning that says "This extension requires access to tons of stupid and dangerous shit. Install anyway?". When they click Yes, the rest is on them.

Re:

[Required Snark]

So how's that fascist thing working out for you?

Re:

[jbmartin6]

The warning doesn't say that. What it does say is something more like "Here is a browser widget *Google* is providing you that does some vague technical stuff." Regular people probably don't understand the implications of that stuff, but since it is provided through Google they won't be overly suspicious.

Re:

[jbmartin6]

perhaps unfairly, In concluded this when I learned that extensions can update themselves from any arbitrary URL. Why even bother having the "store" at that point?

On many Linux distros

[hcs_$reboot]

The extensions are in ~/.config/google-chrome/Default/Extensions
Thus you can do a `grep` from the list of dirs here in the list of extensions given on the site in TFS
cd ~/.config/google-chrome/Default/Extensions
for d in *; do grep $d ~/badextlist.txt;done
If nothing comes out of that, you're ok.

Re:

[omnichad]

I'm actually surprised that ZDNet listed the extension ID list in the article. That's way too technical for them and their readers, but great nonetheless.

Re:

[hcs_$reboot]

They probably copy-pasted the list, including the IDs, since they have no clue of what that is.

Sad that Google already has the metadata to block

[Armantamzarian]

It's sad that Google already has the metadata to allow users to make educated guesses about the authenticity of each extension. Each extension needs to declare up front what permissions it needs to run. Google can simply list these permissions up front and even generate a score system for easier understanding. This won't even require developers to update their extensions and can be done in the UI only.

basically anything with 'wallpaper' in the title

[tommeke100]

295 looks like a huge list, but it's pretty much a re-package of the same thing in different wallpaper themes (I think maybe 5 didn't include wallpaper in the extension name). Don't install wallpaper extensions is the message here.

Re:

[Jahta]

This is a general theme. Every time malware in extensions comes up, it is almost always in gimmicky extensions. Always ask yourself "do I really need this?".

The days of free money is over.

[jellomizer]

Google, Facebook, Apple... Made their money by algorithms collecting content from people then selling them back to the people who would like to view it.

Now this is becoming a greater problem and these companies are faced with the fact that such products that they sell will need to be reviewed for quality and safety. This will cost them money. However this isn't new. A retail store has to stand behind the quality and safety of its products it sells no matter the manufacturer. When there is a Recall, the r

So, just like Google and Bing then

[Rosco P. Coltrane]

identified to hijack and insert ads inside Google and Bing search results.

That's why it's sneaky and it went undetected for a while: what's to distinguish a metric shitton of annoying pointless Google ads from a metric shitton of annoying pointless non-Google ads eh?