Millions of Chrome users now have a way to guard against the threat of extension subversion, that is, if they don’t mind installing yet another browser extension.
Matt Frisbie, a software developer and programming book author, has released a Chrome add-on called Under New Management to alert users when installed extensions have changed owners.
In the GitHub repo for Under New Management, Frisbie explains why this may be useful. Basically: Extensions can be developed for entirely innocent, useful purposes, but when they are sold or hand over to others, those new owners can – and have – sneakily adjusted the code so that it turns against the user, stealing their info or injecting ads. This kind of hijacking can affect millions of netizens at a time.
“Extension developers are constantly getting offers to buy their extensions,” Frisbie says. “In nearly every case, the people buying these extensions want to rip off the existing users.
The users of these extensions have no idea an installed extension has changed hands, and may now be compromised
“The users of these extensions have no idea an installed extension has changed hands, and may now be compromised.
“Under New Management gives users notice of the change of ownership, giving them a chance to make an informed decision about the software they’re using.”
As we reported last August, those who develop Chrome extensions that become popular often receive solicitations to sell their code or to partner with a third-party in order for the new owner or partner to insert dubious, scammy, or malicious code in the extension.
The idea is that the browser extension, which has been altered to collect or steal data, or to present ads or to execute some other monetizable function like cryptomining, can be updated automatically without alarming those who have installed it — perhaps without being caught by Google’s automated scanning.
Google’s focus has been on detecting malicious code and in that respect Frisbie believes Google has been successful. “Their automatic package analysis tools are sophisticated at detecting malicious extensions,” Frisbie explained in an email to The Register. “A primary goal of the Manifest v3 push was to disable the more problematic attack vectors (eg, remote code execution). All indications are that these efforts have been largely successful.”
Malicious Chrome extensions are bad. But what about nice ones that can be hijacked? This new tool spots them
“When an acquisition goes through, and the new publisher tries to abuse the existing user base, the Chrome team usually is able to detect if the new publisher sends out a malicious update, but this is the only line of defense,” he said. “What’s more, this doesn’t account for cases where the new update isn’t necessarily malicious, but might export and abuse a user’s data, inject ads, or use it in a way that they did not intend when they installed the extension.”
One such request cited by a Chrome extension developer on the Chrome Extensions mailing list sought the modification of the user’s search provider in order to capture all the search terms the user enters into the browser’s omnibox.
Schemes of this sort are common elsewhere and have been seen by those developing software packages distributed through package registries. Web publishers also get solicitations to replace broken links with a functioning link to some other website seeking the search ranking benefit of association with an authoritative source.
But these sorts of offers are particularly pernicious when they involve code due to the amount of sensitive data that extensions may be able to see. And they can affect a lot of people: Chrome is used by something like 2-3 billion people worldwide. While the majority of that usage nowadays occurs on mobile devices – where, on iOS devices at least, Chrome extensions aren’t currently an option – many desktop and Android-based Chrome users have extensions installed. The last time Google offered an official number was in 2010, when a third of Chrome users were said to have at least one extension installed.
Frisbie said that he’s a Google Developer Expert on Browser Extensions and thus has access to the Chrome team and has been working with them to shape the Chrome Extensions platform.
Changes of ownership are particularly problematic for browser extensions, Frisbie explained, because of a confluence of factors: they’re more powerful than most people realize; they’re difficult to monetize; the Chrome Web Store doesn’t disclose a lot of details about extension developers; extensions tend to be installed for a long time and get automatic updates; and transferring ownership is easy and done without meaningful oversight.
“This combination of factors brought the ecosystem to where it is today,” he said. “Extensions with lots of users get lots of acquisition offers, usually from individuals who can’t be easily identified and don’t disclose what their intentions are.
The Chrome team is entertaining changes that would allow for this sort of detection
“If the user was notified of a change of ownership, they could potentially avoid all this.”
Frisbie said he’s building an extension promotion platform called ExBoost to improve the extension ecosystem and make it safer. Under New Management relies on an ExBoost API server to handle the checking of developer information due to Cross Origin Resource Sharing rules limiting access to data related to extension domains.
Thanks for Frisbie’s work, Google may be open to implementing an official API to detect ownership changes. “I’m pleased to say that, as a result of the attention this has received, the Chrome team is already entertaining changes to the web extensions API that would allow for this sort of detection,” he said.
Google’s Chrome team, we’re told, is aware of Frisbie’s extension and thinks it’s interesting, and has encouraged him to discuss it with members of the W3C’s WebExtensions Community Group. ®