"Web Developer" Chrome Extension Infected with Adware

12 points by dperfect ↗ HN
The "Web Developer" extension (ID bfbameneiokkgbdmiekhjnmfkcnldhhm) has started injecting ads into websites. It looks like Google has since removed it from the their listings, but unfortunately that doesn't help people who already have it installed[1].

You may want to check to see if you have it installed so you can remove it.

[1] Seriously, why doesn't Google at least notify users who have extensions with reported abuse installed?

11 comments

[ 3.0 ms ] story [ 34.8 ms ] thread
I remember that quite some time ago, the Live HTTP Headers extension did this as well
Dammit! Just been hit with this. I've disabled it. But in the 2 hours it was running, it had a lot of permissions. Any damage it could have done?

This has shaken my faith in browser extensions, and I (IMHO) an example of why we need iOS style sandboxing.

And how would "iOS style sandboxing" prevent a browser extension from specifically injecting ads onto a webpage? If an extension cannot access and modify webpages, there's no point in having them in the first place.

At least adding ads is visible to the user. I once noticed a screen capture extension I had was sending every URL I viewed to about 7 different tracking services behind the scenes...

I was more referring to browser extensions punching out of the browser sandbox. I'm not a browser extensions developer, but can extensions read/write to your file system for instance, given enough permissions? If I was the hacker, what would be the maximum damage I could do with this particular extension? I guess I'm just a bit worried that's all :-)
Chrome extensions are "sandboxed" in the sense that only the extension code has access to the special APIs behind special permissions. If they just inject some ads onto a page, they won't have access to the extension APIs (they do naturally have access to everything on the page itself, which is why it's still a bad thing).

It would take a reasonable amount of stupidity to manage to download untrusted code and run it in a context that has access to the extension APIs if all you wanted to do is inject ads onto webpages. But no amount of sandboxing is going to stop that, if you give the code the permissions it wants. That's why one should always evaluate both the trustworthiness and competence of the developer before granting them scary permissions.

I ran into the same thing this morning.

Any click to dom element or opening new tabs was popping up alerts/confirmations and/or attempting redirects.

Only reason I noticed it was web developer extension was weird console-logs that I had never seen coming from the extension.

Disabled and all the popups have disappeared.

Who's up for making an open source extension which tracks compromised extensions and warns the user if they have any?

How this could also be protected against similar phishing attacks would be an interesting problem to solve too.

I had the extension disabled, so I'm guessing I should be OK, right? Or can Chrome extensions still run stuff even after the user disabled them?