Fake Chrome Extensions: Google Asleep at the Switch
Hi. Uh… that “Microsoft Authenticator” extension that you installed? The one that has access to all your browsing, and that can redirect you anywhere when you least expect it? It is actually malware, designed to phish your passwords. (Beautiful blue sofa, BTW.)
No, Microsoft didn’t write it. Still, it’s in the Google Chrome extensions store. You see, Google doesn’t really do any checking before releasing browser extensions. Because of course it doesn’t.
Be careful there. This is always good advice. But shouldn’t we expect more from Google, given how much it sings about its AI chops?
And Firefox won’t save you either. In today’s SB Blogwatch, we’re burning it all down.
Your humble blogger has curated these blog posts for your entertainment. Without forgetting: atomic diagrams.
“Yeah, I got phished.”
What is the craic? Martin Brinkmann reports: “Do not download this Microsoft Authenticator extension”:
“400 users”
Extension stores that rely on automatic submission reviews are more prone to offering bogus and malicious extensions. … The name suggests that this is an official Microsoft product, but it is not. One clue that something is wrong is that the company offering the extension is not Microsoft Corporation but “Extensions”. … Developer email… uses a Gmail address, not an official Microsoft address.
In this case, it is quite obvious that the extension is … wrong. Yet over 400 users have already installed the extension.
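The clues in the quoted report (a brand in the name, a publisher that is not the brand owner, a free-mail developer contact), together with the all-sites access mentioned at the top of this post, can be checked mechanically. This is an added example, not code from the original post or from any of the quoted authors; the `listing` fields, the brand table and the sample records are constructed assumptions, and only the manifest keys are Chrome's own.

```javascript
// Added example: triage a store listing and manifest for impersonation clues.
// The `listing` fields, BRANDS table and sample records are constructed.
// Manifest keys (name, permissions, host_permissions) are Chrome's own.
const BRANDS = {
  microsoft: { publishers: ["microsoft corporation"], mailDomains: ["microsoft.com"] },
};
const FREE_MAIL = new Set(["gmail.com", "outlook.com", "yahoo.com"]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function triageExtension(listing, manifest) {
  const findings = [];
  // manifest.name may be a localisation placeholder (__MSG_...__), so the
  // store title is checked as well.
  const name = `${listing.title || ""} ${manifest.name || ""}`.toLowerCase();
  const publisher = (listing.publisher || "").trim().toLowerCase();
  const mailDomain = (listing.developerEmail || "").split("@").pop().toLowerCase();

  for (const [brand, owner] of Object.entries(BRANDS)) {
    if (!name.includes(brand)) continue;
    if (!owner.publishers.includes(publisher)) {
      findings.push("brand-in-name-publisher-mismatch");
    }
    if (!owner.mailDomains.includes(mailDomain)) {
      findings.push(FREE_MAIL.has(mailDomain)
        ? "brand-in-name-free-mail-contact"
        : "brand-in-name-foreign-mail-domain");
    }
  }
  // MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  if (hosts.some((h) => BROAD_HOSTS.has(h))) findings.push("all-sites-access");
  return findings;
}

// Constructed records modelled on the clues described in the quote.
const suspectListing = { title: "Microsoft Authenticator", publisher: "Extensions",
  developerEmail: "constructed-example@gmail.com" };
const suspectManifest = { manifest_version: 3, name: "__MSG_appName__",
  host_permissions: ["<all_urls>"] };
const vendorListing = { title: "Microsoft Authenticator",
  publisher: "Microsoft Corporation", developerEmail: "constructed-example@microsoft.com" };
const vendorManifest = { manifest_version: 3, name: "Microsoft Authenticator",
  host_permissions: ["https://login.example.com/*"] };

console.log(triageExtension(suspectListing, suspectManifest));
console.log(triageExtension(vendorListing, vendorManifest));
```

An empty result only means none of these three clues fired; it says nothing about what the extension's code does.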
Oops. Katyanna Quach agrees: “The Microsoft Authenticator extension in the Chrome Store was not actually created by Microsoft. Oops.”:
“Google declined to comment”
The reliability of Google’s Chrome Store has been called into question again after an extension billing itself as Microsoft Authenticator was released by the software souk. … When someone submitted a questionable Chrome add-on called Microsoft Authenticator to the browser store, one would have hoped that Google would have given them more than just a glance.
The legitimate Microsoft authenticator [has] password manager type features. … The add-on code contained a suspicious URL that directed the browser to a website hosted in Poland [and] attempted to phish internet users by redirecting them to a fake login page and asking them for account credentials.
Google declined to comment … how this add-on crept across the net. The extension has now been withdrawn.
Who discovered it? cheph, who summons Schoolman and Serra:
“We are not the customer”
Google won’t remove it even if it has been flagged multiple times. … Google doesn’t care.
Worrying takes money away from them… so it’s best to transfer the **** bull to their “users” – who are really the product being sold to advertisers – so who cares? The customer is always right, it’s just that we are not the customer.
In the same spirit, Pascal Monett has a bridge to sell you:
“I have a bridge to sell you”
Let’s be clear: Google is not there to manage the content of its Store, it is there to make money. Anything goes until someone complains. That’s when Google reacts and goes fishing for a reason not to delete the app.
If you think Google is going to preemptively deprive itself of revenue when no one has noticed, I have a bridge to sell you.
With a pseudonym like Google Sucks, I think we can guess the gist of this comment:
“Lots of malware are hiding”
This can happen when “stores” distribute totally unverified and untested software and also when they do not take enough action to remove clearly bogus reviews. … Google has a horrible (and present) history with all of these significant issues.
It is safe to assume that there is a lot of malware lurking in all of Google’s stores. But most of it won’t be so obvious.
Is this just a Google problem? pingec doesn’t think so:
The problem of untrusted addons also applies to Firefox. I would have liked it to be possible in Firefox to limit the addons that can be loaded per container. The extensions I want to load on banking websites, social media, and YouTube are completely different.
Oh no. Tip from Jhat to JBowler: [You’re fired—Ed.]
“Round circle”
Now let’s put our hands together and find a web browser that is NOT WebKit based. At least if we fail, we can walk around in our flowing skirts singing pieces of the world.
But who in their right mind would install such an extension? Anonymous thinks this is the wrong question:
“No one deserves to be phished”
We were all naïve when we first started using computers and the Internet. If you start with the thought, “No criminal deserves to make a profit” it follows that no one deserves to be phished.
Meanwhile, Peter Prof Fox asks the age-old question:
“Who authenticators and authentic reddat?”
“The concrete reality of atoms”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blog posts, the best forums, and the weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image Sauce: Microsoft Corp. (via Unsplash)