Google Auto-Update Weakness Exposed by Ad-Peddling Extensions

Google removed two Chrome extensions from the Chrome Store after both were recently bought by spammers who reconfigured the extensions to inject ads into websites visited by users.

Two Chrome extensions went from legitimate browsing add-ons to adware-spewing nuisances in the blink of a legitimate transaction.

Google recently took action against the Add to Feedly and Tweet this Page extensions, removing both from the Chrome Store after they were sold to adware brokers and found to be injecting ads into pages visited by users. The immediate risk has been mitigated, but the episode also exposed a weakness in Google’s auto-update mechanism, which silently pushed the changes made by the extensions’ new owners to every installed copy without any heads-up to users.

Amit Agarwal, a popular blogger in India, sold the Add to Feedly extension after receiving a four-figure offer, he said. The deal was too good to resist, especially considering the extension took him an hour to develop. Agarwal admits he did not know the buyer, nor why they would pay good money for a Chrome extension that had been downloaded more than 30,000 times when it was sold.

Agarwal said that within a month, the new owner had built in advertising and users were seeing ads injected onto random websites they visited.

“These aren’t regular banner ads that you see on web pages, these are invisible ads that work in the background and replace links on every website that you visit into affiliate links,” Agarwal wrote on his website labnol.org. “In simple English, if the extension is activated in Chrome, it will inject adware into all web pages.”

Google pulled the extensions from the Chrome store because they were in violation of the quality guidelines established by the company. Google’s policy states that extensions must have a single purpose and users should not be forced to agree to additional functionality, especially if it is unrelated to the extension.

“If two pieces of functionality are clearly separate, they should be put into two different extensions, and users should have the ability to install and uninstall them separately,” the policy states, adding that this goes for bundled toolbars as well; Google says those should be separate extensions.

The spammers’ approach is clever. Buying popular extensions such as Agarwal’s, which he said he wrote in response to Google’s decision to shut down Google Reader, gives adware purveyors an established user base to which they can push ads for profit. Couple that with the ability to piggyback on Google’s silent auto-update mechanism, which delivers the new code to existing users with no action on their part, and the result is an inviting vector for pushing not only spam but malware.

“The extension does offer an option to opt-out of advertising (you are opted-in by default) or you can disable them on your own by blocking the superfish.com and www.superfish.com domains in your hosts file,” Agarwal said of his old extension. “But quietly sneaking ads doesn’t sound like the most ethical way to monetize a product.”
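The link rewriting Agarwal describes, and the silent update that delivered it, are exactly the kind of change an end user never sees. As an added example (not code from the article or from either extension it describes), the following Node.js script compares two constructed snapshots of an extension, its manifest and bundled script before the sale and after the update, and reports what the update widened: new content-script match patterns (especially `<all_urls>`), new permissions, and newly referenced external hosts. The manifest keys used (`content_scripts`, `matches`, `permissions`) are standard Chrome extension manifest fields; the snapshot contents, the `example.com` share URL and the `?r=` parameter are made up for this example, and `www.superfish.com` is used only because it is the domain Agarwal names.

```javascript
// Added example, not code from the article or from either extension it
// describes. Audits two snapshots of an extension (manifest + bundled script)
// and reports changes in the update that widen what the extension can do on
// pages the user visits. The snapshots below are constructed.

const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const RISKY_PERMISSIONS = new Set([
  "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "webNavigation", "cookies",
]);

// All match patterns declared by content scripts in a manifest.
function contentScriptMatches(manifest) {
  const matches = new Set();
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) matches.add(m);
  }
  return matches;
}

function declaredPermissions(manifest) {
  return new Set(manifest.permissions || []);
}

// Hostnames of absolute http(s) URLs that appear in script source.
function referencedHosts(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Elements of `after` that are not in `before`, in insertion order.
function added(before, after) {
  return [...after].filter((x) => !before.has(x));
}

// Compare two snapshots of shape {manifest, script}; returns [{kind, detail}].
function auditUpdate(before, after) {
  const findings = [];
  for (const m of added(contentScriptMatches(before.manifest), contentScriptMatches(after.manifest))) {
    findings.push({ kind: BROAD_MATCHES.has(m) ? "new-broad-content-script" : "new-content-script", detail: m });
  }
  for (const p of added(declaredPermissions(before.manifest), declaredPermissions(after.manifest))) {
    findings.push({ kind: RISKY_PERMISSIONS.has(p) ? "new-risky-permission" : "new-permission", detail: p });
  }
  for (const h of added(referencedHosts(before.script), referencedHosts(after.script))) {
    findings.push({ kind: "new-external-host", detail: h });
  }
  return findings;
}

// Constructed "before sale" snapshot: a single-purpose button that opens a share page.
const BEFORE = {
  manifest: {
    manifest_version: 2,
    name: "Example Share Button",
    version: "1.0",
    permissions: ["activeTab"],
    browser_action: { default_title: "Share this page" },
  },
  script: `
chrome.browserAction.onClicked.addListener((tab) => {
  chrome.tabs.create({ url: "https://example.com/add?url=" + encodeURIComponent(tab.url) });
});`,
};

// Constructed "after update" snapshot: same button, plus a content script on
// every page that rewrites links to pass through an ad host. The domain is the
// one Agarwal names; the query parameter and the rest are made up.
const AFTER = {
  manifest: {
    ...BEFORE.manifest,
    version: "1.1",
    permissions: ["activeTab", "tabs"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_end" }],
  },
  script: BEFORE.script + `
const AD_HOST = "https://www.superfish.com/";
for (const a of document.querySelectorAll("a[href]")) {
  a.href = AD_HOST + "?r=" + encodeURIComponent(a.href);
}`,
};

console.log(auditUpdate(BEFORE, AFTER));
```

Run with `node audit.js`; for the constructed snapshots it reports a new `<all_urls>` content script, a new `tabs` permission and a new external host, `www.superfish.com`. The check only looks at what the update declares and which hosts its code names; a real pre-update gate would also diff file hashes and refuse to install a version that widens match patterns or permissions until a human has reviewed it.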
