The other day, a Chrome extension I’ve used from time to time, Awesome Screenshot, prompted me to “enable it” again because the mini-application needed increased permissions. It’s been the perfect solution for the simple, no-fuss screenshots I need to take from time to time for my job as a technology blogger, but I didn’t need it now and I didn’t have the time to figure out why on earth it needed its permissions increased. I clicked ignore and decided to take a look at it later, or more likely, just enable it when I needed it again.

Turns out, I had good reason to be wary.

The apps creators, likely in a bid to earn a little more passive revenue, updated the extension to manipulate Google search results to include Amazon listings in the top rankings, with affiliate links for the extension’s creators. The app was so sneaky about it, however, that some writers were duped into thinking that it was an official Amazon/Google partnership, while some sleuths over at Webmaster world worked to uncover the true story. As the duped writer notes, he was even testing the results in incognito mode with all extensions disabled, which I, too, imagined would have turned the ad injections off.

A user claiming to be the developer gave the following explanation on the extension’s homepage:

Hi All, This is Joel, developer of awesome screenshot. I am so sorry to add the amazon search result in google search result page without info our users first. It’s such a bad decision.

This additional features was designed to scratch our own itch. Because when I search some shopping items in google, I always want to check them in amazon at the same time.

In the spirit of transparency, we should disclose that this feature does bring small amount of revenue to us, which enables us to continue to improve this product.

Since so many users don’t like it, we already updated a new version(3.2.1) to remove this feature.

The comments below that, however, indicate that the extension has lost a lot of credibility, at least among the users who could track down where the problem was coming from. The larger threat, however, is that users have an expectation that these extensions are safe, sandboxed and vetted. When even Chrome Incognito mode lets something this dangerous slip by, all the IT curmudgeons’ worst fears of rapidly updated browsers are suddenly validated. And while this extension’s damage was relatively trivial (a slightly degraded user experience), it provides an excellent road map for eager spear phishers and other targeted attackers who can now manipulate the closest things the Internet has to a holy Bible: Google search results.

We’re used to e-mail being fraudulent, but what if an employee Googled your bank, your CRM software, your travel system? And then clicked that link expecting (and seeing) a valid looking page?

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

Currently, most media reports cite a Microsoft Internet Explorer security flaw as the attack vector for the high-profile security breach, as widely touted by anti-virus maven McAfee. In an e-mailed statement, Schulman had a different theory.

“First, why are Google employees using IE and not Google’s own browser, Chrome?  This doesn’t make sense,” explained Shulman.

“Second, to execute an attack this sophisticated, it likely occurred as a result of spear phishing Google employees to gain access to Google users credentials.  A hacker would have to jump through many hoops inside an internal network. This requires network—not browser—vulnerabilities so that the attacker can communicate with malware inside Google’s internal network,” explained Shulman.

“Unfortunately, blaming Microsoft is all too easy and it’s leading to a panic.  France and Germany are now recommending that its citizens not use Internet Explorer given its role in the recent Google hacking incident,” he said citing today’s decision by the leading European governments.  “Could this be a clever way to boost Google Chrome downloads?”

While it’s perfectly fine to question McAfee’s speculation that it’s an Internet Explorer security hole, Microsoft has come close to confirming it in its own Security Advisory 979352 (emphasis mine):

Microsoft thanks the following companies for working with us and for providing details of the attack:

• Google Inc. and MANDIANT
• Adobe
• McAfee

Er, erm. Eh.

At least Imperva’s take makes a good story. I e-mailed Rob Rachwald with Imperva, who e-mailed me Schulman’s statement originally, for clarification.