Enterprise IT Watch Blog

Aug 18 2011   11:41AM GMT

Chrome Extensions: The next spear phishing vector?

Michael Morisy Michael Morisy Profile: Michael Morisy

The other day, a Chrome extension I’ve used from time to time, Awesome Screenshot, prompted me to “enable it” again because the mini-application needed increased permissions. It’s been the perfect solution for the simple, no-fuss screenshots I need to take from time to time for my job as a technology blogger, but I didn’t need it now and I didn’t have the time to figure out why on earth it needed its permissions increased. I clicked ignore and decided to take a look at it later, or more likely, just enable it when I needed it again.

Turns out, I had good reason to be wary.

The apps creators, likely in a bid to earn a little more passive revenue, updated the extension to manipulate Google search results to include Amazon listings in the top rankings, with affiliate links for the extension’s creators. The app was so sneaky about it, however, that some writers were duped into thinking that it was an official Amazon/Google partnership, while some sleuths over at Webmaster world worked to uncover the true story. As the duped writer notes, he was even testing the results in incognito mode with all extensions disabled, which I, too, imagined would have turned the ad injections off.

A user claiming to be the developer gave the following explanation on the extension’s homepage:

Hi All, This is Joel, developer of awesome screenshot. I am so sorry to add the amazon search result in google search result page without info our users first. It’s such a bad decision.

This additional features was designed to scratch our own itch. Because when I search some shopping items in google, I always want to check them in amazon at the same time.

In the spirit of transparency, we should disclose that this feature does bring small amount of revenue to us, which enables us to continue to improve this product.

Since so many users don’t like it, we already updated a new version(3.2.1) to remove this feature.

The comments below that, however, indicate that the extension has lost a lot of credibility, at least among the users who could track down where the problem was coming from. The larger threat, however, is that users have an expectation that these extensions are safe, sandboxed and vetted. When even Chrome Incognito mode lets something this dangerous slip by, all the IT curmudgeons’ worst fears of rapidly updated browsers are suddenly validated. And while this extension’s damage was relatively trivial (a slightly degraded user experience), it provides an excellent road map for eager spear phishers and other targeted attackers who can now manipulate the closest things the Internet has to a holy Bible: Google search results.

We’re used to e-mail being fraudulent, but what if an employee Googled your bank, your CRM software, your travel system? And then clicked that link expecting (and seeing) a valid looking page?

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: