X

Chrome extensions change hands, add malware

Adware vendors are purchasing Chrome extensions from their creators and using the software to push adware and malware to users.

Michelle Starr Science editor
Michelle Starr is CNET's science editor, and she hopes to get you as enthralled with the wonders of the universe as she is. When she's not daydreaming about flying through space, she's daydreaming about bats.
Michelle Starr
2 min read

Adware vendors are purchasing Chrome extensions from their creators and using the software to push adware and malware to users.

Angered Add to Feedly users. (Credit: Amit Agarwal)

Like apps on the iTunes store, Chrome extensions may be purchased from their creators. But there's a massive problems with this: Chrome extensions update automatically and silently, and Google can't vet every single update — even though such behaviour violates the company's terms of service.

This means that, even when you download an extension from a vendor you trust, there may come a time in the future when, unbeknownst to you, the software starts serving up adware.

Case in point are two extensions that Google has recently removed from its store after users started kicking up a stink, as Ars Technica reports. Add to Feedly, the first of these apps, was built in an hour by Amit Agarwal — so when an unknown buyer asked to purchase it for a four-figure sum, he decided to take the offer.

Along with the extension, though, came over 30,000 users. Nothing occurred for a month, but when the new owner decided to update the extension, users started angrily reporting that it now injected adware on to pages and redirected URLs.

Tweet this Page did something similar, hijacking Google searches.

Google's policies do state that ad insertion is allowed — so long as the extension clearly discloses these activities to the user. But when the extension does not follow this rule, Google, it seems, has no way of knowing that the software is violating this policy. These two extensions were not removed from the Chrome Webstore until Google had been alerted to their presence by a request for comment from The Wall Street Journal.

At this point, there is very little to nothing you can do to prevent this from occurring. However, now that Google knows that this is happening, hopefully the company will do something to prevent it very soon. Meanwhile, Ars Technica offers a few tips on how to protect yourself.