Dozens of backdoored Chrome extensions discovered on 2.6 million devices

ispshadow

Smack-Fu Master, in training
87
Wake up call for 2025. This is a nice reminder that I'm not compartmentalizing my browsing enough and relying far too hard on code from (waves hands around) literal strangers making browser extensions for no reason at all except maybe goodwill towards other humans. I shouldn't be trusting random extensions to start with and one of these hit is an extension I use on Firefox.

Now I have a ton of passwords to rotate, just in case this problem hit Firefox too and nobody has discovered it yet.
 
Upvote
10 (11 / -1)

TylerH

Ars Praefectus
4,880
Subscriptor
The common case of blaming the victim.

You can be vigilant, hyper-trained and very diligent, but you cannot be this 100% of the time.

Humans are notoriously fallible machines. An email could land while you're sad, hungry, in a panic, grieving etc, any of which are sufficient to make you make mistakes that you wouldn't normally make.
Let's not put words in others' mouths. This is absolutely also the fault of the bad actors doing the phishing. I'll be first in line to request that we find those folks and throw 'em in chains. I also readily admit that there are lots of other ways that are reasonable to get your credentials stolen. MITM attacks, unnoticed physical theft of security data or information (e.g. pickpocketing or over the shoulder snooping, or remote scanning via bluetooth or NFC devices), threats of force where you're forced to make a complex decision about personal safety, or even actually clever, well-written spear phishing attempts. But this is like all the other articles Dan writes up about security breaches: somebody somewhere who really ought to know better fell for a rather basic phishing attempt.

This is someone whose job is to manage an app in the google play store. And not just any app; a security app. But there were at least three different paradigms of basic IT security not followed here:

  • random suspicious email from a random suspicious domain was not verified in the dev console
  • weirdly formatted email that took you to a weird page not matching what it purported to be
  • asking you to login with credentials that should have already been active if coming from another Google service

As another user mentioned, using a password manager would have also been a good clue/security practice here when it didn't fill in the credentials for this site. I don't blame the developer for not being perfect, but I do blame them for not passing muster on things he was almost certainly hired in the first place to pass muster on. I also blame the company for touting themselves as a security company and not enforcing some pretty basic security practices here (no code reviews before uploading? no mandating separate accounts for code repositories? Not mandating MFA for accounts with this level of access to their app deployment infrastructure? There's a lot we don't know that might make the company look even worse.)

So, yeah, I blame everyone involved who didn't do what they should have done, not 'the victim'.
 
Upvote
17 (18 / -1)

TylerH

Ars Praefectus
4,880
Subscriptor
When people say "I have to use Chrome because I need it for work", are there really no other Chromium-based browsers that will do the job?
People who "have to use Chrome for work" generally don't have permission to use something else... or they would. Their browsers and OS permissions are likely managed by some other group or department. As a developer I have local admin rights on my developer machine for example, so I can download and install Chrome if I want. However, I'm not a domain admin, so I can't do anything about a domain-wide security rule that runs every day to uninstall Chrome if it is found on any computers it scans. I have to get a separate rule created for my computer to be whitelisted/excluded from the previous rule. If that starts to sound like a headache, you're right, it is, and that's why lots of companies don't even bother with such exceptions. They just mandate a specific browser. Which, it turns out, is also easier for support purposes, too, so it's kind of a win-win.

And that's not even getting into the territory where you have to access some web service that literally doesn't work outside of said browser! (those scenarios drive me up the wall)
 
Last edited:
Upvote
23 (23 / 0)

TylerH

Ars Praefectus
4,880
Subscriptor
How do you know it was a senior developer and not an intern?
This person was on the list to ostensibly receive such notices from google and who had the capabilities to apply this kind of change with their credentials. So... the company's already on the hook for poor security practices (especially for a security company), but giving that kind of access to an intern would pretty much be a death knell for their company.
 
Upvote
6 (6 / 0)

ScifiGeek

Ars Legatus Legionis
18,971
I think I'm going to use two separate browser instances. One with extensions for less secure stuff and one without for stuff I don't want compromised.

Does launching a "Private Browser Window" count? I usually do that for transactions, and I have my plugins disabled in the private browser window. Though I generally only run UBO, ScriptSafe, and BlockTube.
 
Upvote
6 (6 / 0)

mpfaff

Ars Praefectus
3,141
Subscriptor++
I'd rather be tracked by ads than tracked by extensions. The ads can't see my keystrokes.

It's not hard to use reputable extensions; every time I see one of these articles it's full of extensions that seem obviously shady. Like uBlock Origin is reputable, so is Privacy Badger, both make the Internet a better place.
 
Upvote
14 (15 / -1)

dragonzord

Ars Scholae Palatinae
757
Does launching a "Private Browser Window" count? I usually do that for transactions, and I have my plugins disabled in the private browser window. Though I generally only run UBO, ScriptSafe, and BlockTube.
Yes, but there's still sessions and history I'd prefer to maintain. It looks like profiles on Chrome have separate extensions so that's maybe a simple approach. On Firefox, containers seem to share extensions. I may just use Firefox DE for all the extensions and vanilla Firefox for secure needs.
 
Upvote
2 (2 / 0)

OrvGull

Ars Legatus Legionis
11,729
It's not hard to use reputable extensions; every time I see one of these articles it's full of extensions that seem obviously shady. Like uBlock Origin is reputable, so is Privacy Badger, both make the Internet a better place.
The problem comes when an extension starts out reputable but is bought by someone shady, like happened with AdBlock.
 
Upvote
28 (28 / 0)

Kebba

Ars Scholae Palatinae
960
Subscriptor
Let's not put words in others' mouths. This is absolutely also the fault of the bad actors doing the phishing. I'll be first in line to request that we find those folks and throw 'em in chains. I also readily admit that there are lots of other ways that are reasonable to get your credentials stolen. MITM attacks, unnoticed physical theft of security data or information (e.g. pickpocketing or over the shoulder snooping, or remote scanning via bluetooth or NFC devices), threats of force where you're forced to make a complex decision about personal safety, or even actually clever, well-written spear phishing attempts. But this is like all the other articles Dan writes up about security breaches: somebody somewhere who really ought to know better fell for a rather basic phishing attempt.

This is someone whose job is to manage an app in the google play store. And not just any app; a security app. But there were at least three different paradigms of basic IT security not followed here:

  • random suspicious email from a random suspicious domain was not verified in the dev console
  • weirdly formatted email that took you to a weird page not matching what it purported to be
  • asking you to login with credentials that should have already been active if coming from another Google service

As another user mentioned, using a password manager would have also been a good clue/security practice here when it didn't fill in the credentials for this site. I don't blame the developer for not being perfect, but I do blame them for not passing muster on things he was almost certainly hired in the first place to pass muster on. I also blame the company for touting themselves as a security company and not enforcing some pretty basic security practices here (no code reviews before uploading? no mandating separate accounts for code repositories? Not mandating MFA for accounts with this level of access to their app deployment infrastructure? There's a lot we don't know that might make the company look even worse.)

So, yeah, I blame everyone involved who didn't do what they should have done, not 'the victim'.
IT really needs to take a look at how good-quality manufacturing handles humans.

The short summary is: Humans make mistakes. Do not allow them to.

What this in practice means is that a person is never trusted to do anything important correctly. The "correct" way to do something should always be the only way to do it, and if that is not possible there needs to be a machine to check the work. A person plugs two cables in? Colour coding is insufficient; they must be incompatible and/or have lengths that make it completely impossible to swap them. Anything else is accepting that swapping them will happen.

For these problems that means that there is only one way to "solve" phishing: Hardware keys or passkeys. User training, relying on "experience" or any other "fix" is a bandaid to lower the risk for low risk accounts. When the consequence is catastrophic it simply should be unacceptable with anything but methods that are unphishable.
 
Upvote
12 (14 / -2)
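An added example, written for this thread rather than taken from any commenter or product: it models why Kebba's "unphishable" methods (passkeys / hardware keys) hold up where a password does not, and it is the same origin-matching idea behind the password-manager clue TylerH mentions. The hostnames `bank.example` and `bank-example.com`, the class and function names, and the scenarios are all constructed for illustration; a keyed HMAC stands in for the authenticator's private-key signature so the script runs with the Python standard library only. The binding checks (browser refuses rp_ids the page does not own, authenticator only has credentials scoped to the real site, relying party verifies origin, rpIdHash and a one-time challenge) follow the WebAuthn design in outline.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# NOTE: HMAC stands in for the authenticator's asymmetric signature so this runs offline
# with the standard library; the origin/rpId binding logic is the point of the example.


class Authenticator:
    """Models a passkey or hardware key: each credential is scoped to one Relying Party ID."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def create(self, rp_id):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # real WebAuthn hands the RP a public key, not this key

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._creds:
            raise LookupError("no credential scoped to rp_id %r" % rp_id)
        cred_id, key = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, as in authenticatorData
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def client_data(origin, challenge):
    """clientDataJSON: the browser, not the page, writes the origin into it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def browser_get(authenticator, origin, rp_id, challenge):
    """Browser role: refuse rp_ids the page does not own, then sign over the true origin."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("origin %s may not use rp_id %r" % (origin, rp_id))
    cd = client_data(origin, challenge)
    cred_id, auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(cd).digest())
    return {"credential_id": cred_id, "client_data": cd, "auth_data": auth_data, "signature": sig}


class RelyingParty:
    """The site being logged into; it stores registered keys and outstanding challenges."""

    def __init__(self, rp_id, origin):
        self.rp_id = rp_id
        self.origin = origin
        self._keys = {}
        self._pending = set()

    def register(self, cred_id, key):
        self._keys[cred_id] = key

    def new_challenge(self):
        c = secrets.token_urlsafe(16)
        self._pending.add(c)
        return c

    def verify(self, assertion):
        key = self._keys.get(assertion["credential_id"])
        if key is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # produced for some other site: the phishing case
        if cd.get("challenge") not in self._pending:
            return False  # unknown or already-used challenge: the replay case
        self._pending.discard(cd["challenge"])
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(key, assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios():
    """Constructed scenarios: the genuine site, a lookalike phishing domain, a forged origin, a replay."""
    rp = RelyingParty("bank.example", "https://accounts.bank.example")
    key_device = Authenticator()
    cred_id, key = key_device.create("bank.example")
    rp.register(cred_id, key)
    out = {}

    # 1. Genuine login from the bank's own origin.
    ch = rp.new_challenge()
    good = browser_get(key_device, "https://accounts.bank.example", "bank.example", ch)
    out["genuine"] = rp.verify(good)

    # 2. A lookalike page relays the bank's real challenge and asks for the bank's rp_id.
    ch = rp.new_challenge()
    try:
        browser_get(key_device, "https://bank-example.com", "bank.example", ch)
        out["lookalike_asks_for_bank_rp_id"] = "assertion produced"
    except PermissionError:
        out["lookalike_asks_for_bank_rp_id"] = "browser refused"

    # 3. The same page asks for its own rp_id: the key holds nothing scoped to it.
    try:
        browser_get(key_device, "https://bank-example.com", "bank-example.com", ch)
        out["lookalike_own_rp_id"] = "assertion produced"
    except LookupError:
        out["lookalike_own_rp_id"] = "no credential"

    # 4. A compromised client skips the browser check; the RP still sees the wrong origin.
    cd = client_data("https://bank-example.com", ch)
    cid, ad, sig = key_device.get_assertion("bank.example", hashlib.sha256(cd).digest())
    out["forged_origin"] = rp.verify({"credential_id": cid, "client_data": cd,
                                      "auth_data": ad, "signature": sig})

    # 5. Replaying the genuine assertion: its challenge was consumed in step 1.
    out["replay"] = rp.verify(good)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "->", result)
```

Running it prints one line per scenario: only the genuine login verifies, and none of the phishing-side paths ever yields an assertion the bank will accept, regardless of how convincing the email or the page looked to the person clicking. A password manager's refusal to autofill on `bank-example.com` is the same check done by a weaker mechanism: it compares the page's origin against the stored one, but it cannot stop the user from typing the password in by hand.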

sarusa

Ars Praefectus
3,258
Subscriptor++
People complaining about Honey here...

It was very obvious from the start, just from the description of what it was supposed to be doing, that the behaviors people are so 'surprised' about now were its very obvious business model. If you give an extension control over your 'online deals' and all your browsing, especially when that extension is from f@#$ing Paypal, of course it's going to redirect all the referrals, not give you the best deals, give all your browsing info to Paypal, and sell you to shady sites/creators as the product. It even says all this (vaguely) in the EULA, which of course nobody read. How was anyone surprised about any of this in 2024? Especially when the extension is named 'Honey'(pot), just to rub your face in how much of a dumbass you are if you install it.

Apparently the people most surprised were the greedy channel / site operators who were happy to get Honey money up front and promote the f@$# out of this obviously shady scam to their stupid subscribers, but then were outraged when the scam didn't work out quite how they were expecting ( 'wait, we're getting scammed too!?!1'). As if LTT promoting them wasn't an obvious enough sign of scam, LTT dropping them was basically nuclear scam alert.

Well hopefully this was all a learning experience for some people.
 
Upvote
8 (14 / -6)

Zeroumus

Ars Tribunus Militum
2,742
Speaking of Malicious extensions...

No Ars Discussion of the Honey Scam. The extension that purports to find you deals, but its main purpose is poaching affiliate links (commissions and more). It's potentially considered the biggest scam in creator space ever. Honey is not some tiny shady operation. PayPal owns them and paid billions for a business based on fraud.

They spent millions on getting internet creators to promote it, and then turned around and poached their affiliate links.

Megalag broke the story:

View: https://www.youtube.com/watch?v=vc4yL3YTwWk


Legal Eagle is spearheading a class action.

View: https://www.youtube.com/watch?v=4H4sScCB1cY

If you guys would use SponsorBlock, you would not even see these stupid Honey in-video ads.
 
Upvote
-7 (2 / -9)
Because you expanded the comments, which Ars has less control over and which for this story contain multiple links to YouTube and Google Play. If you just load the article page without comments loaded, uBO will report zero trackers blocked.
^ that. That’s how it works in the background. It shouldn't, but it does.
 
Upvote
0 (1 / -1)

Magius

Ars Scholae Palatinae
697
Reading the comments here, I find it interesting how many focus on the extensions or the browser, ignoring that the source of it all was the phishing email.

Public Service Message:

Do not click on any links inside an unsolicited email.
Simply do not.
I don't care how official the message looks, if it comes from grandma (especially if it comes from any parents/grandparents), or some prince or another.

DON'T.

On the utility of extensions... Yes, there are many that seem useless to most people, but may cover some niche use or another. Others, they do help with security, trackers, or annoyances, like ad blockers do. Just don't jump on the first one you see, check the permissions they use, limit your consumption, etc.

As for manifest V3... Google took more than it gave back to maintain their business model. That's that.
 
Upvote
3 (6 / -3)

ispshadow

Smack-Fu Master, in training
87
I think I'm going to use two separate browser instances. One with extensions for less secure stuff and one without for stuff I don't want compromised.
That used to be part of my workflow and slowly but surely I stopped taking it seriously, with everything creeping back into one browser jammed full of nonsense. I don't want my household to learn a very painful lesson, so I'll have a busy day tomorrow.
 
Upvote
6 (6 / 0)

Da Xiang

Ars Tribunus Angusticlavius
6,594
Subscriptor
Everyone I think.

The wonder of the new Ars new web design in which the content pane is 4 inches wide on my 27" monitor.
Hold down the Ctrl key and scroll your mouse wheel to resize any webpage. No problems here. Of course I also use a 48" UHD screen for my monitor.....(y)
 
Upvote
-11 (0 / -11)
Hold down the Ctrl key and scroll your mouse wheel to resize any webpage. No problems here. Of course I also use a 48" UHD screen for my monitor.....(y)
Talk about missing the point. I don't need or want the text bigger. My eyes are perfectly fine thanks. I want the text column wider. Zooming the entire webpage does not solve that.
 
Upvote
9 (12 / -3)

Da Xiang

Ars Tribunus Angusticlavius
6,594
Subscriptor
Talk about missing the point. I don't need or want the text bigger. My eyes are perfectly fine thanks. I want the text column wider. Zooming the entire webpage does not solve that.
I said nothing about making anything bigger.....You want to make the spreadsheet fit your screen, then you would zoom out to make the sheet smaller. Obviously if you are trying to read that on a phone you wouldn't have a Ctrl key or a mouse wheel so I was only talking to anyone who is trying read the sheet on a PC. If you want to make individual columns wider that's a different matter and my comment could have been easily ignored as not being relevant to you. Regardless your snark was completely uncalled for. Happy New Year.
 
Upvote
-13 (0 / -13)

ScifiGeek

Ars Legatus Legionis
18,971
I said nothing about making anything bigger.....You want to make the spreadsheet fit your screen, then you would zoom out to make the sheet smaller. Obviously if you are trying to read that on a phone you wouldn't have a Ctrl key or a mouse wheel so I was only talking to anyone who is trying read the sheet on a PC. If you want to make individual columns wider that's a different matter and my comment could have been easily ignored as not being relevant to you. Regardless your snark was completely uncalled for. Happy New Year.

You are still missing the point. You offered a solution to no one.

That just zooms the whole page in/out. It does NOT fix the scrolling in the table people are complaining about.

Since you didn't pay attention to the actual problem, when you offered your non-solution, don't get offended when it's pointed out that you solved nothing.
 
Upvote
14 (14 / 0)

m0nckywrench

Ars Tribunus Angusticlavius
7,490
Why people would download and install something like that is beyond me.

Grifters and other predatory realists profit from insightful understanding of their target demographics. ~130 million Americans can barely read and most won't be reading Ars, but most can operate a phone.

Be glad you chose to know better but not everyone is curious enough to enjoy technology.
 
Upvote
4 (4 / 0)

ERIFNOMI

Ars Legatus Legionis
17,194
Chrome and Edge come with their own built-in password managers integrated with your Google or MS account respectively, making them portable to your account login. I'd argue that's probably a safer bet than third-party extension, even if it's just one more thing you end up entrusting to the tech giants.
I wouldn't.
 
Upvote
3 (4 / -1)

MechR

Ars Praefectus
3,212
Subscriptor
Talk about missing the point. I don't need or want the text bigger. My eyes are perfectly fine thanks. I want the text column wider. Zooming the entire webpage does not solve that.
FYI, Ars gives subscribers a setting to make the text column wider (by taking up the margins that normally show ads to nonsubscribers), and it's enough to display the full table width in this case.
 
Upvote
8 (8 / 0)
The problem comes when an extension starts out reputable but is bought by someone shady, like happened with AdBlock.

Valid point, but the New York Times, Forbes, BBC, AOL, Spotify, etc. have all served malicious ads. Likewise, password reuse and phishing are extremely common attack vectors, both mitigated to some extent by a reputable password manager. Keeping one's attack surface small and using just one or two extensions can still be a net security gain.
 
Upvote
6 (6 / 0)