More than 500 Chrome extensions have been removed by Google, after they were caught stealing the data of almost 2 million users.
The Chrome extensions in question stole users' browsing data through shady advertising mechanisms. The extensions would track browsing behavior and then use it to redirect users to a series of host websites in order to generate advertising revenue for the developers. Some of the adverts were for large companies, including Macy's, Dell, and Best Buy, while others redirected users to malware-laden sites.
What's more, almost all of the websites that users were redirected to were hosted on Amazon's AWS servers.
How did the Chrome Extensions Work?
Once a user had inadvertently installed one of the malicious extensions, it had access to data that Chrome extensions shouldn't be able to reach. It then used that data, which included site usage, time spent, idle activity, tracking, and browser activity and statistics, to work out whether the user should be redirected to a host site. Users who were redirected may have been shown ads for legitimate companies including Macy's, Dell, or Best Buy, or they may have landed on malware or phishing sites.
Of course, the internet is covered in adverts. However, Google considered this practice malicious when it was caught, because of the way it invades a user's privacy and redirects them to sites they weren't intending to visit. In fact, users sometimes didn't see the ads at all: they were hidden, tricking users into thinking that they hadn't been subjected to 'malvertising.'
“What differentiates it as malvertising and ad fraud, rather than legitimate advertising,” according to security researchers, “is the large volume of ad content shown, the fact that the user does not see many, if not the majority, of these ads, and the fact that malicious third-party actors are actively using these streams to redirect the user to malware and phishing.”
Why aren't Google, Amazon, and Other Companies Doing More?
Google has been trying to improve vetting on its worryingly easy-to-exploit Chrome Web Store. However, rather than reviewing the code of currently available Chrome extensions to prevent bad behavior, the search giant has limited what Chrome extensions can actually do. Again, though, some extensions being used and distributed on the Web Store were created before these changes, which potentially means that further malicious extensions are still out there.
Amazon, meanwhile, has been under fire for a long time over its AWS service. Some 40% of the internet runs on AWS servers, meaning that Amazon has enormous influence over the internet. Its services also power controversial tech tools, including databases for ICE and the Department of Homeland Security, which has led to employee protests. Despite the protests, however, Amazon has been relaxed about policing who uses its services.
How to Spot a Shady Chrome Extension
Given that Google isn't policing the entire Web Store, it's likely that there will still be some suspicious apps out there.
The best way to avoid installing a shady Chrome extension is to check out the developer. Each extension lists its developer under the extension's name; find out what further information you can about them at this point. Do they have positive reviews, or no reviews at all? Have they developed any other apps? If the developer's own website looks suspect, it might be worth avoiding the extension.
You can also check what level of access each extension will require when you go to install it.
If it looks like the extension is requesting too many permissions, don't install it.
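One way to put that permission check into practice, as an added example that is not from the original article: this Python script reads an extension's manifest.json (the file inside every extension that declares what it is allowed to do) and flags broad host access plus the APIs that would let an extension watch or redirect browsing, which is the shape of the behaviour described above. The risk tiers and the sample manifest are this example's own assumptions, not a Google classification.

```python
import json
import re

# APIs that let an extension observe or rewrite traffic, or reach outside the
# browser; the risk tiers are this example's own rough classification.
HIGH_RISK = {"webRequest", "webRequestBlocking", "proxy", "declarativeNetRequest",
             "nativeMessaging", "management", "debugger"}
MEDIUM_RISK = {"tabs", "history", "cookies", "webNavigation", "scripting"}
# Host match patterns that cover every site the user visits.
BROAD_HOST = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")


def audit_manifest(manifest_text: str) -> dict:
    """Parse a manifest.json (v2 or v3) and report the permissions that deserve
    a second look, plus a coarse rating of how much access is being requested."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = set(m.get("host_permissions", []))          # MV3 lists hosts separately
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 mixes them in
    for script in m.get("content_scripts", []):         # code injected into web pages
        hosts |= set(script.get("matches", []))
    findings = {
        "high": sorted(perms & HIGH_RISK),
        "medium": sorted(perms & MEDIUM_RISK),
        "broad_hosts": sorted(h for h in hosts if BROAD_HOST.match(h)),
    }
    # Broad host access combined with tab/navigation visibility is exactly what
    # an extension needs to track browsing and steer the user elsewhere.
    if findings["high"] or (findings["broad_hosts"] and findings["medium"]):
        findings["rating"] = "review before installing"
    elif findings["broad_hosts"] or findings["medium"]:
        findings["rating"] = "ask why it needs this"
    else:
        findings["rating"] = "narrow"
    return findings


# Constructed sample manifest for demonstration; not taken from any real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Coupon Finder",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

To check an installed extension, point `audit_manifest` at the manifest.json inside its folder under your Chrome profile's Extensions directory.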