Changes in Google Chrome extension ownership can expose thousands of users to aggressive advertising and possibly other threats, two extension developers have recently discovered.
At least two Chrome extensions recently sold by their original developers were updated to inject ads and affiliate links into legitimate websites opened in users' browsers.
[ InfoWorld's expert contributors show you how to secure your Web browsers. Download the free PDF guide today! | Learn how to protect your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
The issue first came to light last week when the developer of the "Add to Feedly" extension, a technology blogger named Amit Agarwal, reported that after selling his extension late last year to a third-party, it got transformed into adware. The extension had over 30,000 users when it was sold.
A second developer, Roman Skabichevsky, confirmed Monday that his Chrome extension called "Tweet This Page" suffered a similar fate after he sold it at the end of November.
Skabichevsky accepted an offer to sell the simple extension for $500 because he didn't have time to improve it anymore.
"A woman named Amanda who contacted me said they wanted the extension 'for further development'," Skabichevsky said via email. It was weird because the extension's code is open sourced so anyone can work on it, "but I sold it anyway, thinking it would be better for the world. I was so wrong!"
Agarwal's story is similar. He sold his extension for a four-figure sum after being contacted by a woman.
"A month later, the new owners of the Feedly extension pushed an update to the Chrome store," he said Thursday in a blog post. "No, the update didn't bring any new features to the table nor contained any bug fixes. Instead, they incorporated advertising into the extension."
"These aren't regular banner ads that you see on web pages, these are invisible ads that work the background and replace links on every website that you visit into affiliate links," Agarwal said. "In simple English, if the extension is activated in Chrome, it will inject adware into all web pages."
Converting a trusted and popular extension into an aggressive advertising tool is more efficient for adware pushers than creating an extension from scratch and building a large user base they can later target, because it brings a quicker and most likely bigger return on investment.
The "Add to Feedly" and "Tweet This Page" extensions have been removed from the Chrome Web Store this weekend, supposedly by Google. However, the company did not immediately respond to a request for comment.
It's not clear if any other extensions from the Chrome Web Store were resold and exhibit the same behavior.
According to the Chrome Web Store developer program policies, advertising is allowed in apps hosted in the store, but there are strict criteria for displaying ads on third-party websites: the behavior needs to be clearly disclosed to the user, there needs to be clear attribution of the ads' source, the ads must not interfere with any native ads or functionality of the website and the ads must not mimic or impersonate native ads or content on the third-party site.