Facebook: beware of Unlimited Watching Chrome extension spam

Martin Brinkmann
Apr 4, 2013
Updated • May 4, 2013
Google Chrome extensions, Security

Depending on who you are connected to on Facebook, you may have been exposed to one of the recent spam attacks on the site. The attack disguises itself in form of a status update and includes a link to a media player site and names of other contacts. When you click on the link you are taken to a website that sports a media player, some banners and maybe some other page elements.

The media player is not working at all, and when you click on the play button in Google Chrome, you immediately get an extension installation dialog on the same page.  You probably know that installations are automatically blocked if they originate from third party sites. The extension in question is however listed on Chrome's Web Store and thus not blocked automatically.

If you are tech-savvy you probably clicked on the close button at the top or the cancel button as alarm bells surely started to ring loud and clear by then. The missing description of the extension as well as the missing reviews are two additional indicators that there may be something wrong with the extension.

unlimited watching facebook spam

If you ask yourself why you are on the site and why you'd want to install an extension that you know nothing about, then you probably come to the conclusion that it is better not to proceed at this point.

If you do proceed though and install the extension, you may receive many angry messages from friends on Facebook. The extension will spread the same message that you have received to all of your friends automatically, if you are logged in on Facebook after installation.

If you look in Chrome's web store, you will notice that three extensions exist with the Unlimited Watching name. They have been added in the last three days and use different publisher names and websites. It is however very likely that they are linked to the same individual or company.

The Chrome extension cannot be installed by normal means. You do need to close the web browser and open the profile folder of the browser instead:

  • Windows XP: C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default
  • Windows Vista and newer: C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default
  • Mac OS X: ~/Library/Application Support/Google/Chrome/Default
  • Linux: ~/.config/google-chrome/Default

Open the extensions folder and sort the folder by date so that you find the last extension that has been added to the browser. Either delete the folder outright or move it out of the extensions folder first to verify that it is the correct extension.

What you may also want to do is let your friends know what happened and why it happened, so that they do not make the same mistake that you did. (via Caschy)

What we can learn from the attack? Never trust links only because they have been posted by friends, make sure you know what an extension does before installing it, and do make sure the rights the extension requests match the extension's purpose.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Wayfarer said on April 4, 2013 at 9:07 pm

    …Or stay out of Facebook. Always was a sad way to spend a life – and increasingly it seems a dangerous one too…

  2. Paul B. said on April 4, 2013 at 2:43 pm

    The INet is an increasingly dangerous place. I like Opera’s approach. They’ve restricted extension installation to on-site only and keep a sharp eye over the ones they approve.

  3. Nico said on April 4, 2013 at 12:30 pm

    Another way is to kill the process via maj-escape on windows (in Chrome), stop the process of this extension, go on chrome://extensions/ and uninstall it !

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.