Most Internet users do not expect that extensions that they install from official repositories can contain malicious code, either directly upon installation, or later on when they are updated.
Usually, that code is used for monetization purposes and not for the distribution of malware or other malicious activities.
News made the rounds recently that companies that are in the trade approach extension developers to acquire their extensions. If the developer agrees, ownership of the extension changes for hundreds if not thousands of Dollars.
Some time later, the very same extension is updated by the new owner with new code that may track users when they browse the Internet, inject ads on web pages, or add so-called affiliate links to pages.
This happens automatically, usually, and without notification. Since it is unlikely that many users of the extension would agree to being tracked or the extension to display ads or plant affiliate links on websites, it is usually the case that these new monetization options are opt-out, meaning they are turned on by default.
I have described previously how you can protect yourself from these extensions in Firefox and Chrome.
The new Chrome Protector extension for Google Chrome has been created as a response of the recent news. It currently checks the installed extensions and will inform you if a malicious extension has been found.
How that is done? Currently by a blacklist.It is regularly updated based on user reports, the author's on research, and alerts posted on Reddit.
The author seems to have plans though to expand on this later on in development, and this is where it could get interesting. For instance, one option could be to monitor extension ratings and verify extensions if ratings drop in a short amount of time.
While that means that the extension is not protecting you from new malicious extensions in real-time, it could reduce the time it takes before you are aware that something is not right.
While it may make sense for some to install the extension and keep it installed, it may make sense for others to install it only once or occasionally, at least for the time being.
If the author of the extension could add features to it that would improve its usability, like monitoring store rating changes, comments, extension updates and "known" developers, it could very well become a must-have extension for Chrome users who use many extensions.
For now, it is a nice concept extension that may have its uses for some users.
Update: The extension has been renamed to ExtShield - Stops Malicious Extensions. We have updated the link so that it points to the correct page on the Chrome Web Store now. An update will be released soon according to the author which warns users when they try to install one of over 100 adware, spyware or malware extensions that are currently available in the web store.
Update 2: The latest version of Shield for Chrome -- yes another name change -- can now also monitor website behavior, and blocks the Chrome bug that allows sites to listen in on conversations.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.