Chrome extension CopyFish hijacked: remove now!

Martin Brinkmann
Jul 31, 2017
Google Chrome

The makers of the popular Chrome and Firefox extension Copyfish announced yesterday that the Chrome version of the extension was hijacked.

According to the posted information on the company blog, an attacker managed to steal the Google password of a team member using phishing on July 28th, 2017.

A team member received an email from “Google” saying that we need to update our Chrome extension (Copyfish) otherwise it would be removed from the store. “Click here to read more details” the email said. The click opened the “Google” password dialog, and the unlucky team member entered the password for our developer account.

The Chrome extension was updated to version 2.8.5 then the next day; something that the company did not realize directly. The attacker, who held the password and email address for the developer account, pushed a manipulated extension to the Chrome store.

copyifsh phishing chrome

Since Chrome extension update automatically without user interaction, the majority of users of the extension received the updated version. While it is possible to take precautions before installing Chrome extensions, there is no such option for extension updates.

Reports began to come in on July 30, 2017 that Copyfish for Chrome was displaying ads and spam on websites.

The team realized that something was wrong. A check of the Google Developer account revealed that the attackers did not only upload a malicious version of the extension, they moved the extension to their account as well.

This means that Copyfish has no access to the extension at this point in time. They cannot update it, and the attackers may push out another version of the extension to the userbase. Since Chrome extensions update automatically, it can only be prevented by removing the extension for Chrome for the time being.

Chrome users who have Copyfish installed right now are advised to remove the browser extension from the web browser until the situation is resolved.

This is done by loading chrome://extensions/ in the browser's address bar and activating the trash icon next to the extension.

The Firefox extension Copyfish is not affected, and there are several reasons for that. The most obvious one is that the attackers phished the Google account password and not necessarily the Mozilla account password. While it may be identical, it does not have to be.

More importantly from a user perspective is that Mozilla employees audit extension uploads manually while Google uses automation for that. It is far more difficult to place a malicious extension in Mozilla AMO than it is on Google's Chrome web store.

Phishing attacks, especially targeted ones, are still very successful. While the company could have better security processes, e.g. using two-factor authentication or a password manager to prevent having to enter account passwords manually, it is taking responsibility by explaining exactly what has happened and what users can do to resolve the issue.

It is interesting to note that Copyfish is not the first Chrome extension that got hacked successfully in recent time. Social Fixer, another popular extension, was hacked as well and the methodology the author describes on Facebook looks very similar to the one used to attack Copyfish.

Closing Words

Google's convenient but weak -- from a security point of view -- automatic updating of Google Chrome and Chrome extensions, and the company's refusal to spend resources on manual extension audits, is a serious flaw in a browser heralded for its security.

I guess it is less of a problem for users who don't use extensions, but if you do in Chrome, attacks like this will happen and there is nothing that you, as a user, can do about it if you use extensions.

If the maker of an extension gets phished or hacked, malicious extension updates may be pushed to your Chrome version and computer without you being able to do anything about that.

Now Read: Monitor extension updates in Chrome and Firefox

Chrome extension CopyFish hijacked: remove now!
Article Name
Chrome extension CopyFish hijacked: remove now!
The makers of the popular Chrome and Firefox extension Copyfish announced yesterday that the Chrome version of the extension was hijacked.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. kleinfelter said on September 8, 2017 at 12:38 am

    There is now an extension to disable auto-update of Chrome extensions.

    Disclaimer: I wrote it. At this instant, I’m its only user, so exercise caution.

    It requires a helper-app, which is installed separately. The helper app edits the extension manifests to disable (or re-enable) the update link.

    1. A41202813GMAIL said on September 8, 2017 at 8:09 am


      Since You Are A Developer, See If This Project Interests You:

      – FF Has An Extension Called FEBE, That Has Several Features, But The Feature I Am Most Interested In, Saves All Extensions Already Installed And The Output Comes As Individual .XPI Files,

      – Is It Possible To Make An Extension For CHROME Clones That Does Exactly The Same, But With The Output Being .CRX Or .NEX Files ?


  2. TelV said on August 3, 2017 at 1:24 pm

    This doesn’t bode well for Chrome WebExtensions becoming available in Firefox come version 57 unless Mozilla is going to apply the same manual checks for all of them including after every update.

  3. A41202813GMAIL said on August 1, 2017 at 1:58 pm

    A – CHROME Does Not Allow Installation Of Third Party Extensions – The Reason I Moved To OPERA15+,

    B – The CHROME Web Store Must Be Rid Of MalWare Extensions, Because I Found 2 Of Them Myself, And Now This Article Shows Another One,

    C – Most MalWare Extensions Try To Block The Access To The Extensions Manager ( To Prevent Users From UnInstalling Them ), And That Is Why I Found Those 2, Because When I Install A New Extension, The First Thing I Do Is To Review All The Options And Settings Regarding Said Extension.


  4. MdN said on August 1, 2017 at 1:28 pm

    Slightly off topic, Web of “Trust” got caught selling user data and users can be identified by it. Uninstall that too (if you’re actually using it).

  5. olbaze said on July 31, 2017 at 5:30 pm

    I have to ask the obvious: If this email was legitimate, would it REALLY have used a link? Google has their own system already.

  6. Lia said on July 31, 2017 at 5:01 pm

    Getting phished in 2017 LOL

  7. chesscanoe said on July 31, 2017 at 3:01 pm

    I suspect this type of problem happens in part because some users install and leave installed every extension they might think they like. This can result in significantly increasing the odds of a problem. A user should ask themselves “Do I really need this extension, even if it works as advertised?” The goal should be the lowest number of extensions you can tolerate. The goal should not be to regard extensions as collectibles.

    1. Clairvaux said on July 31, 2017 at 5:06 pm

      Yes, this is sensible advice, however it’s not going to fly. I’ve also read security researchers saying : uninstall unused programs from your computer, anything extra increases your attack surface.

      But very few people are going to do that, and you can’t blame them. There are so many things to harden on a computer, before you prune out unused software…

      By the way, it seems to me that this incident is also a reason why Web Extensions in Firefox are a good thing… even if the problem is not exactly the same. Add-ons represent a frightfully easy avenue for compromise.

  8. asd said on July 31, 2017 at 1:36 pm

    Looks like the security of Chrome Store matches nicely that of Android Play Store–next to none…

  9. Xibula said on July 31, 2017 at 11:04 am

    i rather have the good, the bad and the ugly addons all up to date
    than to have only the good ones outdate like you have in firefox

    isnt outdate extensions source of malware too?

    1. Rob said on July 31, 2017 at 5:45 pm

      If the extension works and does its function it doesn’t necessarily have to be up-to-date. Also, in most cases, outdated extensions aren’t sources of malware.
      There’s nothing wrong with at least giving us an option to turn off automatic extension updates (for extra security and privacy) rather than forcing them onto us.

    2. Daryl said on July 31, 2017 at 1:14 pm

      Yeah no, nice try but that doesn’t make sense.

      “Please force update my add-ons without decent security checks and silently introduce whatever whenever, it’s clearly better than doing proper security checks and allowing users be in control if they so desire”

      Rule #1 of tech security: Never trust user input. An add-on update is input like web content is, if you have tight security on one but weak security on the other, the overall security of the product or service is at stake.

  10. Yuliya said on July 31, 2017 at 10:21 am

    Is that the actual e-mail? If so, I don’t think Google needs to use Should have been a big red flag.

  11. Anonymous said on July 31, 2017 at 8:09 am

    *hysterically runs to my chrome browser* oh wait…

    1. HK-Rapper said on July 31, 2017 at 10:48 am

      I know right?
      Also the devs are rather gullible and naive for opening a link thinking Google would use that. It is a service offered by a third party.

  12. phils said on July 31, 2017 at 7:50 am

    This is true to the Google Play Store too. That’s why Mozilla and Apple are superior.
    Literally you can do anything to the extension and app without supervision from Google even though we need to pay for the Play Store Account and Chrome Web Store account. Mozilla can provide free checking from volunteers and Apple hired staffs to do the checking while Google do literally nothing. Makes you wonder where did all the money we paid go?

    You can see that many clones of fake extension and apps there, no wonder why malwares are common in Play Store and Chrome Web Store.

    >>Mozilla employees audit extension uploads manually while Google uses automation for that.
    It’s volunteers not employees, they’re not paid

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.