Another Chrome extension horror story: coinhive and domain registration
I'm not sure if things get worse by the day when it comes to the Chrome extensions system and Store, or if things have been bad all along and are simply publicized more frequently these days.
All of these incidents had one thing in common: the anti-user updates all passed the Chrome Web Store's automatic vetting.
Google acknowledged the problem and stated in October 2017 that it planned to do something about it, but did not reveal what it had planned nor when it would launch the changes.
A report on Bleeping Computer highlights another malicious Chrome extension that passed the Chrome Store's initial verification checks for browser extensions.
The extension Ldi shipped with two anti-user functions. It included a crypto miner that used the computer's resources to mine cryptocurrency for the creator of the extension. This is not the first incident of a Chrome extension shipping with a crypto miner, and it is likely that it won't be the last, at least not until Google improves the verification process.
Ldi went a step further than that though. It used the Gmail addresses of Chrome users, provided that they were signed in on the computer, to register domain names on Freenom. It parsed the email address from Gmail, created bogus contact information, checked Gmail for the registrar's verification emails, and opened the links in them automatically to complete the verification process.
What that meant is that users who installed the Chrome extension may have had domain names registered under their Gmail account. Anything done with these domains is linked to that email address, which could lead to a law enforcement inquiry or, in the worst case, the closing of the Gmail account.
Google's current verification system that it uses to verify Chrome extensions before they are made available on the company's Chrome Store is flawed as malicious or invasive extensions manage to sneak past it regularly.
This does not only affect new extensions that are uploaded to the Chrome Web Store, but also extensions that are updated. The hijacking incidents in July and August have shown that this is not limited to brand new extensions but may also happen to established extensions with tens of thousands of users.
This is made worse by Chrome's lack of preferences regarding extension updates. Extensions are updated automatically, and there is no setting to change that behavior.
My recommendation on how to deal with it is to be very careful when it comes to Chrome extensions, to permissions that they request, and to avoid being signed in to Gmail or other accounts in Chrome all the time as extensions may abuse this as well.
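As an added illustration of that advice (this is example code written for this post, not anything from the Ldi extension or from Google), the following Python audits Chrome extension manifests and flags the combination that made the Ldi abuse possible: host access to Gmail or to every site, plus the `tabs` permission. The two manifests embedded below are constructed samples; `audit_directory` is a hypothetical helper that applies the same check to real `manifest.json` files found under a profile's extensions folder.

```python
import fnmatch
import json
import os

# Hosts that, combined with a signed-in Google session, let an extension read mail
# and follow verification links the way the Ldi extension is described as doing.
SENSITIVE_HOSTS = ["mail.google.com", "accounts.google.com"]
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_of(pattern):
    """Host part of a Chrome match pattern such as 'https://*.google.com/*'."""
    return pattern.split("://", 1)[1].split("/", 1)[0]

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for p in perms:
        if p in BROAD_PATTERNS:
            findings.append(f"broad host access: {p}")
        elif "://" in p:
            host = host_of(p)
            for sensitive in SENSITIVE_HOSTS:
                if host == sensitive or fnmatch.fnmatch(sensitive, host):
                    findings.append(f"access to {sensitive} via {p}")
    if "tabs" in perms:
        findings.append("can open and observe tabs")
    return findings

def audit_directory(root):
    """Hypothetical helper: audit every manifest.json below root (e.g. a Chrome profile's
    Extensions folder) and return {path: findings} for manifests with findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            path = os.path.join(dirpath, "manifest.json")
            with open(path, encoding="utf-8") as fh:
                findings = audit_manifest(json.load(fh))
            if findings:
                report[path] = findings
    return report

# Constructed sample manifests for demonstration; not real extensions.
BENIGN = {"name": "Notes", "permissions": ["storage", "https://example.com/*"]}
SUSPICIOUS = {"name": "Ldi-like", "permissions": ["tabs", "https://*.google.com/*", "<all_urls>"]}

if __name__ == "__main__":
    for m in (BENIGN, SUSPICIOUS):
        print(m["name"], audit_manifest(m))
```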