Another Chrome extension horror story: coinhive and domain registration

Martin Brinkmann
Oct 15, 2017
Google Chrome, Google Chrome extensions

I'm not sure if things get worse by the day when it comes to the Chrome extensions system and Store, or if things have been bad all along and are publicized more frequently in these days.

Several popular Chrome extensions were hijacked back in July and August 2017, and then updated to push ads and spam to user devices.

The first Chrome extension with an integrated Crypto Miner was launched in September 2017, and the popular Chrome extension Steam Inventory Helper started to monitor user activity.

All of these incidents had one thing in common: the anti-user updates all passed the Chrome Web Store's automatic vetting.

Google acknowledged the problem and stated in October 2017 that it planned to do something about it, but did not reveal what it had planned nor when it would launch the changes.

A report on Bleeping Computer highlights another malicious Chrome extension that passed the Chrome Store's initial verification checks for browser extensions.

The extension Ldi shipped with two anti-user functions. It included a crypto miner that would use the computer's resources to mine crypto currency for the creator of the extension. This is not the first incident of a Chrome extension shipping with a crypto miner, and it is likely that it won't be the last, at least not until Google improves the verification process.

Ldi went a step further than that though. It used Gmail addresses of Chrome users, provided that they were signed in to the computer, to register domain names on Freenom. It parsed the email from Gmail, created bogus contact information, checks Gmail for verification emails, and opens these links automatically to complete the verification process.

What that meant is that users who installed the Chrome extension may have had domain names registered under their Gmail account. Anything done with these domains is linked to that email address which could lead to law enforcement inquiry or the closing of the Gmail account in worst case.

Closing Words

Google's current verification system that it uses to verify Chrome extensions before they are made available on the company's Chrome Store is flawed as malicious or invasive extensions manage to sneak past it regularly.

This does not only affect new extensions that are uploaded to the Chrome Web Store, but also extensions that are updated. The hijacking incidents in July and August have shown that this is not limited to brand new extensions but may also happen to established extensions with tens of thousands of users.

This is made worse by Chrome's lack of preferences in regards to extension updates. Extensions are updated automatically, and there are no preferences to change the behavior.

My recommendation on how to deal with it is to be very careful when it comes to Chrome extensions, to permissions that they request, and to avoid being signed in to Gmail or other accounts in Chrome all the time as extensions may abuse this as well.

Article Name
Another Chrome extension horror story: coinhive and domain registration
Read how a malicious Chrome extension called Ldi mined crypto currency and registered domain names on behalf of the Chrome user's Gmail email address.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Stefan said on October 21, 2017 at 11:35 pm

    Stop use all Google softwares and services. Since they started to manipulate and censor the web (both confirmed) all Google is blocked in HOSTS and the blockers in my browser. There are good alternatives !

  2. TelV said on October 17, 2017 at 5:29 pm

    I’m pretty sure Google achieved its market dominance in the browser market by bundling Chrome with the multitude of free apps that are available around the track. This one goes back to 2012:

    It’s a pity that Mozilla didn’t try the same tactic because they wouldn’t have lost so much market share to Google if they had.

    1. Kubrick said on January 9, 2018 at 2:14 pm

      your comment does not make any sense.Even if chrome were bundled into free apps etc ,people are not being held at gunpoint to keep chrome installed.I have heard this argument for years where users claim google chrome was installed sneakily,well if that were the case then how come chrome STILL has over half the market share.?
      If people didnt want chrome then they would simply uninstall it so the bundling theory simply does not work.

  3. Rick A. said on October 17, 2017 at 2:45 am

    But, but, but, Appster and others say use Chrome !……….

  4. Mystique said on October 16, 2017 at 3:00 pm

    Chrome is garbage. What else is new?

    Running chrome or any other browser without extensions is like driving a car with very flat tires… sure you could travel on them but your ride is not going to be a comfy or efficient one.

    Best of luck to any chrome users over the next few months while google decides what they can do to keep the money coming whilst stopping everyone else from being underhanded and abusing its users better than they did.

  5. Dan82 said on October 16, 2017 at 12:50 pm

    Stopping extensions from auto-updating – the most important step in guaranteeing that you don’t use malware infested or privacy breaking extensions – isn’t trivial, mostly because Chrome does not offer any user-friendly way of doing so and merely adjusting the timings in the registry doesn’t disallow updates entirely. Ultimately, the user will be left with changing the manifest.json file of each extension by hand through either adding or changing the update_url parameter to a nonsensical value. Provided you’re somewhat familiar with the JSON string format that should be no issue.

    That being said, extensions have a huge abuse potential because many require access to all webpages and their contents. For a hobby coder it is often easy enough to check the code of an extension for embedded malware (like the recent coin mining issue for example), but many other more subtle methods are more difficult to detect. With JS code being minimized and potentially modified embedded libraries like jQuery, it takes both skill and patience to reliably judge whether an entire extension is safe or not.

    Personally speaking, I’ve written a small handful of extensions myself. They’re unpublished and for my personal use, not only out of the desire to maximize my privacy but also because I don’t need a bloated set of features and my requirements are unlikely to change going forward. Not everybody can do that and it would be unrealistic to view this as a solution either. Crowdsourcing technical knowledge and the willingness to use it on some kind of moderated extension store on the other hand could be an amazing achievement everyone could benefit from.

  6. AnorKnee Merce said on October 16, 2017 at 10:43 am

    There is the “No Coin” browser extension or add-on available.


  7. Croatoan said on October 16, 2017 at 9:25 am

    Chrome is secure if you don’t use extensions.

  8. Anonymous said on October 16, 2017 at 5:19 am

    Another “horror” is the non-transparent ghacks’ favicon with FT Deepdark.

  9. Clairvaux said on October 16, 2017 at 4:54 am

    “Users who installed the Chrome extension may have had domain names registered under their Gmail account.”

    That’s horrific. It’s a nightmare scenario. Supposedly Chrome was the safest option (but you relinquished your privacy), and then this.

    Not blowing my own horn, but that tends to show that bashing Mozilla for not allowing extensions to do exactly as they please anymore wasn’t especially far-sighted. Having a ton of extensions allowing you to display your browser upside down might be fine and dandy, until someone steals your Gmail account, opens a website in your name, and uses it to, now let me see… display some child porn, for instance, then… blackmail you ? inform your wife ? tell the headmaster of the school where you teach ? possibilities are endless, hours of fun ahead…

    Not saying that Firefox is waterproof against such attacks, just that their general thinking seems to be correct…

  10. chef-koch said on October 16, 2017 at 3:58 am

    Google in fact does do something about fake addons and malware addons. You can report the addon and then it gets an review, if their own system detects some strange addon it gets removed remotely. What people mostly see as ‘spying, monitoring’ (which is just a security mechanism,…).

    To say that they don’t do anything is seriously wrong, there is no perfect Store and there never will be, Steam has is review/comment problem, Google has it’s extension problem, Microsoft is suffering from less/no apps in their own store and and and…

    The problem is that if people abusing their services it only ends up with less control for the end user, because of such dickheads. Otherwise people just messing around to find away to abuse everything. The irony is that this isn’t google, these are the people which trying to be smart ‘to bypass google’.

    It’s totally useless to compare one browser with another, at the end every browser has weaknesses and I’m totally sick reading news after which aren’t news or new. Instead of whine about such things, just show and explain how to protect against such behavior – this however is mostly a user fault because no one reads shit today. Just install everything and click okay without reading – this is our new generation.

  11. Chris said on October 15, 2017 at 8:47 pm

    So are Chromebooks unaffected? Because people love to claim they’re so secure. I haven’t had any extension problems yet on desktop, but I’ve as few extensions as possible and mostly from Google.

    It shows how little Google care about the store when they won’t bother fixing their semi-broken Google Translate extension.

    “I’m Chris!” ;) (3 diff Chris in a row)

    1. John said on October 15, 2017 at 9:16 pm

      There’s a shit ton of negative reviews about the Google Translate extension problem since Google released Chrome 61 (where this problem started), and even some guys in the reviews section told to Google how to EXACLY fix the problem and yet, they don’t do anything.

      Also, a developer released an extension to “fix” this bug (what a joke, if you ask me, having to install a second extension just to fix a problem in a Google extension).

      Google doesn’t care about Chrome anymore, that was one of the reasons why I switched to Firefox some months ago and never looked back.

    2. Martin Brinkmann said on October 15, 2017 at 8:56 pm

      Chrome extensions are the problem. So, any device with Chrome and Chrome extensions is potentially affected.

  12. Chris said on October 15, 2017 at 7:42 pm

    Google has billions of dollars, but they don’t seem interested in hiring people to perform manual reviews.

  13. Chris said on October 15, 2017 at 7:41 pm

    This is one reason why I recommend people stay away from Google Chrome.

    1. Zen Ou-sama said on October 25, 2017 at 5:54 pm

      Yeah, this is terrible. Martin recommends this: “My recommendation on how to deal with it is to be very careful when it comes to Chrome extensions, to permissions that they request, and to avoid being signed in to Gmail or other accounts in Chrome all the time as extensions may abuse this as well.”

      But I would simply not use any add-on on Chrome, except uBlock Origin because the benefit is greater than the risk. Honestly there’s no point to have secure browser with sandboxed processes and such when you have such a glaring security issue plugged in right into it, in the form of the add-on ecosystem.

      And if I am to be limited to only one add-on, I’ll just pick another browser.

  14. John said on October 15, 2017 at 7:30 pm

    The worst thing about all this is that you can’t even disable automatic updates of extensions on Chrome, Google gives absolutely zero user control…

    The only “way” to not get an extension update pushing malware on Chrome is to use the least possible extensions there, and only the ones you trust the most.

  15. ShintoPlasm said on October 15, 2017 at 6:15 pm

    But Mozilla wants to forsake manual reviews for WebExtensions prior to publication on AMO, because.

      1. Clairvaux said on October 25, 2017 at 8:32 pm

        Zen Ou-sama,

        Thank you for this interesting information. Why isn’t the review status of add-ons public, though ? Or is it, and I did not find it ?

      2. Zen Ou-sama said on October 25, 2017 at 5:37 pm

        To note, 80% of Firefox add-ons are manually reviewed within 5 days of publication, 5% between 5 and 10 days, and the remaining 15% more than 10 days. Knowing that this is a surge period where an order of magnitude or two of add-ons are being submitted. (Because of the WebExtensions switch)



        In the past month, our team reviewed 2,490 listed add-on submissions:

        2,074 in fewer than 5 days (83%).
        89 between 5 and 10 days (4%).
        327 after more than 10 days (13%).

        244 listed add-ons are awaiting review.



        In the past month, our team reviewed 1,803 listed add-on submissions:

        1368 in fewer than 5 days (76%).
        147 between 5 and 10 days (8%).
        288 after more than 10 days (16%).

        274 listed add-ons are awaiting review.


        And automatic reviews serve to prioritize manual reviews, not just to block/allow uploads.

      3. ShintoPlasm said on October 15, 2017 at 11:43 pm

        I know, Martin, I was being sarcastic… :)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.