Be careful when you install Microsoft Edge extensions from the Microsoft Store

Browser extensions can significantly extend the functionality of the web browser they are installed in, or of a site; this is true for all browsers that support extensions, and the new Chromium-based Microsoft Edge is no exception to the rule.
Microsoft operates its own extensions store as part of Microsoft Store, and things seemed to have taken a turn for the better with the switch to the Chromium base earlier this year.
Classic Microsoft Edge suffered from a lack of available extensions, and while Microsoft tried to explain the low number of extensions for the browser, it was clear that the browser could not compete with Google's or Mozilla's extension stores.
The switch to Chromium pushed the number of available extensions for Microsoft Edge, and the Store is now hosting thousands of extensions for the browser. Edge users may install Chrome extensions in addition to that.
The increase seems to have brought along with it the issues that the other popular extension stores face from time to time. Microsoft had to remove malicious extensions from its Edge extensions store in May, and it appears that the company had to remove additional extensions this month.
Sites like Techdows published articles on the removal. According to the information, users of Edge opened support requests when they started to notice that searches were redirected when they used the Microsoft Edge browser.
It turned out that rogue extensions were responsible for that. All of these extensions were hosted on the official Microsoft Store; they used names of popular services and programs, e.g. NordVPN, Adguard VPN or The Great Suspender to lure users into installing the extensions.
Microsoft pulled the fake extensions from its web store and users who installed these in Edge will have them disabled on the next start of the browser automatically.
Raymond Hill, maker of the popular content blocker uBlock Origin, discovered another fake extension in the store that was based on an earlier version of uBlock Origin and manipulated website content to inject content on websites the user visited.
The two incidents suggest that users need to be very careful when installing extensions from the Microsoft Edge extensions store as Microsoft's protections are as weak as Google's protections on the Chrome Web Store.
In other words: there is always the chance that an extension is malicious in nature because of an insufficient vetting process. This leads to the following question: what can you do to protect yourself?
One of the best options is to analyze the code of the extension, but that is hardly something that all Edge users can do. Reviews and ratings help only so much, as they can be faked and sometimes may not be available. You could look for reviews on trusted sites, or make sure that the company that supposedly created the extension has indeed created it by verifying that on the company site.
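One way to start the code analysis mentioned above, as an added example that is not part of the original article: a JavaScript function (runnable with Node.js) that takes an unpacked extension's parsed `manifest.json` and flags the entries behind the two behaviours reported here, search redirection and content injection on every site. The sample manifests and the finding names are constructed for illustration.

```javascript
// Added example, not from the article: static triage of an extension's manifest.json.

// Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions worth a closer look, with the reason a reviewer cares.
const SENSITIVE_APIS = new Map([
  ["webRequest", "can observe network requests"],
  ["webRequestBlocking", "can modify or redirect requests in flight"],
  ["proxy", "can route browser traffic through a proxy"],
  ["tabs", "can read the URL and title of every tab"],
  ["management", "can enable or disable other extensions"],
]);

function auditManifest(manifest) {
  const findings = [];
  const flag = (id, detail) => findings.push({ id, detail });

  // Search redirection: the manifest can replace the default search engine.
  const overrides = manifest.chrome_settings_overrides || {};
  if (overrides.search_provider) {
    flag("search-override", `default search -> ${overrides.search_provider.search_url}`);
  }
  if (overrides.homepage || overrides.startup_pages) {
    flag("startup-override", "changes homepage or startup pages");
  }

  // Content injection: scripts that run on every page the user visits.
  for (const script of manifest.content_scripts || []) {
    const broad = (script.matches || []).filter((m) => BROAD_HOSTS.has(m));
    if (broad.length > 0) {
      flag("content-script-all-sites", `${(script.js || []).join(", ")} on ${broad.join(", ")}`);
    }
  }

  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const entry of declared) {
    if (BROAD_HOSTS.has(entry)) flag("host-all-sites", `host access: ${entry}`);
    else if (SENSITIVE_APIS.has(entry)) flag(`api-${entry}`, SENSITIVE_APIS.get(entry));
  }
  return findings;
}

// Constructed sample: a look-alike "VPN" that overrides search and injects everywhere.
const fakeVpnManifest = {
  manifest_version: 2,
  name: "Example VPN (constructed sample)",
  permissions: ["storage", "proxy", "<all_urls>"],
  chrome_settings_overrides: {
    search_provider: { name: "Example Search", search_url: "https://search.example/?q={searchTerms}", is_default: true },
  },
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// Constructed sample: a new-tab extension that only touches its own page.
const newTabManifest = {
  manifest_version: 2,
  name: "Example New Tab (constructed sample)",
  permissions: ["storage"],
  chrome_url_overrides: { newtab: "newtab.html" },
};

for (const f of auditManifest(fakeVpnManifest)) console.log(`${f.id}: ${f.detail}`);
```

Findings are prompts for a closer look, not a verdict: a legitimate content blocker requests the same site-wide access, and a tampered copy of a real extension will carry much the same manifest, so the publisher still has to be verified separately.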
Now You: do you vet extensions before you install them?


I do not tell people what browsers to use, but I use Firefox.
On the addons pages, there are some “Recommended” — these have vetting from Mozilla.
If not “Recommended”, it says it has not been thoroughly tested, caveat emptor. I look around web sites and read, and maybe look at the code too.
I use NoScript, UBO, HTTP Everywhere (maybe not needed with newest Firefox), and some other minor extensions.
So far I think Firefox Addons “store” is probably best, Firefox does better job at respecting privacy than other browsers.
@Tiraj Modium
Some of the “Recommended” extensions are also being promoted because the developers pay Mozilla. This is the case with the “Honey” extension (problematic from a privacy perspective), for example. Yes, the code is being checked, but as far as I understand it they only check for outright malware, not for spying functionality you might have agreed to in some privacy policy (in which case it would be legal though unethical).
Anyway, if you are into privacy extensions also check out Cookie AutoDelete, ClearURLs, LocalCDN, all of them are must haves as far as I’m concerned.
> Firefox does better job at respecting privacy than other browsers.
Firefox is worse than e.g. Brave by default:
https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf
It can be modified to be privacy-respecting with about:config (and you need to stay ahead of Mozilla, since they are frequently adding new anti-features), but by default it is not that much better than Chrome. Pale Moon, Waterfox, some Chromium variants like Vivaldi, Ungoogled Chromium, Bromite are also better than Firefox by default. Needless to say, same goes for the Tor browser.
The “Chromium” version of UBO (unlike the Firefox version) is a “half-finished specification” that function restricted (limited).
The developer of UBO (Raymond Hill) discovered that “UBO”, which can be added from Microsoft’s official extension download site, has been replaced with a tampered “illegal product”, tweeted the findings two weeks ago, and reported the “illegal” to Microsoft on the same day.
No progress has been made after two weeks, and fraudulent products remain available.
If you install the malicious product, the “iframe” will be inserted in the “div dot show / alink” of every page accessed by the user.
https://twitter.com/gorhill/status/1329831114119254026
For the “Chromium” version of UBO, Raymond Hill declared “development support discontinuation” a year ago.
The official view was that Microsoft switched to the “Chromium” base because “the extensions that could be added to Microsoft browsers were too poor (both quality and quantity) to compete with Google and Mozilla.”
The frequent storm of “illegal goods” on the “Chrome Web Store” has spread to “extensions for Microsoft Edge,” Microsoft’s sloppiness is revealed (insufficient review process and lack of crisis management skills).
Google does not “manually” check extension reviews and relies on AI (artificial intelligence).
At AMO (addons.mozilla.org), AI dependence has been discontinued and a dedicated person has changed to a method of manual and thorough inspection, and since then, fraudulent products have been eradicated.
Related information:
The Chrome Web Store and AMO (addons.mozilla.org) had serious incidents such as tricks to embed malicious code in browser extension updates.
Chrome extension CopyFish hijacked: remove now!
https://www.ghacks.net/2017/07/31/chrome-extension-copyfish-hijacked-remove-now/
Google pulls Chrome Web Developer extension over ad-injecting
https://www.ghacks.net/2017/08/02/google-pulls-chrome-web-developer-extension-over-ad-injecting/
First Chrome extension with JavaScript Crypto Miner detected
https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/
Steam Inventory Helper monitors your browsing activity
https://www.ghacks.net/2017/09/19/steam-inventory-helper-monitors-your-browsing-activity/
Chrome has a massive copycat extensions problem
https://www.ghacks.net/2017/10/11/chrome-has-a-massive-copycat-extensions-problem/
Chrome Extension Uses Your Gmail to Register Domains Names & Injects Coinhive
https://www.bleepingcomputer.com/news/security/chrome-extension-uses-your-gmail-to-register-domains-names-and-injects-coinhive/
Another Chrome extension horror story: coinhive and domain registration
https://www.ghacks.net/2017/10/15/another-chrome-extension-horror-story-coinhive-and-domain-registration/
Mozilla’s AMO Extensions store has a spam infestation problem
https://www.ghacks.net/2017/12/13/mozillas-extensions-store-has-a-spam-infestation/
Malicious Chrome extensions with Session Replay appear in Chrome Store
https://www.ghacks.net/2018/02/05/malicious-chrome-extensions-with-session-replay-appear-in-chrome-store/
Another wave of spam add-ons hits Mozilla Firefox AMO
https://www.ghacks.net/2018/04/09/another-wave-of-spam-add-ons-hits-mozilla-firefox-amo/
Google’s bad track record of malicious Chrome extensions continues
https://www.ghacks.net/2018/05/11/googles-bad-track-record-of-malicious-chrome-extensions-continues/
It is time to get rid of Stylish
https://www.ghacks.net/2018/07/03/it-is-time-to-get-rid-of-stylish/
Microsoft Edge will support Chromium extensions
https://www.ghacks.net/2018/12/10/microsoft-edge-will-support-chromium-extensions/
Chrome Extension Manifest V3 could end uBlock Origin for Chrome
https://www.ghacks.net/2019/01/22/chrome-extension-manifest-v3-could-end-ublock-origin-for-chrome/
Firefox Recommended Extensions program announced
https://www.ghacks.net/2019/04/09/firefox-recommended-extensions-program-announced/
These Extensions are exclusive to the Chromium-based Microsoft Edge
https://www.ghacks.net/2019/04/12/these-extensions-are-exclusive-to-the-chromium-based-microsoft-edge/
Your Firefox extensions are all disabled? That’s a bug!
https://www.ghacks.net/2019/05/04/your-firefox-extensions-are-all-disabled-thats-a-bug/
A wave of malware add-ons hit the Mozilla Firefox Extensions Store
https://www.ghacks.net/2019/05/29/another-malware-wave-hit-the-mozilla-firefox-extensions-store/
Extensions are still collecting and selling your browsing data
https://www.ghacks.net/2019/07/19/extensions-are-still-collecting-and-selling-your-browsing-data/
Firefox Add-ons Warning: This extension isn’t monitored by Mozilla
https://www.ghacks.net/2019/09/06/firefox-add-ons-warning-this-extension-isnt-monitored-by-mozilla/
Mozilla bans all extensions that execute remote code
https://www.ghacks.net/2019/11/05/mozilla-bans-all-extensions-that-execute-remote-code/
Mozilla removes all Avast Firefox extensions
https://www.ghacks.net/2019/12/03/mozilla-removes-all-avast-firefox-extensions/
Microsoft removed malicious extensions from its Edge Extensions Store
https://www.ghacks.net/2020/05/16/microsoft-removed-malicious-extensions-from-its-edge-extensions-store/
Time to remove Nano Adblocker and Defender from your browsers (except Firefox)
https://www.ghacks.net/2020/10/16/time-to-remove-nano-adblocker-and-defender-from-your-browsers-except-firefox/
uBlock Origin for Chrome is still being maintained by the developer.
The last update I see is from 27 November 2020.
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
@Sol Shine,
Your perception is fundamentally wrong. The Chrome web store is just an excerpt of what’s convenient for Google (Inconvenient things are omitted), and the full overview is on the official support site:
https://github.com/gorhill/uBlock#ublock-origin
Due to the restrictions of the Chromium extension “API”, the Chromium version of UBO is spoiled.
Only Firefox can enable all the features available in UBO.
Raymond Hill, maker of the popular content blocker uBlock Origin, introduced support for CNAME-based blocking in the Firefox version one year ago. The developer was the first to introduce such functionality in a browser extension, but could do so only in Firefox as Mozilla’s browser was, and is, the only browser that supports DNS API capabilities that make such functionality possible in first place.
https://www.ghacks.net/2020/11/17/brave-browser-gets-cname-based-adblocking-support/
uBlock Origin for Firefox addresses new first-party tracking method
https://www.ghacks.net/2019/11/20/ublock-origin-for-firefox-addresses-new-first-party-tracking-method/
If you run uBlock Origin, use the Firefox version as it offers better protection
https://www.ghacks.net/2020/02/26/if-you-run-ublock-origin-use-the-firefox-version-as-it-offers-better-protection/
Official release page of “uBlock Origin”:
https://github.com/gorhill/uBlock/releases
Latest release: 1.31.0
Firefox: Click uBlock0_1.31.0.firefox.signed.xpi
uBO works best on Firefox.
Chromium: Install from the Chrome store (CWS): https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
For Chromium version 54 and older, it is necessary to enable “Experimental JavaScript” at chrome://flags/#enable-javascript-harmony.
Edge: Install from Microsoft Store: https://microsoftedge.microsoft.com/addons/detail/odfafepnkmbhccpbejgmiehpchacaeak
The Microsoft Store version of uBO is published by Nik Rolls
Opera: Install from Opera addons: https://addons.opera.com/en/extensions/details/ublock/
I’m not sure exactly what vetting I can do without coding knowledge. I used a number of trusted extensions on Firefox before it went to web extensions. Since they have stopped doing their own vetting, I stick to Ublock Origin on every browser, actually, and nothing else. It’s a miserable experience now with greatly reduced functionality for power users.
@Jozsef
Reading the reviews of the extension and some research would suffice. If the extension is open source, that’s also a plus (nothing to hide).
True. An extension with very few installs and no reviews is more likely to be fake.
> very few installs and no reviews is more likely to be fake.
That insight is too straightforward.
The reality is a complicated and mysterious matter.
This kind of rogue extension is for fraudulent profits, so target “popular ones with a large user base” for maximum effect. This is a “truism”, and the reality is clear in past cases.
https://www.ghacks.net/2020/11/23/be-careful-when-you-install-microsoft-edge-extensions-from-the-microsoft-store/#comment-4478571
Don’t trust the for-profit company Microsoft. This is because shareholders are prioritized over user interests, and from a cost-effectiveness perspective, “I don’t want to spend money on managing extensions.”
The same is true for Google, so we are pursuing “AI” dependence as a system that does not incur labor costs. If an incident occurs, Google will not adopt costly measures.
After all, reliable extensions will be limited to “AMO” or “download directly from GitHub”.
Sentence correction:
Wrong: Don’t trust the for-profit company Microsoft. This is because shareholders are prioritized over user interests, and from a cost-effectiveness perspective, “I don’t want to spend money on managing extensions.”
Correct: Don’t trust the for-profit company Microsoft. This is because shareholders are prioritized over user interests, and from a cost-effectiveness perspective, “Don’t want to spend money on managing extensions.”
Seems like most of the extensions would be the same whether installed from Google or MS since Chredge is Chromium with layers of MS junk added. Some Chrome extensions, maybe most, are so F’d up, basically complicated data mining web sites that remain active all the time, those who are extension happy will certainly have major problems.
Same as others, I have a few extensions installed, four or so, that only modify basic browser behavior locally vs. giving the browser online capabilities it doesn’t normally have. NewTabHomepage opens my home page on new tabs, for example.
Chredge? That was deleted before it installed during a recent upgrade from 1909 to 2009 with a stand alone offline updater MS provided. One experience I have no interest in experiencing. Let’s see how many more updates try to install that thing.
And currently I was really wondering and might add, afraid of VPN-like, proxy extensions. I use one for some sites I can enter from my country. Don’t know what else to do except pay for a legit VPN. Anyone knows at least a decent free proxy that doesn’t do shenanigans?
Try Tor browser.
If you can natively install from the Chrome store, why would you install from MS’s store?
Granted, Chrome’s store also has malware extensions every once in a while.
@Ray:
Some extensions are only available on the Edge Store, like HTTPZ and Don’t Touch My Tabs.
@ShintoPlasm – I just tried the HTTPZ port and it’s a little buggy I’m afraid.
@Ray
No idea why you’d want to bother with HTTPZ. Yes, HTTPS Everywhere is rule-based, however, its rulesets are so extensive that you should more or less be covered.
Trying to establish an HTTPS connection every single time, have it fail, then revert to HTTP is an approach that is detrimental for performance and is also prone to bugginess.
@Iron Heart – I don’t use HTTPZ I was just testing. I use Firefox with HTTPS-only mode.
@ShintoPlasm – Didn’t know HTTPZ was on the MS store. That’s a nice surprise! Are there any other standout extensions that are only on the Edge Store?
Because many users of Edge hate Google so they don’t want to use the Chrome store, and with the Edge store Microsoft can disable a rogue extension; with the Chrome store Microsoft can’t, and Google neither.
IMO,if they hate Google so much, they should switch to Firefox since Edge is based on Chromium which despite being open source, heavily owes its existence these days to Google.
@James Kirk
You do realize though how Mozilla funds itself, right? 90% Google money, Firefox owes its existence to Google. Also purely in terms of code, Mozilla is importing more and more Chromium code as of late as well. Not sure what you are on about here.
I wouldn’t switch to a browser that won’t exist anymore in 5 years, either, if Firefox’s past market share development is anything to go by.
I only get extensions from the Google web store.
Rogue extensions exist there as well.
It’s funny to see all these people against Microsoft out of habit, Microsoft don’t have more or less bad extension … but since they have less extensions for now obviously you have more chance to find a rogue one.
Personally, like @mothy has said, I have like 2 extensions from the Microsoft store (“Aelisya”, I have developed it myself, and “Ublock Origin”) so in fact it’s pretty safe.
Of course if you install 4 thousand extension without any check even on opera store or chrome store you will have a rogue one extension installed very fast.
It’s a shame Microsoft abandoned their web browser, for all its supposed warts and real privacy issues, it provided necessary competition for this very limited space, which is now essentially all Chromium/Blink, and a barely noticeable sprinkling of Safari/Webkit and some Firefox/Gecko.
Microsoft will have a perfect system that acts precisely how I need and does not steal my data by the time I test Edge
Is this a joke? Read the TOS of your M$ software honey, they love your data.
Edge extensions would have been a great way for Microsoft to stand out from Chrome, and claim superiority. They failed to do so. It seems odd that trillion dollar tech firms don’t even try to be as “perfect” as possible. Relying on algorithms to check for issues always overlooks new ones designed to get around the algorithms checks. People are smarter, can spot clever new redirect, but cost actual money. I’d hate to see Microsoft spend a million or two out of their many billions to improve the user experience.
They’re busy doing more important things such as developing curated experiences.
I bet the number of MS employees with regular customer contact and the ability to drive change is very, very small.
It is ‘perfect’ from a business perspective. Focus on the 80% of users, which takes 20% of the work. Ignore the 20% users like you and me.
Caveat emptor.
I vet extensions by not installing them in the first place unless I feel I just cannot live without them. 😊 Thus I only use 7 (all from the Google Store) and keep them updated weekly.
Could you please share what extensions you prefer?
Google Dictionary, Privacy Badger, uBlock Origin and Autoplay Stopper can see and change information.
Google Calendar, Humble New Tab Page, and Microsoft Defender Browser Protection cannot.
Now You: do you vet extensions before you install them?
I would but have yet to install any primarily for reasons stated in the article but also because I just haven’t found a need for them. As a general rule whether on computer or smartphone, I highly limit installed software of any kind in order to keep the system’s attack surface as small as possible. But also because I operate via the KISS principle, a design rule that states that systems perform best when they have simple designs rather than complex ones. It has worked well for a very long time now as my systems have never been compromised in any way or their performance negatively affected.
In other words, quality of MS Store, extension store and Windows UWP/WinUI apps continues to be beyond pathetic. Defeating the whole purpose of the store.
no Jeff, in other words, you didn’t get the idea quite, as in other words, danger of fake / misleading extensions exists either in MS edge store or in G store……
I’d say Jeff hit the nail on the head, one of the main, if not the main, reason companies give for setting up stores is so they can offer a curated list of safe extensions/software so users aren’t forced to download ‘untrusted’ extensions/software from random websites.
If they’re not going to curate what gets put in the store it defeats the entire purpose of it, that’s actually the reason why I try to avoid installing anything from the MS store, there’s more chance of installing a rogue program from there than most other sites.