Be careful when you install Microsoft Edge extensions from the Microsoft Store

Martin Brinkmann
Nov 23, 2020

Browser extensions can significantly extend the functionality of the web browser they are installed in, or of a site; this is true for all browsers that support extensions, and the new Chromium-based Microsoft Edge is no exception to the rule.

Microsoft operates its own extensions store as part of Microsoft Store, and things seemed to have taken a turn for the better with the switch to the Chromium base earlier this year.

Classic Microsoft Edge suffered from a lack of available extensions, and while Microsoft tried to explain the low number of extensions for the browser, it was clear that the browser could not compete with Google's or Mozilla's extension stores.

The switch to Chromium boosted the number of available extensions for Microsoft Edge, and the Store now hosts thousands of extensions for the browser. Edge users may also install Chrome extensions.

The increase seems to have brought along with it the issues that the other popular extension stores face from time to time. Microsoft had to remove malicious extensions from its Edge extensions store in May, and it appears that the company had to remove additional extensions this month.


Sites like Techdows published articles on the removal. According to the information, users of Edge opened support requests when they started to notice that searches were redirected when they used the Microsoft Edge browser.

It turned out that rogue extensions were responsible for that. All of these extensions were hosted on the official Microsoft Store; they used names of popular services and programs, e.g. NordVPN, Adguard VPN or The Great Suspender to lure users into installing the extensions.

Microsoft pulled the fake extensions from its web store and users who installed these in Edge will have them disabled on the next start of the browser automatically.

Raymond Hill, maker of the popular content blocker uBlock Origin, discovered another fake extension in the store that was based on an earlier version of uBlock Origin and manipulated pages to inject content on websites the user visited.

The two incidents suggest that users need to be very careful when installing extensions from the Microsoft Edge extensions store as Microsoft's protections are as weak as Google's protections on the Chrome Web Store.

In other words: there is always the chance that an extension is malicious in nature because of an insufficient vetting process. This leads to the following question: what can you do to protect yourself?

One of the best options is to analyze the code of the extension, but that is hardly something that all Edge users can do. Reviews and ratings help only so much, as they can be faked and sometimes may not be available. You could look for reviews on trusted sites, or make sure that the company that supposedly created the extension has indeed created it by verifying that on the company site.
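As an added example (not from the original article or from any browser vendor): a first pass at analyzing an extension's code is reading its manifest.json, which declares host access, content scripts and settings overrides such as the search provider. The rule set, function names and both sample manifests are constructed for illustration; broad access is normal for a content blocker, so the comparison reports only what a lookalike requests beyond the genuine manifest.

```javascript
// Added example; the rules and both sample manifests are constructed.

// Match patterns that grant access to every site.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// API permissions that deserve a justification, with the reason.
const SENSITIVE_APIS = new Map([
  ['webRequest', 'can observe network requests'],
  ['webRequestBlocking', 'can modify or redirect requests (Manifest V2)'],
  ['declarativeNetRequest', 'can block or redirect requests by rule'],
  ['proxy', 'can route traffic through a proxy'],
  ['cookies', 'can read and write cookies'],
  ['history', 'can read browsing history'],
  ['management', 'can manage other extensions'],
]);

function auditManifest(manifest) {
  const findings = [];
  const add = (severity, rule, detail) => findings.push({ severity, rule, detail });

  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (ALL_SITES.has(p)) add('high', 'all-sites-host-access', p);
    else if (SENSITIVE_APIS.has(p)) add('medium', 'sensitive-api', `${p}: ${SENSITIVE_APIS.get(p)}`);
  }

  // Content scripts matched against every site can rewrite any page the user visits.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => ALL_SITES.has(m));
    if (broad.length === 0) continue;
    const files = (cs.js || []).join(', ') || '(no js)';
    add('high', 'content-script-all-sites', `${files} on ${broad.join(', ')}`);
  }

  // Settings overrides change the search engine, homepage or startup pages.
  const overrides = manifest.chrome_settings_overrides || {};
  if (overrides.search_provider) {
    add('high', 'search-provider-override', overrides.search_provider.search_url || '(no search_url)');
  }
  if (overrides.homepage) add('medium', 'homepage-override', overrides.homepage);
  if (overrides.startup_pages) add('medium', 'startup-pages-override', [].concat(overrides.startup_pages).join(', '));
  return findings;
}

// Findings present in a candidate but absent from the genuine publisher's manifest.
function extraFindings(genuine, candidate) {
  const known = new Set(auditManifest(genuine).map((f) => `${f.rule}|${f.detail}`));
  return auditManifest(candidate).filter((f) => !known.has(`${f.rule}|${f.detail}`));
}

// Constructed sample: a content blocker that legitimately needs broad access.
const genuineBlocker = {
  manifest_version: 2,
  name: 'Example Blocker',
  permissions: ['webRequest', 'webRequestBlocking', 'storage', '<all_urls>'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['contentscript.js'] }],
};

// Constructed sample: a lookalike that adds a search override and a second script.
const lookalike = {
  ...genuineBlocker,
  content_scripts: [
    ...genuineBlocker.content_scripts,
    { matches: ['<all_urls>'], js: ['inject.js'], all_frames: true },
  ],
  chrome_settings_overrides: {
    search_provider: { name: 'Search', search_url: 'https://search.example/?q={searchTerms}' },
  },
};

for (const f of extraFindings(genuineBlocker, lookalike)) {
  console.log(`[${f.severity}] ${f.rule}: ${f.detail}`);
}
```

The findings are prompts for review, not verdicts: each one should be explainable by what the extension claims to do.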

Now You: do you vet extensions before you install them?


Comments

  1. Triaj Modium said on November 26, 2020 at 9:10 am
    Reply

    I do not tell people what browsers to use, but I use Firefox.

    On the addons pages, there are some “Recommended” — these have vetting from Mozilla.

    If not “Recommended”, it says it has not been thoroughly tested, caveat emptor. I look around web sites and read, and maybe look at the code too.

    I use NoScript, UBO, HTTP Everywhere (maybe not needed with newest Firefox), and some other minor extensions.

    So far I think Firefox Addons “store” is probably best, Firefox does better job at respecting privacy than other browsers.

    1. Iron Heart said on November 26, 2020 at 12:19 pm
      Reply

      @Tiraj Modium

      Some of the “Recommended” extensions are also being promoted because the developers pay Mozilla. This is the case with the “Honey” extension (problematic from a privacy perspective), for example. Yes, the code is being checked, but as far as I understand it they only check for outright malware, not for spying functionality you might have agreed to in some privacy policy (in which case it would be legal though unethical).

      Anyway, if you are into privacy extensions also check out Cookie AutoDelete, ClearURLs, LocalCDN, all of them are must haves as far as I’m concerned.

      > Firefox does better job at respecting privacy than other browsers.

      Firefox is worse than e.g. Brave by default:

      https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf

      It can be modified to be privacy-respecting with about:config (and you need to stay ahead of Mozilla, since they are frequently adding new anti-features), but by default it is not that much better than Chrome. Pale Moon, Waterfox, some Chromium variants like Vivaldi, Ungoogled Chromium, Bromite are also better than Firefox by default. Needless to say, same goes for the Tor browser.

  2. owl said on November 25, 2020 at 12:12 pm
    Reply

    The “Chromium” version of UBO (unlike the Firefox version) is a “half-finished specification” whose functions are restricted (limited).
    The developer of UBO (Raymond Hill) discovered that “UBO”, which can be added from Microsoft’s official extension download site, has been replaced with a tampered “illegal product”, tweeted the findings two weeks ago, and reported the “illegal” to Microsoft on the same day.
    No progress has been made after two weeks, and fraudulent products remain available.
    If you install the malicious product, the “iframe” will be inserted in the “div dot show / alink” of every page accessed by the user.
    https://twitter.com/gorhill/status/1329831114119254026

    For the “Chromium” version of UBO, Raymond Hill declared “development support discontinuation” a year ago.

    The official view was that Microsoft switched to the “Chromium” base because “the extensions that could be added to Microsoft browsers were too poor (both quality and quantity) to compete with Google and Mozilla.”

    The frequent storm of “illegal goods” on the “Chrome Web Store” has spread to “extensions for Microsoft Edge,” Microsoft’s sloppiness is revealed (insufficient review process and lack of crisis management skills).

    Google does not “manually” check extension reviews and relies on AI (artificial intelligence).
    At AMO (addons.mozilla.org), AI dependence has been discontinued and a dedicated person has changed to a method of manual and thorough inspection, and since then, fraudulent products have been eradicated.

    Related information:
    The Chrome Web Store and AMO (addons.mozilla.org) had serious incidents such as tricks to embed malicious code in browser extension updates.

    Chrome extension CopyFish hijacked: remove now!
    https://www.ghacks.net/2017/07/31/chrome-extension-copyfish-hijacked-remove-now/
    Google pulls Chrome Web Developer extension over ad-injecting
    https://www.ghacks.net/2017/08/02/google-pulls-chrome-web-developer-extension-over-ad-injecting/
    First Chrome extension with JavaScript Crypto Miner detected
    https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/
    Steam Inventory Helper monitors your browsing activity
    https://www.ghacks.net/2017/09/19/steam-inventory-helper-monitors-your-browsing-activity/
    Chrome has a massive copycat extensions problem
    https://www.ghacks.net/2017/10/11/chrome-has-a-massive-copycat-extensions-problem/
    Chrome Extension Uses Your Gmail to Register Domains Names & Injects Coinhive
    https://www.bleepingcomputer.com/news/security/chrome-extension-uses-your-gmail-to-register-domains-names-and-injects-coinhive/
    Another Chrome extension horror story: coinhive and domain registration
    https://www.ghacks.net/2017/10/15/another-chrome-extension-horror-story-coinhive-and-domain-registration/
    Mozilla’s AMO Extensions store has a spam infestation problem
    https://www.ghacks.net/2017/12/13/mozillas-extensions-store-has-a-spam-infestation/
    Malicious Chrome extensions with Session Replay appear in Chrome Store
    https://www.ghacks.net/2018/02/05/malicious-chrome-extensions-with-session-replay-appear-in-chrome-store/
    Another wave of spam add-ons hits Mozilla Firefox AMO
    https://www.ghacks.net/2018/04/09/another-wave-of-spam-add-ons-hits-mozilla-firefox-amo/
    Google’s bad track record of malicious Chrome extensions continues
    https://www.ghacks.net/2018/05/11/googles-bad-track-record-of-malicious-chrome-extensions-continues/
    It is time to get rid of Stylish
    https://www.ghacks.net/2018/07/03/it-is-time-to-get-rid-of-stylish/
    Microsoft Edge will support Chromium extensions
    https://www.ghacks.net/2018/12/10/microsoft-edge-will-support-chromium-extensions/
    Chrome Extension Manifest V3 could end uBlock Origin for Chrome
    https://www.ghacks.net/2019/01/22/chrome-extension-manifest-v3-could-end-ublock-origin-for-chrome/
    Firefox Recommended Extensions program announced
    https://www.ghacks.net/2019/04/09/firefox-recommended-extensions-program-announced/
    These Extensions are exclusive to the Chromium-based Microsoft Edge
    https://www.ghacks.net/2019/04/12/these-extensions-are-exclusive-to-the-chromium-based-microsoft-edge/
    Your Firefox extensions are all disabled? That’s a bug!
    https://www.ghacks.net/2019/05/04/your-firefox-extensions-are-all-disabled-thats-a-bug/
    A wave of malware add-ons hit the Mozilla Firefox Extensions Store
    https://www.ghacks.net/2019/05/29/another-malware-wave-hit-the-mozilla-firefox-extensions-store/
    Extensions are still collecting and selling your browsing data
    https://www.ghacks.net/2019/07/19/extensions-are-still-collecting-and-selling-your-browsing-data/
    Firefox Add-ons Warning: This extension isn’t monitored by Mozilla
    https://www.ghacks.net/2019/09/06/firefox-add-ons-warning-this-extension-isnt-monitored-by-mozilla/
    Mozilla bans all extensions that execute remote code
    https://www.ghacks.net/2019/11/05/mozilla-bans-all-extensions-that-execute-remote-code/
    Mozilla removes all Avast Firefox extensions
    https://www.ghacks.net/2019/12/03/mozilla-removes-all-avast-firefox-extensions/
    Microsoft removed malicious extensions from its Edge Extensions Store
    https://www.ghacks.net/2020/05/16/microsoft-removed-malicious-extensions-from-its-edge-extensions-store/
    Time to remove Nano Adblocker and Defender from your browsers (except Firefox)
    https://www.ghacks.net/2020/10/16/time-to-remove-nano-adblocker-and-defender-from-your-browsers-except-firefox/

    1. Sol Shine said on December 2, 2020 at 2:38 pm
      Reply

      uBlock Origin for Chrome is still being maintained by the developer.
      The last update I see is from 27 November 2020.
      https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm

      1. owl said on December 3, 2020 at 1:35 am
        Reply

        @Sol Shine,

        Your perception is fundamentally wrong. The Chrome web store is just an excerpt of what’s convenient for Google (Inconvenient things are omitted), and the full overview is on the official support site:
        https://github.com/gorhill/uBlock#ublock-origin
        Due to the restrictions of the Chromium extension “API”, the Chromium version of UBO is spoiled.
        Only Firefox can enable all the features available in UBO.

        Raymond Hill, maker of the popular content blocker uBlock Origin, introduced support for CNAME-based blocking in the Firefox version one year ago. The developer was the first to introduce such functionality in a browser extension, but could do so only in Firefox as Mozilla’s browser was, and is, the only browser that supports DNS API capabilities that make such functionality possible in first place.
        https://www.ghacks.net/2020/11/17/brave-browser-gets-cname-based-adblocking-support/
        uBlock Origin for Firefox addresses new first-party tracking method
        https://www.ghacks.net/2019/11/20/ublock-origin-for-firefox-addresses-new-first-party-tracking-method/
        If you run uBlock Origin, use the Firefox version as it offers better protection
        https://www.ghacks.net/2020/02/26/if-you-run-ublock-origin-use-the-firefox-version-as-it-offers-better-protection/

        Official release page of “uBlock Origin”:
        https://github.com/gorhill/uBlock/releases
        Latest release: 1.31.0
        Firefox: Click uBlock0_1.31.0.firefox.signed.xpi
        uBO works best on Firefox.
        Chromium: Install from the Chrome store (CWS): https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
        For Chromium version 54 and older, it is necessary to enable “Experimental JavaScript” at chrome://flags/#enable-javascript-harmony.
        Edge: Install from Microsoft Store: https://microsoftedge.microsoft.com/addons/detail/odfafepnkmbhccpbejgmiehpchacaeak
        The Microsoft Store version of uBO is published by Nik Rolls
        Opera: Install from Opera addons: https://addons.opera.com/en/extensions/details/ublock/

  3. Jozsef said on November 24, 2020 at 7:31 pm
    Reply

    I’m not sure exactly what vetting I can do without coding knowledge. I used a number of trusted extensions on Firefox before it went to web extensions. Since they have stopped doing their own vetting, I stick to Ublock Origin on every browser, actually, and nothing else. It’s a miserable experience now with greatly reduced functionality for power users.

    1. Iron Heart said on November 25, 2020 at 9:41 am
      Reply

      @Jozsef

      Reading the reviews of the extension and some research would suffice. If the extension is open source, that’s also a plus (nothing to hide).

      1. James Kirk said on November 25, 2020 at 10:29 am
        Reply

        True. An extension with very few installs and no reviews is more likely to be fake.

      2. owl said on November 26, 2020 at 10:05 am
        Reply

        > very few installs and no reviews is more likely to be fake.

        That insight is too straightforward.
        The reality is a complicated and mysterious matter.
        This kind of rogue extension is for fraudulent profits, so target “popular ones with a large user base” for maximum effect. This is a “truism”, and the reality is clear in past cases.
        https://www.ghacks.net/2020/11/23/be-careful-when-you-install-microsoft-edge-extensions-from-the-microsoft-store/#comment-4478571

        Don’t trust the for-profit company Microsoft. This is because shareholders are prioritized over user interests, and from a cost-effectiveness perspective, “I don’t want to spend money on managing extensions.”
        The same is true for Google, so we are pursuing “AI” dependence as a system that does not incur labor costs. If an incident occurs, Google will not adopt costly measures.

        After all, reliable extensions will be limited to “AMO” or “download directly from GitHub”.

      3. owl said on November 26, 2020 at 10:51 am
        Reply

        Sentence correction:
        Wrong: Don’t trust the for-profit company Microsoft. This is because shareholders are prioritized over user interests, and from a cost-effectiveness perspective, “I don’t want to spend money on managing extensions.”
        Correct: Don’t trust the for-profit company Microsoft. This is because shareholders are prioritized over user interests, and from a cost-effectiveness perspective, “Don’t want to spend money on managing extensions.”

  4. ULBoom said on November 24, 2020 at 2:52 pm
    Reply

    Seems like most of the extensions would be the same whether installed from Google or MS since Chredge is Chromium with layers of MS junk added. Some Chrome extensions, maybe most, are so F’d up, basically complicated data mining web sites that remain active all the time, those who are extension happy will certainly have major problems.

    Same as others, I have a few extensions installed, four or so, that only modify basic browser behavior locally vs. giving the browser online capabilities it doesn’t normally have. NewTabHomepage opens my home page on new tabs, for example.

    Chredge? That was deleted before it installed during a recent upgrade from 1909 to 2009 with a stand alone offline updater MS provided. One experience I have no interest in experiencing. Let’s see how many more updates try to install that thing.

  5. Nikolaos Mark said on November 24, 2020 at 1:23 pm
    Reply

    And currently I was really wondering and might add, afraid of VPN-like, proxy extensions. I use one for some sites I can enter from my country. Don’t know what else to do except pay for a legit VPN. Anyone knows at least a decent free proxy that doesn’t do shenanigans?

    1. James Kirk said on November 25, 2020 at 10:28 am
      Reply

      Try Tor browser.

  6. Ray said on November 24, 2020 at 3:33 am
    Reply

    If you can natively install from the Chrome store, why would you install from MS’s store?

    Granted, Chrome’s store also has malware extensions every once in a while.

    1. ShintoPlasm said on November 24, 2020 at 11:14 am
      Reply

      @Ray:

      Some extensions are only available on the Edge Store, like HTTPZ and Don’t Touch My Tabs.

      1. Ray said on November 25, 2020 at 2:13 am
        Reply

        @ShintoPlasm – I just tried the HTTPZ port and it’s a little buggy I’m afraid.

      2. Iron Heart said on November 25, 2020 at 9:44 am
        Reply

        @Ray

        No idea why you’d want to bother with HTTPZ. Yes, HTTPS Everywhere is rule-based, however, its rulesets are so extensive that you should more or less be covered.

        Trying to establish an HTTPS connection every single time, have it fail, then revert to HTTP is an approach that is detrimental for performance and is also prone to bugginess.

      3. Ray said on November 25, 2020 at 8:45 pm
        Reply

        @Iron Heart – I don’t use HTTPZ I was just testing. I use Firefox with HTTPS-only mode.

      4. Ray said on November 25, 2020 at 2:04 am
        Reply

        @ShintoPlasm – Didn’t know HTTPZ was on the MS store. That’s a nice surprise! Are there any other standout extensions that are only on the Edge Store?

    2. Aelisya said on November 24, 2020 at 6:36 am
      Reply

      Because many users of Edge hate Google, so they don’t want to use the Chrome store, and with the Edge store Microsoft can disable a rogue extension; with the Chrome store Microsoft can’t, and Google neither.

      1. James Kirk said on November 25, 2020 at 10:26 am
        Reply

        IMO, if they hate Google so much, they should switch to Firefox since Edge is based on Chromium which despite being open source, heavily owes its existence these days to Google.

      2. Techniker said on November 26, 2020 at 10:41 pm
        Reply

        @James Kirk

        You do realize though how Mozilla funds itself, right? 90% Google money, Firefox owes its existence to Google. Also purely in terms of code, Mozilla is importing more and more Chromium code as of late as well. Not sure what you are on about here.

        I wouldn’t switch to a browser that won’t exist anymore in 5 years, either, if Firefox’s past market share development is anything to go by.

  7. Greg said on November 24, 2020 at 1:17 am
    Reply

    I only get extensions from Google web store

    1. James Kirk said on November 25, 2020 at 10:24 am
      Reply

      Rogue extensions exist there as well.

  8. Aelisya said on November 23, 2020 at 9:39 pm
    Reply

    It’s funny to see all these people against Microsoft out of habit. Microsoft doesn’t have more or less bad extensions … but since they have fewer extensions for now obviously you have more chance to find a rogue one.

    Personally, like @mothy has said, I have like 2 extensions from the Microsoft store (“Aelisya”, I have developed it myself, and “Ublock Origin”) so in fact it’s pretty safe.

    Of course if you install 4 thousand extensions without any check, even on the Opera store or Chrome store, you will have a rogue extension installed very fast.

  9. Lancelot said on November 23, 2020 at 9:17 pm
    Reply

    It’s a shame Microsoft abandoned their web browser, for all its supposed warts and real privacy issues, it provided necessary competition for this very limited space, which is now essentially all Chromium/Blink, and a barely noticeable sprinkling of Safari/Webkit and some Firefox/Gecko.

  10. Anonymous said on November 23, 2020 at 8:39 pm
    Reply

    Microsoft will have a perfect system that acts precisely how I need and does not steal my data by the time I test Edge

    1. Valro said on November 24, 2020 at 2:53 am
      Reply

      Is this a joke? Read the TOS of your M$ software honey, they love your data.

  11. DVDRambo said on November 23, 2020 at 7:22 pm
    Reply

    Edge extensions would have been a great way for Microsoft to stand out from Chrome, and claim superiority. They failed to do so. It seems odd that trillion dollar tech firms don’t even try to be as “perfect” as possible. Relying on algorithms to check for issues always overlooks new ones designed to get around the algorithms’ checks. People are smarter, can spot clever new redirects, but cost actual money. I’d hate to see Microsoft spend a million or two out of their many billions to improve the user experience.

    1. ULBoom said on November 24, 2020 at 2:34 pm
      Reply

      They’re busy doing more important things such as developing curated experiences.

      I bet the number of MS employees with regular customer contact and the ability to drive change is very, very small.

    2. Anonymous said on November 23, 2020 at 9:48 pm
      Reply

      It is ‘perfect’ from a business perspective. Focus on the 80% of users, which takes 20% of the work. Ignore the 20% users like you and me.

  12. Dave said on November 23, 2020 at 5:52 pm
    Reply

    Caveat emptor.

  13. chesscanoe said on November 23, 2020 at 5:43 pm
    Reply

    I vet extensions by not installing them in the first place unless I feel I just cannot live without them. 😊 Thus I only use 7 (all from the Google Store) and keep them updated weekly.

    1. James Kirk said on November 25, 2020 at 10:23 am
      Reply

      Could you please share what extensions you prefer?

      1. chesscanoe said on November 25, 2020 at 7:14 pm
        Reply

        Google Dictionary, Privacy Badger, uBlock Origin and Autoplay Stopper can see and change information.
        Google Calendar, Humble New Tab Page, and Microsoft Defender Browser Protection cannot.

  14. Mothy said on November 23, 2020 at 5:30 pm
    Reply

    Now You: do you vet extensions before you install them?

    I would but have yet to install any primarily for reasons stated in the article but also because I just haven’t found a need for them. As a general rule whether on computer or smartphone, I highly limit installed software of any kind in order to keep the system’s attack surface as small as possible. But also because I operate via the KISS principle, a design rule that states that systems perform best when they have simple designs rather than complex ones. It has worked well for a very long time now as my systems have never been compromised in any way or their performance negatively affected.

  15. Jeff said on November 23, 2020 at 3:56 pm
    Reply

    In other words, quality of MS Store, extension store and Windows UWP/WinUI apps continues to be beyond pathetic. Defeating the whole purpose of the store.

    1. dolly buster said on November 24, 2020 at 10:33 am
      Reply

      no Jeff, in other words, you didn’t get the idea quite, as in other words, danger of fake / misleading extensions exists either in MS edge store or in G store……

      1. Corky said on November 25, 2020 at 6:00 pm
        Reply

        I’d say Jeff hit the nail on the head, one of the main, if not the main, reason companies give for setting up stores is so they can offer a curated list of safe extensions/software so users aren’t forced to download ‘untrusted’ extensions/software from random websites.

        If they’re not going to curate what gets put in the store it defeats the entire purpose of it, that’s actually the reason why I try to avoid installing anything from the MS store, there’s more chance of installing a rogue program from there than most other sites.
