Microsoft has a fake extensions problem in its Microsoft Edge Store
Microsoft has a serious problem with fake extensions for its Microsoft Edge web browser that are hosted on the company's own store for the web browser.
After the removal of several fake extensions last week, Microsoft once again had to remove a fake extension. Last week, it became known that several fake extensions were removed by Microsoft that were made to look like extensions from legitimate services. Affected products were the content blocker uBlock Origin, the VPN services NordVPN, Adguard VPN and TunnelBear VPN, and other legitimate browser extensions.
Many companies and developers have not created extensions for Microsoft Edge or ported existing extensions to the Microsoft Store. The fake extensions were created and uploaded by third-parties; all used the names of popular products, likely to get users of Microsoft Edge to install these extensions without much inspection beforehand. The extensions would redirect searches through OKSearch when installed in the web browser.
The makers of Windscribe, a popular free and paid VPN providers, revealed yesterday that they have been a target as well. A fake Windscribe extension was uploaded to the Microsoft Store, and like all the others, accepted by Microsoft.
That was not our extensions, because MS review process is useless. Someone uploaded a modified version of the extension, and MS just approved it. We looked at it, it didn't seem to contain any actual malware at first glance, however we encourage you to change your Windscribe password.
Microsoft did flag the fake extension as malicious in the meantime. The extension is no longer available as a consequence, and users who have it installed should see it being disabled automatically in the browser. The real Windscribe extension that is created by the makers of the service is still in Microsoft's review queue. Affected users should consider changing passwords to the service, and maybe also to other services that they signed-in while using the extension.
Microsoft's review process did not catch the fake extensions that were released to the store in the past two weeks. It is not the first time that malicious extensions were made available in the store. If Microsoft does not change the review process, it is likely that it won't be the last time that users will install fake extensions from the official Edge extensions store.
It is recommended that users check with the maker of the product to see if a browser extension for Microsoft Edge is available before installing any extension from the Microsoft Store.
Now You: Did you install any of these extensions? What needs to change in your opinion to block fake extensions outright? (via Deskmodder)
I would think that the easiest change for Microsoft to implement would to simply have developers confirm that the application is in fact genuine before uploading it to the store.. Microsoft would still have to verify that the developer was a legitimate entity, but that would certainly be a lot easier than having to assess every extension themselves. This procedure would presumably catch most outright counterfeit extensions, but of course users would still be vulnerable to seemingly legitimate developers who choose to mislead users about their privacy policies.
In my case, it is not an issue as I have a local account and would never consider using the Microsoft store for anything, and have not the slightest interest in Edge.
I would think that the easiest change for Microsoft to implement would to simply have developers confirm that the application is in fact genuine before uploading it to the store.. Microsoft would still have to verify that the developer was a legitimate entity, but that would certainly be a lot easier than having to assess every extension themselves.
Your view does not understand these cases correctly.
For example, the popular content blocker uBlock Origin discontinued support for Chromium a year ago (only “Firefox” is officially supported).
That is, such an unofficial version of the extension is not responsible for any incidents that occur in Chromium.
Absolutely, parties to the case (responsibility) is the Chrome Web Store (or Extension for Microsoft Edge), which is a flaw in the “review process and crisis management skills.”
Google does not â€œmanuallyâ€ check extension reviews and relies on AI (artificial intelligence).
At AMO (addons.mozilla.org), AI dependence has been discontinued and a dedicated person has changed to a method of manual and thorough inspection, and since then, fraudulent products have been eradicated.
Donâ€™t trust the for-profit company Microsoft. This is because shareholders are prioritized over user interests, and from a cost-effectiveness perspective, â€œI donâ€™t want to spend money on managing extensions.â€
The same is true for Google, so we are pursuing â€œAIâ€ dependence as a system that does not incur labor costs. If an incident occurs, Google will not adopt costly measures.
After all, reliable extensions will be limited to â€œAMOâ€ or â€œdownload directly from GitHubâ€.
Now You: Did you install any of these extensions? What needs to change in your opinion to block fake extensions outright?ï¼š
Do not use Microsoft’s browser (Edge), which is an insufficient review process and lack of crisis management skills.
As advice: Demerits of capitalism
Create a greedy capitalist society, turn it into a monster, dominate and conquer the market, and runaway (out of control).
Its greed is “endless.”
The “Antitrust Law” has been enacted to stop this…..
However, the greatest control is “the user’s efforts to avoid products that lead to monopoly.”
Offered by: Raymond Hill (gorhill)”
“November 27, 2020”
So, the official version is still in the Chrome store and updated- for now.
Mr. Hill has, however, said that if and when Chrome makes Manifest v3 it’s only supported extension format, if the version at that time still doesn’t allow him to do UBO the way he feels it should be done, he will stop updating his extension in the Chrome store. It sounds like he would continue it for Firefox (and Firefox-extension compatible browsers) and *perhaps* offer a version for Chromium-compatible browsers that continue to support access to the APIs he needs in a standard way (Some of the Chromium-based spin-offs may want to consider working together to come up with a single next-gen standard- or just keep offering Manifest v2 in addition to Manifest v3, though that may be hard to pull off in the long run as Google makes it harder and harder to do that with potential coding changes that will make it hard to both merge in the new Chromium updates they want regularly and easily without merging in changes that make it hard to do anything that isn’t Ext v3.).
If you’re wondering why I phrased the part of about him planning to “stop updating” his extension for Chrome under certain circumstances a little oddly, it’s because I asked him months ago in an online fora somewhere or other if he would remove the extension from the Chrome webstore when/if this stuff unfolds. He said he would not, but that he would stop updating it if Google made it impossible for it to work to his standards. His attitude seemed to be that he didn’t want to pull it away from existing users, but if Google breaks it, it breaks it, and he’s not going to “fix” it so that it’s a shadow of it’s former self. I personally feel like the proper thing to do under those circumstances would be to actually remove it from the store, but it’s his extension- and at least we as GHacks readers are almost certain to find out if it stops getting updates for a given platform.
Mozilla is starting to use weasel words again on whether Firefox will continue support for extension access to key APIs indefinitely. They seem to committed to going forward with it beyond what Chrome is going to do, or at least recognizing the key code command that Chrome’s v3 standards won’t in their implementation of v3 or a psuedo-v3, but whether the same will hold true 6 months later, 12 months later, or 2 years later is anyone’s guess.
It would be a good idea for developers who care about this issue to start getting on board with forks of Firefox like Iceraven for Android so they can get involved and keep that browser and perhaps others alive to put pressure not just for their own good (Though many people love Iceraven and it does an need an influx of developers to guarantee more regular updates), but also to implicitly put pressure on Mozilla not not to cave (i.e. “Your users have a choice. Are you sure you want to push them to us by making that decision?”. That works much better if there actually is an “us”. ;) ) and to be there to attempt to keep support for UBO in the fork beyond the potential end of Firefox support for it (Iceraven currently supports UBO and it’s mission is to offer as many user options, as much customization, and as much expandability as possible, along with as much direct user access to information about their browser, the pages it is visiting, and how they are interacting, within the constraints it faces as a close fork with a limited number of maintainers. So something that is in total accord with Iceraven’s mission, but the question is whether they will have enough skilled people to pull it off and keep pulling it off.).. Right now, Iceraven is down to one very part-time developer from three very part time developers. The remaining gentleman (interfect on Github) has called for more developers openly, so if anyone wants to volunteer, I’m sure they’d be welcome. He specifically wants people for CI testing, but being as that it is now down to a one man shop, I am sure there are other things people could do if that’s beyond their abilities.
I’ve tried IceRaven on mobile. It offers support for more extensions than Firefox mobile currently. How has your experience been with IceRaven?
uBlock Origin is the only property trusted adblocker(for eg, Nano Defender was quite popular last year but it has been sold to a shady company recently) and if its Chromium version is stopped in the future, I assume it will atleast make some users look towards Firefox.
Nope, the only extension i use is the one i have developed and uploaded myself “Aelisya”.
For Ads-block “Adguard for Windows” and “Adguard home” do the tricks.
Could you err, link the extension? And why bother building your own; isn’t it quite resource and time intensive to build and maintain a custom adblocker from the ground up?
What needs to happen is education.
The majority of people are totally ignorant of how the internet even works on top of how thier own hardware and software work or how to keep it secure.
Example: I’ve got two kids using online school right now. Both have a google account created by the school district. Not a school only account, a full blown google account that can be logged into from anywhere and used for all of googles services and anything else you can ‘log in with google’ with.
They use thier real first initial and real last name with thier student id number appended to it for a username and that same student ID, the one clearly visible in thier public username, for a password.
Please say that the students are allowed to change their password?
The school did that. I’m sure that’s obvious but what is often missed is schools, teachers, etc., aren’t any more knowledgeable overall about the online world than the average user.
Plus, the chromebooks they buy, lease, whatever, basically suck. Compared to a middling windows laptop, they’re slow, have dreadful displays and are loaded (surprise!) with ads to the point where browsing is almost impossible. At least the ads can be stopped on a laptop.
In the second year of distance learning, I’d love to get laptops working for school so the chromebooks can be closed permanently but even our kids are realizing they don’t want google even closer to them than now.
If google makes it, it’s an ad server.
The ublock origin for the original edge was ok, but was an old version. (Nik Rolls build) Over the past year, the extension for the new edge seemed ok, with the only difference being the different author listed. (Nik Rolls also). I have not used any extensions from there over the last couple months.
You can install the official uBlock Origin (Raymond Hill) from the Chrome Web Store in the new Edge. You just have to allow the installation of extensions from other sources / stores in Edge’s settings.
Avoid Edge. Part of the MS spyware conglomerate.
Anytime these corps begin aggressively pushing products like edge browser, they will be erased from my systems immediately. Or blocked, I’m using “Edge Blocker” from Sordum until I find a way to safely delete edge permanently. https://www.sordum.org/9312/edge-blocker-v1-6/
Ungoogled Chromium for now, am trying out Vivaldi Snapshot. But UC is good at present until manifest V3.
> But UC is good at present until manifest V3.
UC likely won’t have a fix for those. Brave (desktop / mobile) or Bromite (mobile) are the answer to this. Their native adblockers are not extensions and won’t be affected.
I just had the Adobe Acrobat show me a “This extension contains malware.” message. It links to here – https://microsoftedge.microsoft.com/addons/detail/npmdiogjnjmbfjgnmnjnmijikcmdmfjd which is now down.
But as far as I know this was installed when I installed the official Adobe Acrobat, I never installed this from the Microsoft Extension store. Weird.
If after 5 years they can’t get rid of the trashy and fake apps from their Store, you should not expect they will treat extensions any differently. They just want to show the world a figure – hey look at us – our platform has so many apps, our browser has so many extensions – quantity over quality. They hope that will kick off their sucky platform.
uBlock Origin for Chrome is still being maintained by the developer, so support did not end last year.
The last update is from 27 november 2020.
Your perception is fundamentally wrong. The Chrome web store is just an excerpt of what’s convenient for Google (Inconvenient things are omitted), and the full overview is on the official support site:
Due to the restrictions of the Chromium extension “API”, the Chromium version of UBO is spoiled.
Only Firefox can enable all the features available in UBO.
Raymond Hill, maker of the popular content blocker uBlock Origin, introduced support for CNAME-based blocking in the Firefox version one year ago. The developer was the first to introduce such functionality in a browser extension, but could do so only in Firefox as Mozilla’s browser was, and is, the only browser that supports DNS API capabilities that make such functionality possible in first place.
uBlock Origin for Firefox addresses new first-party tracking method
If you run uBlock Origin, use the Firefox version as it offers better protection
Official release page of “uBlock Origin”:
Latest release: 1.31.0
Firefox: Click uBlock0_1.31.0.firefox.signed.xpi
uBO works best on Firefox.
Chromium: Install from the Chrome store (CWS): https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
Edge: Install from Microsoft Store: https://microsoftedge.microsoft.com/addons/detail/odfafepnkmbhccpbejgmiehpchacaeak
The Microsoft Store version of uBO is published by Nik Rolls
Opera: Install from Opera addons: https://addons.opera.com/en/extensions/details/ublock/
I am aware that uBlock Origin has less blocking functionality on Chrome and works better on Firefox. That is why I use Firefox as my main browser.
But the fact I was pointing out is that Raymond Hill is still maintaining UBO on Chrome, even if it has become less functional compared to Firefox. So your statement that development of UBO for Chrome ended a year ago is (for now) not correct.
Sadly Raymond stopped maintaining uMatrix, instead of giving it the same blocking lists like UBO and then dropping UBO. The interface and blocking options of uMatrix are much better than those of UBO.
So maybe he will at some point stop maintaining UBO on Chrome, when Google makes it too hard to block ads. Then you can say that UBO is no longer supprted on Chrome.
uBlock Origin can do CNAME uncloaking on Firefox while it can’t do that on Chrome. CNAME cloaking is an irrelevant form of tracking, though. You’d be hard-pressed to encounter it in real life. I use Brave and Brave’s internal adblocker can do CNAME uncloaking (it’s not an extension, therefore not under extension limitations) – I still don’t see the point.
I know you prefer Brave over Firefox.
I agree with you that Mozilla has made some very bad choices concerning privacy.
For example, I use a app called App Manager on f-droid, that detect trackers in installed apps and it shows that Firefox (Fennec) on Android has trackers (Adjust and LeanPlum) and even Tor Browser for Android has the Adjust tracker (though according to Tor developer, they disable or remove trackers).
I use Ungoogled Chromium as a backup browser, but have no problems with Brave and would recommend it to friends and family who are not tech savvy enough to install Ungoogled Chromium. Brave has a more certain future and user support than the Ungoogled Chromium project, and it better for your privacy than Google Chrome.
I also value Brave’s effort to creat a privacy friendly ad system to support content creators.
However, I still use and promote Firefox, because if Mozilla goes away, then there will only be the big tech companies like Google and Microsoft to drive internet standards and browser tech, and they have no respect for our privacy rights.
Also, there is the possibility that the current management of Mozilla could be replaced by more sensible people sometime in the future.
Me preferring Brave over Firefox was not really the point of my comment. The point was that uBlock Origin on Chromium is only better than uBlock origin on Firefox in regards to CNAME uncloaking. And CNAME cloaking is something you will hardly ever encounter in the wild, rendering the only advantage of the uBO / FF combo (almost) mute. Users of the Chromium version of uBlock Origin are not much worse off. As I said, Brave’s native adblocker can in fact do CNAME uncloaking, I just never encountered it in real life!
> However, I still use and promote Firefox, because if Mozilla goes away, then there will only be the big tech companies like Google and Microsoft to drive internet standards and browser tech,
Mellon, they already do. Look at the Chrome and Edge combined market share and then look at the market share of other browsers. Now tell me that they can do anything against what Google and Microsoft have in mind…
> and they have no respect for our privacy rights.
Neither has Mozilla. They are funded by Google and do Google’s bidding (Brendan Eich – former Mozilla CEO, now Brave – even said during the TEDxVienna conference, that Mozilla actively doesn’t want to harm their golden goose, it’s on YouTube). Simple as that. One primary example? The proposed web bundle standard:
Mozilla deems that “non-harmful”, however it will indeed make ad- and tracker-blocking impossible. Absolutely ridiculous, Mozilla should probably be first in line when it comes to opposing this. Brave Software spoke out against it, yeah. But Brave is (realistically) even more irrelevant than Mozilla, so the effect is basically nil. Still, Mozilla’s claims regarding privacy protection are just marketing. Also take a look at this:
Sponsored Top Sites in the suggestion list of the address bar. While distasteful, it wouldn’t be a problem if those were just hardcoded local entries that could be easily disabled. The problem is – Firefox connects to a proxy server in relation to this feature. Why? They could implement this in a privacy-friendly way, and simply chose not to.
I consider myself privacy-conscious and as such I am using Brave / DuckDuckGo + searx / a privacy-friendly email service, I promote (and use myself) add-ons like uBO, LocalCDN, ClearURLs, Cookie AutoDelete, HTTPS Everywhere… The thing is, I have done my part, as you can see I am trying to avoid privacy-hostile companies and their services to the best of my abilities. Part of the process of learning was that some companies claim to care about privacy, but really don’t. I count Mozilla among them, others include NordVPN (data collection honeypot – look at ownership), ProtonMail (CIA honeypot – the founders have strong CIA connections and the employees don’t use the service themselves for reasons unknown) and many others. My respect for Mozilla is nigh zero as long as their phony claims in regards to privacy only amount to lip service.
> Also, there is the possibility that the current management of Mozilla could be replaced by more sensible people sometime in the future.
I commend you for your optimism, but the way I see it, M. Baker is too deeply ingrained into the company, the current CEO was part of the company’s leadership from the get go. Don’t see her abandoning the sinking ship before a total collapse of the company. Sorry to say.
> The point was that uBlock Origin on Chromium is only better than uBlock origin on Firefox in regards to CNAME uncloaking.
uBlock Origin on Firefox also has the advantage that the size of a block list can not be restricted by Google. Brave users are dependant on a single entity (Brave developers) and their implementation choices, to bypass Google plans in this area. Firefox users have more choice in various ad blockers that suite their preferences.
> Neither has Mozilla. They are funded by Google and do Googleâ€™s bidding
I agree that Mozilla is not privacy friendly and a hypocrite in their marketing.
But they are trying to be less dependant on Google.
> M. Baker is too deeply ingrained into the company, the current CEO was part of the companyâ€™s leadership from the get go.
The chance of a management change at a company often increases, the more they lose market share. Even if Mozilla was to go bankrupt, the chance is high a new company or organisation would take over the development of Firefox. The more Firefox users there are, the higher the chance that will occur.
If Firefox development stops, there would only be Chromium based browsers for Windows and Linux users. The risk is real that Google will keep implementing more privacy unfriendly code in Chromium that is harder to remove or workaround. That is a mayor reason why Firefox needs to be kept alive.
>ProtonMail (CIA honeypot â€“ the founders have strong CIA connections and the employees donâ€™t use the service themselves for reasons unknown)
I did not know the ProtonMail employees did not use the service. Strange.
> uBlock Origin on Firefox also has the advantage that the size of a block list can not be restricted by Google.
It’s currently still unrestricted in Chromium, and will be until Manifest V2 code is being removed from the codebase. I could totally see Mozilla limiting it as well, if not for any other reason, then for keeping 100% compatibility with Chromium’s extension APIs. That was the original point of WebExtensions back in 2017 as per Mozilla, to facilitate cross-platform development of extensions by providing the same APIs as Google.
It’s also not clear yet whether or not the announced 150K rule limit is really a hard limit. Take Safari as an example, there is a 50K rule limit (so even worse than Chromium), yet you can still run more lists (I use 500K unique filters), you just have to comply to the 50K limit for each. 10 x 50K = 500K, the 50K limit is not absolute. Could be the same for Chromium, we don’t know yet.
> Brave users are dependant on a single entity (Brave developers) and their implementation choices, to bypass Google plans in this area. Firefox users have more choice in various ad blockers that suite their preferences.
While true in theory, the choice of adblocking extensions is not that broad, either. There is basically just uBlock Origin (and derivatives) and AdBlock Plus, unless I have missed something. The latter can’t be trusted, and the former is also just one guy. I doubt that Brave Software will soften their adblocking capabilities, because their endgame is to establish an alternative ad ecosystem based on BAT. They won’t let the current system thrive, they have no reason to.
> But they are trying to be less dependant on Google.
This may sound pessimistic, but: That won’t happen. Mozilla doesn’t offer a service that would realistically catch people’s attention, their historical services were all failures. Just look at their “Mozilla VPN”, it’s basically a rebranded Mullvad in a crowded and oversaturated market. If I wanted Mullvad, I could have had Mullvad before… Mozilla’s brand added on top of it adds nothing, except the necessity to support a company I really don’t want to support for good reason.
> Even if Mozilla was to go bankrupt, the chance is high a new company or organisation would take over the development of Firefox.
I’d say the chance is rather low, as long as Chromium remains open source and viable. You might as well pick Chromium and have better web compatibility, and from what I can tell, also lower maintenance effort. If anyone other than Mozilla should pick up Firefox / Gecko, it will be out of pure idealism. Maybe yet another foundation, who knows.
> If Firefox development stops, there would only be Chromium based browsers for Windows and Linux users.
Well, technically you can embed WebKit under Windows and Linux as well, but I get your point. I just don’t see it as a huge problem. Chromium is open source and will remain so, for Google depends on outside contributions (they don’t necessarily want to stem this behemoth alone). Chromium is the core of many browsers just like the Linux kernel is the core of many Linux distributions. Saying that we need Firefox is akin to saying we need FreeBSD to counterbalance Linux… Competition is nice, but there is already intra-Chromium competition, I don’t see what Firefox would add here. Plus, a single engine monopoly, while also having disadvantages (e.g. security vulnerabilities would automatically affect all browsers), definitely has efficiency advantages. I know web devs that would breath a sigh of relief once they no longer have to work around Internet Explorer and Firefox quirks. Just saying it as it is, a single engine to code for reduces the workload and significantly shortens real life testing procedures.
The Internet Explorer days were so dark because 1) IE was closed source, so no way to make better versions of it and because 2) IE was really controlled by a single entity (MS), while Chromium is controlled primarily by Google, yet realistically depends on outside contributions in today’s complex web landscape.
> The risk is real that Google will keep implementing more privacy unfriendly code in Chromium that is harder to remove or workaround. That is a mayor reason why Firefox needs to be kept alive.
While I could see that happening, I think you are overrating them. There are already privacy-hostile code portions in Chromium, projects like Ungoogled Chromium or Brave or Vivaldi have them removed, to the point where the browser no longer connects to Google. As long as there is a demand for privacy, there will be browsers working around such nonsense, whether they are based on Chromium or not.
Google could try to pull off something like the aforementioned web bundles, but their side venture Mozilla is also in favor of it – it stands to reason that nothing is to be gained from using Firefox here. I think you are overrating Mozilla’s capability and even more so their willingness to oppose Google, they didn’t even do it when they were much more relevant than they are now. You see, according to W3C discussions, only Apple opposes Google occasionally, Mozilla usually sides with Google. Look at the public discussion protocols if you don’t believe me.
I realized quite some time ago that nothing can be expected from Mozilla as far as fighting against Google is concerned. What drove me over the edge were some scandals of their own and privacy-hostile functionality being included in Firefox (it’s not only the case for Chrome…). I take a degoogled Chromium fork over Firefox at this point.
> I did not know the ProtonMail employees did not use the service. Strange.
I won’t leave you without a source, of course:
We agree that Brave and Ungoogled Chromium are better choices than Chrome, and that Mozilla is not privacy friendly.
We disagree about supporting Firefox as a alternative to Chromium based browsers, given the possibility Firefox could be developed in the future by a privacy friendly organisation and the possibility that Chromium could get privacy unfriendly code that is too hard to remove or workaround.
I will leave it at that.
Thanks for the links about ProtonMail.
I find the arguments to be weak in the article about ProtonMail developers not using ProtonMail.
Of the 12 developers, 6 of the email addresses were unknown, 3 used gmail, 1 used ProtonMail and 2 used a email address of a custom/personal domain.
This is also about the email adresses they use for GitHub. It says nothing about the email adresses they use for personal matters and email adresses they do not want to make public to avoid getting unwanted emails (spam, etc).
To then claim ‘Protonmail Devâ€™s Do Not Use Protonmail’ as the title of the article does, is in my opinion not justified.
This kind of unjustified accusations makes me doubt other claims they make in other articles.
But it is good to take privacy and the mass spying by governments serious.
Your reply is correct.
I would like to pay tribute to you for your polite comments.
What needs to change in your opinion to block fake extensions outright?
Only allow unvetted extensions in a beta version of Edge. Then after they are vetted by the community and MS, then they can move on to the store.
As it is now, we have a beta version of the store, thus such issues should be expected.