
"Web Developer" Chrome Extension Infected with Adware - dperfect
The &quot;Web Developer&quot; extension (ID bfbameneiokkgbdmiekhjnmfkcnldhhm) has started injecting ads into websites. It looks like Google has since removed it from the their listings, but unfortunately that doesn&#x27;t help people who already have it installed[1].<p>You may want to check to see if you have it installed so you can remove it.<p>[1] Seriously, why doesn&#x27;t Google at least notify users who have extensions with reported abuse installed?
======
Sironfoot
Dammit! Just been hit with this. I've disabled it. But in the 2 hours it was
running, it had a lot of permissions. Any damage it could have done?

This has shaken my faith in browser extensions, and I (IMHO) an example of why
we need iOS style sandboxing.

~~~
lumpio-
And how would "iOS style sandboxing" prevent a browser extension from
specifically injecting ads onto a webpage? If an extension cannot access and
modify webpages, there's no point in having them in the first place.

At least adding ads is visible to the user. I once noticed a screen capture
extension I had was sending every URL I viewed to about 7 different tracking
services behind the scenes...

~~~
Sironfoot
I was more referring to browser extensions punching out of the browser
sandbox. I'm not a browser extensions developer, but can extensions read/write
to your file system for instance, given enough permissions? If I was the
hacker, what would be the maximum damage I could do with this particular
extension? I guess I'm just a bit worried that's all :-)

~~~
lumpio-
Chrome extensions are "sandboxed" in the sense that only the extension code
has access to the special APIs behind special permissions. If they just inject
some ads onto a page, they won't have access to the extension APIs (they do
naturally have access to everything on the page itself, which is why it's
still a bad thing).

It would take a reasonable amount of stupidity to manage to download untrusted
code and run it in a context that has access to the extension APIs if all you
wanted to do is inject ads onto webpages. But no amount of sandboxing is going
to stop that, if you give the code the permissions it wants. That's why one
should always evaluate both the trustworthiness _and_ competence of the
developer before granting them scary permissions.

~~~
Sironfoot
Trouble is the developer seems competent enough, and "Web Developer" is a
popular, well-loved Chrome extension. Apparently he fell for a phishing attack
[https://twitter.com/chrispederick/status/892786731564417024](https://twitter.com/chrispederick/status/892786731564417024)

I guess it can happen to anyone.

------
dperfect
Looks like this extension was developed by the same author as the "User Agent
Switcher" extension (mentioned in the comments of
[https://news.ycombinator.com/item?id=14888010](https://news.ycombinator.com/item?id=14888010)).

------
chrisux
I ran into the same thing this morning.

Any click to dom element or opening new tabs was popping up
alerts/confirmations and/or attempting redirects.

Only reason I noticed it was web developer extension was weird console-logs
that I had never seen coming from the extension.

Disabled and all the popups have disappeared.

------
jamesmp98
I remember that quite some time ago, the Live HTTP Headers extension did this
as well

------
J-dawg
Update from the developer:

[https://twitter.com/chrispederick/status/892780120032681984](https://twitter.com/chrispederick/status/892780120032681984)

------
thinkingemote
Who's up for making an open source extension which tracks compromised
extensions and warns the user if they have any?

How this could also be protected against similar phishing attacks would be an
interesting problem to solve too.

------
borfast
I had the extension disabled, so I'm guessing I should be OK, right? Or can
Chrome extensions still run stuff even after the user disabled them?

