Browser extension developers targeted with schemes and scams

They're being asked to sell, or modify, their code – and trust in your favourite add-ons could be a casualty

Code can be bought and sold, or access can be lent, but trust doesn't necessarily come along for the ride, as has been shown.

Last September, Daniel Kladnik, creator of a browser extension called "I don't care about cookies" that suppresses EU cookie popup menus, sold his extension code to Avast – a security firm that subsequently merged with NortonLifeLock (which later rebranded as "Gen Digital").

The deal has not been well received by some users of the extension, who over the past nine months have flooded the Firefox add-on store's review page with one-star reviews. Similar sentiment can be found in recent Chrome Web Store reviews for the extension.

Kladnik characterized Avast as "a famous and trustworthy IT company known for the wide range of products that help secure our digital experience." But almost six hundred user-submitted reviews argue otherwise. Their complaints are perhaps based on accusations Avast's data collection practices aren't kind – a criticism the outfit has disavowed.

Gen Digital did not immediately respond to a request for comment. The Gen Digital Global Privacy Statement [PDF] describes various ways in which the business uses data and the conditions under which it shares data with partners.

The "I don't care about cookies" deal involved code sold to a known commercial company. That's the best case scenario. Extension developers often get approached by entities and individuals whose trustworthiness is much less certain.

These speculators may want to purchase an existing extension and its installed base of users, or partner with the extension developer to add third-party functionality.

Developer Armin Sebastian wrote about receiving such messages back in 2019, and cited offers he'd received to integrate e-commerce affiliate commission code or search monetization. Sebastian blamed Google and Mozilla for failing to support legitimate revenue-generating options for extension developers.

Simeon Vincent, who until recently served as developer advocate for Chrome extensions at Google and now consults on the subject, revisited the issue in a Tuesday blog post discussing efforts to have developers integrate third-party code into their extensions. His concern is that developers should avoid doing deals that will get them and others banned from extension-marts.

Vincent explained that developers of popular extensions frequently receive offers for integrating third-party code. He quoted a message for a service called "Bing Hosted Feed" that promised "$500 per month for every 1,000 users" to integrate a search function – with the promise that the code to be inserted complies with Google's Chrome Web Store rules.

"The people behind these emails want to replace the user’s search engine with something that pays them for that traffic," he said. "Why? Because search is very valuable."

Vincent said the people sending these messages typically want the extension to be altered to change the user's default search provider using the Settings Overrides API or to expose a search box in the extension interface, or to have the extension add a search box to websites.

When done as a partnership deal, Vincent explains, the speculator shifts the risk onto the developer. That's because if the extension is flagged as malware and removed from the Chrome Web Store, it's the developer whose account will be suspended – not the data slurper.

In an interview with The Register, Vincent said, "This is a complicated issue because there are limited tools available for [extension] stores to be able to take action against malicious actors, particularly in the case of third party libraries being integrated. It is to some extent a variation on supply chain attacks. Except, rather than [presenting] as a dependency being compromised, it is an explicit exchange.

"The tools available to the stores to take action against and detect these patterns of abuse are relatively limited, because you have to recognize that the thing is even happening in the first place," he explained. "And [those involved] work hard to make it as unobvious as possible."

Asked whether this particular sort of attack is increasing, Vincent said he had limited visibility into the issue when he was at Google as he did not work on the abuse team. He said he became aware of it mainly when developers – mostly well-intentioned – reported being subject to some enforcement action they hadn't anticipated.

But in general, Vincent said, he believes supply chain attacks have become more common.

"I'm somewhat bullish in that the extension ecosystem in Manifest v3 – due to the inherent platform changes that limit remotely hosted code, as well as policy changes that prohibit it – I feel that it is better than average in that respect than the broader software ecosystem," he said.

"But it is still technically possible to execute remote code, and that is kind of an inherent limitation of the web. So it isn't something that can, at the moment, at least technically, just be turned off."

Vincent expressed skepticism that policy requirements like code sale disclosures would do much good, noting that people regularly fail to comply with government mandated disclosures.

"My concern for all browsers is resourcing," he said. "I don't know that anybody has a ton of extra budget to throw around in terms of actually staffing [for safety]."

And thus we return to Sebastian's observation about the difficulty of monetizing extensions – an issue adjacent to the funding drought for open source developers. When lack of financial opportunity in the extension ecosystem drives developers to sell out or partner with schemers, it also starves extension stores of revenue they might spend to keep developers honest. ®

More about

TIP US OFF

Send us news


Other stories you might like