Found two more extensions being marketed in this way. One is called "Bild vergrößern", the other "Wiki-Infos." Supposedly, different publishers for all of them. All have been reported to Google.
And reported to Mozilla as well: https://bugzilla.mozilla.org/show_bug.cgi?id=1557258
Wow, Mozilla compiled a list with 93 extensions being spread here. Also, they found them executing remote code - I guess that I wasn't thorough enough. New blocklist entry incoming...
There we go, Mozilla blocklisted all of them: https://blocked.cdn.mozilla.net/67ab85b2-4241-4f2a-8589-801b4221b79d.html
Looking more into this, I'm confused. Either I am missing something or Mozilla's Andreas Wagner jumped the shark claiming remote code execution here. These extensions certainly have a bunch of security issues, but code execution cannot be triggered by extension developers.
The code might rather execute (in the context of a website, not the extension) if a Wikipedia/Twitter link is hovered. Plus, the code would not be loading from a source that the developers control but rather Wikipedia/Twitter APIs. So rather tricky to exploit.
Whoever is running this campaign noticed their extensions being blocklisted, the site will no longer redirect Firefox users - it looks like an actual quiz then. Chrome users are still being redirected to the site tricking them into installing extensions.
And now the campaign seems to be down for all browsers, no more redirecting. I guess that they try to avoid their Chrome extensions being taken down as well.
@WPalant Hell this isn't even a quiz, it's an opinion poll.
@WPalant The "quiz" behaves fine for me (en_US, Firefox, Windows 10). Got through the whole thing.
@r000t That's because you didn't get redirected, probably because your browser's user agent wasn't identified as either Firefox or Chrome.
@WPalant Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
I'm guessing the bad behavior is also region locked. Moderators in the States won't be able to reproduce.
@r000t With your user agent I get the redirect script. You are probably right and this also checks the IP address.
A Mastodon instance for info/cyber security-minded people.