Apparently, Google just changed their Web Store policy to forbid misleading marketing. Let's report this then...

infosec.exchange/@WPalant/1020

Found two more extensions being marketed in this way. One is called "Bild vergrößern", the other "Wiki-Infos." Supposedly, different publishers for all of them. All have been reported to Google.

Wow, Mozilla compiled a list with 93 extensions being spread here. Also, they found them executing remote code - I guess that I wasn't thorough enough. New blocklist entry incoming...

Follow

Looking more into this, I'm confused. Either I am missing something or Mozilla's Andreas Wagner jumped the shark claiming remote code execution here. These extensions certainly have a bunch of security issues, but code execution cannot be triggered by extension developers.

The code might rather execute (in the context of a website, not the extension) if a Wikipedia/Twitter link is hovered. Plus, the code would not be loading from a source that the developers control but rather Wikipedia/Twitter APIs. So rather tricky to exploit.

Whoever is running this campaign noticed their extensions being blocklisted, the site will no longer redirect Firefox users - it looks like an actual quiz then. Chrome users are still being redirected to the site tricking them into installing extensions.

And now the campaign seems to be down for all browsers, no more redirecting. I guess that they try to avoid their Chrome extensions being taken down as well.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.