Bad extensions spell bad news for Google users

bad extensions spell bad news for google users

Google users across the world are unknowingly being exposed to security vulnerabilities by their internet browsers, according to an official study from the search giant.

This latest research found that tens of millions of people are at risk from rogue browser extensions. While most add-ons are created to offer new features and functions, many cause trouble for those who install them. Some, for example, have been configured to steal usernames, passwords and personal data, while others cause users to be bombarded with unwanted ads – or spam – while they surf.

All of the plug-ins had been freely available online, although the finding has caused Google to remove almost 200 malicious examples from its collection. According to the research, bad extensions were available for all major browsers, including Firefox, Internet Explorer and Google’s own, Chrome.

Although the final findings won’t be released until the IEEE Symposium on Security and Privacy takes place next month, preliminary results show that five per cent of regular Google users have fallen victim to at least one bad plug-in. Around a third of these people have four or more malicious extensions installed.

Alexandros Kapravelos, a UC Santa Barbara computer scientist who has been working with Google on the project, thinks dealing with the issue may be easier said than done as many of the offending extensions are built using similar techniques as their harmless counterparts.

He was quoted as saying: “Even when we have a complete understanding of what the extension is doing, sometimes it is not clear if that behaviour is malicious or not.

“You would expect that an extension that injects or replaces advertisements is malicious, but then you have AdBlock that creates an ad-free browsing experience and is technically very similar.”

Mr Kapravelos’s team has been working with Google to develop tools capable of automatically spotting malicious extensions. The firm’s security team can then be notified before the user is affected.