Ars Technica is reporting on an apparent security issue with the way Chrome extensions and their updates are handled by the Google Chrome web browser. We all trust that when our browser is updated, the vendor, be it Google, Mozilla or even Microsoft, isn't loading us up with adware and malware. Unfortunately the same cannot be said for browser extensions.

In the case of Google Chrome it goes without saying that when we install a Chrome extension we trust the source (at least one would hope so). When you install a browser extension you are giving that extension's owner pretty much unfettered access to your browser, and they can push new code to it through the auto-update mechanism as they see fit, without any further prompt to you.

However, even if you trust the source upon initial installation, you may find it somewhat alarming that the extension you are using can be transferred to another owner without your knowledge. Pretty scary, right? Well, it gets worse. Malware and adware vendors are catching on to this little loophole and are using it for nefarious means, according to Ron Amadeo's report on Ars Technica.

Once ownership has changed, the new owner can use Google's update service to push malware-filled updates right into your browser. As pointed out in the aforementioned article, Google isn't directly responsible for the malware, but the vendors are taking advantage of this loophole in Google's extension system to spam users. The report uses a firsthand account from OMG Chrome to illustrate the point:
The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension's user base.
Whether you think this is legitimate or FUD, it is definitely happening, and once it does, such malware can be very difficult to remove by normal methods. What are users to do? While I'm sure no one is going to stop using Chrome extensions altogether, it is still advisable to watch out for smaller Chrome extension vendors and to be leery of extension updates. Because updates arrive silently, the only way to notice one is to look for it: check the version and permission list of your installed extensions on the chrome://extensions page from time to time, and treat an extension that suddenly wants access to every website you visit as suspect.

One thing is abundantly clear: Google may need to make some adjustments to the way Chrome extensions and their ownership are handled. Do you have your own story about a Chrome extension gone haywire? Let us know in the comments below. As to whether this is FUD or genuinely something to be worried about, I'll let you decide. Hit up the source link below and read the report for yourself.

Source: Ars Technica