Google has removed a Chrome extension from the official Web Store yesterday for secretly hijacking search engine queries and redirecting users to ad-infested search results.
The extension's name was "YouTube Queue," and at the time it was removed from the Web Store, it had been installed by nearly 7,000 users.
The extension allowed users to queue multiple YouTube videos in the order they wanted for later viewing.
Extension turned into adware in early June
But under the hood, it also intercepted search engine queries, redirected the query through the Croowila URL, and then redirected users to a custom search engine named Information Vine, which listed the same Google search results but heavily infused with ads and affiliate links.
The extension was removed from the Web Store yesterday after Microsoft Edge engineer (and former Google Chrome developer) Eric Lawrence pointed out the extension's search engine hijacking capabilities on Twitter.
In an interview with The Register, the extension's developer claimed he had no involvement and that he previously sold the extension to an entity going by Softools, the name of a well-known web application platform.
In a following inquiry from The Register, Softools denied having any involvement with the extension's development, let alone the malicious code.
The practice of a malicious entity offering to buy a Chrome extension and then adding malicious code to the source is not a new one.
Such incidents have been first seen as early as 2014, and as recently as 2017, when an unknown party bought three legitimate extensions (Particle for YouTube, Typewriter Sounds, and Twitch Mini Player) and repurposed them to inject ads on popular sites.
In a 2017 tweet, Konrad Dzwinel, a DuckDuckGo software engineer and the author of the SnappySnippet, Redmine Issues Checker, DOMListener, and CSS-Diff Chrome extensions, said he usually receives inquiries for selling his extensions every week.
Developers quietly selling their extensions without notifying users, along with developers falling for spear-phishing campaigns aimed at their Chrome Web Store accounts, are currently the two main methods through which malware gangs take over legitimate Chrome extensions to plant malicious code in users' browsers.
Coming around to the ad blocker debate
Furthermore, Lawrence points out that the case of the YouTube Queue extension going rogue is the perfect example showing malicious threat actors abusing the Web Request API to do bad things.
This is the same API that most ad blockers are using, and the one that Google is trying to replace with a more stunted one named the Declarative Net Request API.
However, Google said last week that 42% of all the malicious extensions the company detected on its Chrome Web Store since January 2018, were abusing the Web Request API in one way or another -- and the YouTube Queue extension is an example of that.
In a separate Twitter thread, Chrome security engineer Justin Schuh again pointed out that Google's main intent in replacing the old Web Request API was privacy and security-driven, and not anything else like performance or ad blockers, something the company also officially stated in a blog post last week.
Awesome Google Chrome extensions (May 2019 edition)