A Google Chrome extension with over four million users is abusing the trust users have placed in it and is now showing popup ads for other extensions.
Named "Automatic 4K/HD for Youtube," this extension wasn't always bad, as it did manage to amass nearly 4.2 million users by providing a quality service for years.
The extension got its fame and fans by providing a mechanism through which users could select a permanent video playback quality level for YouTube videos and prevent the YouTube platform from selecting a lower video quality setting on the user's behalf. Other features were added afterward, making the extension even more attractive.
But starting sometime last week, the extension's mysterious authors (author info not disclosed in extension source code and Chrome Web Store listing) began showing unwanted popups to their userbase, effectively turning their highly popular extension into adware.
The popups currently show ads for another Chrome extension, named "Adblocker for Chrome - NoAds," also developed by a developer with a generic name (Adblocker) and no contact info listed in its manifest file or Chrome Web Store page.
The popups ads abuse Chrome's ability to show desktop notifications, permission that the extension contains from users during installation, but which it is not allowed to abuse to bombard them with unrelated content, such as ads.
The ads appear shortly after installation, as is visible in this GIF recorded by this reporter, but also pester users at regular intervals, sometimes as often as an hour, according to another user who complained about them in a Reddit thread.
The extension's reviews page, once filled with five-star ratings and praises about its usefulness, has now turned into a place where users are venting their anger at being bombarded with ads.
"Worked great until a few days ago when it started advertising for an adblocker and automatically opening up the [adblocker's] extension page," one of the reviewers said.
Because the current behavior of showing popup ads is not malicious, the extension won't be permanently banned from the Chrome Web Store. However, its devs are very likely to receive an email from the Web Store mods asking devs to remove the popups or to have their extension taken down.
Users should, however, at least disable it in their Chrome browsers to prevent any other abuse. If the extension devs were willing to start showing ads, there's no guarantee they won't start doing other things.
Last month, the Chrome Web Store team also removed an extension that was caught stealing payment card numbers.
More browser coverage:
- Safari engineers look at different approach to fighting intrusive ads
- Google Chrome to get warnings for 'lookalike URLs'
- Firefox will soon warn users of software that performs MitM attacks
- Firefox to get a 'site isolation' feature, similar to Chrome
- Google releases Chrome extension to check for leaked usernames and passwords
- Firefox to block auto-playing audio starting March 2019
- How to use Vivaldi Tab Sessions TechRepublic
- Brave's privacy-focused ads to spread beyond startup's own browser CNET