“Web Developer” is a popular extension that adds various web developer tools to a variety of browsers.
Unfortunately, the fact that the Chrome edition of the Web Developer extension has over one million users has also made its author – San Francisco-based Chris Pederick – a target for attack.
Yesterday, Pederick had some bad news for his Chrome extension’s many users.
Online criminals managed to compromise the Chrome Web Store account for the Web Developer extension after Pederick fell for the simplest and oldest trick in the book: a phishing attack.
Once the hackers stole the account credentials, they uploaded a modified malicious version (0.4.9) of the extension that included code to inject money-making adverts into over a million users’ web browsers.
That’s not the kind of behavior that goes unnoticed by the extension’s typical users: savvy web developers. These individuals began leaving negative reviews for the extension, warning that its out-of-character behavior might be an indication that it had been hijacked.
Despite the disruption and annoyance that the insert ads would have caused for the extension’s users, they should probably feel relieved that the attacker didn’t attempt something more malicious. After all, it appears that it would have been possible to inject more dangerous code that might have been harder to spot with the naked eye.
For instance, because the Web Developer extension has been granted wide access to what happens in a user’s browser, a maliciously-modified version could potentially grab keystrokes or intercept everything being displayed on websites that a victim visits.
The attack on the Web Developer extension is just the latest in what appears to be a trend for criminals to target the accounts of popular browser extensions in an attempt to display revenue-generating adverts or spread malicious code.
Just last week, another developer described how its CopyFish Chrome extension had been compromised to insert spammy ads into websites as users surfed the internet.
Like Pederick, the developers of CopyFish had been tricked into handing their passwords over after receiving a communication which they believed had come from Google.
A new version of Web Developer for Chrome has since been made live, removing the compromised code. Users are advised by Pederick to update immediately.
Anyone who was running the compromised extension should consider changing any passwords that they have entered as well as wiping any login tokens and cookies used on sites they visited during the infection period