09 June 2021 at 15:33 UTC
Updated: 09 June 2021 at 15:50 UTC
Privacy add-ons uBlock Origin and AdGuard are among the affected apps
Suspicious browser extensions are relying on manipulating search results on the Google Chrome Web Store to rank higher than their legitimate counterparts.
This is according to the developers of two popular ad-blocking extensions available on the site.
Screenshots posted on Twitter this week show that a search result for â€کuBlock Originâ€™ â€“ a web extension which has more than 10,000 users on Chrome alone â€“ appears below multiple add-ons, some of which, it has been claimed, appear malicious.
A test on the Chrome Web Store performed by The Daily Swig confirmed that in a search query for â€کuBlock Originâ€™, the plugin appears third â€“ below rival applications â€کNBlockerâ€™ and â€کAdtrooper adblockerâ€™.
Read more of the latest browser security news
Weighing in on the tweet, Raymond Hill, the developer of uBlock Origin, said: â€œIâ€™m aware of this [issue].
â€œEven when narrowing to â€کExtensionsâ€™ [filter], uBO is listed fourth, after those sleazy extensions (which incidentally are all based on Adblock Plusâ€™ code â€“ with copyright and license notices removed).â€
Hill added: â€œNo â€کublockâ€™ used anywhere in the description of these extensions, itâ€™s a mystery as to why they are reported as top matches while uBO is not.â€
Hill also noted that this issue is not present in the web stores for Firefox or Safari.
â€œSeven years of never breaching user trust counts for nothing in the Chrome Web Store, sleazy extensions which are unrelated to the searched terms are listed first,â€ he said.
Gaming the ecosystem?
In a separate test, the developer of AdGuard, Andrey Meshkov, found that while his ad-blocker still came out on top in a search query for â€کAdguardâ€™, a potentially suspicious extension followed closely behind.
After taking a further look at the plugin, â€کAdresist adblockerâ€™, could contain malicious code, Meshkov warned.
â€œIt loads Google Tag Manager (which allows remote execution of arbitrary scripts) and immediately uses it to load additional scripts: analytics and a script that handles uninstall. Of course, all this does not prove that this extension is malicious,â€ the developer wrote.
Data privacy risks
Speaking to The Daily Swig, Meshkov said there are numerous reasons why a malicious actor might want to develop a fraudulent web extension.
Perhaps unsurprisingly, one prime motivating factor is the desire to secretly siphon sensitive user data, including their browsing history, as well as to embroil users in ad-fraud schemes.
â€œExtensions are really easy to create, they just copy an existing popular open source extension, change the code a little, add their malicious stuff on top of it, and here we go, the malware is ready,â€ Meshkov added.
â€œWhatâ€™s even more important, the Chrome Web Store is an awesome distribution channel for them. Being in the search top results allows them to get a lot of people to install their software for free.â€
RELATED When browser extensions go rogue
Meshkov said he has previously contacted Google regarding a similar instance to the Web Store issue, but said that Google does not disclose how its search algorithms work.
â€œThey are hiding it to make it harder to manipulate search results,â€ he said. â€œUnfortunately, security through obscurity does not seem to be working in this case.â€
The Daily Swig has reached out to Google for further comment, but we are yet to hear back.
YOU MAY ALSO LIKE â€کBeing serious about security is a mustâ€™ â€“ Apache Software Foundation custodians on fulfilling its founding mission