A popular Chrome extension named “Auto Refresh Plus,” boasting over 1 million users, has recently become a browser hijacker, causing concern among its user base.
Multiple user reports on Reddit reveal that the extension redirects to random spam websites, particularly when browsing shopping and travel sites.
The issue was first identified by users who experienced frequent redirects to spam websites. After running malware scans with no success, users found that the “Auto Refresh Plus” extension was the cause. Uninstalling the extension immediately resolved the problem.
A Reddit user noted that sorting the extension's Chrome Web Store reviews by the lowest score revealed similar reports from other users.
One user pointed out that the extension's options page is hosted on a website, which could be used for tracking purposes. Additionally, the extension contains minified code and uses permissions like “tabs.executeScript,” which are commonly exploited for malicious activities.
The “Auto Refresh Plus” extension had already raised suspicions two years ago, with users noticing that the EFF Privacy Badger detected the tracker “3001.ScriptCDN.net” when the extension was enabled but not when it was disabled.
User discussions on Reddit highlighted the broader problem of extension developers being targeted by shady marketing companies offering money in exchange for their popular extensions. This practice often leads to extensions being sold and subsequently misused for malicious purposes, compromising user data and security.
This is a risk that people have been trying to address via various methods, including by releasing dedicated tools like UNM that constantly monitors installed extensions and alerts users when potential changes of ownership are detected.
The “Auto Refresh Plus” extension has a user base of over 1 million, making the potential impact substantial. Users are advised to uninstall the extension immediately to avoid security risks.
Chrome Web Store vetting shortcomings
A recent study by researchers at Universidad Carlos III de Madrid assessing the Chrome Web Store vetting process, reveals significant gaps in the Chrome Web Store's (CWS) vetting process:
- 86% of infringing extensions are extremely similar to previously vetted items, indicating that the Chrome Web Store's vetting process does not adequately learn from past experiences.
- Infringing extensions often remain available for months or even years before being removed. Only 13% of these extensions are vetted within a month, with malware extensions having a median removal time of 282 days.
- Only 1% of malware extensions flagged by the Chrome Web Store are detected as malicious by anti-malware engines, highlighting a significant gap between the threat landscape seen by Chrome Web Store moderators and the detection capabilities of the threat intelligence community.
Recommendations
To safeguard against malicious extensions, users should:
- Regularly review and audit installed extensions.
- Use security tools like Privacy Badger and UNM to detect suspicious activities.
- Prefer extensions from reputable developers and scrutinize recent reviews before installing updates.
- Change reviews sorting to reveal legitimate user comments lost among bot-generated submissions.
TikTok Fixes Flaw Hackers Leveraged to Hijack CNN Account
Leave a Reply