After phishing attacks, Chrome extensions push adware to millions


Low-hanging fruit

Google has poured hundreds of millions of dollars into fortifying the security of Chrome, making it resistant to the kinds of drive-by attacks that used to be common and still happen on occasion to competing browsers. But two Chrome extension account hijackings in five days suggest that extensions are one of the more effective ways attackers can target Chrome users.

In blog-post comments and in an e-mail to Ars, officials with Copyfish developer A9t9 Software said the account used to distribute the Chrome extension wasn’t protected by two-factor authentication, which Google provides for free. (The A9t9 Software account now uses the added protection of two-factor authentication.) The account was compromised after a company employee clicked on a link in a phishing e-mail that purported to be from Google. Shortly after the employee entered the account password into the fraudulent webpage that appeared, the Copyfish account was taken over. A day later, the Copyfish extension was updated with the adware.

Chris Pederick, the developer of the Web Developer extension, said on Twitter that his account was also hijacked through phishing. He didn’t respond to an e-mail seeking comment for this post.

A Google spokeswoman told Ars that two-factor authentication isn’t mandatory for extension developers; she didn’t respond to a follow-up question asking why the additional security is optional.

It’s understandable that Google doesn’t make two-factor authentication mandatory for all account holders. But given Chrome’s track record with security, it’s surprising that the company doesn’t require the added protection for extension developers, who—because of their ability to push code onto millions of users’ computers—represent high-value targets to criminals.

Truly security-conscious users should remember this limitation when deciding whether to install Chrome extensions.