The incident demonstrates the downside of automatic updates. Chrome itself is a pioneer of the process, where the browser is automatically and silently updated to ensure users always have the latest and fully patched version. This is a huge boon to Chrome users; but the principle only works where the user has trust in the supplier. With both of these extensions, the supplier changed hands when they were bought by an ad-serving company, who then used the automatic updating facility to change their functionality.
Amit Agarwal, the original author of Add to Feedly, explains what happened. "One morning I got an email from someone... asking me if I would be interested in selling the Feedly Chrome extension. It was a 4-figure offer for something that had taken an hour to create and I agreed to the deal." But it was a bad move, he says. "A month later, the new owners of the Feedly extension pushed an update to the Chrome store. No, the update didn’t bring any new features to the table nor contained any bug fixes. Instead, they incorporated advertising into the extension."
The business model is attractive. For a four-figure sum (let's say $3000) the ad company gets use of Agarwal's 30,000 users. "The business model of the buyer is simple – they buy popular add-ons, inject affiliate links and the bulk of users would never notice this since the Chrome browser automatically updates add-ons in the background. And there are no changelogs either," explains Agarwell.
It seems to be a growing practice. Ars Technica reports a personal experience with Tweet This Page. "About a month ago," it reports, "I had a very simple Chrome extension called 'Tweet This Page' suddenly transform into an ad-injecting machine and start hijacking Google searches... The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage."
Meanwhile, one of the authors of Honey, a popular extension that automatically finds the best coupons and promo codes and has more than 700,000 users, has explained on Reddit, "Over the past year we've been approached by malware companies that have tried to buy the extension, data collection companies that have tried to buy user data, and adware companies that have tried to partner with us. We turned them all down."
Fred Touchette, a senior security analyst with AppRiver offers simple advice to users who think they might be affected by such adware: uninstall, uninstall, uninstall, he says. “It’s not uncommon to find browser extensions that supply specific ads to those who dare install them," he explains. "But it is an interesting approach for spammers to take over a once reputable browser extension with often tens of thousands of active users and suddenly inundate them with custom-made advertisements. I suppose spammers believe it’s a good, ‘legal’ approach of supplying victims with a network of click-through fraudsters and affiliate advertisers."
The immediate response from Google has been to invoke the changes to its policy it made as recently as last month: "extensions in the Chrome Web Store must have a single purpose that is narrow and easy-to-understand," and to remove Add to Feedly and Tweet This Page. "Since these changes may take some time to implement, we're not going to start enforcing the policy for existing extensions in the Web Store until June 2014."
“Moving forward," comments AppRiver's Jon French, "it appears that Google may be planning to implement an auditing system for Chrome extensions in order to weed out apps they believe to be too over-reaching. It’ll be interesting to see how they balance the desire to keep app and extension stores open to developers while trying to secure stores from malicious programs.”