For years, Google and Mozilla have struggled to keep abusive or outright malicious browser extensions from infiltrating their official repositories. Now Microsoft is joining the fight.
In the last few days, people in website forums have complained that their Google searches are being redirected to oksearch[.]com when they use Edge. Often the searches use cdn77[.]org for connectivity.
After discovering that the redirects were not an isolated incident, participants in this Reddit discussion reduced the list of suspects to five. They are all knockoffs of legitimate add-ons. This means that while the extensions bear the names of legitimate developers, they are actually imposters with no connection to them.
- VPN for TunnelBear
- The great tyrant
- Floating player
“I had a TunnelBear extension installed, but I removed it after realizing it was causing the problem,” Lawrence Nora, a photographer from Finding the Universe, told me by email. “It’s easy enough to see how it works – if you install one of the affected extensions in Edge, open dev tools and click the ‘sources’ tab, you’ll see something that shouldn’t be there, like ok-search.org or cdn77.”
His account matched images and accounts from other forum members.
A statement from Microsoft said: “We are investigating these extensions and will take action to protect customers.” The statement follows comments in that Reddit thread, in which someone identifying as the community manager for Microsoft Edge said the company is in the process of investigating the extensions.
“The team just updated me to let me know that anyone who sees these injections should turn off their extensions and let me know if you continue to see them at this time,” wrote the person using the MSFTMissy handle. “Once I have news from them, I will update this topic accordingly.”
TunnelBear, the maker of the legitimate software and browser extensions, told me that the add-on hosted in the official Microsoft Edge store was fake. The company said there was an extension in the Chrome Web Store that was also deceptive.
“We are taking steps to remove them from both platforms and are investigating with both Google and Microsoft,” a TunnelBear spokesman said. “It’s not uncommon for popular, trusted brands like TunnelBear to be deceived by malicious actors.”
None of the other four legitimate developers of the actual extensions responded to a request for comment. However, readers should remember that legitimate developers cannot be held accountable when their applications or add-ons are tampered with.
Along with Android apps, browser extensions are one of the weak points in the online security chain. The problem is that anyone can submit them, and Google, Mozilla and now Microsoft have not devised a system that adequately verifies the authenticity of the people who submit them, or the security of the code.
Search engine redirects are usually part of a scheme to generate fraudulent revenue by collecting clicks on ads, and that’s what is probably happening here. While reports show that the add-ons do nothing more than hijack legitimate searches, the privileges they require give them the opportunity to do much worse. The permissions include things like:
- Read and modify all your data on the websites you visit
- Manage your apps, extensions and themes
- Change privacy settings
Anyone who has installed any of the aforementioned Edge add-ons must remove them immediately. And the often-repeated tips for browser extensions still apply here: (1) install extensions only when they provide real value or benefit, and even then (2) take the time to read reviews and check the developer for signs that the extension is deceptive.
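As an added example (not code from the article, Microsoft or any extension vendor), the Python below audits unpacked extension folders for the domains reported above and for the manifest permissions behind the three warnings just listed. The mapping of warnings to the `<all_urls>`, `management` and `privacy` permissions, the function names and the sample extension are assumptions made for illustration.

```python
import json
import re
import sys
import tempfile
from pathlib import Path

# Domains named in the article (plus the ok-search.org spelling from the quoted e-mail).
# cdn77.org is a general-purpose CDN, so a hit on it is a lead, not proof.
INDICATORS = re.compile(rb"oksearch\.com|ok-search\.org|cdn77\.org", re.I)

# Manifest permissions assumed to sit behind the three warnings listed above.
BROAD = {"<all_urls>", "*://*/*", "management", "privacy"}

def audit_extension(ext_dir):
    """Return (name, broad permissions requested, files naming an indicator domain)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    requested = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    broad = sorted(set(requested) & BROAD)
    hits = sorted(
        f.relative_to(ext_dir).as_posix()
        for f in ext_dir.rglob("*")
        if f.is_file() and f.suffix in {".js", ".json", ".html"}
        and INDICATORS.search(f.read_bytes())
    )
    return manifest.get("name", "?"), broad, hits

def audit_profile(extensions_root):
    """Audit every unpacked extension (any directory holding a manifest.json)."""
    found = sorted(Path(extensions_root).rglob("manifest.json"))
    return [audit_extension(m.parent) for m in found]

def build_sample(root):
    """Constructed sample: a look-alike extension whose script names a reported domain."""
    ext = Path(root) / "sample-id" / "1.0_0"
    ext.mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps(
        {"name": "Sample VPN", "permissions": ["<all_urls>", "management", "storage"]}))
    (ext / "bg.js").write_text('var target = "https://oksearch.com/";')
    return root

if __name__ == "__main__":
    # Argument: the profile's Extensions directory; none runs the constructed sample.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for name, broad, hits in audit_profile(root):
        print("SUSPECT" if hits else "ok", name, broad, hits)
```

An extension that requests broad permissions but has no indicator hits is not necessarily malicious; many legitimate add-ons need `<all_urls>`, so treat that column as context for the indicator hits.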
The post has been updated to add comments from TunnelBear and Microsoft.