Report: Over 20M Chrome Users Downloaded Fake Ad Blockers

Counterfeit versions and knockoffs of trusted programs exist in just about every space of computing, and a report from AdGuard states that more than 20 million users were fooled by one particular variant of this trend: fake and malicious ad blockers in Chrome’s Web Store. In most cases, these extensions are simply outright imitations of more well-known options with a few extra lines of code and a fresh coat of paint, meant to do nothing more malicious than mislead users and garner undeserved downloads by stealing the work of others. Some ad blockers in the Web Store, however, inject malicious code into their processes that can escalate their privileges and open the door for them to manipulate a user’s browser in just about any way that they want. To make matters worse, five of those aren’t even ripoffs, but completely original works. That list includes AdRemover For Google Chrome, uBlock Plus, Adblock Pro, HD for YouTube, and Webutation.

Being duped by an ad blocker that’s stolen source code from another program that a team or individual worked hard on may be bad for the makers of ad blocking extensions, but it doesn’t affect the user much. Ad blockers that inject potentially malicious code, however, can wreak havoc on a user’s browsing experience and even their system, if the user is not vigilant. The way that most of these work is similar or even entirely the same, according to AdGuard. The exploit works by inserting a call to a command server into the commonly used and mostly benevolent jQuery JavaScript library. From there, command instructions are inserted covertly into an image asset, which is never actually seen by the user in most cases. This means that the command server could send any code its operators want, and as long as it falls within Chrome’s sandboxing, it should, in theory, execute without any issues, since the user has granted the extension permission to operate.

Most of these extensions appear perfectly safe and inert, and for the most part, you have to actually look into the code to tell you’re dealing with something potentially malicious. Obviously, that’s not something that the average user will or even can do in most cases. As such, the best way to protect yourself is to see who the author of a given extension is, and only install extensions made by authors that you trust. If you can’t find an author you trust for a type of extension that you want to download, doing a quick Google search for the names of different extension authors should quickly tell you who is a reputable programmer or company and who is either well-known as being untrustworthy, or who is a no-name that shouldn’t be trusted above recognized names.
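
For readers who do want to look into the code, the check below is an added example, not taken from AdGuard's report or from any extension. It compares a library file bundled in an unpacked extension against a reference copy obtained from the library's official source, lists every line that was added, and flags the ones that contact a remote host or evaluate code. The function names, the sample strings and the `c2.example.invalid` host are constructed for illustration.

```javascript
// Patterns for code that can reach a remote host or run fetched code.
const SINKS = [
  /\bXMLHttpRequest\b/, /\bfetch\s*\(/, /\bnew\s+Image\b/, /\bWebSocket\b/,
  /\beval\s*\(/, /\bnew\s+Function\b/, /\.src\s*=/, /https?:\/\//,
];

// Ignore line-ending and indentation differences; keep blank lines so that
// reported line numbers match the bundled file.
function normalize(source) {
  return source.replace(/\r\n/g, "\n").split("\n").map((line) => line.trim());
}

// Return every non-blank line of `bundled` that has no counterpart in
// `reference`, tagged with the sink patterns it matches.
function auditBundledLibrary(bundled, reference) {
  const remaining = new Map(); // multiset of reference lines
  for (const line of normalize(reference)) {
    if (line) remaining.set(line, (remaining.get(line) || 0) + 1);
  }
  const findings = [];
  normalize(bundled).forEach((line, index) => {
    if (!line) return;
    const left = remaining.get(line) || 0;
    if (left > 0) { remaining.set(line, left - 1); return; }
    const sinks = SINKS.filter((re) => re.test(line)).map((re) => re.source);
    findings.push({ line: index + 1, text: line, sinks, suspicious: sinks.length > 0 });
  });
  return findings;
}

// Constructed stand-in for an official library release (not real jQuery).
const REFERENCE = [
  "/*! sample library (constructed stand-in for a jQuery release) */",
  "(function (global) {",
  "  function each(list, fn) { for (var i = 0; i < list.length; i++) fn(list[i]); }",
  "  global.sample = { each: each };",
  "})(this);",
].join("\n");

// Constructed tampered copy: one added remote image load, one added comment.
const TAMPERED = REFERENCE.replace(
  "  global.sample",
  '  var beacon = new Image(); beacon.src = "https://c2.example.invalid/pixel.png";\n' +
  "  // repackaged build\n  global.sample");

for (const f of auditBundledLibrary(TAMPERED, REFERENCE)) {
  console.log(`${f.suspicious ? "SUSPICIOUS" : "added"} line ${f.line}: ${f.text}`);
}
```

Any finding at all means the bundled file is not the upstream release, so compare like with like: the same version and the same build (minified or unminified) as the reference.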