The Electric Educator: When Extensions Go Bad

Tuesday, March 7, 2017

When Extensions Go Bad

When  Chrome Extensions go Bad | John R. Sowash

I am a big fan of Chrome Extensions. I share my favorites on Twitter and this blog.

Extension can control and access a lot of system resources, that's how they can do so many cool things! With that access comes the possibility of misuse. Google reviews all extensions posted to the Chrome Web Store and requires that developers adhere to certain data and privacy rules.

Chrome Extension permissions
Any time you install a new extension you see a list of system controls and data that the extension will be able to access.

I am comfortable with Google's review policy and their ability to monitor content from the Chrome Web Store. For this reason, I regularly add new extensions and recommend them to others.

There is, however, a loophole in this process that can cause issues. It doesn't happen often, but can result in a significant security risk.

Occasionally, after publishing an extension, a developer may modify it in ways that violate Google's policies. Frequently this includes intrusive advertising, modification of key Chrome browser settings, or key logging activities. Sometimes this is due to a greedy developer who is trying to make money. I have also seen this happen when a popular extension is sold and the new developer modifies the original extension. It can also be caused when an extension is hacked and modified against the wishes of the developer.

Google is pretty quick about removing such extensions from the webstore. However this doesn't help anyone who installed the extension before it was removed.

Users installed a tool and gave it permission to do a certain set of things but now it is doing things they did NOT give it permission to do. It has become an "Extension Virus"

This recently happened to me.

My Extension Virus Story

I had installed and was using an extension called Web Paint. It was very helpful and I regularly recommended it. I used it for almost a year without incident.

Last week weird things started to happen. Advertisements would randomly appear and my new tab page was filled with ads.

The worst thing was that my Twitter account was hacked. Someone accessed my account and used it to DM thousands of my followers. I am very careful with my Twitter password and and cautions about phishing attempts. I believe that the Web Paint extension was modified to gain access to my Twitter account.

It took me a few days to track down these issues to the Web Paint extension. There were a few signs:
Web Paint hacking notice
  • The Web Paint extension had been removed from the Chrome web store. 
  • When I reviewed the permissions for Web Paint (Chrome Menu > More Tools > Extensions > Details) I noticed that it said "allows extension to access proxy settings." This is a very invasive setting which is NOT required for what the extension does. 
  • When I disabled the extension, the random ads disappeared. 
Through my research for this article I discovered that Web Paint was the victim of a hack which corrupted the original extension. The developer acted quickly to patch the extension and fix the problem. The issue, as the developer indicates, is that extensions do not auto-update. You must uninstall and reinstall the extension to remove the infected code. 

Keeping your devices and data private requires vigilance and caution. No one (not even the guy who wrote the book on Chromebooks!) is protected against malicious attacks. 

I will continue using the Web Paint extension (it's a great tool)! My attention to security has been heightened as a result of this issue. If you are a Chrome browser user and are experiencing weird issues with your device. Most of the time these issues can be traced back to an "Extension Virus."  

What to do when you have an extension virus

If you have issues, here are the steps to follow: 
  • Did you recently install a new extension? If so, disable it (Chrome Menu > More Tools > Extensions)
  • If that doesn't solve the problem, turn off ALL of your extensions. 
  • Turn them on one at a time until the problems start again. The last extension you enabled is the culprit. Delete it.
Have you had issues with an extension virus? How did you figure out the problem? What steps did you take to fix the issue? 

Be safe out there everyone! 


  1. Do you know if extension viruses are reported anywhere? It would be nice to have a place to reference before bad things begin to happen.

    1. This is a pretty new development. Everyone is trying to figure out how to best approach the problem. There is an extension called "extension update notifier" that will let you know when an extension has an update:


Thanks for contributing to my blog. I enjoy being a part of the conversation and do my best to respond to comments and questions that are posted.