Why are there endless problems with malware being loaded into extensions?

On February 5, 2021, the Chrome extension 'The Great Suspender' disappeared from the Chrome Web Store and was forcibly uninstalled from users' browsers. LWN.net, a news site for the Linux and free software development communities, explains why the extension was removed and the challenges this case poses for the open source community.

Malware in open-source web extensions [LWN.net]
https://lwn.net/SubscriberLink/846272/37d25507fa3e9cd3/

The Great Suspender was a popular Chrome extension with more than 2 million users because it could suspend unused tabs to reduce memory consumption. However, after ownership was transferred from the original developer to a new owner in June 2020, the extension began to behave suspiciously and was eventually identified as malware.

The problems with The Great Suspender are explained in detail in the following articles.

Pointed out that the extension 'The Great Suspender' for Chrome has become malware - GIGAZINE


When The Great Suspender was removed from the Chrome Web Store in February 2021, the tabs that had been suspended disappeared at the same moment the extension was forcibly uninstalled, leaving users confused. The open source community, which had long warned of the dangers of The Great Suspender, said the outcome was heartbreaking.

According to Calum McConnell, who wrote the LWN.net article, the root cause of the malware in The Great Suspender was neither the work of a cunning cracker nor an inadvertent mistake by the developer, but a question the open source community has been wrestling with for many years: 'Who owns this code?'

The basic idea of open source is that the community shares the software's code as a whole rather than any individual owning it. But McConnell said, 'This idea doesn't really work, because the code doesn't magically move from one member of the community to another, so the code has an owner. That means you have to run a server, have a GitHub account, sign the releases, and publish your software there.'

The problem arises when the original developer decides to hand the code to someone else. Sites built around open source projects, such as GitHub, let maintainers and contributors come together and maintain a project jointly. On distribution-only systems such as the Chrome Web Store and Apple's App Store, however, responsibility for the code and its releases effectively rests with a single individual.


In the case of The Great Suspender, developer Dean Oemcke had been the maintainer for many years, but in June 2020 he decided to let go of the project and announced his intention to transfer the GitHub repository and the web store listing. At the time there was talk in the community of buying The Great Suspender, but it came to nothing over the question 'Who pays for a free extension?'

Later, in October 2020, a new maintainer published an update to The Great Suspender, but few people noticed the problem lurking in it. The update looked like any normal release, apart from seemingly trivial details such as the fact that it was not tagged on GitHub. The Great Suspender also uses a complex mechanism to control tab processes, which further delayed the problem from surfacing.

Still, a handful of community members carefully scrutinized the new update and found that the extension was downloading a suspicious JavaScript file. However, the file's source looked like Open Web Analytics, an accepted alternative to Google Analytics, so the problem went overlooked.

Nearly a month later, it was finally discovered that the file in question contained a link to another extension containing malicious code. However, as soon as a version with the malicious code removed was released and the problematic version was pulled, the investigation into the unidentified file petered out as well.
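The two warning signs above, a store release that matches no Git tag and a changed file that pulls JavaScript from an outside host, are mechanically checkable. The script below is an added example, not code from the LWN or GIGAZINE articles or from The Great Suspender itself: it diffs an unpacked Web Store build against a checkout of the tagged source and lists every external host referenced by files the tag does not account for. The directory layout, file contents, hostnames and the reviewed allowlist are all constructed for the demo.

```python
from __future__ import annotations
import hashlib
import re
import tempfile
from pathlib import Path

URL_RE = re.compile(r"https?://([\w.-]+)")
TEXT_SUFFIXES = {".js", ".json", ".html"}


def tree_digests(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def external_hosts(path: Path, allowed: set[str]) -> set[str]:
    """Hostnames referenced by a text file that are not on the reviewed allowlist."""
    if path.suffix not in TEXT_SUFFIXES:
        return set()
    return {m.group(1) for m in URL_RE.finditer(path.read_text(errors="replace"))} - allowed


def audit(store_dir: Path, tagged_dir: Path, allowed_hosts: set[str]) -> dict:
    """Diff the store build against the tagged source and inspect only what changed."""
    store, tagged = tree_digests(store_dir), tree_digests(tagged_dir)
    changed = sorted(f for f in store if f in tagged and store[f] != tagged[f])
    added = sorted(store.keys() - tagged.keys())
    missing = sorted(tagged.keys() - store.keys())
    # Files the tag does not vouch for are the ones a reviewer must read for remote loads.
    hosts = {f: sorted(h) for f in changed + added
             if (h := external_hosts(store_dir / f, allowed_hosts))}
    return {"changed": changed, "added": added, "missing": missing, "unreviewed_hosts": hosts}


def demo() -> dict:
    """Constructed fixture (not real extension code): a tagged checkout and a store build
    whose background script gained two fetch lines, one to a reviewed host, one not."""
    base = Path(tempfile.mkdtemp())
    tagged, store = base / "tagged", base / "store"
    for d in (tagged, store):
        (d / "js").mkdir(parents=True)
        (d / "manifest.json").write_text('{"name": "example-ext", "version": "7.1.6"}\n')
        (d / "js" / "background.js").write_text("chrome.tabs.onUpdated.addListener(() => {});\n")
    (store / "js" / "background.js").write_text(
        (tagged / "js" / "background.js").read_text()
        + "fetch('https://reviewed.example/stats.js');\n"          # host maintainers reviewed
        + "fetch('https://analytics.example.invalid/owa.js');\n")  # host nobody reviewed
    (store / "js" / "extra.js").write_text("// file absent from the tagged source\n")
    return audit(store, tagged, allowed_hosts={"reviewed.example"})
```

A host that merely looks like a known analytics product is still reported, which is the point: the check hands a reviewer the list of files and hosts to read rather than deciding for them.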


Regarding the malicious version that was temporarily distributed to nearly 2 million users, McConnell said, 'The Great Suspender's automatic update seems to have been disabled, and The Great Suspender was forcibly removed in February 2021. Until then, most users seemed to have the malicious version, which means that by the time of the October 2020 update, many users had virtually already been hacked.'

McConnell believes that, besides the problem that 'malicious code gets mixed in because ownership of and responsibility for the code are ambiguous', this case exposes a second problem: 'the malicious extension is left unattended'.

The few users who noticed that The Great Suspender had been contaminated with malicious code immediately uninstalled it and switched to another extension. As a result, the people who understood the problem disappeared from the discussion, and the idea that 'it will be fine because a safe version was delivered' spread through the community. This left the once-exposed issue with The Great Suspender abandoned until Google forced the extension's removal.

This issue is not unique to The Great Suspender. McConnell points out that the problems with 'Nano Adblocker' and 'Nano Defender', which were derived from the popular ad blocker uBlock Origin, have the same root cause.

Nano Adblocker and Nano Defender were extensions based on uBlock Origin, but after the developers sold their rights, code that collected users' personal information was added. You can read more about that case in the following article.

It turns out that the ad blocking extension that was downloaded 300,000 times was tampering with SNS by collecting personal information without permission - GIGAZINE


Finally, McConnell said, 'Even if Nano Defender and The Great Suspender disappear from the Chrome Web Store, the underlying problem remains. As you can see from the four months Google took to eliminate The Great Suspender, Chrome's extension platform has suffered from chronic labor shortages and sluggishness for many years,' arguing that the open source community's issues surrounding extensions are still ongoing.

in Software, Security, Posted by log1l_ks