The developer of a popular Chrome extension has warned users to update to the latest version after hackers were able to hijack the plugin to inject ads and potentially run malicious scripts on the browser.
Chris Pederick, author of the Web Developer for Chrome extension, alerted subscribers on Wednesday afternoon that he had fallen victim to a phishing scam that had scalped his admin credentials. Hackers were then able to update the extension to version 0.4.9 with a bundled script command and send it out to more than one million users.
The Web Developer for Chrome account has been compromised and a hacked version of the extension (0.4.9) uploaded %uD83D%uDE1E
— Chris Pederick (@chrispederick) August 2, 2017
Pederick kept a detailed account of the attack on his twitter feed, in which he has since urged users to update to v0.5 of the extension immediately. Although not every machine with the extension seems to have been affected, it is thought the hackers could have raked in a considerable amount in ad revenue during the short attack window.
Weird thing is I could only get 2 machines out of 10 to generate the ads. All had 0.4.9 on them. pic.twitter.com/ZG0L1h75qT
— %u1566[ *%u0301 %uFE4F *%u0300 ]%u2283-]%u2550%u2500%u2500 (@SEOMalc) August 2, 2017
I did...and like an idiot I fell for it %uD83D%uDE1E I could give excuses of being very busy and tired right now, but it's nothing but my own fault.
%u2014 Chris Pederick (@chrispederick) August 2, 2017
The cause of the attack is thought to be a phishing email he received, which has also been tied to other attacks on web extensions. The Copyfish extension, which allows for image and video extraction from a web page, was also hit by a similar attack last weekend after receiving an email from someone claiming to be a member of the Google team.
The email, which is thought to be the same used against Pederick, described an issue with the extension that would result in it being taken offline, and directed the authors to a genuine looking ticket page, which tracked the progress of the issue.
Copyfish authors noted that an IP address was logged during the attack which suggests it came from a Macbook located somewhere in Russia.