On August 1st, users who updated Web Developer, an extension that gives them access to various web developer tools, started seeing advertisements inserted into websites. Confused users tried to contact the developer about the issue, and it emerged that the extension had been hijacked after the developer gave up his credentials in a phishing attack. Only the Google Chrome version was affected; the extension for other browsers was safe. The extension has more than a million users, and all of them could have been exposed to malicious adware.
Developer fell for a phishing attack
The developer, Chris Pederick, admits to falling for a phishing attack, which led to his extension being compromised. In a blog post, he explains that he received an email claiming that Web Developer did not comply with Chrome store policies and that an update was needed. He clicked a link provided in the email and then entered his login credentials to log in to what he thought was his developer account. In reality, the hackers obtained the information they needed to access his account and upload their malicious adware.
He did not realize what had happened until the next day, when he woke up to users reporting unusual logging and adware. After changing his passwords, he logged into the developer account and was greeted with a version of the extension he did not release. The 0.4.9 version was released to the userbase of around 1 million in the time it took the developer to realize what was going on, and users started seeing advertisements on web pages. In the span of around 2 hours, the malicious extension was taken out and a safe one was uploaded.
Users are advised to update to the 0.5 version as soon as possible
“I am still looking into exactly what the malicious code was doing, but it is strongly advised that if you had Web Developer for Chrome installed that you change your password to any site that you logged into on Wednesday, August 2nd as a precaution, particularly Cloudflare which looks as though it may have been explicitly targeted. It has also been suggested that Cloudflare users revoke their API key if they visited the Cloudflare dashboard yesterday as this may have been compromised as well,” Web Developer’s maker warns users.
If you missed the incident and find that you still have the malicious version installed, you are advised to update as soon as possible.
Chrome extension developers warned about future phishing attacks
Before Web Developer, another Google Chrome extension, Copyfish, was hijacked by hackers, who also released an update that inserted advertisements into websites. The developers of the extension fell for a phishing attempt as well.
With successful phishing attacks on two major Chrome extensions, Google has sent out emails to other developers, warning them about possible attacks, BleepingComputer reports. This is likely not the last successful attack, and developers need to be extra attentive if they want to avoid compromising their own extensions.