Ads, malware, and the update vulnerability
Yesterday I wrote about a Chrome extension, “Webpage Screenshot Capture,” that was generating JollyWallet pop-up ads whenever I visited an e-commerce website.
This morning, coincidentally, I came across an Ars Technica article entitled “Adware vendors buy Chrome Extensions to send ad- and malware-filled updates.” Someone more tech savvy than I will have to decide whether JollyWallet is an example of what Ars is talking about, but it certainly sounds like it to me.
The article points out that Chrome’s auto update of extensions, while convenient, is a vulnerability that advertisers are learning to exploit. They buy existing extensions from the original authors and then use the updates of those extensions to push out ads and malware. Users have no idea the undesirable content is coming from an extension they installed possibly months before.
I just spoke with my son (a developer) about this, and all kinds of light bulbs came on. He says the Ars author was too limited in his thinking and points out that the problem would not apply just to Chrome extensions and its auto updates. It is a vulnerability any time you update any app or program on your computer or mobile device. Most of us, when an update is offered for one of our apps, don’t read the fine print; we just click to allow or install the update.
Theoretically, and limited only by what they are willing to spend, advertisers and malware distributors could buy any app or program, unbeknownst to its users, and start pushing out their content via updates.