Another Chrome extension horror story: coinhive and domain registration

I’m not sure if things get worse by the day when it comes to the Chrome extensions system and Store, or if things have been bad all along and are publicized more frequently in these days.

Several popular Chrome extensions were hijacked back in July and August 2017, and then updated to push ads and spam to user devices.

The first Chrome extension with an integrated Crypto Miner was launched in September 2017, and the popular Chrome extension Steam Inventory Helper started to monitor user activity.

All of these incidents had one thing in common: the anti-user updates all passed the Chrome Web Store’s automatic vetting.

chrome extension gmail domain registration

Google acknowledged the problem and stated in October 2017 that it planned to do something about it, but did not reveal what it had planned nor when it would launch the changes.

A report on Bleeping Computer highlights another malicious Chrome extension that passed the Chrome Store’s initial verification checks for browser extensions.

The extension Ldi shipped with two anti-user functions. It included a crypto miner that would use the computer’s resources to mine crypto currency for the creator of the extension. This is not the first incident of a Chrome extension shipping with a crypto miner, and it is likely that it won’t be the last, at least not until Google improves the verification process.

Ldi went a step further than that though. It used Gmail addresses of Chrome users, provided that they were signed in to the computer, to register domain names on Freenom. It parsed the email from Gmail, created bogus contact information, checks Gmail for verification emails, and opens these links automatically to complete the verification process.

What that meant is that users who installed the Chrome extension may have had domain names registered under their Gmail account. Anything done with these domains is linked to that email address which could lead to law enforcement inquiry or the closing of the Gmail account in worst case.

Closing Words

Google’s current verification system that it uses to verify Chrome extensions before they are made available on the company’s Chrome Store is flawed as malicious or invasive extensions manage to sneak past it regularly.

This does not only affect new extensions that are uploaded to the Chrome Web Store, but also extensions that are updated. The hijacking incidents in July and August have shown that this is not limited to brand new extensions but may also happen to established extensions with tens of thousands of users.

This is made worse by Chrome’s lack of preferences in regards to extension updates. Extensions are updated automatically, and there are no preferences to change the behavior.

My recommendation on how to deal with it is to be very careful when it comes to Chrome extensions, to permissions that they request, and to avoid being signed in to Gmail or other accounts in Chrome all the time as extensions may abuse this as well.


Article Name

Another Chrome extension horror story: coinhive and domain registration


Read how a malicious Chrome extension called Ldi mined crypto currency and registered domain names on behalf of the Chrome user’s Gmail email address.


Martin Brinkmann


Ghacks Technology News


About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.You can follow Martin on Facebook, Twitter or Google+

Powered by WPeMatico


Smart Home