gHacks reports
The makers of the popular Chrome and Firefox extension Copyfish [which does optical character recognition (OCR) and language translation] announced yesterday that the Chrome version of the extension was hijacked.
[...] an attacker managed to steal the Google password of a team member using phishing on July 28th, 2017.
[...] The Chrome extension was [then] updated to version 2.8.5 [...] the next day, something that the company did not realize directly. The attacker, who held the password and email address for the developer account, pushed a manipulated extension to the Chrome store.
Since Chrome [extensions] update automatically without user interaction, the majority of users of the extension received the updated version.
[...] Reports began to come in on July 30, 2017 that Copyfish for Chrome was displaying ads and spam on websites.
[...] [The Copyfish developers have] no access to the extension at this point in time. They cannot update it, and the attackers may push out another version of the extension to the userbase. Since Chrome extensions update automatically, it can only be prevented by removing the extension for Chrome for the time being.
[...] This is done by loading chrome://extensions/ in the browser's address bar and activating the trash icon next to the extension.
Additional coverage at BleepingComputer and Forbes
(Score: 2, Insightful) by Anonymous Coward on Tuesday August 01 2017, @02:24AM (2 children)
This is but one of the many, many reasons why automatic updates are dangerous, and why mandatory automatic updates are a terrible idea.
Think this is bad? Wait'll someone gets something like this in Windows 10... assuming, of course, they haven't already.
(Score: 3, Touché) by Arik on Tuesday August 01 2017, @02:46AM
Yeah, I think they did that already, it's called Windows 10.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by darkfeline on Wednesday August 02 2017, @03:24AM
For most people automatic updates are very good, because the choice is between one of these credential thefts occurring every half decade, or getting compromised by a known-and-fixed vulnerability every few days because no one updates, ever.
Join the SDF Public Access UNIX System today!