In December, Google’s developer community noticed that an extension called Window Minimizer was hijacking people’s searches to earn money for a third-party search engine. The extension—a productivity shortcut for other web developers—was written by someone calling himself Ionut Botizan, who had it reroute links from Google search to a third party search engine called Ecosia, allegedly to save the rainforest (Right…). Botizan’s little trick is an variation on clickjacking, which momentarily shunts web users to a third-party site to artificially boost traffic or generate ad revenue.
Extensions run alongside Chrome, not within it, so the security onus is supposed to be on developers, who have to abide by Google’s Developer Program Policies, and on users, who must agree to each extension’s Terms of Service. Ostensibly, this frees both Google and the developer from liability. But in practice it means that Google has to play catch-up to police the thousands of Chrome extensions that are available.
On its own, Botizan’s hack was mostly harmless. But it’s worrying how easily he was able to fool other developers, the very people who should know better. For those of us who may not be so well-informed, it’s sobering to think what a truly malicious extension could do.