Twice in five days, developers of Chrome browser extensions have lost control of their code after unidentified attackers compromised the Google Chrome Web Store accounts used to issue updates.
The most recent case happened Wednesday to Chris Pederick, creator of the Web Developer extension. Last Friday, developers of Copy Fish, a browser extension that performs optical character recognition, also had their account hijacked.
In both cases, the attackers used the unauthorized access to publish fraudulent updates that by default are automatically pushed to all Chrome users who have the extensions installed. The tainted extensions were also available for download in Google’s official Chrome Web Store. Both Pederick and the Copyfish developers said the fraudulent updates did nothing more than inject ads into the sites users visited. The Copyfish developers provided this account that provided a side-by-side comparison of the legitimate and altered code. Pederick has so far not provided documentation of the changes that were pushed out to the more than one million browsers that have downloaded the Web Developer extension.