For years, Google and Mozilla have battled to prevent abusive or downright malicious browser extensions from infiltrating their official repositories. Now Microsoft is entering the fray.
For the past few days, people on web forums have been complaining that Google searches made in Edge are being redirected to oksearch[.]com. The redirected searches often pass through cdn77[.]org.
After discovering that the diversions were not an isolated incident, participants in this Reddit discussion narrowed the list of suspects to five. All five are imitations of legitimate add-ons: although the extensions bear the names of legitimate developers, they are impostors with no relationship to them whatsoever.
- NordVPN
- AdGuard VPN
- TunnelBear
- The Great Suspender
- Floating Player — Picture-in-Picture mode
“I had the TunnelBear extension installed, but I uninstalled it when I found out it was causing the problem,” Laurence Norah, a photographer with Finding the Universe, told me by email. “It’s easy enough to see it happen: if you install one of the affected extensions in Edge, open dev tools and hit the ‘Resources’ tab, you’ll see something that shouldn’t be there, like ok-search[.]org or cdn77.”
His account matched images and accounts of other forum participants. Below are two screenshots:
In a statement, Microsoft officials wrote, “We are investigating the listed reported extensions and will take action as necessary to help protect customers.” The statement follows a Reddit comment in which someone identifying himself as a community manager for Microsoft Edge said the company is investigating the extensions.
“The team just updated me to let me know that anyone seeing these injections should disable their extensions and let me know if you continue to see them at that time,” wrote the person who used the MSFTMissy handle. “As soon as I have news from them I will update this thread accordingly.”
The creator of the legitimate TunnelBear software and browser extensions told me that the add-on hosted on Microsoft’s official Edge store is fake. The company said a rogue extension is also present in the Chrome Web Store.
“We are taking action to remove it from both platforms and are investigating the matter with both Google and Microsoft,” said a TunnelBear representative. “It’s not uncommon for popular, trusted brands like TunnelBear to be counterfeited by malicious actors.”
The real AdGuard VPN, for its part, also issued a statement, this one from CEO Andrey Meshkov.
NordVPN, meanwhile, issued a statement that read in part, “We noticed this rogue extension on Friday and took immediate action to have it removed.”
Neither of the two remaining legitimate developers of the genuine extensions responded to a request for comment. Readers should remember, however, that legitimate developers cannot be held responsible when their apps or add-ons are counterfeited.
Along with Android apps, browser extensions are one of the weak links in the online security chain. The problem is that anyone can submit them, and Google, Mozilla and now Microsoft have yet to come up with a system that adequately checks either the authenticity of the people submitting them or the security of the code.
Search engine redirects are usually part of a scheme to generate fraudulent revenue through ad clicks, which is likely what is happening here. While reports indicate that the add-ons do nothing more than hijack legitimate searches, the privileges they request give them the potential to do much worse. The permissions include:
- Read and change all your data on the websites you visit
- Manage your apps, extensions and themes
- Change your privacy-related settings
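Those three warnings correspond to specific entries in an extension's manifest.json: a broad host pattern such as `<all_urls>` or `*://*/*`, the `management` API permission, and the `privacy` API permission. The following is an added example (not code from the article or from any of the extensions it names) that parses a manifest, reconstructs the install-time warnings for that subset of permissions, and flags the combination the article describes: all-site access paired with control over other extensions or privacy settings. The warning table is a deliberately small subset, the risk rule is this example's own heuristic, and both sample manifests are constructed placeholders.

```python
"""Triage a browser-extension manifest for high-risk permission combinations.

Added example. The warning strings mirror the install-time prompts that
Chromium-based browsers (Chrome, Edge) show for these permissions; the table is
a small assumed subset and the "high_risk" rule is this example's heuristic.
"""
from __future__ import annotations

import json

# Host patterns that grant access to every site. MV2 keeps them inside
# "permissions"; MV3 moves them to "host_permissions".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permission -> install-time warning text (assumed subset).
API_WARNINGS = {
    "management": "Manage your apps, extensions and themes",
    "privacy": "Change your privacy-related settings",
    "tabs": "Read your browsing history",
    "history": "Read and change your browsing history",
}
ALL_SITES_WARNING = "Read and change all your data on the websites you visit"


def split_permissions(manifest: dict) -> tuple[set[str], set[str]]:
    """Return (api_permissions, host_patterns) for an MV2 or MV3 manifest."""
    api = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 only
    # In MV2, host patterns sit alongside API names in "permissions".
    for entry in list(api):
        if entry == "<all_urls>" or "://" in entry:
            hosts.add(entry)
            api.discard(entry)
    return api, hosts


def is_broad_host_pattern(pattern: str) -> bool:
    """True for patterns that match every site, e.g. '*://*/*'."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    scheme, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    # Any scheme with a wildcard-only host is effectively "all sites".
    return scheme in {"*", "http", "https"} and host == "*"


def install_warnings(manifest: dict) -> list[str]:
    """Warnings a user would see at install time (for the subset above)."""
    api, hosts = split_permissions(manifest)
    warnings = []
    if any(is_broad_host_pattern(h) for h in hosts):
        warnings.append(ALL_SITES_WARNING)
    for perm in sorted(api):
        if perm in API_WARNINGS:
            warnings.append(API_WARNINGS[perm])
    return warnings


def triage(manifest: dict) -> dict:
    """Flag all-site access combined with management/privacy control.

    A search hijacker only needs to read and rewrite pages, so an extension
    that also asks to manage other extensions or change privacy settings is
    asking for far more than its stated purpose requires.
    """
    api, hosts = split_permissions(manifest)
    all_sites = any(is_broad_host_pattern(h) for h in hosts)
    control = api & {"management", "privacy"}
    return {
        "name": manifest.get("name", "<unnamed>"),
        "manifest_version": manifest.get("manifest_version"),
        "warnings": install_warnings(manifest),
        "high_risk": all_sites and bool(control),
    }


# Constructed sample: an MV2 manifest requesting the three permissions the
# article quotes. Name and version are placeholders, not a real listing.
SUSPECT_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example VPN (impostor placeholder)",
  "version": "1.0.0",
  "permissions": ["<all_urls>", "tabs", "management", "privacy", "webRequest"],
  "background": {"scripts": ["bg.js"]}
}""")

# Constructed sample: an MV3 manifest that only touches the active tab.
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Note Taker (placeholder)",
  "version": "2.3.1",
  "permissions": ["activeTab", "storage"],
  "host_permissions": []
}""")

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(triage(m), indent=2))
```

To run it against a real extension, load the unpacked extension's manifest.json with `json.load()` and pass the result to `triage()`; the same split between API permissions and host patterns applies whether the manifest is version 2 or 3.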
Anyone who has installed any of the aforementioned Edge add-ons should uninstall it immediately. And the oft-repeated advice about browser extensions still applies here: (1) install extensions only if they offer real value or benefit, and even then (2) take the time to read reviews and check the developer for signs that an extension is fraudulent.
Post updated to add comments from TunnelBear, AdGuard, NordVPN and Microsoft.