The Microsoft Authenticator extension in the Chrome store wasn't actually made by Microsoft. Oops, Google

Guess they'll let anyone in here


The trustworthiness of Google's Chrome Store was again called into question after an extension billing itself as Microsoft Authenticator was published by the software souk without the simplest of checks.

The legit Microsoft Authenticator generates one-time codes for multi-factor authentication, and lately gained password-manager-like features.

However, it’s only available as a smartphone app, and not as a Chrome extension. When someone submitted a dodgy Chrome add-on called Microsoft Authenticator to the browser's store, one would hope Google would have given it more than a cursory glance and checked that it was legit. Instead, the bogus extension was accepted into the store.

The add-on looked fairly convincing; it had Microsoft's logo, at least hundreds of downloads, and a three-star rating. Rather than declare its developer as Microsoft Corporation, though, the software simply said it was offered by "Extension," according to GHacks.

It would have been nice if Google had checks and systems in place to catch extensions masquerading with a company in its name – in this case, Microsoft – when it wasn't actually submitted by that company.

Further inspection using analysis tool CRXcavator revealed the add-on's code contained a suspicious URL that took the browser to a website hosted in Poland.

Indeed, it's said the extension tried to phish netizens by redirecting them to a fake login page and asking for account credentials. Some reported the application sucked up high amounts of CPU resources and perhaps mined cryptocurrencies in the background.

Google declined to comment on the record about how this add-on slipped through the net. The extension has now been pulled. Users who installed the Chrome add-on will receive a warning that the software has been disabled at Google's end.

"Microsoft has never had a Chrome extension for Microsoft Authenticator," the Windows giant told The Register. "The company encourages users to report any suspicious extensions to the Chrome Web Store." ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021