The Microsoft Authenticator extension in the Chrome store wasn't actually made by Microsoft. Oops, Google
Guess they'll let anyone in here
The trustworthiness of Google's Chrome Store was again called into question after an extension billing itself as Microsoft Authenticator was published by the software souk without the simplest of checks.
The legit Microsoft Authenticator generates one-time codes for multi-factor authentication, and lately gained password-manager-like features.
However, it’s only available as a smartphone app, and not as a Chrome extension. When someone submitted a dodgy Chrome add-on called Microsoft Authenticator to the browser's store, one would hope Google would have given it more than a cursory glance and checked that it was legit. Instead, the bogus extension was accepted into the store.
The add-on looked fairly convincing; it had Microsoft's logo, at least hundreds of downloads, and a three-star rating. Rather than declare its developer as Microsoft Corporation, though, the software simply said it was offered by "Extension," according to GHacks.
It would have been nice if Google had checks and systems in place to catch extensions that carry a company's name – in this case, Microsoft – when they weren't actually submitted by that company.
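A minimal sketch of the sort of check described above, added here as an illustration; it is not from the original article and is not Google's review process. The field names `name` and `offered_by`, the verified-publisher table and the sample submissions are all constructed assumptions.

```python
import re
import unicodedata

# Assumption: brand -> publisher names verified for that brand (constructed table).
VERIFIED_PUBLISHERS = {
    "microsoft": {"microsoft corporation"},
    "examplebank": {"example bank plc"},  # hypothetical second brand
}

def normalize(text):
    """Fold case and Unicode compatibility forms, then collapse separators.

    Non-Latin look-alike letters would need a confusables table; not handled here.
    """
    folded = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[^a-z0-9]+", " ", folded).strip()

def brand_mismatches(listing):
    """Brands named in the listing title that its publisher is not verified for."""
    squashed = normalize(listing["name"]).replace(" ", "")  # "Micro-soft" -> "microsoft"
    publisher = normalize(listing["offered_by"])
    return [brand for brand, owners in VERIFIED_PUBLISHERS.items()
            if brand in squashed and publisher not in owners]

def review_queue(listings):
    """Submissions to hold for manual review instead of publishing automatically."""
    held = []
    for listing in listings:
        brands = brand_mismatches(listing)
        if brands:
            held.append((listing["name"], listing["offered_by"], brands))
    return held

# Constructed sample submissions; the first mirrors the listing described in the article.
SAMPLE = [
    {"name": "Microsoft Authenticator", "offered_by": "Extension"},
    {"name": "\uff2dicrosoft-Authenticator", "offered_by": "Extension"},  # fullwidth M
    {"name": "Microsoft Example Tool", "offered_by": "Microsoft Corporation"},
    {"name": "Tab Tidy", "offered_by": "Example Dev"},
]

if __name__ == "__main__":
    for name, who, brands in review_queue(SAMPLE):
        print(f"HOLD {name!r} offered by {who!r}: uses brand(s) {brands}")
```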
Further inspection using analysis tool CRXcavator revealed the add-on's code contained a suspicious URL that took the browser to a website hosted in Poland.
Indeed, it's said the extension tried to phish netizens by redirecting them to a fake login page and asking for account credentials. Some reported the application sucked up high amounts of CPU resources and perhaps mined cryptocurrencies in the background.
Google declined to comment on the record about how this add-on slipped through the net. The extension has now been pulled. Users who installed the Chrome add-on will receive a warning that the software has been disabled at Google's end.
"Microsoft has never had a Chrome extension for Microsoft Authenticator," the Windows giant told The Register. "The company encourages users to report any suspicious extensions to the Chrome Web Store." ®