Security vendor Imperva’s research labs have found a browser extension that claims to block ads, but actually injects them into Chrome or Opera.
That code snippet talks to remote servers and downloads a payload that Imperva claims is connected to operators of an ad-injection scam.
That scam, Silland and Masas observe, pipes in ads other than those from legitimate sources that would otherwise appear on a web page. Some of those ads include affiliate links – whoever is behind this extension could be skimming commissions from netizens that click on injected ads.
- Thousands of internet-connected databases contain high or critical CVEs, says report by cloud security biz
- Firefox to adopt Chrome's new approach to extensions – sans the part that threatens ad blockers
- Google Chrome's crackdown on ad blockers and browser extensions, Manifest v3, is now available in beta
Google has often said it takes the security of Chrome extensions seriously, and vets them to stop all sorts of naughtiness. It looks like those processes have not worked brilliantly on this occasion – even though this scheme has the potential to rob Google of revenue. Opera's fateful decision to offer compatibility with Chrome extensions means it gets smeared by association.
Imperva has some issues, too. As The Register read its post to compile this story, we noticed that Imperva.com offers to install software called "Cyber Security Leader". The company’s site also includes a Chatbot that creates notifications in a Chrome tab.
It's not just bad actors that mess with browsers. ®
Update: Imperva's been in touch to explain that it has "created a chrome application for the Imperva.com website, which allows users to install the Imperva.com homepage as an app either on their desktop or their mobile device."
The firm claims the application is innocuous and "lets the user browse previously visited pages even if they are offline and creates efficiencies by improving the overall load time of each page."