Dishonest Chrome Extensions Are Hijacking User Search Results

Last updated September 20, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

Careful Chrome users always check the permissions before they install an extension on their browser, but what if the extension were to blatantly lie about them? Lying can take many forms, some more deceptive than others.

For example, not being 100% honest in the permissions prompt, or presenting privacy-violating actions as innocuously as possible, is misleading and fraudulent, yet this is what many extension developers are doing. They choose wording that Google can’t fault as outright lying, but that still lets them trick users and do their thing.

[Image: warning1_PopStop. Source: Malwarebytes]

According to Malwarebytes, there are several Chrome extensions out there that like to change the user’s searches on the following domains:

These extensions present the sole permission of “Read your browsing history” on the installation prompt. This clearly doesn’t indicate hijacking the search results, but in the vague sense of the phrase, the functionality is included in the denoted permission. In some cases, like the Niux APP extension, the plugin presents one permission upon installation and then gives an additional warning via a pop-up later on.

[Image: main_NiuxAPP. Source: Malwarebytes]

Those that don’t tell the entire truth at any stage are making it harder for the user to figure out what’s hijacking their search results in the first place. Of course, removing extensions and testing out what happens isn’t that hard, but it’s a nuisance nonetheless. Most importantly, it shows that as far as Google’s reviewing process goes, we’re not quite there yet.

The developers actually include these permissions in the manifest file of the extension, but they’re not showing them to the user. This helps them pass automated reviews while still getting away with not disclosing the full spectrum of their functionality to the user. As for why they’re doing it, profit is the answer.

[Image: manifest. Source: Malwarebytes]
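One way to check what an extension's manifest declares beyond what the install prompt showed, as an added example (not code from Malwarebytes or from the original article): the script flags manifest entries that allow reading or redirecting searches. The watched search hosts and the sample manifest are constructed assumptions.

```python
import json

# Assumption: hosts to watch; the article's own list of affected domains is not reproduced here.
SEARCH_HOSTS = ("google.", "bing.com", "yahoo.com", "duckduckgo.com")
# Chrome permissions that let an extension observe or rewrite navigations and requests.
REWRITE_APIS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
                "declarativeNetRequest"}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host(pattern):
    return pattern == "<all_urls>" or "://" in pattern


def _covers_search(pattern):
    return pattern in BROAD or any(h in pattern for h in SEARCH_HOSTS)


def audit_manifest(manifest):
    """Return (code, details) findings for capabilities relevant to search redirection."""
    findings = []
    perms = [p for key in ("permissions", "optional_permissions")
             for p in manifest.get(key, []) if isinstance(p, str)]
    apis = sorted(p for p in set(perms) if p in REWRITE_APIS)
    if apis:
        findings.append(("api", apis))
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = [p for p in perms if _is_host(p)] + list(manifest.get("host_permissions", []))
    risky = sorted({h for h in hosts if _covers_search(h)})
    if risky:
        findings.append(("host", risky))
    scripts = sorted({m for cs in manifest.get("content_scripts", [])
                      for m in cs.get("matches", []) if _covers_search(m)})
    if scripts:
        findings.append(("content_script", scripts))
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if provider:
        findings.append(("search_override", [provider.get("search_url", "")]))
    return findings


# Constructed sample manifest (not taken from any real extension).
SAMPLE = json.loads("""{"name": "Example Blocker (constructed)", "manifest_version": 2,
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "*://*.bing.com/*", "storage"],
  "content_scripts": [{"matches": ["*://www.google.com/search*"], "js": ["c.js"]}],
  "chrome_settings_overrides": {"search_provider":
      {"name": "x", "search_url": "https://search.example/?q={searchTerms}"}}}""")

if __name__ == "__main__":
    for code, details in audit_manifest(SAMPLE):
        print(f"{code}: {', '.join(details)}")
```

To audit an installed extension, load its `manifest.json` with `json.load` and pass the result to `audit_manifest`.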

Our advice to you would be to limit yourself to the extensions you absolutely need, check an adequate number of user reviews (not just the most recent ones) on the Chrome add-ons store, and install extensions one by one. This way, when the browser’s behavior changes into something weird or unexpected, you will be able to tell which add-on is the culprit.

If new headers appear, search domains change to “gooogle” or “s3arch,” and the results look like what you’d get if you were using an intranet, then one of your extensions is not playing along nicely.


