Malicious Chrome Extension Can Hijack Your Browser

Users Reported About The Hijacking Of Chrome Extension

When users reported that the Better History Chrome extension started taking over their browsing experience and redirecting them to pages showing ads then Google has expelled and intervened the Better History Chrome extension from the Chrome Web Store. 

When users updated the chrome version from version 3.9.7 to 3.9.8 after they noticed the first signs of something was wrong appeared when they were impelled for an extra permission to "Read and change all your data on the websites you visit."

After that immediately users started reporting to the Google that when they clicked on an HTTP link inside a page, they would be connected directly through the lnkr.us service into their desired objectives in which 50% of all cases there were also open an extra page that showing various types of ads. 

This would allow the author not only to modified his extension but also to collect the analytics on users in which he used to sell later through such as online advertisers.

The Even author sold Better History to another company two months ago. Since March 23, 2016 users reported when this was happening. The angry users posted on the extension's GitHub repo and  the original author of extension exposed that before two months ago he sold the extension to an unidentified company since version 3.9.5.

Better History was a Chrome extension in its original version that it added extra filters to the user's security of the section of Chrome History to make it easier to view and they find the pages for accessing the user’s accounts  in the past.

Later it was discovered the new owner of extension blocked the additional changes into the extension of GitHub repository that making it look to everyone like the extension never changed whereas they added secretly malicious code.

One of these malicious things they were discovered a new script that is known as "common.js,"  that installs a proxy extension on the browser of the user that is used to connect with the directly Chrome traffic.

Although the malicious code might be present in other extensions of the code. A Reddit user says that this malicious code can also be discovered in other extensions of Google Chrome such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker.

Users reported about the extension of malware to the staff of the Google who finally detached it from the Chrome Web Store. Whereas from the other extensions assumed about the behavior of malware at the time of writing the codes only the User-Agent Switcher extension has been taken down.