They form part of everyday web surfing – but some add-ons harbor a dark secret

Browser extensions – they can enhance the user experience, improve security, and make certain aspects of web surfing generally easier.

Some are an essential piece of kit for maintaining privacy, others can filter offensive material – or any mention of Donald Trump – and eliminate it.

But what happens when an add-on goes rogue?

Browser extensions have been known to be bought or hacked and injected with malware, often without any warning to the user.

There have also been reports of fake extensions masquerading as popular programs, which actually contain malicious code used to spy on users or compromise their security.

And with reports earlier this year that 100,000 Google Chrome extensions were infected by cybercriminals, users need to be more security conscious than ever.

Buyout

Take, for example, the web extension Stylish, which was recently discovered to be spying on browsing habits.

This software, which allows a website’s UI to be changed, was tracking users’ history after being injected with spyware when it was acquired by a new owner.

The developer sold the extension on to an unknown party in 2016, who then sold it to web data analytics firm SimilarWeb in 2017.

It was at this point that it reportedly became “riddled” with the spyware, allowing it to monitor unsuspecting users.

There were calls for Stylish to be banned, mainly from the original users who weren’t aware it was being used in this way.

But Stylish wasn’t the first extension to be bought and littered with malware, signifying a worrying trend.

Back in July 2017, the Chrome extension Particle – which allowed users to change YouTube’s UI – was sold to a developer who immediately injected it with adware.

Users were asked to accept new permissions allowing the add-on to “read and change data on websites visited” and to “manage apps, extensions, and themes”, prompting fears that it had become adware.

These fears were realized, leading the original developer to claim he had checked out the buyer and there were no “red flags” – though he also signed a non-disclosure agreement, barring the buyer’s name from being released.
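A permission jump like the one Particle's users were prompted with can be caught by comparing an extension's manifest.json before and after an update. The check below is an added example, not code from the article or from any extension. The two manifests and all function names are constructed for illustration, and the mapping of `<all_urls>` and `management` to the two prompts quoted above is this example's assumption about how Chrome labels those permissions.

```javascript
// Added example: flag high-risk permissions newly requested by an update.
// Maps Chrome permission strings to what they allow (the first and last
// correspond to the two prompts quoted in the article).
const HIGH_RISK = new Map([
  ["<all_urls>", "read and change data on all websites"],
  ["*://*/*", "read and change data on all websites"],
  ["http://*/*", "read and change data on all HTTP sites"],
  ["https://*/*", "read and change data on all HTTPS sites"],
  ["tabs", "read browsing history through tab URLs"],
  ["history", "read and change browsing history"],
  ["management", "manage apps, extensions, and themes"],
]);

// Collect everything a manifest asks for up front: API permissions,
// host permissions (Manifest V3) and content-script match patterns.
function requested(manifest) {
  const out = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) out.add(pattern);
  }
  return out;
}

// Report what the new version requests that the old one did not.
function diffPermissions(oldManifest, newManifest) {
  const before = requested(oldManifest);
  const added = [...requested(newManifest)].filter((p) => !before.has(p)).sort();
  const highRisk = added
    .filter((p) => HIGH_RISK.has(p))
    .map((p) => ({ permission: p, grants: HIGH_RISK.get(p) }));
  return { from: oldManifest.version, to: newManifest.version, added, highRisk };
}

// Constructed sample manifests: a YouTube-only restyler, then its update.
const OLD_MANIFEST = {
  version: "1.0.0",
  permissions: ["storage", "https://www.youtube.com/*"],
  content_scripts: [{ matches: ["https://www.youtube.com/*"], js: ["style.js"] }],
};
const NEW_MANIFEST = {
  version: "1.1.0",
  permissions: ["storage", "management", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["style.js"] }],
};

console.log(JSON.stringify(diffPermissions(OLD_MANIFEST, NEW_MANIFEST), null, 2));
```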

The creators of Particle and Stylish weren’t the first to be tempted with a huge buyout, and who could blame them?

But it was the users who inevitably paid the price.

James Kettle, security researcher at PortSwigger Web Security, told The Daily Swig: “All software is based on trust, and this is being seriously undermined by shady companies targeting greedy or gullible developers with tempting offers.”

Hijack

In 2017, the Chrome extension for Copyfish was hijacked when unknown malicious actors tricked a developer into handing over important details.

The employee was sent a phishing email claiming to be from Google, warning that the software was about to be taken offline.

They followed a link in the email and entered the password for the team’s developer account – unknowingly handing over access to the malicious party.

Afterwards, the extension was updated to a rogue version which inserted ads and spam into websites.

The hackers also lifted the code and moved it from the developer account, blocking access for the creators.

Hidden

But sometimes the threat lurks not in the extensions themselves, but in fake programs posing as trusted companies.

Fake browser extensions, which are masked to closely resemble legit add-ons, have tricked thousands into downloading malware onto their devices.

You might remember the sham AdBlock Plus extension, which was downloaded by close to 37,000 people before it was spotted and pulled offline.

The software reportedly flooded users with adverts and opened extra tabs in their browsers without permission.

Although the Chrome Web Store vets apps before they’re approved, this fake add-on seemingly slipped through the net – leading the thousands of unlucky users to believe it was trustworthy.

Paul Johnston, researcher at PortSwigger, told The Daily Swig: “Despite the improvements Chrome have made with sandboxed extensions and providing a vetted store, the extension ecosystem remains a prime target for scammers.”