The practice was first described by Amit Agarwal, developer of the "Add to Feedly" Chrome extension, who sold his add-on to a person that wanted to buy it for a 4-figure sum.
"I had no clue about the buyer and was also curious to know why would anyone pay this kind of money for such a simple Chrome extension," he wrote, adding that the transfer of ownership went smoothly.
But, it was only a month or so later that he discovered the buyer's intentions, as the add-on's users began complaining about seeing a ton of ads. As it turns out, the new owners updated the extension by adding ad-serving code to it. And, as Google also updates Chrome add-ons automatically, the users got the new version without being none the wiser.
"These aren’t regular banner ads that you see on web pages, these are invisible ads that work the background and replace links on every website that you visit into affiliate links. In simple English, if the extension is activated in Chrome, it will inject adware into all web pages," Argawal explained, adding that he now regrets selling the extension.
A month ago, Ron Amadeo also noticed that his Internet surfing has become much less enjoyable due to pop-up ads and hijacked Google searches. After a little digging around his desktop and laptop, he traced the source of the problem to a Chrome extension by the name of "Tweet This Page," which apparently was silently updated to serve ads by its new owners.
As the news about this issue spread, one of the developers of popular Chrome extension Honey shared on Reddit his and his colleagues' experiences with malware companies that have tried to buy the extension, data collection companies that have tried to buy user data, and adware companies that have tried to partner with them.
Now, while Google's policies don't forbid extension developers to insert ads in pages, they do require them to be upfront about it and not to do it on more that one portion of a page. Therefore, the company has reacted to the revelations by removing the first two mentioned add-ons from its web store.
The problem with Google's practice of automatically updating Chrome extensions is that this type of thing can happen over and over again. Users are asked to approve the update only if a new permission is asked. Obviously, the shady individuals behind these deals are careful to buy add-ons that already have the permission to "access your data on all web pages," which is the one needed to freely inject ads.
These are people to whom Google's policy on what an add-on should not do means very little, so I'm afraid that it's up to Google to find a solution to this problem.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.