Matt Frisbie’s “Let’s build a Chrome extension that steals everything.” is an excellent overview of the risks we face by trusting Chrome Extensions. He builds malicious Chrome extension that steals personal information. It’s worth a read if you’re interested in privacy, extension development, or both.
My experience with malicious browser extensions is different. I was looking at headline analyzers to see if there was anything useful. While Searching “headline analyzer,” Google led me to an SEO-optimized HubSpot content marketing article called “9 Great Tools to Help You Write & Edit Blog Posts Better.” #8 on the list linked out to a Headline Analyzer by CoSchedule. This page requires signup and directs users to a Chrome extension. Without thinking, I agreed to the permission “Read and change all data on websites.” The Chrome extension installed a Bitcoin miner.
The authors of this mal-extension used SEO-optimized blog spam, Google’s lack of antimalware tools, and my misplaced trust to successfully install a cryptocurrency miner on my machine without my consent. Bravo.
I reported this to Google, and as of Feb 2023, this extension still exists and still successfully downloads a Bitcoin miner.