This is why browser extension permissions are so important. Users see "VPN" and think privacy, but this extension was doing the exact opposite.
100k installs means this was happening at scale for months or years. Browser stores need better security screening for extensions, especially ones that claim to protect privacy.
Always read extension permissions carefully. If a VPN needs access to all your browsing data, that's a red flag.
No, because they don't enforce their rules against obfuscation.
Even if there was, it wouldn't help you - extensions regularly get sold to scammers who can push whatever update they want. I documented an extension with a few hundred thousand install base that got sold and turned into malware. Overnight it went from tens of lines of unobfuscated code to 10k+ lines obfuscated. Then they flooded the extension's review pages with fake reviews to bury complaints. I got a ticket opened through a contact, which to Google's credit they investigated, but they decided it wasn't violating enough policies to take any action.
The source is part of the package, at worst minified, obfuscated, pulling code from external sources. You can inspect it yourself by unpacking the extension installation package and browsing the JavaScript.
selinkocalar|6 months ago
bix6|6 months ago
rKarpinski|6 months ago
loa_in_|6 months ago
azalemeth|6 months ago
ElijahLynn|6 months ago
rs186|6 months ago
thrown-0825|6 months ago
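The manual inspection suggested in the thread (unpack the extension package, read the permissions, browse the JavaScript) can be scripted. This is an added example, not code from any commenter: the function names, the permission and host lists, the 1000-character threshold and the in-memory sample package are all assumptions chosen for illustration.

```python
import io, json, re, struct, zipfile

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"proxy", "webRequest", "tabs", "cookies", "history", "scripting", "debugger"}
DYNAMIC = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\batob\s*\(")

def zip_payload(blob: bytes) -> bytes:
    """Strip a CRX2/CRX3 header and return the ZIP archive it wraps."""
    if blob[:4] != b"Cr24":
        return blob  # plain ZIP, e.g. a Firefox .xpi
    (version,) = struct.unpack_from("<I", blob, 4)
    if version == 3:  # magic, version, header length, signed header, ZIP
        (hlen,) = struct.unpack_from("<I", blob, 8)
        return blob[12 + hlen:]
    if version == 2:  # magic, version, key length, signature length, key, signature, ZIP
        klen, slen = struct.unpack_from("<II", blob, 8)
        return blob[16 + klen + slen:]
    raise ValueError(f"unsupported CRX version {version}")

def audit(blob: bytes) -> dict:
    # Summarise requested access and flag scripts worth reading by hand.
    zf = zipfile.ZipFile(io.BytesIO(zip_payload(blob)))
    m = json.loads(zf.read("manifest.json"))
    perms = {p for k in ("permissions", "optional_permissions")
             for p in m.get(k, []) if isinstance(p, str)}
    hosts = set(m.get("host_permissions", [])) | perms  # MV2 lists hosts under permissions
    for cs in m.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    report = {"sensitive": sorted(perms & SENSITIVE),
              "broad_hosts": sorted(hosts & BROAD_HOSTS), "scripts": {}}
    for name in (n for n in zf.namelist() if n.endswith(".js")):
        src = zf.read(name).decode("utf-8", "replace")
        lines = src.splitlines() or [""]
        flags = [tag for tag, hit in (
            ("very-long-line", max(map(len, lines)) > 1000),  # minified or packed
            ("dynamic-code", bool(DYNAMIC.search(src))),       # code built at run time
            ("remote-url", "http://" in src or "https://" in src)) if hit]
        report["scripts"][name] = {"lines": len(lines), "flags": flags}
    return report

def build_sample_crx() -> bytes:
    """Constructed CRX3-shaped sample; the 8-byte header is a placeholder, not a real signature."""
    manifest = {"manifest_version": 3, "name": "Sample VPN (constructed)", "version": "1.0",
                "permissions": ["proxy", "webRequest", "storage"], "host_permissions": ["<all_urls>"]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("popup.js", "document.title = 'ok';\n")
        z.writestr("bg.js", "var a='" + "A" * 1500 + "';eval(a);")
    return b"Cr24" + struct.pack("<II", 3, 8) + b"\x00" * 8 + buf.getvalue()
```

Running `audit()` on two saved versions of the same extension and comparing the reports surfaces the kind of overnight change described above: a jump in line counts, new flags, or newly requested permissions.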