Beware Phishing in Chrome Web Store.


David

Dec 10, 2024, 7:51:11 PM
to Chromium Extensions
I just wanted to alert people to a more sophisticated phishing email than usual that we got that stated a Chrome Extension policy violation of the form:

"Unnecessary details in the description"

The link in this email looks like the webstore but goes to a phishing website that will try to take control of your chrome extension and likely update it with malware.

Hopefully if anyone googles this violation message they will come here and see this message and not give access!

Dev

Dec 11, 2024, 2:52:27 AM
to Chromium Extensions, David
Thank God, David, you saved us. I have updated many things in my extension and I was going to submit it for review.
I received an email from the email ID below with the exact format of the Chrome store. Can someone please confirm if this is just spam?

[Attachment: Screenshot 2024-12-11 at 1.20.34 PM.png]

David

Dec 11, 2024, 6:23:06 AM
to Chromium Extensions, Dev, David

Hi Dev

Yes, that is the email we got, and we were likewise confused. The domain forextensions.com is not an official one for the Chrome Web Store. It is definitely spam. The button on it links to an app called "Policy Chrome Extension" that wants permissions to access your Chrome developer account.

Make sure you haven't given access to an app called "Policy Chrome Extension" in your Google account security settings (Google Account > Security > Your connections to third-party apps & services).

Thanks

David

Aidan Nulman

Dec 11, 2024, 2:00:59 PM
to Chromium Extensions, David, Dev
Thanks as well from our team at jam.dev! A colleague received this one and it threw a bunch of us for a loop :)

hrg...@gmail.com

Dec 11, 2024, 2:05:35 PM
to Chromium Extensions, Aidan Nulman, David, Dev
I cannot find any app or extension called "Policy Chrome Extension".
Could you please provide a link so we can see what the app is doing?
Many thanks.

newdev

Dec 12, 2024, 2:21:15 AM
to Chromium Extensions, hrg...@gmail.com, Aidan Nulman, David, Dev
[Attachments: 1.png, 2.png, 3.png]

I received an email from forextensions.com and almost got scammed because the sender's address was hidden by Outlook when I first checked the email on my phone.

I tried creating a temporary account to test it.

Once you notice any issues, you can remove the "Privacy Policy Extension" permissions at https://myaccount.google.com/connections.


Juraj M.

Dec 30, 2024, 10:06:38 AM
to Chromium Extensions, newdev, hrg...@gmail.com, Aidan Nulman, David, Dev
Mine went to spam because the sender could not be verified, but I have to say, pretty good-looking phishing!
Especially since the rejection reason looks so familiar, it's like I've seen it already multiple times for multiple of my extensions! (because I did!)

But the "Go To Policy" link is still a dead giveaway: there is no way Google would use some "checkpolicy.site" domain.

[Attachment: Screenshot 2024-12-30 155421.png]

John Tuckner

Jan 6, 2025, 4:36:48 AM
to Chromium Extensions, Juraj M., newdev, hrg...@gmail.com, Aidan Nulman, David, Dev
Would someone mind sharing the 'client_id' from the OAuth consent page?

Cameron Eckelberry

Jan 6, 2025, 3:16:01 PM
to Chromium Extensions, John Tuckner, Juraj M., newdev, hrg...@gmail.com, Aidan Nulman, David, Dev

Is there a way we can limit these malicious Chrome apps from gaining access to our web store accounts?
Can any member be affected by it? Or only admins?

Patrick Kettner

Jan 6, 2025, 5:07:05 PM
to Cameron Eckelberry, Chromium Extensions, John Tuckner, Juraj M., newdev, hrg...@gmail.com, Aidan Nulman, David, Dev
To be clear, the apps are disabled as soon as they are discovered. Extensions that were impacted have already been contacted.

What happened here is that developers were tricked into granting OAuth permission to the Chrome Web Store API. As a domain admin, you can take some steps to limit the impact from something like this through the Google Admin console. I am by no means a GApps expert, but some things you can do to lock this down:

1. Make sure your team is aware of the ongoing attack, and not to grant OAuth usage to apps unless absolutely certain they are needed (the Chrome Web Store team will not be asking someone to grant us access to their account via our own API)
2. Review the currently granted apps to ensure nothing malicious exists - https://admin.google.com/ac/appslist/additional
3. Use the OAuth Token Audit logs to check if any access has been granted to the chromewebstore scope - https://admin.google.com/ac/sc/investigation?ref=reporting
4. Set up a new custom alert rule that listens to access being granted to the chromewebstore scope - https://admin.google.com/ac/ax
5. If it makes sense for your team, configure your domain to use trusted apps only - In App Access Control, enable Trust Internal or Domain-Listed Apps Only.

patrick


Cameron Eckelberry

Jan 8, 2025, 4:26:46 PM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, John Tuckner, Juraj M., newdev, hrg...@gmail.com, Aidan Nulman, David, Dev, Cameron Eckelberry

Appreciate the suggestions, thanks Patrick!

ghucz...@gmail.com

Jan 9, 2025, 5:50:30 AM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, John Tuckner, Juraj M., newdev, hrg...@gmail.com, Aidan Nulman, David, Dev, Cameron Eckelberry
Hi Patrick

Re your excellent suggestion of "set up a new custom alert rule that listens to access being granted to the chromewebstore scope - https://admin.google.com/ac/ax".

Could you please give some guidance?

There seems no option to filter by scope in the Rule Tool at: https://admin.google.com/ac/ax

However, the scope filter option does exist in the Audit and Investigation tool (but not useful as can't alert) at: https://admin.google.com/ac/sc/investigation

Screenshots of both tools attached.

Many thanks

Greg

[Attachments: oauth-rule.png, oauth-search.png]
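Patrick's step 3 (check the OAuth Token audit log for grants of the chromewebstore scope) and Greg's observation that the Rule tool cannot filter by scope both come down to the same check: scan the token audit events and raise an alert whenever an "authorize" event hands the Chrome Web Store scope to a client you do not recognise. The script below is an added example written for this thread; it is not code from the Chrome Web Store team or from Google. It assumes the event layout of the Admin SDK Reports API token activity (actor.email, id.time, events[].name == "authorize", parameters client_id / app_name / scope); the sample events, email addresses and client IDs are constructed placeholders, and the app name "Policy Chrome Extension" is the one reported above.

```python
"""Flag OAuth grants of the Chrome Web Store scope in Google Workspace
token audit events (Admin SDK Reports API, applicationName="token").

Added example for this thread, not code from the Chrome Web Store team.
Assumed: event layout as the Reports API documents it; all sample
events, addresses and client IDs below are constructed placeholders."""

import json
from dataclasses import dataclass, field

# Scope that lets a client manage the developer's Chrome Web Store items.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Client IDs deliberately allowed to hold the CWS scope (e.g. your own CI
# uploader). Placeholder value: fill from your own inventory.
ALLOWED_CLIENT_IDS = {"000000000000-ci-uploader.apps.googleusercontent.com"}


@dataclass
class Grant:
    actor: str
    time: str
    client_id: str
    app_name: str
    scopes: list = field(default_factory=list)


def load_activities(text):
    """Parse a Reports API response body (or a saved export) into a list."""
    data = json.loads(text)
    return data.get("items", []) if isinstance(data, dict) else data


def _param(params, name):
    """Return the value or multiValue list of a named event parameter."""
    for p in params:
        if p.get("name") == name:
            return p.get("multiValue", p.get("value"))
    return None


def grants_of_scope(activities, scope=CWS_SCOPE):
    """Yield a Grant for every 'authorize' event whose scopes include `scope`.

    Revoke and other token events are ignored: only a consent that hands
    out the scope matters for this alert."""
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            params = ev.get("parameters", [])
            scopes = _param(params, "scope") or []
            if isinstance(scopes, str):  # single-valued variant
                scopes = [scopes]
            if scope in scopes:
                yield Grant(
                    actor=act.get("actor", {}).get("email", "?"),
                    time=act.get("id", {}).get("time", "?"),
                    client_id=_param(params, "client_id") or "",
                    app_name=_param(params, "app_name") or "",
                    scopes=list(scopes),
                )


def suspicious_grants(activities, allowed=ALLOWED_CLIENT_IDS):
    """CWS-scope grants to any client_id not on the allow list."""
    return [g for g in grants_of_scope(activities) if g.client_id not in allowed]


def format_alert(g):
    """One-line alert text for a ticket or chat notification."""
    return (f"{g.time} {g.actor} granted {CWS_SCOPE} to "
            f"'{g.app_name}' (client_id={g.client_id})")


def _activity(time, actor, name, client_id, app_name, scopes):
    """Build one constructed token-audit activity record (sample data)."""
    return {
        "kind": "admin#reports#activity",
        "id": {"time": time, "applicationName": "token"},
        "actor": {"email": actor},
        "events": [{"type": "auth", "name": name, "parameters": [
            {"name": "client_id", "value": client_id},
            {"name": "app_name", "value": app_name},
            {"name": "client_type", "value": "WEB"},
            {"name": "scope", "multiValue": scopes},
        ]}],
    }


# Constructed sample log: a benign grant by the allow-listed uploader, a
# consent to an unknown "Policy Chrome Extension" app, a grant without the
# CWS scope, and a later revoke of the malicious grant.
SAMPLE_ACTIVITIES = [
    _activity("2024-12-10T09:00:00.000Z", "ci@example.com", "authorize",
              "000000000000-ci-uploader.apps.googleusercontent.com",
              "Release uploader", [CWS_SCOPE]),
    _activity("2024-12-11T08:20:34.000Z", "dev@example.com", "authorize",
              "000000000000-unknown.apps.googleusercontent.com",
              "Policy Chrome Extension",
              ["openid", "https://www.googleapis.com/auth/userinfo.email", CWS_SCOPE]),
    _activity("2024-12-11T10:00:00.000Z", "dev@example.com", "authorize",
              "000000000000-calendar.apps.googleusercontent.com",
              "Calendar helper", ["https://www.googleapis.com/auth/calendar.readonly"]),
    _activity("2024-12-11T11:00:00.000Z", "dev@example.com", "revoke",
              "000000000000-unknown.apps.googleusercontent.com",
              "Policy Chrome Extension", [CWS_SCOPE]),
]


if __name__ == "__main__":
    # With the live API, pass the "items" list returned by
    # reports().activities().list(userKey="all", applicationName="token").
    for g in suspicious_grants(SAMPLE_ACTIVITIES):
        print(format_alert(g))
```

Run on a schedule against the token activity feed, this gives the scope-level alert that the Rule tool does not offer: every grant of the chromewebstore scope to a client outside your allow list becomes a line you can route to a ticket or a chat channel, and the allow list keeps your own release tooling from paging you.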