Google pulls crypto-mining Chrome extension Archive Poster

Google removed Archive Poster from the Chrome Web Store the other day after reports emerged that the extension abused user devices to mine crypto-currency.

Archive Poster's main function improved Tumblr, a popular blogging site. It allowed users to run actions -- reblog, queue, draft or like -- from blog archives.

Archive Poster had more than 105,000 active users and a near perfect rating before Google pulled the extension from the official Chrome Web Store.

Bleeping Computer reports that the extension's behavior changed in early December when users started to leave one-star comments which confirmed that the extension was mining crypto-currency after the latest update.

The extension used the Coinhive JavaScript miner which mins Monero in the background while Google Chrome is running.

This all happened without the need to request extra permissions to run mining operations in Chrome. The extension loads a file from an external URL that contains the Coinhive mining code.

Users of the extension reported it to Google for malicious behavior with reports going back to early December 2017.

A user reported the extension on the official Google Chrome Help forum asking for assistance from Google. The user was told that he should "get in touch with the extension developer for further assistance", or "report the extension".

It took Google almost a month to remove a misbehaving Chrome extension from the Web Store that abused Chrome user devices to mine crypto-currency.

Affected users can remove the extension from the web browser on chrome://extensions/.

This is not the first incident of its kind. The first Chrome extensions with JavaScript crypto-mining functionality was exposed back in September 2017.

Update: PC Mag reports that Essence Lab, the company responsible for the extension, stated that it was hijacked.

Closing Words

It is bad enough that crypto-mining extensions and other malicious extensions land in the official Chrome Web Store regularly. Google uses an automated system to determine whether extensions are safe or not. This system is flawed, as reports about malicious browser extensions for Google Chrome come to light regularly.

The only other defense, if you want to call it that, is user reports. We have seen this again and again: a malicious extension slips by and lands in the Store, users download it and start to report it eventually.

Google removes the extension eventually, but never immediately from the Store. Malicious code can also be added to existing extensions, for example when extensions get hacked, or when companies buy popular browser extensions.

Google needs to change its verification system to avoid that users of the Chrome browser lose trust in the whole extension ecosystem of the browser.

Mozilla changed its system recently from a manual inspection system that vets Firefox extensions before they land in the Store to a publish first and test manually later system.