For years, Google and Mozilla have struggled to keep abusive or outright malicious browser extensions out of their official repositories. Now Microsoft is taking up the fight.
Over the last few days, people in website forums have complained that their Google searches are being redirected to oksearch[.]com when they use Edge. Often the searches use cdn77[.]org for connectivity.
After discovering that the redirects were not an isolated incident, participants in this Reddit discussion winnowed the list of suspects down to five. All are knockoffs of legitimate add-ons. This means that while the extensions bear the names of legitimate developers, they are in fact frauds with no relation to those developers.
- The Great Suspender
- Floating Player
“I had installed the TunnelBear extension, but I removed it once I found out it was the cause of the problem,” Laurence Norah, a photographer at Finding the Universe, told me via email. “It’s easy enough to see it happen – if you install one of the affected extensions in Edge, open dev tools and tap the ‘sources’ tab, you’ll see something that shouldn’t be there, such as ok-search[.]org or cdn77.”
His account was consistent with photos and accounts from other forum participants. Below are two screenshots:
In a statement, Microsoft officials wrote: “We are investigating the reported extensions and will take steps as needed to protect our customers.” The statement follows remarks in this Reddit comment, where someone who identifies himself as a community manager for Microsoft Edge said the company is in the process of investigating the extensions.
“The team just updated me to tell me that anyone who sees these injections should turn off their extensions and tell me if you continue to see them at that time,” wrote the person using the MSFTMissy handle. “When I have any news from them, I will update this thread accordingly.”
The maker of the legitimate TunnelBear software and browser extensions told me that the add-on hosted in Microsoft’s official Edge store is a fake. There is also a fraudulent extension in the Chrome Web Store.
“We are taking steps to get these removed from both platforms and investigate the matter with both Google and Microsoft,” said a TunnelBear representative. “It’s not uncommon for popular, trusted brands like TunnelBear to be falsified by malicious actors.”
None of the developers of the remaining four legitimate extensions responded to a request for comment. However, readers should keep in mind that legitimate developers cannot be held responsible when their apps or add-ons are impersonated.
Along with Android apps, browser extensions are one of the weak links in the online security chain. The problem is that anyone can submit them, and Google, Mozilla, and now Microsoft have not come up with a system that adequately vets the authenticity of the people who submit them, or the security of the code.
Search engine redirects are typically part of a scheme that generates fraudulent revenue from ad clicks, and that is likely what is happening here. While reports indicate that the add-ons do nothing more than hijack legitimate searches, the permissions they request allow them to do much worse. Those permissions include things like:
- Reading and modifying all your data on the websites you visit
- Managing your apps, extensions and themes
- Changing your privacy settings
Anyone who has installed any of the above Edge add-ons should remove them immediately. And the often repeated advice about browser extensions still applies here: (1) install extensions only when they provide real value or benefit, and even then (2) take the time to read reviews and check the developer for signs that an extension is fraudulent.
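To check which installed extensions hold the permissions listed above, the following added example (not from the original article or from Microsoft) reads extension manifests and reports the matching install-time warnings. It assumes the Chromium on-disk layout of `Extensions/<extension id>/<version>/manifest.json` inside the browser profile; the sample manifest is constructed, and the function names are hypothetical.

```python
import json
from pathlib import Path

# Manifest permission names mapped to the install-time warnings listed above.
RISKY_API = {
    "management": "Managing your apps, extensions and themes",
    "privacy": "Changing your privacy settings",
}
# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALL_SITES = "Reading and modifying all your data on the websites you visit"


def risky_permissions(manifest: dict) -> list[str]:
    """Return the warnings from the article that this manifest would trigger."""
    declared = set()
    # Manifest V2 mixes API names and host patterns in "permissions";
    # Manifest V3 moves host patterns to "host_permissions".
    for key in ("permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts injected into every page grant the same reach.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    found = [ALL_SITES] if declared & BROAD_HOSTS else []
    found += [warning for name, warning in RISKY_API.items() if name in declared]
    return found


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Scan the assumed layout <extensions_dir>/<id>/<version>/manifest.json."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = risky_permissions(manifest)
        if hits:
            report[path.parent.parent.name] = hits  # keyed by extension id
    return report


# Constructed sample manifest (not taken from any extension named above).
SAMPLE = {"manifest_version": 2, "name": "Example VPN",
          "permissions": ["storage", "management", "privacy", "<all_urls>"]}

if __name__ == "__main__":
    for warning in risky_permissions(SAMPLE):
        print("requests:", warning)
```

Pass `audit_profile` the profile's `Extensions` directory; the result is keyed by extension ID, because the `name` field in a manifest is often a localization placeholder rather than the displayed name.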
Post updated to add comments from TunnelBear and Microsoft.