Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads.
First signs that something was wrong appeared when users updated from version 3.9.7 to 3.9.8 after they were prompted for an extra permission to “Read and change all your data on the websites you visit.”
Soon after that, users started reporting that when they clicked on an HTTP link inside a page, they would be redirected through the lnkr.us service to their desired destination, which in 50% of all cases would also open an extra page showing various types of ads. This allowed the author to monetize his extension, but also to collect analytics on users, which he could later sell to online advertisers.
Author sold Better History to another company two months ago.
Users reported this happening since March 23, 2016. Confronted by angry users on the extension’s GitHub repo, the extension’s original author revealed that he sold the extension to an unnamed company two months ago, since version 3.9.5.
Better History, in its original version, was a Chrome extension that added extra filters to the user’s Chrome History section to make it easier to view and find pages accessed in the past (screenshot below).
As it was later discovered, the extension’s new owners stopped adding changes to the extension’s GitHub repository, making it look to everyone like the extension never changed, but they secretly added malicious code ever since they bought the add-on.
One of the things they introduced was a new script called “common.js,” which installs a proxy extension on the user’s browser, used to redirect Chrome traffic.
Malicious code might be present in other extensions
Reddit user Scarazer says that this malicious code can also be found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker.
Soon after the revelations about Better History came out, users bound together and reported the extension as malware to Google’s staff, who eventually removed it from their store.
From the other extensions suspected of malicious behavior, at the time of writing, only the User-Agent Switcher extension has been taken down.