Fake add-ons for the Edge browser in Microsoft's Store displayed advertisements
Source: Heise.de, added 24th Nov 2020

The Chromium base of the completely renewed Edge browser allows Chrome extensions to be used in Microsoft’s Edge and thus makes developers' work easier. The downside is that the official Edge web store (microsoftedge.microsoft.com), which is currently still marked as a beta version, also has to contend with a growing volume of malicious or potentially unwanted add-on code, bringing it closer to Chrome, Firefox and Co. in a negative sense. The company deleted five add-ons from the store last weekend after users had observed unwanted advertisements.

Update 23.11., 15:35: In the meantime, a reader has pointed out other possible cases of unwanted advertising redirects. The add-ons in question are still online; we have added a corresponding section at the end of this report.
Contaminated copies of popular originals

The extensions, disguised as NordVPN, Adguard VPN, TunnelBear VPN, The Great Suspender and Floating Player – Picture-in-Picture Mode, brought the (stolen) functions of their well-known models with them. The code probably comes from the Chrome Web Store, since of the add-ons mentioned so far only Floating Player is apparently available directly from Microsoft’s Edge store. The NordVPN team, for example, explicitly names the Chrome Web Store as the download source for Edge as well in its installation guide for the extension.

The unwanted additional function of the copies

According to several user reports on the social news website Reddit, users were redirected to advertisements when they clicked Google search results. As Ars Technica reported, the domains oksearch.com and cdn77.org were used. By temporarily deactivating the relevant add-ons, users were able to attribute the unwanted behaviour to them. It is not known whether the code contained other malicious functions.
Add-ons in the store for around two months

An Edge community manager has confirmed Microsoft’s deletion of the fake add-ons. The TunnelBear, AdGuard and NordVPN teams have also acknowledged the incidents; the other manufacturers have not yet commented.

Copies of the no longer available Edge store pages for the fakes, which can be retrieved via the Internet Archive’s “Wayback Machine”, show that some of them had been online for around two months: some of the apps were last updated at the end of September.

In a comment dated 17. October 1658 on the fake NordVPN download page (copy from the Wayback Machine), a user reported having contacted the NordVPN team; it had been confirmed to him that this was not the official extension. It is unclear why the deletion only took place a few days ago. heise Security has asked NordVPN and Microsoft about this; answers are still pending.
(Image: Screenshot / Collage, web.archive.org)
Delete copies quickly

Users who downloaded the named extensions from one of the following (no longer accessible) store pages have fallen victim to the fraud and should uninstall them quickly.

- Adguard VPN
- The Great Suspender
- Floating Player – Picture-in-Picture Mode
- NordVPN
- TunnelBear VPN

In addition, the Ars Technica article on the incidents points to a fake TunnelBear extension in the Chrome web store that is still available.

With The Great Suspender the situation may be somewhat different than with the other add-ons: a discussion in the project's repository on GitHub (started almost three weeks ago) indicates that the project's new maintainer is not trustworthy and that the advertising redirects were probably built in by him on purpose. Users should therefore consider uninstalling it across browsers.
Update 23.11., 15:35:

Note on further advertising redirects

Shortly after this report was published, a reader informed us about possible further cases of unwanted advertising redirects involving the same domains and documented his observations with a screenshot. According to him, he observed the redirects with all three extensions from the developer “Express VPN” (the name presumably chosen as camouflage, modelled on the genuinely existing ExpressVPN).

We have not validated the redirects individually; in any case, however, these are illegitimate copies of the add-ons Wayback Machine (the original is from the Internet Archive), Go Back With Backspace (actually from Google) and friGate CDN (actually from fri-gate.org). Removal is highly recommended. The reader concerned has reported his observations to Microsoft via the button provided for this purpose (“Report abuse”).

The reader’s observation: the add-ons load a script from https[:]//1658[…].rsc.cdn77.[…], which in turn causes the redirect to oksearch.org.
(Image: Screenshot)
(ovw)