This morning I read about four extensions, all of which have now been removed from the Chrome Store and which should have been automatically disabled if installed in Chrome: “Live HTTP Headers”, “Tab Manager”, “Appspector” and “Give Me CRX”.
The common thread is that the extensions started injecting code into web pages, pointing to “s3.eu-central-1.amazonaws.com/forton/*****.js”. The goal seems to have been to inject advertising into the web pages visited.
This is not the first time Chrome extensions have been sold and new advertising / tracking behavior added by the new owner without warning. Yes, Chrome extensions prompt for updated permission to run when their behavior is changed, but it is not clear to the average user what the implications of those new permissions are. For example, a prompt that says an application will “read and change all your data on the websites you visit” or “access your data on all websites” does not make it clear that it is also going to transmit that data somewhere else, or inject advertising.
The new owners were seemingly able to update those apps, and get them installed onto users' computers, without Google identifying and stopping the new behaviors in time – new behaviors that were apparently judged bad enough for the apps to be removed from the Chrome Web Store.
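
The prompts quoted above correspond to host match patterns in an extension's manifest.json that cover every site. The following is an added example, not code from the extensions or from Chrome: it compares two constructed manifests for a hypothetical extension (all names and contents are assumptions) and reports which all-sites grants an update introduced.

```python
import re

# Match pattern grammar: <scheme>://<host>/<path>. A host of "*" means every site.
_PATTERN = re.compile(r"^(\*|https?)://([^/]+)/.*$")

def is_all_sites(pattern):
    """True if a match pattern covers every website the user visits."""
    if pattern == "<all_urls>":
        return True
    m = _PATTERN.match(pattern)
    return bool(m) and m.group(2) == "*"

def all_site_grants(manifest):
    """Return every all-sites pattern, labelled with the manifest key that grants it."""
    found = set()
    for key in ("permissions", "host_permissions"):  # MV2 and MV3 locations
        for p in manifest.get(key, []):
            if isinstance(p, str) and is_all_sites(p):
                found.add(f"{key}: {p}")
    for script in manifest.get("content_scripts", []):
        for p in script.get("matches", []):
            if is_all_sites(p):
                found.add(f"content_scripts: {p}")
    return found

def escalation(old, new):
    """All-sites grants present after an update that were absent before it."""
    return all_site_grants(new) - all_site_grants(old)

# Constructed manifests for a hypothetical extension, before and after an update.
OLD = {"name": "Example Tool", "version": "1.0",
       "permissions": ["tabs", "https://example.com/*"]}
NEW = {"name": "Example Tool", "version": "1.1",
       "permissions": ["tabs", "<all_urls>"],
       "content_scripts": [{"matches": ["*://*/*"], "js": ["added.js"]}]}

if __name__ == "__main__":
    for grant in sorted(escalation(OLD, NEW)):
        print("update adds all-sites access via", grant)
```

Run against the manifests of two consecutive versions of an installed extension, the same comparison shows what a permission prompt is actually asking for before the update is accepted.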