That makes sense and also explains why that Reddit thread had users describing multiple extensions as the source of the same problem.
So the root issue here is effectively extension squatting on the Edge store. The attacker can simply scrape the most popular extensions in Chrome, inject malware into them, and publish them on the Edge store under the same name.
If that’s what’s happening, there is probably substantial effort behind sockpuppet publishers so that one ban won’t ban them all. But then again it also looks like an amateur operation if every extension is footprinting itself by using the same domain for the malicious redirect.
Hopefully Microsoft can clean this up with some one-off code scans for the signatures of this malware. Ban all the publishers and delete the extensions. Then, hold those names in reserve unless the creator can prove they own the same name at the Chrome store.
Long term, the ideal system might involve a verification step at registration time if the publisher name or extension name exists in the Chrome store. I think npm has been working on features in this area, as they are vulnerable to similar name-squatting vectors of malware distribution.
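A sketch of the kind of one-off scan the comment above describes, added here as an example; it is not code from the thread, from Microsoft, or from any store. It clusters unpacked extensions by the external domains referenced in their JavaScript, flags any domain shared across several distinct publishers (the "footprinting" the comment mentions), and checks each extension name against a reference listing standing in for a scrape of Chrome Web Store names. Every extension record, publisher, domain and the reference listing are constructed sample data, and the scan only matches literal URL strings, so concatenated or obfuscated hostnames would evade it.

```python
import re
from collections import defaultdict

# Constructed sample records: one per unpacked extension, JS concatenated.
# Names, publishers and domains are made up for this example.
SAMPLE_EXTENSIONS = [
    {"name": "Tab Saver", "publisher": "acme-tools",
     "js": "fetch('https://api.tabsaver.example/sync', {method: 'POST'});"},
    {"name": "Tab Saver", "publisher": "pub-alpha",
     "js": "chrome.tabs.onUpdated.addListener(() => { location.href = "
           "'https://search-redirect.example.net/go?q=' + q; });"},
    {"name": "Dark Mode Pro", "publisher": "pub-beta",
     "js": "const u = 'https://search-redirect.example.net/go?q=' + encodeURIComponent(q);"},
    {"name": "Dark Reader", "publisher": "pub-gamma",
     "js": "window.open('https://search-redirect.example.net/go?q=' + q);"},
    {"name": "Weather Now", "publisher": "pub-delta",
     "js": "fetch('https://weather.example.org/v1/today');"},
]

# Constructed stand-in for a scrape of the Chrome Web Store: name -> publisher.
REFERENCE_LISTING = {
    "Tab Saver": "acme-tools",
    "Dark Reader": "darkreader-org",
}

# Literal http(s) URLs only; string concatenation or encoding defeats this.
URL_RE = re.compile(r"https?://([A-Za-z0-9][A-Za-z0-9.-]*)", re.IGNORECASE)


def extract_domains(js_source):
    """Return the set of hostnames appearing as literal http(s) URLs in JS."""
    return {m.group(1).lower() for m in URL_RE.finditer(js_source)}


def cluster_by_domain(extensions):
    """Map each external domain to the set of publishers whose code references it."""
    clusters = defaultdict(set)
    for ext in extensions:
        for domain in extract_domains(ext["js"]):
            clusters[domain].add(ext["publisher"])
    return clusters


def shared_domains(extensions, min_publishers=2, ignore=frozenset()):
    """Domains referenced by at least min_publishers distinct publishers.

    A domain shared by otherwise unrelated publishers is the footprint the
    comment describes; pass known CDN/API hosts in `ignore` to suppress
    benign sharing."""
    clusters = cluster_by_domain(extensions)
    return {d for d, pubs in clusters.items()
            if d not in ignore and len(pubs) >= min_publishers}


def name_collisions(extensions, reference):
    """(name, publisher) pairs whose name exists in the reference listing
    under a different publisher, i.e. candidate squats."""
    return sorted(
        (ext["name"], ext["publisher"]) for ext in extensions
        if ext["name"] in reference and reference[ext["name"]] != ext["publisher"]
    )


def triage(extensions, reference, min_publishers=2, ignore=frozenset()):
    """Combine both signals. Returns {(name, publisher): list of reasons}."""
    suspicious = shared_domains(extensions, min_publishers, ignore)
    squats = set(name_collisions(extensions, reference))
    report = {}
    for ext in extensions:
        key = (ext["name"], ext["publisher"])
        reasons = []
        hits = extract_domains(ext["js"]) & suspicious
        if hits:
            reasons.append("shared-domain:" + ",".join(sorted(hits)))
        if key in squats:
            reasons.append("name-collision:" + reference[ext["name"]])
        if reasons:
            report[key] = reasons
    return report


if __name__ == "__main__":
    for (name, publisher), reasons in sorted(
            triage(SAMPLE_EXTENSIONS, REFERENCE_LISTING).items()):
        print(f"{name!r} by {publisher}: {'; '.join(reasons)}")
```

On the constructed data the legitimate "Tab Saver" (acme-tools) and "Weather Now" come out clean, while the three extensions that all redirect through the same domain are grouped together, two of them additionally flagged as name collisions with the reference listing. In a real sweep the `ignore` set would need to carry common analytics and CDN hosts, and the domain extraction would have to run over deobfuscated sources rather than raw literals.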