Microsoft Authenticator Chrome Extension is not from MS and is phishing

469 points by cheph, about 4 years ago

33 comments

donmcronald, about 4 years ago
How about the related one that claims to be from Microsoft, but uses msftliveapps@gmail.com?

https://chrome.google.com/webstore/detail/microsoft-autofill/fiedbfgcleddlbcmgdigjgdfcggjcion?hl=en-US

I literally can’t tell real from fake on these shitty platforms.

Edit: Or this using msandapp.chrome@gmail.com:

https://chrome.google.com/webstore/detail/microsoft-news-new-tab/lklfbkdigihjaaeamncibechhgalldgl?hl=en-US

The average person has no chance :-(
lm741, about 4 years ago
CRXcavator is a pretty useful tool for scoping out Chrome extensions like this: https://crxcavator.io/report/mabdjppmcjpjploliggpbonahnjjlgkf/1.1.0?platform=Chrome

Similarly, Urlscan.io is pretty useful for scoping out sketchy links like the one in the extension's html: https://urlscan.io/result/d95c1113-a446-4c94-8b1f-dd7d5305313c/
chaozznl, about 4 years ago
If everyone that reads this simply takes the time to report it, the HN community should be able to get this extension down fairly quickly, right?

https://chrome.google.com/webstore/report/mabdjppmcjpjploliggpbonahnjjlgkf
aritmo, about 4 years ago
It is a very simple extension. No effort to hide the malicious URL.

See the source: https://crxcavator.io/source/mabdjppmcjpjploliggpbonahnjjlgkf/1.1.0?file=popup.html&platform=Chrome

The malware link: hxxp://przekierowanie2.chrome_augustow.pl/?123-Microsoft525896
davidjgraph, about 4 years ago
The chrome web store is overrun with phishing apps like these, I think it's safe to say Google have given up.
pingec, about 4 years ago
Slightly offtopic but I think the problem of rogue addons applies to firefox as well. I wish it were possible in firefox to limit which addons can be loaded on a per-container basis. The extensions I want loaded on banking websites, social media and youtube are completely different. And limiting them per-container makes it a relatively simple mental model to reason about.
yrro, about 4 years ago
Archiving the extension author's email address before it's taken down: harperrodriguez31@gmail.com

The same account has published another extension: https://chrome.google.com/webstore/detail/iartbook-digital-painting/pndkaoeigpfhjkjblpmneppaffijeoof?hl=en-US

[edit] both have now been nuked - about 2 hours since this was posted.
yrro, about 4 years ago
I find it rather surprising that anyone with a gmail address can publish an extension that appears to be from Microsoft.
tester34, about 4 years ago
I wonder why there's no ONE employee who could read all names of extensions and just click "accept" "reject" whenever they apply

I bet it'd reduce amount of scams significantly
mrweasel, about 4 years ago
I love that it's made by: "Extensions"
Hallucinaut, about 4 years ago
Can we also take a moment to assign partial blame to Microsoft for this situation? Their authentication is a shambles, they try to force you to use their app rather than other 2FA providers and heavily steer you towards having to install Microsoft apps.

And that's if you're lucky and they arbitrarily don't mandate a phone number and an email address for a corporate account. Oh and the email address can't be the primary corporate domain that owns the account because of course what we need is personal emails to authenticate business accounts.

Lord help you if you were ever an early adopter of an onmicrosoft.com domain. You will remain in purgatory until you wipe your accounts and start again.
pcf, about 4 years ago
If you get this information to a tech journalist who makes a story about it, it'll probably be delisted much quicker.
kypro, about 4 years ago
Not entirely related, but is there a simple way to run an application like a web browser in a sandbox on Windows? Sometimes I find myself wanting to install a dodgy extension or software, but I don't know how to test it safely without using something like virtual box as a sandboxed environment. I kinda want something where I can just right-click an .exe and run it in a sandbox.
bob1029, about 4 years ago
The one thing I hate about the Apple store is also its best feature when dealing with crap like this.

As a consumer, business entity verification & savagely-enforced PKI/codesigning does make for a much safer app ecosystem. As a developer and small business owner, Apple is a fucking nightmare to build apps for. I much rather build Android/Windows/Web platform because it's so much easier to iterate in our shop.

All of that said, could we at least consider requiring some basic domain verification process around these things so that it is possible in theory to determine who endorsed a specific app or extension? If a gmail account & some "reputation" is all it takes to trickle to the top of the store, I think we are missing several important security controls.
bilekas, about 4 years ago
Really surprising that something so blatant would get past the playstore checks. If I remember correctly, there was a vetting process on the first upload of an app anyway, not sure about extensions.

Brand/Company names could easily be flagged as a 'needs review' for example.
ddmma, about 4 years ago
Who approved this in the listing? Should Microsoft sue them.. that would be a start
tyingq, about 4 years ago
Pretty low effort too. It's just a popup with a button that links to hxxp://przekierowanie2-chrome.augustow.pl/?123-Microsoft525896 , which then redirects to hxxps://extensions-install.com/?123-Microsoft525896

The form itself doesn't look particularly MS-like, and the grammar is pretty bad.
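
An added example, not part of the thread and not code from CRXcavator or any commenter: a small Python check that lists every off-package URL referenced by an unpacked extension's HTML pages and marks cleartext `http` targets reachable from the popup, which is the pattern the comments above describe. The sample extension, its host name and the names `audit_extension` and `LinkCollector` are constructed for illustration.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an unpacked extension whose popup is only a button
# linking off-site. Names and the host are placeholders, not from the thread.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "name": "Example Vendor Authenticator",
        "browser_action": {"default_popup": "popup.html"},
    }),
    "popup.html": (
        '<html><body><img src="icon.png">'
        '<a href="http://redirect.example.test/?id=1"><button>Sign in</button></a>'
        "</body></html>"
    ),
}

URL_ATTRS = {"href", "src", "action", "formaction"}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # (tag, url) for every URL-bearing attribute seen

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value.strip()))

def audit_extension(files):
    """Return one finding per external URL referenced by the package's HTML."""
    manifest = json.loads(files["manifest.json"])
    # Manifest V2 uses "browser_action", Manifest V3 uses "action".
    action = manifest.get("browser_action") or manifest.get("action") or {}
    popup = action.get("default_popup")
    findings = []
    for fname, content in files.items():
        if not fname.endswith((".html", ".htm")):
            continue
        collector = LinkCollector()
        collector.feed(content)
        for tag, url in collector.urls:
            parts = urlsplit(url)
            if not parts.hostname:  # relative path: stays inside the package
                continue
            findings.append({"file": fname, "tag": tag, "host": parts.hostname,
                             "cleartext": parts.scheme == "http",
                             "in_popup": fname == popup})
    return findings
```

A finding with both `cleartext` and `in_popup` set is worth opening in a URL scanner before the extension goes anywhere near a real browser profile.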
Geenirvana, about 4 years ago
Naive question. How does one know this is malicious before installing it?

I think this would fool me if it wasn't for this thread. The only thing that seems off to me is the lack of information, and hovering over the contact developer shows a gmail address.

I wouldn't have looked at the comments in the reviews as I know what the Microsoft Authenticator does, as I use it constantly on my mobile device. So in this instance, I could have seen myself finding this link, clicking Add to Chrome without much thought.

I can surely see how an average user would fall for this and it's frightening.
Inhibit, about 4 years ago
I'm still amazed that people install (outside of very specific development or page manipulation use cases) Chrome extensions.

Are these more common on Chromebooks or some other platform I don't regularly use?
bobbob1921, about 4 years ago
I’ve always been concerned with the chrome store in regard to chrome extensions. While I do know some level of scrutiny is applied to brand new extensions uploaded to their store platform, my concern has always lain in a developer's ability to update an existing extension, which is then almost universally updated on all clients upon which that extension is installed.

I have seen extension updates (updates not releases) get approved much too quickly to be properly vetted on the store's side.
minikites, about 4 years ago
The pitch from companies offering "stores" like these (Apple, Google, Microsoft) is that they're for the protection of users. Apple can't stop scams, Google can't stop scams, Microsoft can't stop scams. It's time we saw these stores for their true purpose: platform control, vendor lock-in, and in the case of pay stores, recurring services revenue. They were never about protecting users.
judge2020, about 4 years ago
Looks like it's been taken down - either enough HN people reported it, or a Googler raised an issue internally and got it taken care of.
1cvmask, about 4 years ago
A simple solution would be to allow any domain to sign up and show the email extension like company.com or helloworld.co.uk etc... I remember seeing this app when I had searched for the Saas Pass Authenticator & Password Manager in the past. (worked on the 2FA design of the saas pass browser extension). I naturally assumed it was an official Microsoft extension.
supergirl, about 4 years ago
yeah, the chrome marketplace is the wild west. probably the easiest way to get hacked is to install some extensions from there, like this one https://chrome.google.com/webstore/detail/microsoft-autofill/fiedbfgcleddlbcmgdigjgdfcggjcion?hl=en-US that is from "Microsoft Corporation" but has a gmail contact address. the android app store is probably not much better. google just doesn't care about the users. they invest in good tech and launch shiny products that get some market share and then leave the users to deal with the automated replies while engineers go to build the next shiny thing.
swiley, about 4 years ago
So glad Google has to vet the extensions... they seem to do a pretty good job of stopping scams that way.

Do people like walled gardens just so they have someone to blame when this kind of thing happens? They obviously don't work.
samsaga2, about 4 years ago
Developer's email: harperrodriguez31@gmail.com. I don't think Microsoft engineers use gmail. It could be their real name?
sdflhasjd, about 4 years ago
Does anyone have the .crx file to inspect?
cheph, about 4 years ago
Putting this here because Google won't remove it even though it has been reported multiple times.
grigarav, about 4 years ago
Report it for illegal activity instead of posting a negative review, will have a bigger impact.
mgol94, about 4 years ago
Link is dead, they removed it
soulchild37, about 4 years ago
Microsoft lawyer should file a DMCA for abusing trademark, then it should be resolved quickly
RockmanZero, about 4 years ago
classic google app store: they never give a fxxk about their users
Deradon, about 4 years ago
Imo, it's not a good idea to directly link to the extension as one might accidentally hit the "Add to chrome" button. (e.g. when coming from the homepage and not peeking into the thread here)