Bogus MS Authenticator in Chrome Store…


Just a quick heads-up to any Chrome users who downloaded the “Microsoft Authenticator” add-on for Chrome… It doesn’t come from Microsoft; it comes from the developer “Extension” and redirects to a site in Poland to try and get users to sign in to a phishing site. It also used high CPU, so possibly a crypto-miner as well.

Microsoft has never released a Chrome add-on for their Authenticator; it is built into Edge, or is a stand-alone app on Android (and iOS?).

If you downloaded it, you might want to change all passwords stored in Authenticator and rescind and renew all OTP codes for the Authenticator app.

Google gave no comment on how the add-on managed to get published in the store in the first place.

As with the Play Store, Apple’s App Store or downloading directly from the web, double and triple check the site / author of the application/app/add-on before installing. If the name doesn’t match up with the company behind the app/add-on, don’t install it before double-checking to ensure that it is legitimate – some companies have apps written for them by other companies, so there are legitimate times where a web developer or software developer writes an app or add-on for another company and publishes it themselves.

For web software or sites in general, before I log on or download something, I always ensure the certificate is from a trusted source – although most AV packages these days perform a “man-in-the-middle” attack on all browsers, so you cannot verify the certificate is legitimate, because the certificates for every site are illegitimate!

11 responses to “Bogus MS Authenticator in Chrome Store…”

  1. madthinus

    A reminder that the App stores are about money and not quality.

  2. Paul Thurrott

    This has already been removed from the Chrome Web Store.

    • wright_is

      Yes, but anyone who had downloaded it and used it is still going to need to be informed and they will then need to reset all their passwords and OTPs.

      • Truffles

        I'd have assumed that the computer would decline to load a program that had had its key removed from the store. Or is that just an Apple thing?

        • wright_is

          It was downloaded by a lot of people before Google was made aware of the problem. That means that a lot of people did download it and use it and would have logged themselves into the phishing site with their Microsoft credentials and would therefore have given the phisher complete access to their password store.

          Once it was revoked, it should have failed to load again, not much help to someone who had already lost all their passwords...

  3. anoldamigauser

    Isn't the argument for having a single store to gatekeep apps that they will ensure the quality and safety of the apps? I mean that is what they use the 30% vig for, right?

    • wright_is

      They don't have enough people checking; as much as possible is done through automation and AI, which is never as good as a real person doing the checks. Something like a Microsoft app coming from a company named Extension is immediately obvious to a human, but not to a machine.

    • jimchamplin

      The Chrome Web Store I don’t think is curated that much.

    • Truffles

      Apple published these stats the other day (this should display as an image, cross fingers). The scale is pretty amazing, though I assume the vast majority is automated:

      Key stats of actions Apple took to prevent fraud on the App Store in 2020.

    • lvthunder

      No one is perfect. App reviewers are people too. And people make mistakes.