Skip to content
Naked Security Naked Security

Chrome extension was secretly redirecting users to ad pages

Somebody bought it and stuck in malicious code to redirect a user's traffic through a proxy, show them ads and snoop on their web browsing.

Google has banned the popular Better History Chrome extension after users complained that it hijacked their browsing sessions.

Looks like it was a money-making scheme. The extension was redirecting users’ HTTP traffic through a proxy service before taking them to their desired destinations, showing them an extra page with ads in 50% of the kidnapped sessions.

Not only did that garner advertising revenue for the extension’s owners; it also allowed them to snoop on users’ web traffic, collecting analytics that could later be sold to online advertisers.

Commenters brought the extension’s misbehaviour to the attention of its original author on GitHub over the weekend.

Turns out, he sold Better History a few months ago, he said: since version 3.9.5.

The owner said on Reddit that he sold the extension to a company called that didn’t seem skeevy:

I checked around and they seemed legit and had a decent site. (you need to disable ad block when hitting… but of course.. do not do that)

Things started to go wrong when users were prompted to update from version 3.9.7 to 3.9.8. That’s when the extension asked for an extra permission to “Read and change all your data on the websites you visit.”

Pre-sale, in its unadulterated form, Better History added extra filters to Chrome users’ History section to make it easier to view and find previously accessed pages, as shown in this screenshot posted by Softpedia.

Better History’s new owners introduced a script called “common.js” that installed a proxy extension on users’ browsers that redirected Chrome traffic.

They were flying under the radar: stopped adding changes to the extension’s GitHub repository so that it wasn’t evident that it had been slipping in malicious code.

Reddit user Scarazer wrote that he’d found the same malicious code infecting a number of other Google Chrome extensions, including Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker.

As of Tuesday afternoon, the only extension in that list that had been removed from Google’s Chrome web store was 4chan Plus. Google also banned Better History after users encouraged each other to write reviews reporting it.

Image of Chrome logo courtesy of Rose Carson /


I’ve been having an issue since last week with Chrome where it keeps adding an extension(s?) that wants to automatically direct me to sites that Malwarebytes is identifying as malicious (not going to bother listing the actual sites here). The extensions show up as a button with lower case “f” and/or “c” in the top-right, next to the customizer menu button. As of 4/6/16, I keep deleting the extension and resetting Chrome and yet it keeps coming back after some time. Malwarebytes also finds and removes Crossrider every time it happens. Don’t know if this is related, but it’s driving me insane.


Sophos (as with most AV companies) has a free scan tool you should try, to see what is installing the extensions. Stinger is also a favorite of mine for double checking.


There’s a list of links to our free tools about half-way down every page, including Sophos Home (full-time anti-virus for Windows and Mac), the Virus Removal Tool (Windows) and Sophos Anti-Virus for Linux (free for work or home).


You could try running AdwCleaner. It finds stuff Malwarebytes may be missing. I use both btw, and since they are both on-demand scan tools, they don’t fight each other (unless you run them at the same time I suppose).
Actually, I’d say delete the extension from within Chrome, log-out of your Google account ( chrome://settings/ ), uninstall Chrome, ideally with something like Iobit Uninstaller or Ccleaner that does a much better job then the built-in windows tool (yes, really.), run Malwarebytes custom scan with everything checked (expect it to take a couple of hours, but you should still be able to use your PC in the meantime), then run Adwcleaner, reboot as required, run Internet Explorer AKA the best browser to get Chrome :P , install Chrome then try to use it without logging in your Google account for a day or two. If the damn PUP is still gone, try to login to your Google account (again, chrome://settings/ ), and see what happens. Quite simple process that’s worth trying.
For good measure, make sure that your OS, drivers and apps are all updated. Good luck!

P.S.: I realize that I mentioned products that are not Sophos’ own, but I’m merely trying to help Will :)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!