Bogus MS Authenticator add-on in Chrome

I posted this over at Thurrott as well, but though it was important enough to repeat here:

Just a quick heads-up to any Chrome users who downloaded the “Microsoft Authenticator” add-on for Chrome… It doesn’t come from Microsoft, it comes from the developer “Extension” and redirects to a site in Poland to try and get users to sign in to a phishing site. It also used high CPU, so possibly a crypto-miner as well.

Microsoft has never released a Chrome Add-on for their Authenticator, it is built into Edge, or is a stand-alone app on Android (and iOS?).

If you downloaded it, you might want to change all passwords stored in Authenticator and rescind and renew all OTP codes for the Authenticator app.

Google gave no comment, on how the add-on managed to get published in the store in the first place.

As with the Play Store, Apple’s App Store or downloading directly from the web, double and triple check the site / author of the application/app/add-on before installing. If the name doesn’t match up with the company behind the app/add-on, don’t install it, before double checking to ensure that it is legitimate – some companies have apps written for them by other companies, so there are legitimate times, where a web developer or software developer writes an app or add-on for another company and publishes it themselves (but should never be the case for companies like Microsoft, Amazon, Facebook etc.).

For web software or sites in general, before I log on or download something, I always ensure the certificate is from a trusted source – although most AV packages these days perform a “man-in-the-middle” attack on all browsers, so you cannot verify the certificate is legitimate, because the certificates for every site are illegitimate!

Thanks, made me think that I don’t actually use extensions and it wouldn’t even cross my mind to go and look in the extension store if I was looking for an authenticator app. Lastpass is about the only one I have used - am I missing out on something ?

Well there could be a risk, with LastPass doing it all, of “everything in one basket.” I would check out Authy if I were you

Yes and no, there are some very good extensions for improving the browsing experience, but like apps on a phone or applications on a PC, you still have to be careful about where they come from. Just because they are in a store isn’t a guarantee that they are legitimate, Apple & Google do their best, but a lot of dodgy apps still slip through - they usually have 10s of thousands of apps being added or updated every day.

I use relatively few add-ons, I use 1Password and, depending on my browser, uBlock Origin, for example. But every time I set up a new browser, I double check I am installing the right version. The same for the app stores or locally on my PC.

I certainly wouldn’t use something like an authenticator within the browser. The whole point is that it is separate from the app or device you are using.

I definitely wouldn’t use 2fa on the same device and I also don’t use lastpass for both first and second factors.

I use the Steve Gibson method of backing up my OTP seed QR codes!

My point here is that I haven’t found any browser extension that are useful other than lastpass and ublock (although I don’t want either if them across all my browsers)