The Chrome extension 'Save Image as Type', used by millions to save WebP images as JPG or PNG, was removed by Google after being identified as malware. The tool, which requested broad permissions to access browsing data, contained malicious code. This case exposes the risk of granting unlimited access to third-party extensions.
The risk of 'cookie stuffing' and excessive permissions 🚨
The detected malicious technique is 'cookie stuffing', where the extension injected affiliate cookies without consent to generate fraudulent income. With permissions for all_urls, it could read and modify data on any visited site. This turns the extension into a master key that can access active sessions, forms, and sensitive information in email or online banking.
Your image converter now works as an affiliate 😒
It turns out that while you were struggling to convert that WebP to PNG to upload it to the forum, the extension had an undeclared second job. Without you knowing, it was there, in the background, juggling affiliate cookies to get an extra commission. An image conversion service with unsolicited marketing extra. At least it was multifunctional.