Youtube Queue Chrome extension booted out of store for search engine hijacking, revealing Google's lax dev checks

Google has removed a Chrome extension called Youtube Queue from its official online store for violating its program policies following complaints it was hijacking users' web searches.

However, another extension called Croowila Videos Player that shares similar suspect code remains available.

Via Twitter on Monday, Microsoft principal program manager Eric Lawrence explained that the JavaScript in both extensions "abuses [the] webRequestBlocking API and redirects [the] user's search query from HTTPS website to unexpected search engine laden with ads using unsecured HTTP."

On Reddit and other internet forums, multiple gripes about the Youtube Queue extension have surfaced. Reviews posted on the removed Chrome Web Store page suggest the add-on, used by several thousand people, went bad around June 7 this year.

Youtube Queue, not to be confused with YouTube Queue or YOUTUBE QUEUE or Queue for Youtube, was supposed to help you line up YouTube videos one after the other - though it hijacked web search queries and sent netizens instead to a search service called Croowila and a web page identified as Information Vine to display ads. It also transmitted globally unique identifiers (GUIDs) attached to each of its users so they could be individually tracked on the web.

But even Google had trouble identifying those responsible for the Youtube Queue extension, a testament to the Chrome Web Store's lax security procedures and oversight that allows confusingly similar extension names.

Alerted to the issue, the ad giant contacted [email protected], listed as the email address for the add-on, and two other email addresses affiliated with googlegroups.com and gmail.com, to inform those responsible for the software about its ejection from the Chrome Web Store.

"Dear Developer," Google's message reads, "Your Google Chrome item, 'Youtube Queue,' with ID: pgeplakfmipjphmlpnfbeldbficaeack did not comply with our program policies and was removed from the Google Chrome Web Store."

But according to Bill Auerbach, who created legacy processor toolchain biz Softools, Inc, which operates on the softools.com domain, his company's support address was listed on the Youtube Queue page seemingly without authorization or any verification by Google. He provided The Register with a copy of the Google email he received.

"The support address listed with the app is incorrect," he said in an email to The Register. "We have nothing to do with it. We've been contacted by Google about a bad app/plug-in and told them the address is wrong. They've already pulled the app."

Google did not respond to a request for comment.

The Register contacted Abhishek Deora, a developer whose name can be found in the Youtube Queue extension code, to try to understand how things went wrong. Deora's GitHub contains a project called "youtube_queue_extension" that, at the time this story was filed, included a link to the removed Chrome Web Store listing. However, the GitHub repo lacks the search redirection code.

In an email, Deora explained, "I have recently sold the extension to softools. After selling it these issues started coming but I am no longer the owner." (Auerbach suggested inquiring to softools.net in the UK, but there's no reason to believe that company had anything to do with the adware extension either.)

Deora said he had created a new version of the extension called "Queue Tube" after seeing all the complaints from users. It doesn't include the search redirection of the banned version.

The Register has sent an inquiry to the individual said to have purchased the Youtube Queue extension code from Deora, apparently an Israeli with experience in malware research and computer security, but we've not heard back. The Youtube Queue developer information in the Chrome Web Store listing included an address in Tel Aviv, Israel, though it could be inaccurate like the errant softools.com email link.

The deceptive code attempts to remain inconspicuous by redirecting only once per browsing session. For Youtube Queue, it can be found in src/js/background.js. For Croowila Videos Player, the background.js file in the extension's root directory is almost identical. Both rely on the Chrome Extensions API chrome.webRequest.onBeforeRequest to intercept and redirect search queries.
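
For anyone reviewing an installed or unpacked extension for the pattern described above, the following added example (not code from either extension or from The Register) flags the combination of blocking webRequest permissions, broad host access and an onBeforeRequest listener that returns a redirect. It assumes a Manifest V2 layout; the function name auditExtension, the finding labels and all sample data are constructed for illustration.

```javascript
// Added example: static triage of an unpacked Manifest V2 extension.
// All names, labels and sample data here are constructed for illustration.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditExtension(manifest, sources) {
  const perms = manifest.permissions || [];
  const findings = [];
  // In MV2, a listener can only redirect if both permissions are granted.
  const canBlock = perms.includes("webRequest") && perms.includes("webRequestBlocking");
  if (canBlock) findings.push("blocking-webrequest-permission");
  // Host patterns that let the extension see requests to every site.
  if (perms.some((p) => BROAD_HOSTS.has(p))) findings.push("broad-host-access");
  for (const [file, text] of Object.entries(sources)) {
    const hooks = /webRequest\s*\.\s*onBeforeRequest\s*\.\s*addListener/.test(text);
    const redirects = /\bredirectUrl\b/.test(text);
    if (hooks && redirects) findings.push(`redirecting-listener:${file}`);
    // A quoted http:// URL next to a redirect suggests an HTTPS-to-HTTP downgrade.
    if (redirects && /["']http:\/\//.test(text)) findings.push(`cleartext-url:${file}`);
  }
  const needsReview = canBlock && findings.some((f) => f.startsWith("redirecting-listener:"));
  return { findings, needsReview };
}

const sampleManifest = {
  manifest_version: 2,
  name: "Sample Queue Helper",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
  background: { scripts: ["src/js/background.js"] },
};
const sampleSources = {
  "src/js/background.js": [
    "chrome.webRequest.onBeforeRequest.addListener(function (details) {",
    "  return { redirectUrl: 'http://search.example.invalid/?q=' };",
    "}, { urls: ['<all_urls>'] }, ['blocking']);",
  ].join("\n"),
};
const benignManifest = { manifest_version: 2, name: "Sample Notes", permissions: ["storage"] };
const benignSources = { "background.js": "chrome.storage.local.get('notes', function () {});" };

console.log(auditExtension(sampleManifest, sampleSources));
console.log(auditExtension(benignManifest, benignSources));
```

A hit means the extension is worth reading by hand, not that it is malicious: content blockers legitimately use the same permissions and listener.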

A source familiar with the issue told The Register that buying a popular extension and altering the code to allow abuse has become a common attack vector, along with hacking developer accounts, which is one of the reasons Google has been pushing 2FA for developers. ®
