News about extensions containing malware making their way to the Chrome Web Store is not exactly unheard of. That said, it's still quite rare to see malicious extensions masquerading on the storefront under the guise of a big tech company such as Microsoft. However, that's exactly what happened recently, with numerous users downloading a fake "Microsoft Authenticator" extension from the store without realizing that it's not actually published by Microsoft.
Store listing of fake Microsoft Authenticator | Image via ghacks
For those unaware, Microsoft Authenticator allows you to securely access your accounts using codes for multi-factor authentication. However, it is important to note that the capability is only available for mobile devices and is not present on the web.
A fake Microsoft Authenticator extension somehow still slipped past Google's validation process and made its way to the Chrome Web Store. Interestingly, the publisher name was "Extensions" instead of "Microsoft", but this didn't raise any red flags either.
The listing was spotted by ghacks, which noted that the illegitimate extension has been on the store since April 23, although it appears to have been removed now. As of yesterday, it had hundreds of downloads with a three-star rating. The extension redirected users to a website hosted in Poland and asked them to create an account, which means that it was a clearly malicious piece of software to harvest credentials from unsuspecting users.
Although Google has now removed the extension, it's still a bit worrying that it remained in the store for almost a month and garnered hundreds of downloads. Google declined to comment on the failure of its validation process but in a statement to The Register, Microsoft emphasized that it has never released an extension for Microsoft Authenticator and encouraged users to report such issues to the Chrome Web Store team.