Over one million Chrome users discovered their "Save image as Type" extension had been forcibly disabled overnight, with Google flagging the popular tool for malware and scrubbing it from the Chrome Web Store entirely. The extension, which offered a straightforward feature—right-click any image and save it as PNG, JPG, or WebP—had earned a 4.2-star rating from more than 1,700 reviews before its abrupt removal.
The incident raises uncomfortable questions about Google's extension vetting process. This wasn't a fly-by-night operation that slipped through the cracks. Google had previously featured "Save image as Type" on the Chrome Web Store, effectively giving it an editorial stamp of approval that likely contributed to its million-plus user base.
The Affiliate Code Hijacking Scheme
User investigations on Reddit revealed the extension's actual behavior: affiliate link manipulation across hundreds of e-commerce sites. Rather than stealing passwords or harvesting personal data, the extension operated a more subtle scheme that redirected potential commissions away from legitimate affiliates.
Reddit user AdamConwayIE examined the extension's stored data and uncovered its connection to Karmanow, a service configured to target over 578 websites. The mechanism was clever—the extension loaded sites in hidden iFrames with its own affiliate codes, effectively replacing any existing affiliate parameters in the user's browser. When users clicked through to retailers like Amazon or Best Buy, the extension's operators would receive the commission instead of the original referrer.
This type of affiliate fraud sits in a gray area of malicious behavior. Users don't directly lose money or have accounts compromised, but they unknowingly become tools for commission theft. Content creators, deal sites, and legitimate affiliates lose revenue they've earned through their work, while the extension developer profits from parasitic behavior.
A Year-Long Pattern Google Missed
The most troubling aspect isn't that the extension turned malicious—it's that the behavior was documented publicly for over a year before Google acted. The Microsoft Edge version of the same extension was flagged on Reddit for identical affiliate hijacking more than 12 months ago. XDA Developers reported that the Chrome version had similar documentation dating back just as far.
This timeline suggests a significant gap in Google's monitoring systems. The company maintains automated scanning for extensions and claims to review updates, yet a featured extension with a million users operated a documented fraud scheme for at least a year. Either Google's detection systems failed to identify the behavior, or reports from users didn't trigger adequate review processes.
The Extension Review Problem
Chrome's extension ecosystem hosts hundreds of thousands of tools, making comprehensive manual review impractical. Google relies on a combination of automated analysis, user reports, and periodic audits. But extensions can behave differently after installation than during initial review, and developers can push updates that introduce malicious code to previously clean extensions.
The "Save image as Type" case demonstrates how extensions with legitimate core functionality can hide revenue-generating schemes that don't trigger obvious security flags. Affiliate link manipulation doesn't require suspicious permissions like accessing all website data or reading clipboard contents—it can operate within seemingly reasonable permission boundaries.
What Users Should Do Now
If you had "Save image as Type" installed, Chrome has already disabled it. You should manually remove it from your extensions list to fully uninstall it. While the affiliate hijacking scheme doesn't appear to have compromised passwords or personal data, it's worth reviewing your other installed extensions.
Look for extensions you don't actively use or can't remember installing. Check the permissions each extension requests—if an image-saving tool asks for access to all your browsing data, that's a red flag. Stick to extensions from verified developers when possible, though this incident shows even featured extensions aren't guaranteed safe.
For the specific functionality "Save image as Type" provided, Chrome's built-in "Save image as" option works for most use cases, though it doesn't offer format conversion. Users who need format flexibility might consider desktop tools like XnConvert or online converters rather than browser extensions, reducing the attack surface in their browser.
The Broader Extension Trust Problem
This incident fits a troubling pattern in browser extension security. Extensions offer powerful capabilities that enhance browser functionality, but that same power creates opportunities for abuse. Unlike mobile app stores where Apple and Google maintain tighter control, browser extensions operate with significant access to user activity and can modify web pages in real-time.
The economics of extension development create perverse incentives. Building and maintaining a quality extension requires ongoing work, but most users expect extensions to be free. Developers turn to monetization strategies like affiliate programs, advertising, or data collection—and the line between legitimate monetization and malicious behavior can blur quickly.
Google's response to remove and disable the extension is appropriate, but the year-long delay raises questions about whether the company dedicates sufficient resources to extension security. With Chrome commanding roughly 65% of the browser market, the Chrome Web Store functions as critical infrastructure for millions of users. The platform needs monitoring systems capable of detecting behavioral changes in existing extensions, not just screening new submissions.
What Happens Next
Google hasn't indicated whether "Save image as Type" could return to the Chrome Web Store if the developer removes the affiliate hijacking code. Given the deliberate nature of the scheme—targeting 578 sites through a third-party service—this wasn't an accidental bug but an intentional monetization strategy. That makes reinstatement unlikely unless the extension changes hands entirely.
For Chrome users, this serves as a reminder that extension permissions matter and that popularity doesn't guarantee safety. The million-user install base and 4.2-star rating created a false sense of security. Moving forward, Google needs to demonstrate that its extension review process can catch these schemes before they reach seven-figure user counts, not after a year of documented abuse.
