Slashdot Mirror
Adware Vendors Buying Chrome Extensions, Injecting Ads
An anonymous reader writes "Ars reports that the developers of moderately popular Chrome extensions are being contacted and offered thousands of dollars to sell ownership of those extensions. The buyers are then adding adware and malware to the extensions and letting the auto-update roll it out to end users. The article says, 'When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.'"
Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.
And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.
And that, ladies and gentlemen, is how the free market works.
The reputation of these plugins is worth money. The down side is that once the malware infected extensions are reported to Google, Google will kill them off in the browsers. They wont live long enough to make their money back. The adsheisters will quickly see their reputation vanish and their install base dwindle.
Best course of action is to disable the autoupdate. The whole notion of automatic updates just doesn't make any sense.
What makes this really bad is that it's difficult to permanently remove Chrome extensions sometimes. If I delete it, it will just show back up in a few minutes, probably because it's saved somewhere in my central account. Now with this out there...
Would anyone be surprised to learn the NSA has been doing similar tactics, strong-arming popular extension writer like ad-blockers to spy on users?
I've seen contract gigs like the following, more than once, on boards such as Guru.com. One specific contract offer wanted code that would reset the, uh, "users" homepage to a URL to be specified by the client, then make it impossible for the "user" to set any other homepage. That's it. Perhaps I'm in the wrong business. It's a lot harder than I thought to get a job as an iOS developer, but I am really good with assembly code, debugging and reverse engineering. Perhaps I should write malware for the Russian Mob.
Please mail me URLs of software employers.
FTFA : - "Chrome's extension auto-update mechanism silently pushed out the update "
Google need to disconnect their Chrome core update mechanism from the extension updates (unless ones of their own authorship). Of course, they cannot do anything about users accepting updates directly from independent extension writers.
Otherwise, Chrome is dead in the water.
The internet has ads?
I haven't seen em in years...
The commenters in arstechnica also mentioned search engine hijacking too. Maleare if you ask me?
This and advertisers circumventing adblock which was mentioned yesterday shows a war.
Is IE the only defense? Firefox has a lot more powerful API for extensions and add ons so I wonder if that is unsafe as well? However Mozilla has a greater track record in protecting freedom and privacy as an organization. Taco was an infamous extension that did what ghostery does for Firefox but a spammer bought it and ruined it.
http://saveie6.com/
to my Firefox extension and they were all kinda shady. Extension development is kinda niche to begin with, so I figured they were planning something like this. I'm just surprised it took so long for people to notice.
I don't see it as a huge problem though. Most extension developers are like me, hobbiests and enthusiasts. There's really only a few big ones (like Adblock Plus and Firebug) and those are big enough they're not a target for these sorts of things.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
...these malware companies buy out AdBlock. :-/
Koans and fables for the software engineer
Many people have defected from IE due to its problems with malware and adware. Firefox, but more so Chrome seemed to be safe. So now that the awesome, "safe alternative" browser is compromised, what's next? I can't imagine there an easy fix to this. Is it time to go to yet another browser?
This is almost like how pharmaceutical scientists keep having to modify and discover new antibiotics. The current batch of drugs eventually becomes less and less effective and the bacteria become resistant, prompting us to constantly evolve the offerings.
Googles bottom line is to make advertising through its networks and its platforms as seamless and easy as possible. The only reason this model would be shunned is if its not generating appropriate revenue for google. Given the unorthodox nature of the advertisements, and the fact they circumvent per-click revenue entirely, they will probably see a crackdown.
but dont take this to imply Google cares how and when you get to see advertising. If you need proof, just try to find AdBlock Plus on the play store. google unceremoniously axed it in 2010 because the platform isnt designed to do what you want in spite of the models lucrative approach to its users as a saleable product. the ad-only vendors in Chrome will be warned to include some marketable widget or product. A cud if you will for the consumer that is their cow to chew.
Good people go to bed earlier.
Be in zero doubt- Google's policies for their browser, Chrome, were specifically designed to bring about this situation. Chrome is the diametric opposite of the Firefox project. Chrome exists to groom people to understand that their computers, and how they function, actually belong to Google.
Remember, Google's current mega-project, running in partnership with the US military, is the design of the software and hardware systems required to build and deploy AUTONOMOUS ROBOTIC TANKS. Google's so-called self-driving car project is but a grooming PR exercise conditioning people to more readily accept the future of US warfare. This policy is no different in method than Tony Blair's massive roll-out of fingerprint-based biometric systems in UK schools where the parents are too passive to protest or protect the rights of their children.
GOOGLE GROOMS. Read that again, and THINK! Google grooms. Google's prior project- to build the hardware and software systems used for NSA full surveillance programs- is now considered just default background activity at Google HQ. It still gets much of Google's attention, as Google works on things like face recognition and speech-to-text algorithms for the NSA to improve data indexing, data mining and data searching, but Google has vastly more evil intentions for the near future.
And note the usual vile shills here putting out the propaganda PRAISING the auto-update systems that ensure the user has as little control over their computers as possible. These vile shills jump with joy when Yahoo infects (quite deliberately) THREE MILLION non-US machines with malware, because dumb punters think their best security lies in trusting the big names, rather than using something like ad-block.
Auto-updates are specifically designed to load new NSA back-doors onto your computer. And as you have read in Snowden's documents, the more the NSA hacks, the more the NSA seeks even more ways to hack- the NSA needs ever MORE updates with ever greater numbers of attack vectors per update.
The sane user needs a good firewall, ad-block, and a little bit of common sense. The sane user CANNOT trust the concept of automatic updates, and must choose which systems they trust to update this way. The naive user can ONLY be protected with disposable sandboxes, regular back-up of essential data, and the ability to re-initialise their entire computer system when serious malware breaks through.
The author was about to try wiping the OS and reinstalling. But when he installed Chrome, it would have auto-installed the extension on the clean new OS. Just lovely.
and google is your friend
Well, there's at least two - Adblock Plus and Adblock Edge, which is a fork. So it would take a few more dollars to both buy them both AND re-license it with a mean lawyer who takes out the forking permission rights!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
unless you like getting ads rammed up your ass
Adsuck works well.
What good is increased security against theoretical security flaws in Windows that tend to be very difficult to take advantage of when one of the updates completely wrecks the OS? I work in a repair shop and we have non-booting machines coming in constantly due to botched automatic updates. Funny enough, the machines that we kill updates on and install Firefox and Avast don't seem to raise any more problems until a hardware failure happens or a user does something stupid like download "Paris Hilton Sucks Cocks.jpg.exe" which no security software will stop anyway. Even if the OS suicide doesn't ever happen, updates cause lots of fragmentation and scattering of OS files, reducing performance in ways that can only be partly recovered from. Why does Windows get slower over time? Answer: runtime installers and Windows updates.
tl;dr: Updates hurt more than they supposedly help.
but also the out-right ripoffs of popular ones like adblock.... in this regard, firefox addons > chrome 'store' by a mile. chrome may render faster but fuck this shit, google. go away already.
Specifically, can we assume that any extension loaded into Firefox via the official extensions repository, is open-source, and that someone from Mozilla is checking the extension before an update is released?
Mose extensions, add ons and tool bars are crap... Even before the advertisers and malware guys hack their way in.
Enjoy your hot wet sex video!!!!!
I have noticed that quite a few of the free and freemium utilities out there that have been mysteriously "corrupted." For instance reputable utilities for removing or repairing PUA infestations that suddenly start including trojan payloads of their own. Others have been gutted to the point of near or complete uselessness and only act as nagware to purchase a former and quite often shady competitor's payware version instead.
Any sufficiently advanced influence is indistinguishable from control.
Underlying code of IE extensions too can be updated silently. Ignore browser use stats. Overall Chrome extensions have more users than IE extensions. There are more Chrome extensions that IE extensions. It's a bigger market. If you are shopping for extensions to convert which do you buy? The ones with the most users.
Do evill only if it pays more.
I just went through my chrome extensions. When you go to Settings then Extensions, (on a chromebook anyway) there is a permissions link for each extension. I checked through mine and found a calculator I installed had access to all my tabs and my browsing history, clearly something a calculator does not need. So I clicked the trashcan icon. It's gone. I searched for a new calculator (I like on that goes up next to the box where the web address is. I clicked on a couple to install them. When you click on one that has special permissions, chrome warns you before installing. I found one that has only one special permission, to access the clipboard. I think this is reasonable, since I often paste numbers into a calculator.
Of the remaining extensions that I have installed that have special permissions, they are reasonable, for example an extension to take pictures can use the camera, a video chat extension can use the camera and microphone.
My main point is, it is actually very easy to uninstall a chrome extension, it is easy to find extensions with special permissions (and there are not that many that have them).
Have you ever tried to disable Chrome / Chromium auto-update? I had to find the 'task' and make sure it does not run, there is no other way to block. This is beyond the capability of a majority of users. It seems Google wants the auto-update to run no matter what.
Other than 'feature bloat' - and may be closing few security issues - there are no great advantages to a newer browser anymore, at least on the desktops.
Tat Tvam Asi
One new thing is Mozilla pushing updates at me while I am using their product. As It is Saturday night, and I work in IT, i found my self working. Ok. Happens. While I am working feverishly on browser-access-to-console stuff, my browser locks up. Oh.. I was suppposed to know it was time for an update? Another is Java. Was take a remote/virtual training when the Java powered screen scraper (which worked great!! thanks NX for the Fedora compatible version!) decided that the JVM was not current (1.7_45 vs 1.7_51) and quit. SO I lost 20 minutes of class while I scrambled for a fix. Any cloud/Interweb based service could change how it works at any second,. Is this acceptible to businesses that think the sugary sweet cloud is so dreamy, but in reality its so far from a secure and predictable platform. Now this blatant demonstration of how the unwiting user is riding a rollercoaster in the dark, and fed chuff by and advertising machine that feels obligated to clamp ones eyes open like that scene from Clockwork Orange. The latest is now Verizon's Anti-Neutrality powers - http://www.csmonitor.com/Business/Saving-Money/2014/0116/Net-neutrality-ruling-How-Verizon-decision-affects-consumers Used to be that the Internet was a path to good information, it seems as comfortable/predictable/business-ready as a funhouse..... thats not too fun. Can we start a new internet?
Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
We need a extension to blacklist these adware & malware extensions. When someone finds then they report it and get added to the Blacklist Extension that can warn the user so they can uninstall it or prevent it from being used in the first place.
Whenever I see adds on a webpage, I inspect the elements, see what is serving the adds and add it to my router's block list. Bam no more adds.
Mean what you say...say what you mean.
Do these developers who sell the extensions even get paid? Or do they get scammed too?
No, Firefox isn't safer. Mozilla sold out last year.. This came up when Wips bought up a number of plug-ins, including BlockSite, and installed spyware with a ransomware "opt-in" feature. (Opt in, or we block Flickr, etc.)
Mozilla policy: "These features (spyware, etc.) cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review."
Jorge Villalobos, Mozilla management-level employee: That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.
63 add-ons from Wips were found by a search last year.
Advertisers, ad-blockers selling blacklist, ad-blockers selling whitelist, anti-malware scanning ad-blockers which sells whitelist, ad-blockers bundled with anti-malware scanning other anti-malwares which scans ad-blockers which sells whitelist, ......
It's going to be interesting.
Adverts is just a different kind of spam email. Therefore before long, the same techniques will be applied to it and Bayesian self learning filters will take care of it.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Chrome **does** warn about new permissions, in fact it's more than that - it just disables them, and leaves you a message - "Such and such extensions requires new permissions, so it has been disabled.", and it's up to you to go and re-enable it.
by asking users about updates after an ownership change.
If it's opt in, you're an idiot for complaining. This is how it's supposed to work.
"advertisers circumventing adblock which was mentioned yesterday shows a war." - by Billly Gates (198444) on Saturday January 18, 2014 @07:26PM (#46001803)
A.) Hosts can't be stopped by ClarityRay -> http://ask.slashdot.org/comments.pl?sid=4681541&cid=46003517 but adblock can be. I was the submitter of that article currently ~ 700++ views & growing...
(Adblock's days ARE numbered & it's only a matter of time clarityray gets implemented largescale by websites - Especially when pageviews $ IS their motivator on that account - BANK on it...)
---
B.) Adblock also can't do as much as hosts giving you:
1. - Added speed (speed up favorite sites + adblocking)
2. - Added "layered-security"/"defense-in-depth" (blocking malicious content in ads OR botnet C&C servers + fastflux utilizing botnets recycling/reusing malicious content domains they have)
3. - Added reliability (vs. fastflux & dynamic dns utilizing botnets + downed or redirect poisoned DNS servers)
4. - Added anonymity (to an extent only on the latter vs. DNS request logs).
5. - TOTAL immediate local control of hosts content easily (text edit on simple easily understood line item entries vs. regular expressions work) vs. an addon maker's LAG in doing so!
---
C.) Hosts also don't LIMIT YOU to 1 browser only (or just PC's even - they work on smartphones too) - hosts work on ANY webbound program or Operating System w/ a BSD derived IP stack (unlike browser addons & their messagepassing overheads in slower ring 3/rpl 3/usermode use vs. hosts in kernelmode/ring 0/rpl 0 (much faster)).
APK
P.S.=> How to build the BEST POSSIBLE HOSTS FILE for added speed, security, reliability, & even anonymity (from 12 reputable & reliable sources in the security community)?
* Well... you know -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 Courtesy of "yours truly" & 100% free...
... apk
What was that Google said about ChromeOS not "torturing it's users with malware threats. Turns out ChromeOS can run local code (extensions and "packaged apps") and with this comes the malware.
Actually, I use Adblock Plus. I've never tried Adblock Edge; I guess I'll look into it.
But still, whatever plug-in we're talking about, there's always the chance that the owner can be bought out. For, in the words of the most beloved children's entertainer of our times: They drove a dump truck full of money up to my house! I'm not made of stone!
Koans and fables for the software engineer
It's "opt in or else". If you don't opt in, it messes up your browser and is hard to uninstall.
Conduit and those amazing javascript injected price checkers are killing the internet. I have had at least 10 family members, friends and work colleagues come to me the last year in order to remove conduit from their PC. And they varied widely in browser of choice: Chrome, IE and Firefox.
Conduit, Search protect, and price grabbers need to be put to court soon so they can stop making money from distributing malware and browser hijackers.
"a cosmonaut"?
I think you need an edit there!
This is a good example of how the free market works. The utopian "if you build it, they will come" part works fine, but then the whole thing is fucked up by a few greedy assholes. it is those greedy assholes that force regulation- but the Ayn Rand Kochsuckers prefer to purge their simple little minds of the evil inherent in Man.
"Automatic updates are a good security practice only if the user is willing to give their unconditional trust to the author for the entire time that the updater is running. "
most users are willing to give unconditional trust to the first popup that asks for it. I would far rather that be the OS or browser company than a malware vendor.
But most of us don't want to pay twice as much for the same hardware. We are funny that way.
Of what's in the post I replied to. Ghostery: Stooping to NEW lows.
"... Then they laugh @ you. Then they fight you. Then you win..." - Ghandi
You trolls lost the fight against me LONG ago: Right @ the start in fact, so - prove otherwise, & disprove my points on hosts files, instead.
Clue-New NEWS/Newsflash - Crap you're doing is ONLY "tipping your hand"/showing me your 'tell' as to the quote above (I know it, you know it, & anyone reading with 1/2 a brain does also...)
* :)
(Fact: You're unable to disprove points I make in favor of custom hosts files giving users of them added speed, security, reliability, & even anonymity - all you have now is your LAME trolling + technically unjustifiable downmods to *try* to weakly "hide" my posts + their points you can't disprove -> http://ask.slashdot.org/commen... - nothing more).
APK
P.S.=> Bottom-Line? Thanks - It's very apparent/obvious you're 1 of 3 types of people:
1.) Malware maker or botnet master
2.) Advertiser
3.) Maker of an INFERIOR competitor to my app
Take your pick - either way? You FAIL (based on your illogical off-topic effete TROLLS' "retaliation/reaction") - Your fav. color MUST be "transparent"- since I see RIGHT thru you...
... apk