Slashdot Mirror
Adware Vendors Buying Chrome Extensions, Injecting Ads
An anonymous reader writes "Ars reports that the developers of moderately popular Chrome extensions are being contacted and offered thousands of dollars to sell ownership of those extensions. The buyers are then adding adware and malware to the extensions and letting the auto-update roll it out to end users. The article says, 'When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.'"
And that, ladies and gentlemen, is how the free market works.
The reputation of these plugins is worth money. The down side is that once the malware infected extensions are reported to Google, Google will kill them off in the browsers. They wont live long enough to make their money back. The adsheisters will quickly see their reputation vanish and their install base dwindle.
What makes this really bad is that it's difficult to permanently remove Chrome extensions sometimes. If I delete it, it will just show back up in a few minutes, probably because it's saved somewhere in my central account. Now with this out there...
I've seen contract gigs like the following, more than once, on boards such as Guru.com. One specific contract offer wanted code that would reset the, uh, "users" homepage to a URL to be specified by the client, then make it impossible for the "user" to set any other homepage. That's it. Perhaps I'm in the wrong business. It's a lot harder than I thought to get a job as an iOS developer, but I am really good with assembly code, debugging and reverse engineering. Perhaps I should write malware for the Russian Mob.
Please mail me URLs of software employers.
FTFA : - "Chrome's extension auto-update mechanism silently pushed out the update "
Google need to disconnect their Chrome core update mechanism from the extension updates (unless ones of their own authorship). Of course, they cannot do anything about users accepting updates directly from independent extension writers.
Otherwise, Chrome is dead in the water.
The internet has ads?
I haven't seen em in years...
The commenters in arstechnica also mentioned search engine hijacking too. Maleare if you ask me?
This and advertisers circumventing adblock which was mentioned yesterday shows a war.
Is IE the only defense? Firefox has a lot more powerful API for extensions and add ons so I wonder if that is unsafe as well? However Mozilla has a greater track record in protecting freedom and privacy as an organization. Taco was an infamous extension that did what ghostery does for Firefox but a spammer bought it and ruined it.
http://saveie6.com/
The whole notion of automatic updates just doesn't make any sense.
Please assure that you're not one of those people who complain about users running unpatched Windows boxes because they turned off auto-update.
For the average non-techy user auto-update is the one thing I'd say is essential. They're not in any position to judge what parts of their system need, or don't need updates, and I'd rather that they trust in Google, or Microsoft, or even Canonical to decide for them.
Now, you can debate the fine points, about whether minor plug-ins should auto-update, or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader, but in general I'd still argue that auto-updates are good security practice.
Three Squirrels
to my Firefox extension and they were all kinda shady. Extension development is kinda niche to begin with, so I figured they were planning something like this. I'm just surprised it took so long for people to notice.
I don't see it as a huge problem though. Most extension developers are like me, hobbiests and enthusiasts. There's really only a few big ones (like Adblock Plus and Firebug) and those are big enough they're not a target for these sorts of things.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
...these malware companies buy out AdBlock. :-/
Koans and fables for the software engineer
Many people have defected from IE due to its problems with malware and adware. Firefox, but more so Chrome seemed to be safe. So now that the awesome, "safe alternative" browser is compromised, what's next? I can't imagine there an easy fix to this. Is it time to go to yet another browser?
This is almost like how pharmaceutical scientists keep having to modify and discover new antibiotics. The current batch of drugs eventually becomes less and less effective and the bacteria become resistant, prompting us to constantly evolve the offerings.
Yeah no security risk at all to not autoupdate a platform that executes code
http://saveie6.com/
Automatic updates, by themselves, are an awful security practice. They mean that whoever writes the updates can install (intentionally or unintentionally) damaging code on all users' machines without the knowledge or choice of the user.
Automatic updates are a good security practice only if the user is willing to give their unconditional trust to the author for the entire time that the updater is running. This is not always the case. The possibility of an ownership transfer is one reason why it is not. Another is that I may not trust some companies to fully test their software before pushing it, so I don't want their updates until it is confirmed that the update doesn't brick my machine or break essential functionality.
Googles bottom line is to make advertising through its networks and its platforms as seamless and easy as possible. The only reason this model would be shunned is if its not generating appropriate revenue for google. Given the unorthodox nature of the advertisements, and the fact they circumvent per-click revenue entirely, they will probably see a crackdown.
but dont take this to imply Google cares how and when you get to see advertising. If you need proof, just try to find AdBlock Plus on the play store. google unceremoniously axed it in 2010 because the platform isnt designed to do what you want in spite of the models lucrative approach to its users as a saleable product. the ad-only vendors in Chrome will be warned to include some marketable widget or product. A cud if you will for the consumer that is their cow to chew.
Good people go to bed earlier.
The author was about to try wiping the OS and reinstalling. But when he installed Chrome, it would have auto-installed the extension on the clean new OS. Just lovely.
The whole notion of automatic updates just doesn't make any sense.
Please assure that you're not one of those people who complain about users running unpatched Windows boxes because they turned off auto-update.
For the average non-techy user auto-update is the one thing I'd say is essential. They're not in any position to judge what parts of their system need, or don't need updates, and I'd rather that they trust in Google, or Microsoft, or even Canonical to decide for them.
Now, you can debate the fine points, about whether minor plug-ins should auto-update, or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader, but in general I'd still argue that auto-updates are good security practice.
And your theory holds true...right up to the point where those trusted sources (Google, Microsoft, or even Canonical) start pushing their own ad(genda), along with their mal(genda) and spy(genda).
And besides, those trusted sources don't even have to install anything on my computer for me to not trust them at all. It isn't what they do ON my system that worries me as much as what they do with my data gathered via the intertubes that they'll sell off to the highest bidder, or hand over to the government on a whim.
Well, there's at least two - Adblock Plus and Adblock Edge, which is a fork. So it would take a few more dollars to both buy them both AND re-license it with a mean lawyer who takes out the forking permission rights!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Specifically, can we assume that any extension loaded into Firefox via the official extensions repository, is open-source, and that someone from Mozilla is checking the extension before an update is released?
download "Paris Hilton Sucks Cocks.jpg.exe"
Citation needed.
Would anyone be surprised to learn the NSA has been doing similar tactics, strong-arming popular extension writer like ad-blockers to spy on users?
That's why I use a hosts file.
Where's that guy that aways talks about hosts files on here?
Patience... He's typing now. The clipboard only holds so much.
I disagree auto update got a bad rap because MS and others pushed updates that had nothing to do with security or system fixs. So MS and others created this problem with non tech people, now we all live with it because ..ya just cant trust anyone to do the right thing, use auto update for security and OS bug fixs ONLY.
Jack of all trades,master of none
I have noticed that quite a few of the free and freemium utilities out there that have been mysteriously "corrupted." For instance reputable utilities for removing or repairing PUA infestations that suddenly start including trojan payloads of their own. Others have been gutted to the point of near or complete uselessness and only act as nagware to purchase a former and quite often shady competitor's payware version instead.
Any sufficiently advanced influence is indistinguishable from control.
Underlying code of IE extensions too can be updated silently. Ignore browser use stats. Overall Chrome extensions have more users than IE extensions. There are more Chrome extensions that IE extensions. It's a bigger market. If you are shopping for extensions to convert which do you buy? The ones with the most users.
Stop being an ass, especially when you've got the definitions backwards. Birthday is the day of the year. Birthdate (or DOB=date of birth ) is the actual date in history you were born.
http://forum.wordreference.com/showthread.php?t=2597655
So you sit down and check on the health of your machine, you go through logs reading on what is vulnerable, and then you manually apply security patches.
How is this relevant in a discussion about what is best for a normal user again?
The normal user can barely be trusted to check in their car for a scheduled service let alone go through security updates one at a time. Like it or not the number of security threats caused by malicious updates is infinitesimal compared to the number of security threats caused by bugs which haven't been patched.
Doesn't Paris Hilton's active sex life fall in the same category as water is wet and the sky looks blue? Do we need a citation for everything?
Have you ever tried to disable Chrome / Chromium auto-update? I had to find the 'task' and make sure it does not run, there is no other way to block. This is beyond the capability of a majority of users. It seems Google wants the auto-update to run no matter what.
Other than 'feature bloat' - and may be closing few security issues - there are no great advantages to a newer browser anymore, at least on the desktops.
Tat Tvam Asi
One new thing is Mozilla pushing updates at me while I am using their product. As It is Saturday night, and I work in IT, i found my self working. Ok. Happens. While I am working feverishly on browser-access-to-console stuff, my browser locks up. Oh.. I was suppposed to know it was time for an update? Another is Java. Was take a remote/virtual training when the Java powered screen scraper (which worked great!! thanks NX for the Fedora compatible version!) decided that the JVM was not current (1.7_45 vs 1.7_51) and quit. SO I lost 20 minutes of class while I scrambled for a fix. Any cloud/Interweb based service could change how it works at any second,. Is this acceptible to businesses that think the sugary sweet cloud is so dreamy, but in reality its so far from a secure and predictable platform. Now this blatant demonstration of how the unwiting user is riding a rollercoaster in the dark, and fed chuff by and advertising machine that feels obligated to clamp ones eyes open like that scene from Clockwork Orange. The latest is now Verizon's Anti-Neutrality powers - http://www.csmonitor.com/Business/Saving-Money/2014/0116/Net-neutrality-ruling-How-Verizon-decision-affects-consumers Used to be that the Internet was a path to good information, it seems as comfortable/predictable/business-ready as a funhouse..... thats not too fun. Can we start a new internet?
Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
Whenever I see adds on a webpage, I inspect the elements, see what is serving the adds and add it to my router's block list. Bam no more adds.
Mean what you say...say what you mean.
Do these developers who sell the extensions even get paid? Or do they get scammed too?
and this is exactly why I don't allow auto updates. I take the time to read up on the vulnerabilities but as I tend to run Gentoo,
You got me, as soon as you said GENTOO. Ok another self flagellating penguin. Either that or a frustrated MSCE that moved over to Linux a few years back just to really experience some excruciating pain instead of hearing others scream in agony all the time to tech support about WINDOWS UPDATE. Oh the irony.
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
"Sky looks blue"
Citation needed
No, Firefox isn't safer. Mozilla sold out last year.. This came up when Wips bought up a number of plug-ins, including BlockSite, and installed spyware with a ransomware "opt-in" feature. (Opt in, or we block Flickr, etc.)
Mozilla policy: "These features (spyware, etc.) cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review."
Jorge Villalobos, Mozilla management-level employee: That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.
63 add-ons from Wips were found by a search last year.
Are you trying logic on a paranoid rant with bursts of all-caps for emphasis? You must be delusional as well. Industrial strength antipsychotics are the only viable counterargument to that.
Adverts is just a different kind of spam email. Therefore before long, the same techniques will be applied to it and Bayesian self learning filters will take care of it.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
There is a reason I set windows to notify me of updates, but not download them or install them until I tell it to... ;)).
and then of course it gives a list, and I can look at what the updates are, decide if I don't want any of them (like *not* doing the "Windows Genuine Advantage Notification" update
Anyone who lets the 'system' automatically download and patch things on them without any idea of when it's doing it, or what it's doing, is pretty stupid... exactly for this reason, auto-updating plugins with spammed/compromised ones.
That's why you'd never do this on a production server (or desktop)... just what you need, come in 8AM tomorrow morning to find everything broken/all kinds of problems, and you have no idea what went on even until after an hour of digging you discover an 'automatic update' happened overnight and applied something that broke all your stuff. (And Murphy says, of course, that it will happen at the most critical moment - like when you have that delivery deadline and suddenly you're in a panic wasting time trying to fix the thing that 'automatically broke').
Chrome **does** warn about new permissions, in fact it's more than that - it just disables them, and leaves you a message - "Such and such extensions requires new permissions, so it has been disabled.", and it's up to you to go and re-enable it.
I should be getting my car serviced now?
Gentoo isn't actually that bad, though it does require a little more understanding of how the system works than something like Ubuntu. It does have a fairly decent package management system though, and because most of what you're using is compiled it tends to be a fairly fast system to use.
Each to their own. For me, computers have gotten fast enough that I don't really care about a few milliseconds here or there, and am currently using a Ubuntu derivative now for ease of package management (and because this particular one has a DE that I can't find elsewhere yet, as it's too new). But I did use Slackware for nearly 15 years before I decided I wanted something that was less involved for the package management. That's the beauty of the system -- you can do what you want with it, and there's many many different paths to accomplishing the same goal.
And some automatic updates are badly borked, and screw up everything six ways from Thursday.
Wouldn't that be Tuesday?
Or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader
I hate to break it to you, but updating your Java plugin is NOT sound security practice.
Completely disabling and uninstalling your Java plugin is sound security practice; the Reader plugin should be turned off as well.
It doesn't matter, how up to date you think you are ---- the latest Java has more security holes than a sieve in it. Yeah; some of them will eventually be found, and exploited, and malware deployed. Then 3 months later, Oracle will come out with the next quarterly update, to fix the bug that has been getting exploited in the wild for 3 months.
All the folks running JAVA6 will still be SOL, because only Enterprises can afford the ridiculous Oracle extended support prices. Meanwhile the majority of Java applications people are using require Version6, and will not work with JAVA7 or newer.
Meanwhile.... Updating to the latest patch release of JAVA7 does not automatically remove or disable JAVA6.
Meanwhile.... when the typical user installs the Java update; there is always some offer for Adware or some random Toolbar or browser, that will get installed, because the user is just clicking next -- and not looking for the obscure box to uncheck.
Automatic updates from well-established trusted companies are one thing.
For others.... I would rather see Google automatically "shut off" these extensions, and only turn them on or update when requested by the user.
Google is not in any position to judge what addons of their system need, or don't need updates
These folks have no business installing random bits of extension addon bits in their browser. They are armed and dangerous, with any extension installation feature.
Also Google is not equipped to make this decision for them for each plugin --- Google employees do not curate the updates, before they get forced: check the release notes for the update, and manually approve it.
What was that Google said about ChromeOS not "torturing it's users with malware threats. Turns out ChromeOS can run local code (extensions and "packaged apps") and with this comes the malware.
Actually, I use Adblock Plus. I've never tried Adblock Edge; I guess I'll look into it.
But still, whatever plug-in we're talking about, there's always the chance that the owner can be bought out. For, in the words of the most beloved children's entertainer of our times: They drove a dump truck full of money up to my house! I'm not made of stone!
Koans and fables for the software engineer
It's "opt in or else". If you don't opt in, it messes up your browser and is hard to uninstall.
I don't feel that you made an accurate comparison. You car is made by $X manufacturer but in this case all the aftermarket addons which you have purchased at a myriad of other locations (i.e. window tint, car stereo, cup holders, car chargers) will also pop in and make their own changes.
So in this case the store that sold you your Clarion deck will stop by and fix your stereo but also leave a GPS tracker or mute your system to play their own wares.
Updating Chrome is one thing because Google doesn't want to mess with the PR nightmare when someone finds out their update streams popups like mad but some one off developer who makes a LOL Cat extension probably isn't making any money to begin with will have no problems bending one way or another for a couple of quick bucks. Both get equal say over the clock cycles on your system. Does that really make sense to you?
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Conduit and those amazing javascript injected price checkers are killing the internet. I have had at least 10 family members, friends and work colleagues come to me the last year in order to remove conduit from their PC. And they varied widely in browser of choice: Chrome, IE and Firefox.
Conduit, Search protect, and price grabbers need to be put to court soon so they can stop making money from distributing malware and browser hijackers.
Gentoo isn't actually that bad, though it does require a little more understanding of how the system works than something like Ubuntu. It does have a fairly decent package management system though, and because most of what you're using is compiled it tends to be a fairly fast system to use.
Each to their own. For me, computers have gotten fast enough that I don't really care about a few milliseconds here or there, and am currently using a Ubuntu derivative now for ease of package management (and because this particular one has a DE that I can't find elsewhere yet, as it's too new). But I did use Slackware for nearly 15 years before I decided I wanted something that was less involved for the package management. That's the beauty of the system -- you can do what you want with it, and there's many many different paths to accomplishing the same goal.
Ya same thing here oddly enough. I still yearn for the simplicity and stability of Slackware. Trouble is I do audio recording (high bit rate) and there is no stock setup for compiling audacity, jack and ardour in rt prio modes in Slackware. I had it working a few times but talk about self punishment. First recompile the kernel with a rt optimization and 1000hrz, then setup so that alsa audio has rt prio with a config file change. Reset user privileges to allow for software with higher privileges to all work correctly. Could be a fantastic system but I didn't want to create my own distro so I switched to those who already did it.
and therein lies the problem if there are security updates, or critical fixes you have to be the distro manager for all your chosen software. BUT AT LEAST WITH LINUX IT IS POSSIBLE. I am now of the opinion that if you create a distro which is stable enough, secure enough IE can updated browsers independently of everything else by doing it in a non system wide way and just from a home directory, then can and bottle up the thing for your hardware and dupe it so that you can just re-install exactly the same thing without having to go through the agony of updating software at all. This is exactly what I do now with Debian. I freeze a good install and just use firefox current installed and updated independently of /usr. WORKS LIKE A HOT DAM and is very secure as long as my core c libs are current which they are. I have gotten over 4 years out of a Debian audio setup that way and am still on the 2 series kernel. But am going to do up a separate 3 series shortly WHEN I HAVE THE TIME!
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
The comparison is fair, you're just hung up on what is important to update. I'm talking about updates in general replying to a person who was talking about the process he uses to deal with security updates. Whether that update is %insert small plugin% or %insert critical OS flaw%, the problem could lead to equally serious issues for the user if exploited.
I'm like the OP, in the sense of the car I go as far as changing my own oil, and checking the vehicle log-book to find out what my next service will actually entail, however I'm not the general driver, the general driver can't even get their service done at the right time.
Ignore the analogy and just think about the mentality for a moment. Would a person who can barely cope with paying someone else to look after something sit through and manually work through a list of security publications and system updates? Hell no. Yet this is the general type of users we're talking about, and it is precisely this reason why auto-updates are necessary in a general case.
This is a good example of how the free market works. The utopian "if you build it, they will come" part works fine, but then the whole thing is fucked up by a few greedy assholes. it is those greedy assholes that force regulation- but the Ayn Rand Kochsuckers prefer to purge their simple little minds of the evil inherent in Man.
"Automatic updates are a good security practice only if the user is willing to give their unconditional trust to the author for the entire time that the updater is running. "
most users are willing to give unconditional trust to the first popup that asks for it. I would far rather that be the OS or browser company than a malware vendor.
But most of us don't want to pay twice as much for the same hardware. We are funny that way.