Chrome Extension Caught Hijacking Users' Browsers (softpedia.com)
An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits. This same malicious code has also been found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker. At the moment, only Better History and User-Agent Switcher have been removed from the Web Store.
So a few months ago the Firefox devs announced that Firefox would start using an extension approach compatible with Chrome's:
So this Chrome-inspired extension approach that Firefox will be using is supposed to mitigate "the risk of misbehaving add-ons and malware", yet this incident suggests to me that the Chrome approach may have some serious problems with malware.
How will the Firefox devs be handling these problems, so that malware attacks like this can't happen with extensions used with Firefox?
People thought all these wonderful extensions were being made by people out of the goodness of their hearts?! Oh boy. Wait till you hear why Google made Chrome in the first place!
Oh dear god. The fact that there is a need for "4chan Plus" leaves me proud of the Internet's freedoms and yet still terribly scared for humanity's future.
There's been weirdness like I've never seen before with some of this stuff.
One of my screenshot extensions was doing something similar last night, and really weird behavior from my adblocker, which effectively knocked me offline until I could figure out what was causing it.
This signature has Super Cow Powers
Just go and do a few searches and see for yourself.
Silence is a state of mime.
This is actually one of the reasons that I don't install any extensions in my browsers. If you run bare-bones, you don't get accustomed to extensions that aren't available when you use other computers... you also don't have to worry about the quality or security of the add-on.
When Firefox first came out, people raved about how good of a browser it was... but then they rattled off a list of extensions you needed to add to make it great. Bare-bones IE was actually still better than bare-bones Firefox at the time [as a developer, I have and use all of the major browsers, each without extensions]. If you compare them that way, you'd be surprised at how your ranking would change.
That is why I use Firefox in combination with Flash and Java.
It uses so much system resources it would be impossible for any malware to do anything.
These same creeps also took over all-in-one-gestures over two years ago, it took me the better part of three days debugging broken jquery scripts reported by a client to track it down...
That really sucks, because basically it means malicious assholes can take control of these things.
But, I think it points to a broader problem: EULAs.
The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".
There need to be real privacy laws, with real penalties, and real restrictions about what you can do with it once you've collected it.
Shit like this should be illegal. And if people won't make it illegal (because lawmakers are on the payroll of large corporations who want this), then some of the black hats should be looking to burn you to the ground for being such douchebags.
Lost at C:>. Found at C.
Outsource it.
Have gnu, will travel.
On the other hand the permissions model seems to be broken. So many users give the apps all the permissions it asks for. Once a permission is granted, it is often difficult to go back and turn off permissions. I don't know how to make it easy to use and to let the user have the flexibility of control.
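The permission concern in this comment and the silent-update concern raised elsewhere in the thread can be turned into a concrete check. Below is an added example, not code from the original post or from any extension named here: it diffs two snapshots of Chrome's per-extension settings and flags version bumps and newly granted permissions (such as the proxy and webRequest permissions a traffic-redirecting update would need). The field layout mirrors the "extensions.settings" subtree of a Chrome profile's Preferences file but is an assumption for this example, and the IDs and permission changes are constructed placeholders.

```python
import json

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_A, EXT_B = "a" * 32, "b" * 32  # placeholder IDs, not real extension IDs

# Constructed sample of the "extensions.settings" subtree (layout assumed;
# only the keys used below are modelled). SNAPSHOT_AFTER simulates an
# auto-update that also grants traffic-interception permissions.
SNAPSHOT_BEFORE = {
    EXT_A: {"manifest": {"name": "Better History", "version": "3.9.0",
                         "update_url": WEBSTORE_UPDATE_URL},
            "granted_permissions": {"api": ["history", "tabs"], "explicit_host": []}},
    EXT_B: {"manifest": {"name": "Web Timer", "version": "1.2.0",
                         "update_url": WEBSTORE_UPDATE_URL},
            "granted_permissions": {"api": ["tabs"], "explicit_host": []}},
}
SNAPSHOT_AFTER = json.loads(json.dumps(SNAPSHOT_BEFORE))  # deep copy
SNAPSHOT_AFTER[EXT_A]["manifest"]["version"] = "3.9.8"
SNAPSHOT_AFTER[EXT_A]["granted_permissions"] = {
    "api": ["history", "tabs", "proxy", "webRequest"], "explicit_host": ["<all_urls>"]}


def inventory(settings):
    """Reduce each installed extension to the fields worth comparing."""
    out = {}
    for ext_id, entry in settings.items():
        m = entry.get("manifest", {})
        perms = entry.get("granted_permissions", {})
        out[ext_id] = {
            "name": m.get("name", "?"),
            "version": m.get("version", "?"),
            "update_url": m.get("update_url", ""),
            "perms": set(perms.get("api", [])) | set(perms.get("explicit_host", [])),
        }
    return out


def audit_update(old_settings, new_settings):
    """Return (extension id, reason) pairs a user should review before trusting an update."""
    old, new = inventory(old_settings), inventory(new_settings)
    findings = []
    for ext_id, cur in new.items():
        prev = old.get(ext_id)
        if prev is None:
            findings.append((ext_id, f"new extension: {cur['name']}"))
            continue
        if cur["version"] != prev["version"]:
            findings.append((ext_id, f"{cur['name']} updated {prev['version']} -> {cur['version']}"))
        gained = cur["perms"] - prev["perms"]  # permissions the update added
        if gained:
            findings.append((ext_id, f"{cur['name']} gained permissions: {sorted(gained)}"))
        if cur["update_url"] != prev["update_url"]:
            findings.append((ext_id, f"{cur['name']} now updates from {cur['update_url']}"))
    for ext_id in old.keys() - new.keys():
        findings.append((ext_id, f"{old[ext_id]['name']} removed"))
    return findings
```

Run against snapshots taken before and after an update, the second finding (new proxy, webRequest and <all_urls> grants on a history viewer) is exactly the kind of change worth refusing until the new owner explains it.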
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
You mean like this "related" news story from the same site? http://news.softpedia.com/news...
Is Rightscorp the developer?
A lot (all?) of this behaviour was already possible with the existing Firefox add-ons. Unfortunately the people actually responsible here are the people creating an extension, getting users then selling it. This isn't new, and any reasonable person should assume something shady will happen.
They won't. They're changing a lot of stuff to, among other things, keep extensions and the browser binaries separate. On the one hand, that's good security which should have happened years ago; on the other, it will render a lot of extensions that are core to the Firefox experience for some users totally worthless, as the hooks they leverage will no longer be available.
All that said, they won't be policing the extension libraries any more than Google does... it all relies on user reviews. People started noticing problems with the User Agent Switcher weeks ago, and Google did nothing about it, despite pages and pages of one-star reviews. If Firefox gets this bad, and there's every indication that it will, then it will create fertile ground for a new browser catering to the crowd that craves what Firefox used to offer: actual security and customization.
The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".
Dear Customer,
Thank you for bringing your Mercedes SLS in for its periodic maintenance. Per our Terms Of Use, you can pick up your Toyota Prius at the dealer maintenance facility at any time of your convenience.
It's been years since we had a decent browser. All of them are obsessed with adding extensions and bloatware.
Links that go to the web store are broken
Crap... have uninstalled it now. Thanks /.
FYI to other people: just because Google removed it from the store, it's still active in your Chrome and you have to manually remove it.
That is why when I click a link, it redirects to some ad services. But it got nowhere since uBlock Origin blocked it.
Now, to be more careful and just use minimal extensions like 5 or less, and it must be popular.
Right, this has nothing to do with the security of the extension repository and everything to do with yet another example of advertisers getting their hands on something and then shitting all over it. This is what advertisers do, they suck up all of the data they can, sell it, and show ads. What's missing from this story is the naming and shaming of the advertising company in question, and a condemnation from other advertisers that their industry should not engage in this kind of shady crap. I wouldn't hold my breath for those though.
At least the original author is doing his part after he realized what happened:
I'm going to alert as many users as I can that it has been compromised. I still have access to the mailing list (it was not part of the sale). Will be sending them a message with details.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The difference is that Firefox requires each new revision of the extension to be reviewed, so you can't just sneak in malware.
It could happen, sure, reviews aren't perfect, but it is a lot less likely, and if you're a malware author, probably not worth buying someone off for that low probability.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
The fact that they can auto update so silently without any easy way to disable that seems like the largest security hole.
Updates should be selectable and come with user comments/comment voting to allow for some self policing.
Hey, it's the American way! Why do you hate Capitalism?
Buy a respected brand, rape it for all you can by outsourcing production to China and pocket all the extra money. Then find another bigger fool to buy the smoking heap when you can no longer milk any more money from the rubes with it.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
If Firefox gets this bad, and there's every indication that it will, then it will create fertile ground for a new browser catering to the crowd that craves what Firefox used to offer: actual security and customization.
Really? I doubt it.
Firefox has sucked shit and gotten progressively worse for at least 3+ years. Chrome has never had the flexibility and customizability that made Firefox popular in the first place. So why hasn't someone taken advantage of this "fertile ground for a new browser"? The closest thing so far is Palemoon, which I've been using for about a year now. But it's just a slightly modified Firefox and there is no actual development going on -- they're completely dependent on Firefox to supply the code and then they just tweak it to give a better UI.
I would love to see someone create a browser that has the features and UI that made Firefox popular, without all the extra, pointless bullshit. But that is looking to be less and less likely. It's too much work and nobody (including me) has the time (or in my case the skill) to take on such a big project and do it for free. The vast majority of work on major open source projects is now done by people who are getting paid. Which is completely understandable, but also sad, because it means that browsers are doomed to be controlled by companies who only care about selling advertising and don't give a shit about what users really want.
There is an Extensions Update Notifier extension made by Googler François Beaufort that notifies you when extensions are updated, and optionally can disable any extension that has been auto-updated until you manually re-enable it.
I use this with Firefox because there are *still* big name sites that think a user agent with "Linux" for the OS means their website won't work, so they block functionality. Are the makers of User Agent Switcher addons the same for both browsers?
Ulterior behaviour of any description always throws away users, it's in the basic principles of marketing.
The purpose of existence is to make money.
This is why I take extensions I use and install them locally (sideload) and remove any "phone-home" crap in them, and remove any ties to update servers or whatever.
Knowing JS is very handy and has real-world use. Whodda thunk it?
Admittedly the only extensions I use are a tab manager, an iframe header blocker (so I can iframe any site again) and a custom script injector.
Using a script injector and a web server on local machine makes for simple customization of any website without the overhead of crap like Greasemonkey and the like.
Depending on automated updates not shitting on your machine is a silly thing. Even when it comes to OSes. (As evidenced by Microsoft's hilariously awful updates that BSOD millions of machines regularly because they decided the userbase were better testers than actual testers.)
I mean, look at that one site that removed a module for a popular JS library and took down so many of these crappy library-heavy websites. Stupidity at its finest.
Local copies > cloud / networked crap, always.
Did Google also reconsider the feature that is at the heart of this issue? People only used this extension because of how incomplete the history viewer is in Chrome.
I'm just waiting for the day when the Flash or chrome auto-install-updates feature gets redirected to a malicious server and 90% of the world gets rooted.
Some drink at the fountain of knowledge. Others just gargle.
Thought: app stores need to change the app's identifying number when ownership changes hands. The app store can then notify users at the next update and let them choose whether to update and switch to the new version or reject the update. That'd put an end to this mess.
Lots of users never discover that an extension has been sold off to another entity. We saw this with AdBlock as the original developer sold it off, and now we see approved ads being allowed. Obviously it's owned now by someone interested in pushing some ads in order to make money. This is really the problem: many users install the extensions but never pay a dime for them. You either end up with developers who give up, don't support it, or sell it off, leaving it in the hands of a potentially not-so-nice developer.
Anything that forces automatic updates can be fucked like this. That's why Chrome and Opera are stupid for not prompting the user to update extensions or let them disable updating per extension. Windows 10 follows this same idiotic, bleeding-edge, forced update crap that can and probably will, going by Microsoft's poor history of security, end up being exploited.
Anyone installing an extension named "4chan Plus" gets what they deserve.
In a band? Use WheresTheGig for free.
He sold it to a company called "advault.net" according to a reddit comment. Sort of makes me wonder what he thought would happen with a name like that.
I'm a Firefox add on developer and I get offers like this all the time. Shady companies have been buying extensions and putting malware in them for ages. Firefox and Chrome both have kill switches now that let them disable the extensions outside of developer builds. It's a bit of a pain since I can't throw up a beta of my plugin on my site anymore, but there's a development channel for me to use now so it's not that big of a deal.
If you see this happen tell Mozilla/Google. They'll check the code, see the shenanigans and kill it. The browser will then refuse to run the code. If you're the worried sort or if you have a lot of extensions then disable auto-updates and patch as needed (I generally don't bother updating my plugin unless it breaks, which it just did :) ).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The author was honest; the buyer wasn't. In that case the seller is going to be the one that notifies Google (if only to preserve their reputation).
I assume he thought he would get a bunch of money so he can take a nice holiday, buy a new car and maybe even a new house.
I just love how all the browser makers were all blaming browser plug-ins like Flash and Java for 99% of the malware, but yet it's really the browser extensions that are the true carriers of malware, lol. So now instead of just worrying about 2 separate technologies to patch, Google, FF, and MS have to weed through thousands if not millions.
How's that for Karma
Well, having your add-ons automatically update themselves without user interaction seems to be a big part of the problem. If only those who updated found the problem they could save headaches for the rest of the world that don't update immediately like robots. Sort of the problem with Windows 10 here where a bad update can brick everyone in unison. Choice is always a good option, including the choice to not update.
Can you give an example of an approved ad that has gotten past ad block? I've never seen this, so maybe I'm not visiting the right sites to ever see them.
APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...
Less power/cpu/ram + IO use vs. local DNS servers + addons w/ less security issues vs. DNS + routers. Less complex vs. firewalls (needing layered filtering drivers - hosts don't + firewalls block less used IP addresses, hosts block more used host-domain names) complementing 'em. Antivirus = reactive. Hosts = FAR more proactive, blocking infection BEFORE you get it. Gets its data from 10 reputable security community sites.
* My program protects hosts vs. ANY usermode hijack against hosts & even vs. kernelmode ones (via updating).
APK
P.S. - Hosts get you more speed (hardcodes + adblocks) & faster vs. addons, security (vs. bad sites/dns security issues), reliability (vs. downed/poisoned dns), & anonymity (dns requestlogs/trackers) vs. other "so-called -solutions'" w/ what you natively have. Unlike Adblock/UBlock/Ghostery, hosts != blockable by ClarityRay/BlockIQ... apk
you're set. FF now checks a signature (provided by Mozilla's private key) and won't run an addon without it. Basically you can't make Firefox addons without Mozilla's approval anymore (unless you want to run iceweasle or a developer build, but if you're that far into it you're probably OK on your own). Chrome's done the same thing for years. Firefox didn't want to because it makes managing extensions internally (e.g. for gov't contracts and the like) a nightmare.
Pale Moon isn't dependent upon Firefox any more. It uses a fork of Gecko called Goanna and is fully its own browser now.