Chrome Extension Caught Hijacking Users' Browsers (softpedia.com)
An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits. This same malicious code has also been found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker. At the moment, only Better History and User-Agent Switcher have been removed from the Web Store.
Just go and do a few searches and see for yourself.
Silence is a state of mime.
That is why I use firefox in combination with flash and java.
It uses so much system resources it would be impossible for any malware to do anything.
That really sucks, because basically it means malicious assholes can take control of these things.
But, I think it points to a broader problem: EULAs.
The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".
There need to be real privacy laws, with real penalties, and real restrictions about what you can do with it once you've collected it.
Shit like this should be illegal. And if people won't make it illegal (because lawmakers are on the payroll of large corporations who want this), then some of the black hats should be looking to burn you to the ground for being such douchebags.
Lost at C:>. Found at C.
Outsource it.
Have gnu, will travel.
On the other hand the permissions model seems to be broken. So many users give the apps all the permissions it asks for. Once a permission is granted, it is often difficult to go back and turn off permissions. I don't know how to make it easy to use and to let the user have the flexibility of control.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Is Rightscorp the developer?
They won't. They're changing a lot of stuff to, among other things, keep extensions and the browser binaries separate. On the one hand, that's good security which should have happened years ago; on the other, it will render a lot of extensions that are core to the Firefox experience for some users totally worthless, as the hooks they leverage will no longer be available.
All that said, they won't be policing the extension libraries any more than Google does... it all relies on user reviews. People started noticing problems with the User Agent Switcher weeks ago, and Google did nothing about it, despite pages and pages of one-star reviews. If Firefox gets this bad, and there's every indication that it will, then it will create fertile ground for a new browser catering to the crowd that craves what Firefox used to offer: actual security and customization.
The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".
Dear Customer,
Thank you for bringing your Mercedes SLS in for its periodic maintenance. Per our Terms Of Use, you can pick up your Toyota Prius at the dealer maintenance facility at any time of your convenience.
Have gnu, will travel.
I haven't paid anything for Linux (or various other open source programs) either and I haven't had any problems like this.
Just because something is freely provided at no monetary cost doesn't mean that the people providing it are unscrupulous assholes.
Right, this has nothing to do with the security of the extension repository and everything to do with yet another example of advertisers getting their hands on something and then shitting all over it. This is what advertisers do, they suck up all of the data they can, sell it, and show ads. What's missing from this story is the naming and shaming of the advertising company in question, and a condemnation from other advertisers that their industry should not engage in this kind of shady crap. I wouldn't hold my breath for those though.
At least the original author is doing his part after he realized what happened:
I'm going to alert as many users as I can that it has been compromised. I still have access to the mailing list (it was not part of the sale). Will be sending them a message with details.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
If you are honestly suggesting people go on the internet, with any browser, without blocking scripts and ads via an extension, I'm going to assume the developing you do is mostly adware and malware.
The fact that they can auto update so silently without any easy way to disable that seems like the largest security hole.
Updates should be selectable and come with user comments/comment voting to allow for some self policing.
Which is exactly what should be done. Blocking scripts and ads should be built-in to the browser and not require a third-party extension. If Netscape 2.0 can pause loading images until you press a button, then modern browsers can likewise pause Javascript, Flash, and other content until you also press a button.
It's almost like browser programmers never heard of the Microsoft Outlook worms spreading through HTML e-mails in 1996, nor about boot sector viruses that automatically execute when you leave a floppy in the drive.
Did Google also reconsider the feature that is at the heart of this issue? People only used this extension because of how incomplete the history viewer is in Chrome.
Thought: app stores need to change the app's identifying number when ownership changes hands. The app store can then notify users at the next update and let them choose whether to update and switch to the new version or reject the update. That'd put an end to this mess.
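The update-gating idea raised in the comments above (holding a silent update, and noticing when an extension changes hands or suddenly asks for more) can be made concrete. What follows is an added example, not code from the article, from any of the named extensions, or from anyone in this thread: a small Node.js check that diffs the permissions declared in two versions of a Chrome extension's manifest.json and refuses to auto-apply an update that gains traffic-level capabilities. The list of "high-risk" permissions is the reviewer's own choice, both manifests are constructed, and the update_url host is made up.

```javascript
// Added example (not from the article or any extension it names): a pre-update
// gate that compares the permissions in two versions of a Chrome extension's
// manifest.json and holds the update when it gains the ability to reroute or
// observe browsing. Both manifests below are constructed for the example.

// Permissions that let an extension see or redirect all browsing. Assumption:
// this is the reviewer's own list, not an official Chrome risk category.
const HIGH_RISK = new Set([
  "proxy",                // chrome.proxy: push a PAC script / proxy for the whole browser
  "webRequest",           // observe every request
  "webRequestBlocking",   // cancel or redirect every request
  "declarativeNetRequest",
  "webNavigation",
  "cookies",
  "history",
  "tabs",
]);

// Host patterns that match every origin: "<all_urls>", "*://*/*", "http(s)://*/*".
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Union of every permission-like field across MV2 and MV3 manifests.
function declaredPermissions(manifest) {
  const fields = ["permissions", "optional_permissions", "host_permissions", "optional_host_permissions"];
  const out = new Set();
  for (const f of fields) {
    for (const p of manifest[f] || []) {
      if (typeof p === "string") out.add(p); // MV2 also allows object entries (usbDevices); ignore those
    }
  }
  return out;
}

function permissionDelta(oldManifest, newManifest) {
  const before = declaredPermissions(oldManifest);
  const after = declaredPermissions(newManifest);
  const added = [...after].filter((p) => !before.has(p)).sort();
  const removed = [...before].filter((p) => !after.has(p)).sort();
  const highRiskAdded = added.filter((p) => HIGH_RISK.has(p) || isBroadHost(p));
  return { added, removed, highRiskAdded };
}

// Decide whether an update may be applied silently or must wait for the user.
function shouldHoldUpdate(oldManifest, newManifest) {
  const reasons = [];
  const delta = permissionDelta(oldManifest, newManifest);
  if (delta.highRiskAdded.length) {
    reasons.push(`gains traffic-level permissions: ${delta.highRiskAdded.join(", ")}`);
  }
  // A changed update_url means the package is now fetched from somewhere new,
  // which is one cheap signal that the extension may have changed hands.
  if ((oldManifest.update_url || "") !== (newManifest.update_url || "")) {
    reasons.push(`update_url changed to ${newManifest.update_url || "(none)"}`);
  }
  return { hold: reasons.length > 0, reasons, delta };
}

// Constructed sample: a history-viewer extension before and after a hostile update.
const OLD_MANIFEST = {
  manifest_version: 2, name: "Example History Viewer", version: "1.2",
  permissions: ["history", "storage"],
};
const NEW_MANIFEST = {
  manifest_version: 2, name: "Example History Viewer", version: "1.3",
  permissions: ["history", "storage", "proxy", "webRequest", "webRequestBlocking", "<all_urls>"],
  update_url: "https://updates.example.invalid/feed.xml", // assumed host, not real
};

const verdict = shouldHoldUpdate(OLD_MANIFEST, NEW_MANIFEST);
console.log(verdict.hold ? "HOLD update:" : "OK to auto-update.", verdict.reasons.join("; "));
```

Run it with `node` and the constructed 1.3 manifest is held because it newly asks for `proxy`, `webRequest`, `webRequestBlocking` and `<all_urls>` and because its update feed moved. A real extension that already held those permissions in the old version would pass this check unchanged, so the diff is a trigger for review, not proof of good behaviour.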
I'm a Firefox add-on developer and I get offers like this all the time. Shady companies have been buying extensions and putting malware in them for ages. Firefox and Chrome both have kill switches now that let them disable the extensions outside of developer builds. It's a bit of a pain since I can't throw up a beta of my plugin on my site anymore, but there's a development channel for me to use now so it's not that big of a deal.
If you see this happen tell Mozilla/Google. They'll check the code, see the shenanigans and kill it. The browser will then refuse to run the code. If you're the worried sort or if you have a lot of extensions then disable auto-updates and patch as needed (I generally don't bother updating my plugin unless it breaks, which it just did :) ).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/