Slashdot Mirror
Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com)
From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
like I cant use lynx with selenium you know
and qa is mad costly
for years. This is nothing new. Plus, PhantomJS is popular for attacking web sites.
In the long run, isn't click-fraud just malicious to advertisers? Consider this a distributed defence system against adverts and sign me up!
I think we have that already - it's called a service or daemon
There has to be an upside. So I'll ask, why are features such as this being added? What value to they bring to the computer user?
I'm not a web developer. Can someone explain to me how this "headless" feature is useful for developers?
You are welcome on my lawn.
While this feature sounds very useful for developers
No it doesn't. What makes this useful? I can't think of a use case...
Indeed, what is it's purpose in general? Is there some issue I'm unaware of there trying to solve? Improve speed of opening a browser? what?!!
What checkbox? I don't see anything on the v59.0.3071.104 settings page that relates to headless. It is not "enable running background apps when google chrome is closed", as that has been available for a long time and is probably unrelated. Headless mode is started via command line option: "--headless". Care to explain where the setting to disable this is ?
emerge -C chrome firefox
emerge opera
(or your distro's equivalent).
bonus: opera runs all kinds of java remote console crap for those of us that need to access remote servers' console from time to time, while chrome and firefox both have issues with certain brands (e.g. cisco), but I digress.
I really would refuse to run any browser that offers headless mode. Except for some very narrow use cases, I cannot think of a single good reason to fire up a browser in headless mode, or even support that in a world riddled with malware, and would not knowingly have such software installed on any system I'm responsible for.
...attention.
Because honestly, if not even the adblockers will be able to do something about that, then it's bye bye Firefox on my part - I've been a loyal "customer" for the longest time, but hey - this gives the other lesser known browsers on the market some much needed attention, are you listening "insert-unknown-up-and-coming-popular-browser-team"?
What this world is coming to - is for you and me to decide.
Ah, so the miscreants already have to be able to get processes running on your machine before they can do this. They can't just do a "window.open" type command and somehow specify that it be headless. Sure, there are a lot of compromised machines that have malware that could spawn a new executable and pass --headless. But it means the majority of us with clean boxes don't have to worry about our machines being involved.
The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud.
My first reaction to this is, I don't see why I should be concerned. Malware authors had the option of including a headless browser of their own to enable this, and now they can use the already-installed browser instead. So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.
The people who use the convenience of a fully-scripted browser to trick adservers into thinking humans clicked the ads, are probably not going to opt to forego that convenience.
To use an absurdly extreme example, you're saying, "bank robber, you could simply deposit money into the bank and then make normal withdrawals instead of robbing." You should expect most bank robbers to decline your suggestion, and I think the people who commit click-fraud will be similarly uninterested in your "don't do that" advice.
"Believe me!" -- Donald Trump
Unless the app is an actual web browser, restrict it to communication with a single domain via TLS.
So great, Chrome is a browser. but when running as an embedded browser or headless, it should only be able to communicate with a single domain associated with the app it is running in.
If someone really wants to make a browser app, they can bundle it with a browser engine instead of embedded WebView, or at least make it a permission request to communicate with other domains.
" When Focus is running in the background, we'll remind you through a notification and you can easily tap to erase your ..." https://blog.mozilla.org/blog/...
Fell for the hyper babble I guess, thread did get me noscripts(.net).
...attention.
Because honestly, if not even the adblockers will be able to do something about that, then it's bye bye Firefox on my part - I've been a loyal "customer" for the longest time, but hey - this gives the other lesser known browsers on the market some much needed attention, are you listening "insert-unknown-up-and-coming-popular-browser-team"?
If I get it right the headless version uses the defult profile o installing or enabling such extensions in that profile would do the trick
In that case you're already on the other side of the airtight hatchway, to quote Raymond Chen.
You could just use wget or curl or whatever, or pack your own handler. The one thing this enables is that your outbound firewall may already have exceptions for Chrome/Firefox.
Some guy named Clifford Stoll would like to talk to you about a $0.75 accounting discrepancy in the computer usage accounts.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
this is all you need
Hosts = part of the IP stack (outside browsers). For the best hosts file APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script & malware rob speed/security/privacy
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!
* Via what u NATIVELY have in the IP stack in FASTER kernelmode!
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
Caught my W10pro computer using the internet and consuming much CPU a few nights back. Turns out Chrome had fired up a bunch of instances with no windows occurring. when i killed the processes off, adblock popped up complaining.
The problem is it's a way to keep the people with the compromised machines from becoming aware that they have compromised machines.
This space intentionally left blank
Why would a (usually visual) web interface ever be created without a visual user interface? You can't see anything. You can't click on links. You can't hear sounds.
It's like having a (dead tree) book that is not intended to be read. The pages are glued together and the book itself is encased in a lead box.
Yeah like they can't spawn a new window and render it off screen? Headless, not headless... as long as grandma can watch her cat videos on youtube... she doesnt care what havoc her laptop wreaks on the rest of us.
This is inevitable with the current trend of having the web browser be a thick client.
The trend is to put as much code as possible, i.e. thick client, in Javascript. Now, suppose one wants to leverage that code as middleware? Taa daa! Headless mode. We've been down this road before with client/server, thick/thin clients.
What makes Javascript particularly impossible to reproduce is the fast moving, every changing set of libraries. This will put pressure on the business logic sitting in all the Javascript to become middleware so as to capitalize on ones investment. As they say, what's old is new again.
I predict within the next 2 years headless browsers as middleware will be common place.
Even stupider is Firefox "policy" which now *refuses* to load Google's page because it claims the "domain certificate is misconfigured". You can't add an exception, period. In other words, there is NO WAY to browse Google with Firefox now.
Now I may be wrong, but I think those dudes at Google know a thing or two about web stuff, so I guess using Firefox for my day-to-day stuff is now a no-go. Brilliant, Firefox, just fucking brilliant.
Just cruising through this digital world at 33 1/3 rpm...
Why do they not deploy a browser for normal users and another for developers instead of a mashup program with too many configurations.
Adware is something that shows ads to you, by adding them or by replacing other ads by them. This has something to do with ads, but that is not sufficient to make this adware. If we define malware as something you would not agree to have on your computer, this is plain old malware, and I'd argue not one of the worst sorts.
Part of me is actually happy that the ad industry is facing problems with fraudulent clicks, even if I would not want this on my own computers. (Having said that, I might want something that clicks ads randomly.)
Microsoft had a COM interface (IHtmlWebBrowser) nearly 20 years ago. When .NET came around, they offered the same headless functionality in the form of the WebBrowser object. The concept isn't new, the only thing that's new is that Chrome and Firefox are finally copying an old IE feature!
XVFB, and the idea of running things "headlessly," including Firefox has been around for a long time. They are just codifing it into the browsers.
Its a good thing. Sure, put in an about:config preference to disable it maybe??? Otherwise, people have are complaining have no idea how beneficial the feature is.
That's why modern OS like Win8.1 and Win10 consumes 1,400 MB (1.4GiB) upon startup. While my current setup, a WinXP, consumes only 65 MB upon restart complete with graphics driver and WiFi/ LAN drivers. Just 21 times RAM usage compared to XP. In other words XP uses only 4% of Win8.1 RAM usage. Now don't point out that RAM is very cheap these days, this is not about cheap RAM, this is about ATTACK SURFACE and more bugs hidden in 1.4GiB than 65MB, in addition to being heavily tested by users worldwide for more than 10 years.
This is exactly what we need to have a more secure OS. Make a lot of useless crap running on the background while we are playing minesweeper. Did we just forget about SMBv1 running in the background by default even on standalone workstations?
Correct me if I’m wrong but if I have malware on my machine that’s capable of starting up my web browser in headless mode (a.k.a. arbitrary executable), well I probably have much more serious issues to address ASAP!
Correct me if I'm wrong
OK
You're wrong.
You're corrected.
All it takes is a 3rd-party banner-ad or something similar and usually innocuous on a normally-trustworthy website that's been hijacked to run a short piece of script to open a headless instance and have it happily continue to run and remain 'open' and 'clicking' ads long after you've closed the visible instance you were using.
Or maybe doing something else. Depends on what the attacker wants. Maybe subscribing you to a bunch of MLP/furry/yiff-porn E/snail-mail lists and 'hookup' services.
So many possibilities...
I don't trust checkboxes, anyway. I hardly trust anything anymore -- open source or not.
Firefox has a checkbox for offline storage that reads, "Tell me when a website asks to store data for offline use". The problem is, the browser will only inform you if the data being saved is larger than a specific amount, and the browser allows data to be written in small chunks. As a result, if you enable this feature, the browser will happily save lots of offline data without ever informing you, let alone asking your permission. I had this checkbox turned on (it's off by default) and I would still regularly find dozens of megs of offline data saved. To "properly" enable the checkbox, you have to go to about:config and change multiple settings, including the exact cutoff limits. The GUI checkbox doesn't do squat.
All browsers, even Firefox, are resorting to these silly tactics to keep you from actually controlling what the browser can do. Don't get me started about how Opera used to regularly break the feature to disable updates (and constantly changed the command-line options), in an attempt to force updates even if you didn't want them.
I see you still hide as unidentifiable ac projecting your own self-awareness that YOU = the village idiot "ne'er-do-well".
APK
P.S.=> Grow up & get over your own bs issues loser - & yes, you're a total loser + truly cowardly little worm, nothing more (one I've obviously "upset" somehow - odds are, in a tech debate probably about hosts, where I've torn your sorry ass apart before in no doubt)... apk
Advertisers want clicks, I do not want to see their shit. So my headless firefox is allowed to click (with a separate profile because of tracking cookies and so on) and I can support the websites which cry because of my adblocker.
If anyone objects, he should stop crying. Either they want me to load their ad or they do not want me to.