Slashdot Mirror


How Web Apps Can Turn Browser Extensions Into Backdoors (threatpost.com)

"Threatpost has a link to some recent research about ways web pages can exploit browser extensions to steal information or write files," writes Slashdot reader jbmartin6. "Did we need another reason to be deeply suspicious of any browser extension? Not only do they spy on us for their makers, now other people can use them to spy on us as well. The academic paper is titled 'Empowering Web Applications with Browser Extensions' (PDF)." From the report: "An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application," researchers wrote. They added, "Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another... APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications."

The researcher behind the paper focused on a specific class of web extension built on the "WebExtensions API," a cross-browser extension system supported by major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that use the WebExtensions API, the study flagged 3,996 as suspicious. While that seems voluminous, they noted that the research found only a small number of vulnerable extensions overall, and that concern should be measured. However, "browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions."
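As an added illustration of the message-passing channel the researchers describe (example code, not from the paper or from any extension it studied): a content script's relay of window.postMessage data to the extension's background page, first in the unchecked form and then with sender, origin, shape and action checks. ALLOWED_ORIGINS, the action names and the sample events are constructed assumptions, and the browser's own chrome.runtime.sendMessage call is left out so the gate logic runs stand-alone.

```javascript
// Origins this (hypothetical) extension is meant to cooperate with.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// The only actions that may reach the background page, each with a payload
// validator. Anything not listed here is dropped before it is relayed.
const ACTIONS = {
  getTheme: (p) => p === undefined,
  saveNote: (p) => typeof p === "string" && p.length <= 1000,
};

// Weak relay, the pattern the paper exploits: whatever the page posted via
// window.postMessage is handed straight to the privileged background page,
// so any script on any origin can drive every background handler.
function weakRelay(event) {
  return { forwarded: true, message: event.data };
}

// Hardened relay: checks the sending window, the origin, the message shape
// and the action allow-list, then rebuilds the message instead of forwarding
// the page's object as-is. Returns {forwarded, message} or {forwarded, reason}.
function hardenedRelay(event, ownWindow) {
  if (event.source !== ownWindow) return { forwarded: false, reason: "foreign-window" };
  if (!ALLOWED_ORIGINS.has(event.origin)) return { forwarded: false, reason: "origin" };
  const d = event.data;
  if (!d || typeof d !== "object" || typeof d.action !== "string") {
    return { forwarded: false, reason: "shape" };
  }
  // hasOwnProperty guards against inherited names such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, d.action) || !ACTIONS[d.action](d.payload)) {
    return { forwarded: false, reason: "action" };
  }
  return { forwarded: true, message: { action: d.action, payload: d.payload } };
}

// Constructed sample events shaped like browser MessageEvents. PAGE stands in
// for the content script's own window, OTHER for an iframe or opener window.
const PAGE = {}, OTHER = {};
const SAMPLE_EVENTS = [
  { source: PAGE,  origin: "https://app.example.com", data: { action: "getTheme" } },
  { source: PAGE,  origin: "https://evil.example",    data: { action: "getTheme" } },
  { source: OTHER, origin: "https://app.example.com", data: { action: "getTheme" } },
  { source: PAGE,  origin: "https://app.example.com", data: { action: "readCookies" } },
  { source: PAGE,  origin: "https://app.example.com", data: "readCookies" },
];

// Which sample events a given relay would pass through to the background page.
function decisions(relay) {
  return SAMPLE_EVENTS.map((e) => relay(e, PAGE).forwarded);
}
```

The weak relay forwards all five constructed events; the hardened one forwards only the first, and the `reason` field says which check stopped each of the others.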

34 comments

  1. So by Anonymous Coward · · Score: 1

    So basically the whole "we're dropping XUL for webextensions. Because...uh...security!" thing from mozilla which crippled all my favourite extensions was pointless.

    1. Re:So by mukinrestak · · Score: 5, Insightful

      Yep. Anyone with a drop of decent cynicism knows that the goal is to cripple ad blocking and privacy protection and that "security" is just the excuse.

    2. Re:So by Anonymous Coward · · Score: 0

      My thoughts exactly.

    3. Re:So by macraig · · Score: 1

      The goal for us is to cripple the cripplers. Having a browser-independent updated HTTPS-ready version of Proxomitron would really help.

    4. Re:So by Anonymous Coward · · Score: 0

      a hosts file

    5. Re:So by h33t+l4x0r · · Score: 1

      So you think your free ad blocking extension is above suspicion? That's the dumbest thing I ever heard.

    6. Re:So by gl4ss · · Score: 1

      isn't it quite obvious that a web page can communicate with a browser extension though? like really fucking obvious? further than that you could just make the extension exploit the computer directly as long as you're coding it...

      --
      world was created 5 seconds before this post as it is.

    7. Re:So by Anubis+IV · · Score: 1

      And mine. The timing of this story seems awfully coincidental after Google's bad PR yesterday with the proposed Chromium changes.

    8. Re:So by Anonymous Coward · · Score: 0

      Indeed. The ignorance of the general public plus the spectre of real threats mean that yelling "security" is a great way to incite fear and not have your actions questioned.

      I once heard a friend explain to another friend about how DRM on his playstation was "for security" (exact quote, no details were given or requested). The lack of interest was palpable when I attempted to explain that this wasn't for user security.

    9. Re:So by Anonymous Coward · · Score: 0

      I came here to say the same thing

    10. Re:So by Anonymous Coward · · Score: 0

      "the dumbest thing I ever heard"; You must be very young...

    11. Re:So by Anonymous Coward · · Score: 0

      A hosts file is great, until browsers start forcing people to use DNS over HTTPS, bypassing the hosts file completely.

    12. Re:So by Anonymous Coward · · Score: 0

      Same with Chromium dropping some API features that are mostly exploited by spyware/adblockers.

    13. Re:So by Anonymous Coward · · Score: 0

      Oh but it is for user security, it's to prevent idiots from downloading shit from the internet with the promise of it being a free game or something.

      That's why DRM keeps passing the sniff test. It prevents unsigned software from running on the system. When you break the DRM controls so you can run anything, those very same devices often get infected with malware (see Android), and spyware, because it can override OS and User controls.

      I hate DRM software as much as the next person, but until kids start having to pass a basic security and copyright test in high school in order to graduate, you're not going to see anyone smarten up.

    14. Re:So by thomn8r · · Score: 1

      Yep. Anyone with a drop of decent cynicism knows that the goal is to cripple ad blocking and privacy protection and that "security" is just the excuse.

      But think of the children!

    15. Re:So by Anonymous Coward · · Score: 0

      Not me, count me out

  2. Free != Open Source by Anonymous Coward · · Score: 0

    So you think your free ad blocking extension is above suspicion? That's the dumbest thing I ever heard.

    No, I think that my OPEN SOURCE blocking extensions (uBlock Origin and Privacy Badger) are above suspicion. Trust but verify.

    1. Re:Free != Open Source by h33t+l4x0r · · Score: 1

      open source projects never get hacked or bought by malware companies, so you're right. don't be suspicious at all, ever.

  3. What's up with sandboxing? by fustakrakich · · Score: 1

    Everything is supposed to run that way anyway, right? This shouldn't be an issue.

    --
      “He’s not deformed, he’s just drunk!”

  4. Isn't "security" always an excuse? by Anonymous Coward · · Score: 0

    In any case, when people mean "security", they do not mean security for you, but security *from* you.

    Just like how "freedom", for neocons (and SJWs), does not mean freedom from harm, but freedom *to* harm. (The Romans had two different words for that, I've been told.)

    The level at which people are afraid nowadays, can only be called a collective anxiety disorder anyway.

  5. What the hell is non-false advertising? by Anonymous Coward · · Score: 0

    Has anyone ever seen such a beast?

    I mean *ever*?

    And wouldn't that just be a table of products, with measurable properties as columns and numbers with SI units as field values? (Like skinflint.co.uk alias geizhals.at.)

  6. Strawman. He never said that. by Anonymous Coward · · Score: 1

    He said: "Trust but verify."

    In the latter case, open source is above suspicion, and in any case, it's more trustworthy than closed source, where you cannot even tell without a massive effort.

    QED. You're a moron and an asshole.

    1. Re:Strawman. He never said that. by Anonymous Coward · · Score: 0

      Bullshit.

      Look how often malicious repackaging and how malware shit lies dormant in nearly-abandoned OSS projects.

      If you want to keep your precious adblocking tech intact, those projects need to be separated into engine components (eg something that can be loaded as an extension, or as a HTTP/HTTPS Proxy) and filter lists (eg hosts file, ip addresses and dns names to block or return zero-sized files for.)

    2. Re:Strawman. He never said that. by DeVilla · · Score: 1

      OK. Case study students.

      First example, Microsoft Windows 10. Everybody knows it is snooping on users in ways that many do not approve of. It has been doing so since its release and very little has changed. No one has come up with a reliable fix.

      Second example. Cisco routers have been found to have hard coded back door accounts built into them. This has happened several times. Pretty much anyone with even a modest understanding of system security knows this to be poor practice. No one outside of Cisco has any way of knowing if there are any more back door accounts in Cisco's firmware nor do they have a way to know if a new back door gets introduced.

      Third example. Mozilla has in several instances added features to Firefox that snooped on users in ways that many did not approve of. People went into the source code and found it. People and system distributors made forks of Firefox that disabled or removed these features. Mozilla ended up providing ways to disable these features in every case and in many cases removed or disabled these features by default or provided an affirmative opt in.

      Final example for today. Canonical added a feature to Ubuntu search interface that snooped on users in ways that many did not approve of. People went into the source code and found it. Canonical immediately documented how to opt-out and disable the feature for themselves. Forks and downstream distributions of Ubuntu removed the feature.

      The lesson, class, is not that Open Source software is invulnerable. The lesson is that it is harder to hide and force undesirable and unsafe behavior into Open Source software compared to non-Open Source software. Open Source software is not perfect. It's merely better by distributing the possibility of finding and fixing problems to a wider group than just those who would benefit from not fixing.

  7. Web Browsers, so yesterday by Anonymous Coward · · Score: 0

    Mobile Browser Apps, completely closed system. That's where the big hoses hook up to.

  8. Brought to you by... by Anonymous Coward · · Score: 0

    The Google Chrome dev team.

    Isn't it amazing how whenever google is trying to promote some stupid thing, we start to get stories that further support their ideas?

  9. Re: Built It by Anonymous Coward · · Score: 0

    We should build underground tomb cells to put serious felons in, and seal them off with a giant pyramid on top. Trump can be the very first inmate. In fact, let's do what NYC did over a century ago and think like an Egyptian:

    https://en.m.wikipedia.org/wiki/File:New_York_Halls_of_Justice.jpg

    Only I would build it MUCH bigger, with giant, intimidating statues lining the outside, and features exaggerated to make it feel very threatening. Instead of regular cell doors, it would have giant stone and steel doors with threatening hieroglyphics on both sides.

  10. EASY TO BEAT IN FF about:config by Anonymous Coward · · Score: 0

    EASY TO BEAT IN FireFox about:config:

    network.dnsCacheEntries 0
    network.trr.mode to 5 (SHUTS IT OFF)
    network.trr.uri (set to 208.67.222.222)

    * All that CRAP HTTPS does is SLOW YOU DOWN & it always gets bypassed/broken inevitably anyhow (SSL to TLS anyone? What's NEXT, for Pete's sake??)

    APK

    P.S.=> For the best hosts file multiplatform:

    APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)

    APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)

    Soon for MacOS too (I just got a NEW Mac-Mini to port it there too)... apk

  11. IMPERSONATING me STILL again? apk by Anonymous Coward · · Score: 0

    MacOS model's NOT done yet so you can STOP now as you IMPERSONATE me here on /. nigh constantly, ok? Good!

    * Port Filters are not supported in my work on hosts (in fact, my program STOPS that error) & here's proof of it https://news.slashdot.org/comm...

    APK

    P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 100th time now)... apk

  12. Can't kill THIS ad/malware/tracker blocker by Anonymous Coward · · Score: 0

    APK Hosts File Engine 2.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

    * ONLY 1 of its kind in GUI 4 Linux/BSD (soon 4 MacOS)!

    APK

    P.S.=> Protects vs. scripts/trackers (kernelmode faster vs. usermode slower NoScript vs. 3rd party script)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware download/malcript/email malicious payload... apk

  13. Software freedom is best defense against malware by jbn-o · · Score: 1

    The anonymous post that included "Trust but verify." was right; only software freedom gives us the best known defense against malware. I don't agree with post moderation but if a discussion forum will have such censorious distractions, posts like that deserve far more than 0 points.

    Your post, on the other hand, in which you claim that software freedom is "bullshit" ironically highlights how valuable software freedom is: separating functionality into components solves nothing if those components are implemented with non-free (user-subjugating, proprietary) software. Whatever value the separation purports to grant users is entirely lost by not respecting a user's software freedom. In fact we know that proprietary software is often malware.