Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Chrome Security

Chrome Extension Caught Hijacking Users' Browsers (softpedia.com) 77

An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits. This same malicious code has also been found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker. At the moment, only Better History and User-Agent Switcher have been removed from the Web Store.
This discussion has been archived. No new comments can be posted.

Chrome Extension Caught Hijacking Users' Browsers

Comments Filter:
  • There's been weirdness like I've never seen before with some of this stuff.
    One of my screenshot extensions was doing something similar last night, and really weird behavior from my adblocker, which effectively knocked me offline until I could figure out what was causing it.

  • by wbr1 ( 2538558 ) on Monday April 04, 2016 @01:12PM (#51839495)
    Everytime I go to the chrome web store I see questionable apps and extensions. Close named clones, etc. It seems like the web store is curated much less actively than the android app store, and even that one gets junk through.

    Just go and do a few searches and see for yourself.

  • This is actually one of the reasons that I don't install any extensions in my browsers. If you run bare-bones, you don't get accustomed to extensions that aren't available when you use other computers......you also don't have to worry about the quality or security of the add-on.

    When Firefox first came out, people raved about how good of a browser it was.....but then they rattled off a list of extensions you needed to add to make it great. Bare-bones IE was actually still better than bare-bones Firefox at

    • Re: (Score:3, Funny)

      if you are honestly suggesting people go on the internet, with any browser, without blocking scripts and ads via an extension, i'm going to assume the developing you do is mostly adware and malware.
      • by SQLGuru ( 980662 )

        What a horribly wrong assumption.......

        I'm not worried about ads because I'd rather see/ignore an ad than pay for the content on sites like Slashdot (nebulous quality). I practice safe browsing (i.e. nothing shady outside of a locked down VM, stick to known-good sites, etc.) and recommend everyone else do the same. Known malware sites and sketchy ads are blocked at the firewall so that my less-tech-savvy family are protected as well.

        Why should I rely on a browser with a specific extension when I can prote

        • How do you run a locked-down VM on your phone? What exactly is a known-good site?

        • How do you know if a site is shady or not? Can you tell whether it's been compromised? How do you know if the ad network(s) they use aren't serving up infected ads?

        • by Anonymous Coward

          You guys are arguing over nothing. The GP was saying everyone should use an ad blocker and you're saying no, everyone should use an ad blocker. It doesn't matter if its blocked at the browser or blocked at the firewall. You can't ask non-tech people to configure their firewall to block ads but you can ask them to click on this link to install an extension. The firewall is a stronger solution, but extensions will protect them when they connect to other networks.

          That said, there's no such thing as a known

      • by Sigma 7 ( 266129 )

        if you are honestly suggesting people go on the internet, with any browser, without blocking scripts and ads via an extension,

        Which is exactly what should be done. Blocking scripts and ads should be built-in to the browser and not require a third-party extension. If Netscape 2.0 can pause loading images until you press a button, then modern browsers can likewise pause Javascript, Flash, and other content until you also press a button.

        It's almost like browser programmers never heard of the Microsoft Outloo

    • You probably run the Comodo "secure" browser too huh?

  • Firefox (Score:5, Funny)

    by pablo_max ( 626328 ) on Monday April 04, 2016 @01:15PM (#51839527)

    That is why I use firefox in combination with flash and java.
    It uses so much system resources it would be impossible for any malware to do anything.

  • That sucks ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Monday April 04, 2016 @01:15PM (#51839533) Homepage

    As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits.

    That really sucks, because basically it means malicious assholes can take control of these things.

    But, I think it points to a broader problem: EULAs.

    The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".

    There need to be real privacy laws, with real penalties, and real restrictions about what you can do with it once you've collected it.

    Shit like this should be illegal. And if people won't make it illegal (because lawmakers are on the payroll of large corporations who want this), then some of the black hats should be looking to burn you to the ground for being such douchebags.

    • The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".

      Dear Customer,
      Thank you for bringing your Mercedes SLS in for it's periodic maintenance. Per our Terms Of Use, you can pick up your Toyota Prius at the dealer maintenance facility at any time of your convenience.

    • by MobyDisk ( 75490 )

      This problem would exist even without the EULAs. The companies would just setup in some country where they can't easily be touched. Heck, they probably already are. Also: Did these extensions even have EULAs?

    • Re:That sucks ... (Score:4, Insightful)

      by Actually, I do RTFA ( 1058596 ) on Monday April 04, 2016 @02:25PM (#51840201)

      But, I think it points to a broader problem:

      I think the broader problem is auto-updating software.

  • by PPH ( 736903 ) on Monday April 04, 2016 @01:16PM (#51839535)

    Outsource it.

  • by 140Mandak262Jamuna ( 970587 ) on Monday April 04, 2016 @01:16PM (#51839537) Journal
    The original developer who built up the trust, sold out on Mar 23. It took the users some time to notice it, and in two weeks the extension is off the store. And other extensions have been spotted. So in some sense, not so bad.

    On the other hand the permissions model seems to be broken. So many users give the apps all the permissions it asks for. Once a permission is granted, it is often difficult to go back and turn off permissions. I don't know how to make it easy to use and to let the user have the flexibility of control.

    • Hey, it's the American way! Why do you hate Capitalism?

      Buy a respected brand, rape it for all you can by outsourcing production to China and pocket all the extra money. Then find another bigger fool to buy the smoking heap when you can no longer milk any more money from the rubes with it.
  • by SeaFox ( 739806 ) on Monday April 04, 2016 @01:17PM (#51839549)

    Is Rightscorp the developer?

  • by Anonymous Coward

    It's been years since we had a decent browser. All of them are obsessed with adding extensions and bloatware.

  • Crap... have uninstalled it now. Thanks /.

    FYI. To other people. Just because google removed it from the store, it's still active in your chrome and you have to manually remove it.

    That is why when i click a link, it redirects to to some ad services. But it got nowhere since ublock origin blocked it.

    Now, to be more careful and just use minimal extensions like 5 or less, and it must be popular.

  • by Anonymous Coward

    The fact that they can auto update so silently without any easy way to disable that seems like the largest security hole.

    Updates should be selectable and come with user comments/comment voting to allow for some self policing.

  • Comment removed based on user account deletion
  • by Anonymous Coward

    This is why I take extensions I use and install them locally (sideload) and remove any "phone-home" crap in them, and remove any ties to update servers or whatever.
    Knowing JS is very handy and has real-world use. Whodda thunk it?

    Admittedly the only extensions I use are a tab manager, an iframe header blocker (so I can iframe any site again) and a custom script injector.
    Using a script injector and a web server on local machine makes for simple customization of any website without the overhead of crap like G

  • Did Google also reconsider the feature that is at the heart of this issue? People only used this extension because of how incomplete the history viewer is in Chrome.
  • by Todd Knarr ( 15451 ) on Monday April 04, 2016 @03:26PM (#51840693) Homepage

    Thought: app stores need to change the app's identifying number when ownership changes hands. The app store can then notify users at the next update and let them choose whether to update and switch to the new version or reject the update. That'd put an end to this mess.

    • by phorm ( 591458 )

      And who is going to notify the app store that the ownership has changed?

      • The developer themselves. It's already part of the process of transferring an app from one developer account to another. Google just has to modify the server portion to automatically change the identifier as part of the transfer process.

        If the developer set up a separate Google account for their developer account and they're transferring everything, they can just transfer access and in theory Google would be oblivious. In practice however the transfer involves things like changing the merchant account to us

        • by trawg ( 308495 )

          But if you buy the company, you might be buying their developer account as well - specifically to avoid the situation where app IDs change so that they can get away with this kind of behaviour.

      • The author was honest the buyer wasn't. In that case the seller is going to be the one that notifies google (if only to preserve their reputation).
  • Anyone installing an extension named "4chan Plus" gets what they deserve.

Two can Live as Cheaply as One for Half as Long. -- Howard Kandel

Working...