Chrome Extension Caught Hijacking Users' Browsers (softpedia.com) 77
An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits. This same malicious code has also been found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker. At the moment, only Better History and User-Agent Switcher have been removed from the Web Store.
Re: (Score:2)
Re:Firefox will be fucked by malware like this, to (Score:5, Informative)
Right, this has nothing to do with the security of the extension repository and everything to do with yet another example of advertisers getting their hands on something and then shitting all over it. This is what advertisers do, they suck up all of the data they can, sell it, and show ads. What's missing from this story is the naming and shaming of the advertising company in question, and a condemnation from other advertisers that their industry should not engage in this kind of shady crap. I wouldn't hold my breath for those though.
At least the original author is doing his part after he realized what happened:
I'm going to alert as many users as I can that it has been compromised. I still have access to the mailing list (it was not part of the sale). Will be sending them a message with details.
Re: (Score:2)
Can you give an example of an approved ad that has gotten past ad block? I've never seen this, so maybe I'm not visiting the right sites to ever see them.
Re: (Score:1)
I assume he thought he would get a bunch of money so he can take a nice holiday, buy a new car and maybe even a new house.
It's nothing new (Score:4, Informative)
If you see this happen tell Mozilla/Google. They'll check the code, see the shenanigans and kill it. The browser will then refuse to run the code. If you're the worried sort or if you have a lot of extensions then disable auto-updates and patch as needed (I generally don't bother updating my plugin unless it breaks, which it just did
Re: (Score:2)
How can the browser refuse to run it if you haven't updated the browser? Having automatic updates is not a solution because automatic updates of extensions was what created the problem in the first place.
So long as you're running a newer version of FF (Score:2)
Re: (Score:2)
The difference is that Firefox requires each new revision of the extension to be reviewed, so you can't just sneak in malware.
It could happen, sure, reviews aren't perfect, but it is a lot less likely, and if you're a malware author, probably not worth buying someone off for that low probability.
Re: (Score:2)
Well, having your add-ons automatically update themselves without user interaction seems to be a big part of the problem. If only those who updated found the problem they could save headaches for the rest of the world that don't update immediately like robots. Sort of the problem with Windows 10 here where a bad update can brick everyone in unison. Choice is always a good option, including the choice to not update.
Re: (Score:2)
They won't. They're changing a lot of stuff to, among other things, keep extensions and the browser binaries separate. On the one hand, that's good security which should have happened years ago; on the other, it will render a lot of extensions that are core to the Firefox experience for some users totally worthless, as the hooks they leverage will no longer be available.
All that said, they won't be policing the extension libraries any more than Google does... it all relies on user reviews. People started no
Re: (Score:1)
If Firefox gets this bad, and there's every indication that it will, then it will create fertile ground for a new browser catering to the crowd that craves what Firefox used to offer: actual security and customization.
Really? I doubt it.
Firefox has sucked shit and gotten progressively worse for at least 3+ years. Chrome has never had the flexibility and customizability that made Firefox popular in the first place. So why hasn't someone taken advantage of this "fertile ground for a new browser"? The closest thing so far is Palemoon, which I've been using for about a year now. But it's just a slightly modified Firefox and there is no actual development going on -- they're completely dependent on Firefox to supply the
Flash or silverlight (Score:2)
I'm just waiting for the day when the Flash or chrome auto-install-updates feature gets redirected to a malicious server and 90% of the world gets rooted.
Re: (Score:1)
Anything that forces automatic updates can be fucked like this. That's why Chrome and Opera are stupid for not prompting the user to update extensions or let them disable updating per extension. Windows 10 follows this same idiotic, bleeding-edge, forced update crap that can and probably will, going by Microsoft's poor history of security, end up being exploited.
Re: (Score:3)
Just because something is freely provided at no monetary cost doesn't mean that the people providing it are unscrupulous assholes.
Re: (Score:2)
It's all over the place (Score:2)
There's been weirdness like I've never seen before with some of this stuff.
One of my screenshot extensions was doing something similar last night, and really weird behavior from my adblocker, which effectively knocked me offline until I could figure out what was causing it.
Not surprised at all (Score:3)
Just go and do a few searches and see for yourself.
No extensions.... (Score:1)
This is actually one of the reasons that I don't install any extensions in my browsers. If you run bare-bones, you don't get accustomed to extensions that aren't available when you use other computers......you also don't have to worry about the quality or security of the add-on.
When Firefox first came out, people raved about how good of a browser it was.....but then they rattled off a list of extensions you needed to add to make it great. Bare-bones IE was actually still better than bare-bones Firefox at
Re: (Score:3, Funny)
Re: (Score:1)
What a horribly wrong assumption.......
I'm not worried about ads because I'd rather see/ignore an ad than pay for the content on sites like Slashdot (nebulous quality). I practice safe browsing (i.e. nothing shady outside of a locked down VM, stick to known-good sites, etc.) and recommend everyone else do the same. Known malware sites and sketchy ads are blocked at the firewall so that my less-tech-savvy family are protected as well.
Why should I rely on a browser with a specific extension when I can prote
Re: (Score:2)
How do you run a locked-down VM on your phone? What exactly is a known-good site?
Re: No extensions.... (Score:2)
How do you know if a site is shady or not? Can you tell whether it's been compromised? How do you know if the ad network(s) they use aren't serving up infected ads?
Re: (Score:1)
You guys are arguing over nothing. The GP was saying everyone should use an ad blocker and you're saying no, everyone should use an ad blocker. It doesn't matter if its blocked at the browser or blocked at the firewall. You can't ask non-tech people to configure their firewall to block ads but you can ask them to click on this link to install an extension. The firewall is a stronger solution, but extensions will protect them when they connect to other networks.
That said, there's no such thing as a known
Re: (Score:3)
Which is exactly what should be done. Blocking scripts and ads should be built-in to the browser and not require a third-party extension. If Netscape 2.0 can pause loading images until you press a button, then modern browsers can likewise pause Javascript, Flash, and other content until you also press a button.
It's almost like browser programmers never heard of the Microsoft Outloo
Re: (Score:2)
You probably run the Comodo "secure" browser too huh?
Firefox (Score:5, Funny)
That is why I use firefox in combination with flash and java.
It uses so much system resources it would be impossible for any malware to do anything.
Re:Firefox (Score:4, Funny)
You should mine Dogecoins with your CPU while at the same time mining Bitcoins with your GPU, that's the only way to be sure.
Re: (Score:1)
I already have his computer mining bitcoin for me.
That sucks ... (Score:5, Insightful)
That really sucks, because basically it means malicious assholes can take control of these things.
But, I think it points to a broader problem: EULAs.
The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".
There need to be real privacy laws, with real penalties, and real restrictions about what you can do with it once you've collected it.
Shit like this should be illegal. And if people won't make it illegal (because lawmakers are on the payroll of large corporations who want this), then some of the black hats should be looking to burn you to the ground for being such douchebags.
Oblig Bad Car Analogy (Score:3)
The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".
Dear Customer,
Thank you for bringing your Mercedes SLS in for it's periodic maintenance. Per our Terms Of Use, you can pick up your Toyota Prius at the dealer maintenance facility at any time of your convenience.
Re: (Score:3)
This problem would exist even without the EULAs. The companies would just setup in some country where they can't easily be touched. Heck, they probably already are. Also: Did these extensions even have EULAs?
Re:That sucks ... (Score:4, Insightful)
I think the broader problem is auto-updating software.
Don't Be Evil (Score:3)
Outsource it.
Caught it in two weeks. (Score:5, Informative)
On the other hand the permissions model seems to be broken. So many users give the apps all the permissions it asks for. Once a permission is granted, it is often difficult to go back and turn off permissions. I don't know how to make it easy to use and to let the user have the flexibility of control.
1. Build a brand, then 2. Rape it (Score:2)
Buy a respected brand, rape it for all you can by outsourcing production to China and pocket all the extra money. Then find another bigger fool to buy the smoking heap when you can no longer milk any more money from the rubes with it.
The obvious question is... (Score:5, Funny)
Is Rightscorp the developer?
Re: (Score:3)
Is Rightscorp the developer?
Or can they use the same principle to hijack suspected pirates' browsers. [slashdot.org]
All modern browsers are junk (Score:1)
It's been years since we had a decent browser. All of them are obsessed with adding extensions and bloatware.
Have installed user-agent switcher extension! (Score:1)
Crap... have uninstalled it now. Thanks /.
FYI. To other people. Just because google removed it from the store, it's still active in your chrome and you have to manually remove it.
That is why when i click a link, it redirects to to some ad services. But it got nowhere since ublock origin blocked it.
Now, to be more careful and just use minimal extensions like 5 or less, and it must be popular.
Disable Auto Update?? (Score:2, Insightful)
The fact that they can auto update so silently without any easy way to disable that seems like the largest security hole.
Updates should be selectable and come with user comments/comment voting to allow for some self policing.
Re: (Score:1)
Locally installed. (Score:1)
This is why I take extensions I use and install them locally (sideload) and remove any "phone-home" crap in them, and remove any ties to update servers or whatever.
Knowing JS is very handy and has real-world use. Whodda thunk it?
Admittedly the only extensions I use are a tab manager, an iframe header blocker (so I can iframe any site again) and a custom script injector.
Using a script injector and a web server on local machine makes for simple customization of any website without the overhead of crap like G
Did they reconsider the history feature? (Score:2)
Change app identifiers (Score:5, Interesting)
Thought: app stores need to change the app's identifying number when ownership changes hands. The app store can then notify users at the next update and let them choose whether to update and switch to the new version or reject the update. That'd put an end to this mess.
Re: (Score:2)
And who is going to notify the app store that the ownership has changed?
Re: (Score:2)
The developer themselves. It's already part of the process of transferring an app from one developer account to another. Google just has to modify the server portion to automatically change the identifier as part of the transfer process.
If the developer set up a separate Google account for their developer account and they're transferring everything, they can just transfer access and in theory Google would be oblivious. In practice however the transfer involves things like changing the merchant account to us
Re: (Score:2)
But if you buy the company, you might be buying their developer account as well - specifically to avoid the situation where app IDs change so that they can get away with this kind of behaviour.
It's not a bad idea (Score:2)
I hate to blame the victim, but... (Score:2)