Chrome Extension Caught Hijacking Users' Browsers

An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits. This same malicious code has also been found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker. At the moment, only Better History and User-Agent Switcher have been removed from the Web Store.

Re:

[Luthair]

A lot (all?) of this behaviour was already possible with the existing Firefox add-ons. Unfortunately the people actually responsible here are the people creating an extension, getting users then selling it. This isn't new, and any reasonable person should assume something shady will happen.

Re:Firefox will be fucked by malware like this, to

[amicusNYCL]

Right, this has nothing to do with the security of the extension repository and everything to do with yet another example of advertisers getting their hands on something and then shitting all over it. This is what advertisers do, they suck up all of the data they can, sell it, and show ads. What's missing from this story is the naming and shaming of the advertising company in question, and a condemnation from other advertisers that their industry should not engage in this kind of shady crap. I wouldn't hold my breath for those though.

At least the original author is doing his part after he realized what happened:

I'm going to alert as many users as I can that it has been compromised. I still have access to the mailing list (it was not part of the sale). Will be sending them a message with details.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

I assume he thought he would get a bunch of money so he can take a nice holiday, buy a new car and maybe even a new house.

It's nothing new

[rsilvergun]

I'm a Firefox add on developer and I get offers like this all the time. Shady companies have been buying extensions and putting malware in them for ages. Firefox and Chrome both have kill switches now that let them disable the extensions outside of developer builds. It's a bit of a pain since I can't throw up a beta of my plugin on my site anymore, but there's a development channel for me to use now so it's not that big of a deal.

If you see this happen tell Mozilla/Google. They'll check the code, see the shenanigans and kill it. The browser will then refuse to run the code. If you're the worried sort or if you have a lot of extensions then disable auto-updates and patch as needed (I generally don't bother updating my plugin unless it breaks, which it just did :) ).

Re:

[account_deleted]

Comment removed based on user account deletion

So long as you're running a newer version of FF

[rsilvergun]

you're set. FF now checks a signature (provided by Mozilla's private key) and won't run an addon without it. Basically you can't make Firefox addons without Mozilla's approval anymore (unless you want to run iceweasle or a developer build, but if you're that far into it you're probably OK on your own). Chrome's done the same thing for years. Firefox didn't want to because it makes managing extensions internally (e.g. for gov't contracts and the like) a nightmare.

Re:

[Derek Pomery]

The difference is that Firefox requires each new revision of the extension to be reviewed, so you can't just sneak in malware.

It could happen, sure, reviews aren't perfect, but it is a lot less likely, and if you're a malware author, probably not worth buying someone off for that low probability.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

They won't. They're changing a lot of stuff to, among other things, keep extensions and the browser binaries separate. On the one hand, that's good security which should have happened years ago; on the other, it will render a lot of extensions that are core to the Firefox experience for some users totally worthless, as the hooks they leverage will no longer be available.

All that said, they won't be policing the extension libraries any more than Google does... it all relies on user reviews. People started no

Re:

[Anonymous Coward]

If Firefox gets this bad, and there's every indication that it will, then it will create fertile ground for a new browser catering to the crowd that craves what Firefox used to offer: actual security and customization.

Really? I doubt it.

Firefox has sucked shit and gotten progressively worse for at least 3+ years. Chrome has never had the flexibility and customizability that made Firefox popular in the first place. So why hasn't someone taken advantage of this "fertile ground for a new browser"? The closest thing so far is Palemoon, which I've been using for about a year now. But it's just a slightly modified Firefox and there is no actual development going on -- they're completely dependent on Firefox to supply the

Flash or silverlight

[goombah99]

I'm just waiting for the day when the Flash or chrome auto-install-updates feature gets redirected to a malicious server and 90% of the world gets rooted.

Re:

[Anonymous Coward]

Anything that forces automatic updates can be fucked like this. That's why Chrome and Opera are stupid for not prompting the user to update extensions or let them disable updating per extension. Windows 10 follows this same idiotic, bleeding-edge, forced update crap that can and probably will, going by Microsoft's poor history of security, end up being exploited.

Re:

[alvinrod]

I haven't paid anything for Linux (or various other open source programs) either and I haven't had any problems like this.

Just because something is freely provided at no monetary cost doesn't mean that the people providing it are unscrupulous assholes.

Re:

[Flavianoep]

Yeah, Linux is quite safe, albeit being free, but I usually make a donation to the my distro of choice just to make sure.

It's all over the place

[cshark]

There's been weirdness like I've never seen before with some of this stuff.
One of my screenshot extensions was doing something similar last night, and really weird behavior from my adblocker, which effectively knocked me offline until I could figure out what was causing it.

Not surprised at all

[wbr1]

Everytime I go to the chrome web store I see questionable apps and extensions. Close named clones, etc. It seems like the web store is curated much less actively than the android app store, and even that one gets junk through.

Just go and do a few searches and see for yourself.

No extensions....

[SQLGuru]

This is actually one of the reasons that I don't install any extensions in my browsers. If you run bare-bones, you don't get accustomed to extensions that aren't available when you use other computers......you also don't have to worry about the quality or security of the add-on.

When Firefox first came out, people raved about how good of a browser it was.....but then they rattled off a list of extensions you needed to add to make it great. Bare-bones IE was actually still better than bare-bones Firefox at

Re:

[Rob MacDonald]

if you are honestly suggesting people go on the internet, with any browser, without blocking scripts and ads via an extension, i'm going to assume the developing you do is mostly adware and malware.

Re:

[SQLGuru]

What a horribly wrong assumption.......

I'm not worried about ads because I'd rather see/ignore an ad than pay for the content on sites like Slashdot (nebulous quality). I practice safe browsing (i.e. nothing shady outside of a locked down VM, stick to known-good sites, etc.) and recommend everyone else do the same. Known malware sites and sketchy ads are blocked at the firewall so that my less-tech-savvy family are protected as well.

Why should I rely on a browser with a specific extension when I can prote

Re:

[SydShamino]

How do you run a locked-down VM on your phone? What exactly is a known-good site?

Re: No extensions....

[cyber-vandal]

How do you know if a site is shady or not? Can you tell whether it's been compromised? How do you know if the ad network(s) they use aren't serving up infected ads?

Re:

[Anonymous Coward]

You guys are arguing over nothing. The GP was saying everyone should use an ad blocker and you're saying no, everyone should use an ad blocker. It doesn't matter if its blocked at the browser or blocked at the firewall. You can't ask non-tech people to configure their firewall to block ads but you can ask them to click on this link to install an extension. The firewall is a stronger solution, but extensions will protect them when they connect to other networks.

That said, there's no such thing as a known

Re:

[Sigma 7]

if you are honestly suggesting people go on the internet, with any browser, without blocking scripts and ads via an extension,

Which is exactly what should be done. Blocking scripts and ads should be built-in to the browser and not require a third-party extension. If Netscape 2.0 can pause loading images until you press a button, then modern browsers can likewise pause Javascript, Flash, and other content until you also press a button.

It's almost like browser programmers never heard of the Microsoft Outloo

Re:

[The-Ixian]

You probably run the Comodo "secure" browser too huh?

Firefox

[pablo_max]

That is why I use firefox in combination with flash and java.
It uses so much system resources it would be impossible for any malware to do anything.

Re:Firefox

[U2xhc2hkb3QgU3Vja3M]

You should mine Dogecoins with your CPU while at the same time mining Bitcoins with your GPU, that's the only way to be sure.

Re:

[Anonymous Coward]

I already have his computer mining bitcoin for me.

That sucks ...

[gstoddart]

As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits.

That really sucks, because basically it means malicious assholes can take control of these things.

But, I think it points to a broader problem: EULAs.

The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".

There need to be real privacy laws, with real penalties, and real restrictions about what you can do with it once you've collected it.

Shit like this should be illegal. And if people won't make it illegal (because lawmakers are on the payroll of large corporations who want this), then some of the black hats should be looking to burn you to the ground for being such douchebags.

Oblig Bad Car Analogy

[PPH]

The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".

Dear Customer,
Thank you for bringing your Mercedes SLS in for it's periodic maintenance. Per our Terms Of Use, you can pick up your Toyota Prius at the dealer maintenance facility at any time of your convenience.

Re:

[MobyDisk]

This problem would exist even without the EULAs. The companies would just setup in some country where they can't easily be touched. Heck, they probably already are. Also: Did these extensions even have EULAs?

Re:That sucks ...

[Actually, I do RTFA]

But, I think it points to a broader problem:

I think the broader problem is auto-updating software.

Don't Be Evil

[PPH]

Outsource it.

Caught it in two weeks.

[140Mandak262Jamuna]

The original developer who built up the trust, sold out on Mar 23. It took the users some time to notice it, and in two weeks the extension is off the store. And other extensions have been spotted. So in some sense, not so bad.

On the other hand the permissions model seems to be broken. So many users give the apps all the permissions it asks for. Once a permission is granted, it is often difficult to go back and turn off permissions. I don't know how to make it easy to use and to let the user have the flexibility of control.

1. Build a brand, then 2. Rape it

[Thud457]

Hey, it's the American way! Why do you hate Capitalism?

Buy a respected brand, rape it for all you can by outsourcing production to China and pocket all the extra money. Then find another bigger fool to buy the smoking heap when you can no longer milk any more money from the rubes with it.

The obvious question is...

[SeaFox]

Is Rightscorp the developer?

Re:

[Flavianoep]

Is Rightscorp the developer?

Or can they use the same principle to hijack suspected pirates' browsers. [slashdot.org]

All modern browsers are junk

[Anonymous Coward]

It's been years since we had a decent browser. All of them are obsessed with adding extensions and bloatware.

Have installed user-agent switcher extension!

[Anonymous Coward]

Crap... have uninstalled it now. Thanks /.

FYI. To other people. Just because google removed it from the store, it's still active in your chrome and you have to manually remove it.

That is why when i click a link, it redirects to to some ad services. But it got nowhere since ublock origin blocked it.

Now, to be more careful and just use minimal extensions like 5 or less, and it must be popular.

Disable Auto Update??

[Anonymous Coward]

The fact that they can auto update so silently without any easy way to disable that seems like the largest security hole.

Updates should be selectable and come with user comments/comment voting to allow for some self policing.

Re:

[account_deleted]

Comment removed based on user account deletion

Locally installed.

[Anonymous Coward]

This is why I take extensions I use and install them locally (sideload) and remove any "phone-home" crap in them, and remove any ties to update servers or whatever.
Knowing JS is very handy and has real-world use. Whodda thunk it?

Admittedly the only extensions I use are a tab manager, an iframe header blocker (so I can iframe any site again) and a custom script injector.
Using a script injector and a web server on local machine makes for simple customization of any website without the overhead of crap like G

Did they reconsider the history feature?

[idontusenumbers]

Did Google also reconsider the feature that is at the heart of this issue? People only used this extension because of how incomplete the history viewer is in Chrome.

Change app identifiers

[Todd Knarr]

Thought: app stores need to change the app's identifying number when ownership changes hands. The app store can then notify users at the next update and let them choose whether to update and switch to the new version or reject the update. That'd put an end to this mess.

Re:

[phorm]

And who is going to notify the app store that the ownership has changed?

Re:

[Todd Knarr]

The developer themselves. It's already part of the process of transferring an app from one developer account to another. Google just has to modify the server portion to automatically change the identifier as part of the transfer process.

If the developer set up a separate Google account for their developer account and they're transferring everything, they can just transfer access and in theory Google would be oblivious. In practice however the transfer involves things like changing the merchant account to us

Re:

[trawg]

But if you buy the company, you might be buying their developer account as well - specifically to avoid the situation where app IDs change so that they can get away with this kind of behaviour.

It's not a bad idea

[rsilvergun]

The author was honest the buyer wasn't. In that case the seller is going to be the one that notifies google (if only to preserve their reputation).

I hate to blame the victim, but...

[helixcode123]

Anyone installing an extension named "4chan Plus" gets what they deserve.