Chrome Security

Chrome Extension Caught Hijacking Users' Browsers (softpedia.com) 77

An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits. This same malicious code has also been found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker. At the moment, only Better History and User-Agent Switcher have been removed from the Web Store.
  • by Anonymous Coward on Monday April 04, 2016 @02:09PM (#51839465)

    So a few months ago the Firefox devs announced that Firefox would start using an extension approach compatible with that of Chrome's [mozilla.org]:

    To this end, we are implementing a new, Blink-compatible API in Firefox called WebExtensions. Extension code written for Chrome, Opera, or, possibly in the future, Microsoft Edge will run in Firefox with few changes as a WebExtension. This modern and JavaScript-centric API has a number of advantages, including supporting multi-process browsers by default and mitigating the risk of misbehaving add-ons and malware.

    So this Chrome-inspired extension approach that Firefox will be using is supposed to mitigate "the risk of misbehaving add-ons and malware", yet this incident suggests to me that the Chrome approach may have some serious problems with malware.

    How will the Firefox devs be handling these problems, so that malware attacks like this can't happen with extensions used with Firefox?

    • by Anonymous Coward on Monday April 04, 2016 @02:16PM (#51839543)
      You mean like this "related" news story from the same site? http://news.softpedia.com/news... [softpedia.com]
    • A lot (all?) of this behaviour was already possible with the existing Firefox add-ons. Unfortunately the people actually responsible here are the people creating an extension, getting users then selling it. This isn't new, and any reasonable person should assume something shady will happen.
      • by amicusNYCL ( 1538833 ) on Monday April 04, 2016 @02:42PM (#51839765)

        Right, this has nothing to do with the security of the extension repository and everything to do with yet another example of advertisers getting their hands on something and then shitting all over it. This is what advertisers do, they suck up all of the data they can, sell it, and show ads. What's missing from this story is the naming and shaming of the advertising company in question, and a condemnation from other advertisers that their industry should not engage in this kind of shady crap. I wouldn't hold my breath for those though.

        At least the original author is doing his part after he realized what happened:

        I'm going to alert as many users as I can that it has been compromised. I still have access to the mailing list (it was not part of the sale). Will be sending them a message with details.

        • by Anonymous Coward on Monday April 04, 2016 @05:11PM (#51841007)

          Lot of users never discover that an extension has been sold off to another entity. We saw this with Ad Block as the original developer sold it off, and now we see approved ads being allowed. Obviously it's owned now by someone interested in pushing some ads in order to make money. This is really the problem, many users install the extensions but never pay a dime for them. You either end up with developers who give up, don't support it, or sell it off. Leaving it in the hands of potentially a developer who is not so nice.

        • by Anonymous Coward on Monday April 04, 2016 @10:22PM (#51842577)

          He sold it to a company called "advault.net" according to a reddit comment. Sort of makes me wonder what he thought would happen with a name like that.

        • It's nothing new (Score:4, Informative)

          by rsilvergun ( 571051 ) on Monday April 04, 2016 @10:23PM (#51842579)
          I'm a Firefox add on developer and I get offers like this all the time. Shady companies have been buying extensions and putting malware in them for ages. Firefox and Chrome both have kill switches now that let them disable the extensions outside of developer builds. It's a bit of a pain since I can't throw up a beta of my plugin on my site anymore, but there's a development channel for me to use now so it's not that big of a deal.

          If you see this happen tell Mozilla/Google. They'll check the code, see the shenanigans and kill it. The browser will then refuse to run the code. If you're the worried sort or if you have a lot of extensions then disable auto-updates and patch as needed (I generally don't bother updating my plugin unless it breaks, which it just did :) ).
      • The difference is that Firefox requires each new revision of the extension to be reviewed, so you can't just sneak in malware.

        It could happen, sure, reviews aren't perfect, but it is a lot less likely, and if you're a malware author, probably not worth buying someone off for that low probability.

      • Well, having your add-ons automatically update themselves without user interaction seems to be a big part of the problem. If only those who updated found the problem they could save headaches for the rest of the world that don't update immediately like robots. Sort of the problem with Windows 10 here where a bad update can brick everyone in unison. Choice is always a good option, including the choice to not update.

    • by Anonymous Coward on Monday April 04, 2016 @02:20PM (#51839589)

      They won't. They're changing a lot of stuff to, among other things, keep extensions and the browser binaries separate. On the one hand, that's good security which should have happened years ago; on the other, it will render a lot of extensions that are core to the Firefox experience for some users totally worthless, as the hooks they leverage will no longer be available.

      All that said, they won't be policing the extension libraries any more than Google does... it all relies on user reviews. People started noticing problems with the User Agent Switcher weeks ago, and Google did nothing about it, despite pages and pages of one-star reviews. If Firefox gets this bad, and there's every indication that it will, then it will create fertile ground for a new browser catering to the crowd that craves what Firefox used to offer: actual security and customization.

      • by Anonymous Coward on Monday April 04, 2016 @03:02PM (#51839981)

        If Firefox gets this bad, and there's every indication that it will, then it will create fertile ground for a new browser catering to the crowd that craves what Firefox used to offer: actual security and customization.

        Really? I doubt it.

        Firefox has sucked shit and gotten progressively worse for at least 3+ years. Chrome has never had the flexibility and customizability that made Firefox popular in the first place. So why hasn't someone taken advantage of this "fertile ground for a new browser"? The closest thing so far is Palemoon, which I've been using for about a year now. But it's just a slightly modified Firefox and there is no actual development going on -- they're completely dependent on Firefox to supply the code and then they just tweak it to give a better UI.

        I would love to see someone create a browser that has the features and UI that made Firefox popular, without all the extra, pointless bullshit. But that is looking to be less and less likely. It's too much work and nobody (including me) has the time (or in my case the skill) to take on such a big project and do it for free. The vast majority of work on major open source projects is now done by people who are getting paid. Which is completely understandable, but also sad, because it means that browsers are doomed to be controlled by companies who only care about selling advertising and don't give a shit about what users really want.

    • by goombah99 ( 560566 ) on Monday April 04, 2016 @04:17PM (#51840621)

      I'm just waiting for the day when the Flash or chrome auto-install-updates feature gets redirected to a malicious server and 90% of the world gets rooted.

    • by Anonymous Coward on Monday April 04, 2016 @05:28PM (#51841117)

      Anything that forces automatic updates can be fucked like this. That's why Chrome and Opera are stupid for not prompting the user to update extensions or let them disable updating per extension. Windows 10 follows this same idiotic, bleeding-edge, forced update crap that can and probably will, going by Microsoft's poor history of security, end up being exploited.

  • Get What You Pay For (Score:0, Informative)

    by Anonymous Coward on Monday April 04, 2016 @02:11PM (#51839473)

    People thought all these wonderful extensions were being made by people out of the goodness of their hearts?! Oh boy. Wait till you hear why Google made Chrome in the first place!

  • by Anonymous Coward on Monday April 04, 2016 @02:12PM (#51839485)

    Oh dear god. The fact that there is a need for "4chan Plus" leaves me proud of the Internet's freedoms and yet still terribly scared for humanity's future.

    • by Anonymous Coward on Monday April 04, 2016 @03:22PM (#51840175)

      Oh dear god. The fact that there is a need for "browsers that send all the users' data to parent company" leaves me proud of the Internet's freedoms and yet still terribly scared for humanity's future.

  • by cshark ( 673578 ) on Monday April 04, 2016 @02:12PM (#51839491)

    There's been weirdness like I've never seen before with some of this stuff.
    One of my screenshot extensions was doing something similar last night, and really weird behavior from my adblocker, which effectively knocked me offline until I could figure out what was causing it.

  • by wbr1 ( 2538558 ) on Monday April 04, 2016 @02:12PM (#51839495)
    Every time I go to the chrome web store I see questionable apps and extensions. Close named clones, etc. It seems like the web store is curated much less actively than the android app store, and even that one gets junk through.

    Just go and do a few searches and see for yourself.

  • by SQLGuru ( 980662 ) on Monday April 04, 2016 @02:13PM (#51839503) Homepage Journal

    This is actually one of the reasons that I don't install any extensions in my browsers. If you run bare-bones, you don't get accustomed to extensions that aren't available when you use other computers......you also don't have to worry about the quality or security of the add-on.

    When Firefox first came out, people raved about how good of a browser it was.....but then they rattled off a list of extensions you needed to add to make it great. Bare-bones IE was actually still better than bare-bones Firefox at the time [as a developer, I have and use all of the major browsers --- each without extensions]. If you compare them that way, you'd be surprised at how your ranking would change.

    • by Anonymous Coward on Monday April 04, 2016 @02:38PM (#51839721)

      HERP DERP

      I run a browser which was built explicitly to provide functionality via user-created add ons and I find that without these add ons (which were conceived of as the way to build in non-basic functionality), I only have basic functionality!

      You're retarded.

    • by Rob MacDonald ( 3394145 ) on Monday April 04, 2016 @02:42PM (#51839771)
      if you are honestly suggesting people go on the internet, with any browser, without blocking scripts and ads via an extension, i'm going to assume the developing you do is mostly adware and malware.
      • by SQLGuru ( 980662 ) on Monday April 04, 2016 @02:55PM (#51839907) Homepage Journal

        What a horribly wrong assumption.......

        I'm not worried about ads because I'd rather see/ignore an ad than pay for the content on sites like Slashdot (nebulous quality). I practice safe browsing (i.e. nothing shady outside of a locked down VM, stick to known-good sites, etc.) and recommend everyone else do the same. Known malware sites and sketchy ads are blocked at the firewall so that my less-tech-savvy family are protected as well.

        Why should I rely on a browser with a specific extension when I can protect EVERY browser (including mobile and tablets) with a single configuration update?

        • by SydShamino ( 547793 ) on Monday April 04, 2016 @04:23PM (#51840671)

          How do you run a locked-down VM on your phone? What exactly is a known-good site?

        • by cyber-vandal ( 148830 ) on Monday April 04, 2016 @04:44PM (#51840819) Homepage

          How do you know if a site is shady or not? Can you tell whether it's been compromised? How do you know if the ad network(s) they use aren't serving up infected ads?

        • by Anonymous Coward on Monday April 04, 2016 @06:16PM (#51841375)

          You guys are arguing over nothing. The GP was saying everyone should use an ad blocker and you're saying no, everyone should use an ad blocker. It doesn't matter if it's blocked at the browser or blocked at the firewall. You can't ask non-tech people to configure their firewall to block ads but you can ask them to click on this link to install an extension. The firewall is a stronger solution, but extensions will protect them when they connect to other networks.

          That said, there's no such thing as a known-good site. It doesn't exist. Better History Chrome was a known good extension until it was sold and an update suddenly turned it into malware. The same does happen to sites online. Any site can be hacked and turn from good to bad between a page refresh. The site itself could be hacked, your ISP could be hacked, your computer/router could be hacked, or the DNS entry could go bad. The New York Times news website has served malware to visitors on multiple instances. The entire Internet is shady. There is no way to know what you'll get from an address until you actually get it.

      • by Sigma 7 ( 266129 ) on Monday April 04, 2016 @03:34PM (#51840285)

        if you are honestly suggesting people go on the internet, with any browser, without blocking scripts and ads via an extension,

        Which is exactly what should be done. Blocking scripts and ads should be built-in to the browser and not require a third-party extension. If Netscape 2.0 can pause loading images until you press a button, then modern browsers can likewise pause Javascript, Flash, and other content until you also press a button.

        It's almost like browser programmers never heard of the Microsoft Outlook worms spreading through HTML e-mails in 1996, nor about boot sector viruses that automatically execute when you leave a floppy in the drive.

    • by The-Ixian ( 168184 ) on Monday April 04, 2016 @03:39PM (#51840331)

      You probably run the Comodo "secure" browser too huh?

  • Firefox (Score:5, Funny)

    by pablo_max ( 626328 ) on Monday April 04, 2016 @02:15PM (#51839527)

    That is why I use firefox in combination with flash and java.
    It uses so much system resources it would be impossible for any malware to do anything.

  • by Anonymous Coward on Monday April 04, 2016 @02:15PM (#51839529)

    These same creeps also took over all-in-one-gestures over two years ago, it took me the better part of three days debugging broken jquery scripts reported by a client to track it down...

  • That sucks ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Monday April 04, 2016 @02:15PM (#51839533) Homepage

    As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits.

    That really sucks, because basically it means malicious assholes can take control of these things.

    But, I think it points to a broader problem: EULAs.

    The notion that a product can be sold, have the EULA changed giving the new company the ability to ignore any limitations they don't like, and then have it be "too bad, it's in the license".

    There need to be real privacy laws, with real penalties, and real restrictions about what you can do with it once you've collected it.

    Shit like this should be illegal. And if people won't make it illegal (because lawmakers are on the payroll of large corporations who want this), then some of the black hats should be looking to burn you to the ground for being such douchebags.

  • by PPH ( 736903 ) on Monday April 04, 2016 @02:16PM (#51839535)

    Outsource it.

  • by 140Mandak262Jamuna ( 970587 ) on Monday April 04, 2016 @02:16PM (#51839537) Journal
    The original developer who built up the trust, sold out on Mar 23. It took the users some time to notice it, and in two weeks the extension is off the store. And other extensions have been spotted. So in some sense, not so bad.

    On the other hand the permissions model seems to be broken. So many users give the apps all the permissions it asks for. Once a permission is granted, it is often difficult to go back and turn off permissions. I don't know how to make it easy to use and to let the user have the flexibility of control.

    • by Thud457 ( 234763 ) on Monday April 04, 2016 @02:49PM (#51839851) Homepage Journal
      Hey, it's the American way! Why do you hate Capitalism?

      Buy a respected brand, rape it for all you can by outsourcing production to China and pocket all the extra money. Then find another bigger fool to buy the smoking heap when you can no longer milk any more money from the rubes with it.
    • by Anonymous Coward on Monday April 04, 2016 @02:57PM (#51839925)

      this has been an on-going problem with chrome extensions for a number of years now. once-legit extensions sold or transferred (or at least appear to be) to another party who then loads malware in to be auto-updated/installed by the entire user base. not just confined to chrome addons either, problem exists in android apps, too.

    • by Anonymous Coward on Monday April 04, 2016 @04:27PM (#51840695)

      It's not just the new owner that trashed the permissions. The old owner, the one who cashed out, shouldn't just be able to walk away with the cash and start a few new apps to start building trust anew. Heck, as far as we know the new owner is the old owner's "brother".

  • by SeaFox ( 739806 ) on Monday April 04, 2016 @02:17PM (#51839549)

    Is Rightscorp the developer?

  • by Anonymous Coward on Monday April 04, 2016 @02:32PM (#51839675)

    It's been years since we had a decent browser. All of them are obsessed with adding extensions and bloatware.

    • by Anonymous Coward on Monday April 04, 2016 @03:07PM (#51840037)

      They are obsessed with adding pointless crap that nobody wants, and, removing stuff that people actually do want. And it's not just browsers. There's some sort of weird mental illness affecting a lot of programmers across all types of software.

  • by Anonymous Coward on Monday April 04, 2016 @02:34PM (#51839693)

    Links that go to the web store are broken

  • by Anonymous Coward on Monday April 04, 2016 @02:38PM (#51839717)

    Crap... have uninstalled it now. Thanks /.

    FYI. To other people. Just because google removed it from the store, it's still active in your chrome and you have to manually remove it.

    That is why when I click a link, it redirects to some ad services. But it got nowhere since ublock origin blocked it.

    Now, to be more careful and just use minimal extensions like 5 or less, and it must be popular.

  • by Anonymous Coward on Monday April 04, 2016 @02:47PM (#51839817)

    The fact that they can auto update so silently without any easy way to disable that seems like the largest security hole.

    Updates should be selectable and come with user comments/comment voting to allow for some self policing.

  • by Anonymous Coward on Monday April 04, 2016 @03:18PM (#51840127)
    There is an Extensions Update Notifier [google.com] extension made by Googler François Beaufort that notifies you when extensions are updated, and optionally can disable any extension that has been auto-updated until you manually re-enable it.
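
The update notifier described in the comment above comes down to remembering each extension's version and permissions and flagging what changed after a silent update. An added example (not code from the thread or from that extension) that does the same from outside the browser by diffing `manifest.json` snapshots; it assumes Chrome's `Extensions/<id>/<version>_0/` profile layout, and the watch list, extension IDs and names are constructed.

```python
"""Added example: flag silently updated extensions by diffing manifest snapshots."""
import json
import tempfile
from pathlib import Path

# Assumed watch list: permissions that let an extension read or reroute traffic.
SENSITIVE = {"proxy", "webRequest", "webRequestBlocking", "tabs", "history",
             "<all_urls>", "http://*/*", "https://*/*"}


def version_key(dirname):
    """Sort key for version directories such as '1.4.2_0'."""
    dotted = dirname.split("_")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in dotted.split("."))


def snapshot(ext_root):
    """Map extension id -> name, version and permissions of its newest version."""
    snap = {}
    for ext_dir in sorted(Path(ext_root).iterdir()):
        if not ext_dir.is_dir():
            continue
        versions = [d for d in ext_dir.iterdir() if (d / "manifest.json").is_file()]
        if not versions:
            continue
        newest = max(versions, key=lambda d: version_key(d.name))
        try:
            text = (newest / "manifest.json").read_text(encoding="utf-8-sig")
            manifest = json.loads(text)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
        snap[ext_dir.name] = {"name": manifest.get("name", "?"),
                              "version": manifest.get("version", "?"),
                              "permissions": sorted(perms)}
    return snap


def diff(baseline, current):
    """Report extensions that are new or whose version changed since baseline."""
    findings = []
    for ext_id, cur in sorted(current.items()):
        old = baseline.get(ext_id)
        if old is not None and old["version"] == cur["version"]:
            continue
        old_perms = set(old["permissions"]) if old else set()
        added = sorted(set(cur["permissions"]) - old_perms)
        findings.append({"id": ext_id, "name": cur["name"],
                         "change": "updated" if old else "new",
                         "from": old["version"] if old else None,
                         "to": cur["version"],
                         "added": added,
                         "risky": sorted(set(added) & SENSITIVE)})
    return findings


def _write(root, ext_id, version, perms, name):
    """Create a constructed extension version directory for the demo."""
    d = Path(root) / ext_id / f"{version}_0"
    d.mkdir(parents=True)
    manifest = {"name": name, "version": version, "permissions": perms}
    (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Constructed profile: one extension gains traffic-level permissions in an update."""
    with tempfile.TemporaryDirectory() as root:
        hist, conv = "a" * 32, "b" * 32  # constructed extension IDs
        _write(root, hist, "1.4.2", ["history", "storage"], "Sample History Viewer")
        _write(root, conv, "0.9.0", ["storage"], "Sample Converter")
        baseline = snapshot(root)
        # Simulated auto-update that asks for proxy control and all-site access.
        _write(root, hist, "2.0.0",
               ["history", "storage", "proxy", "<all_urls>"], "Sample History Viewer")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for f in demo():
        flag = "REVIEW" if f["risky"] else "info"
        print(f"[{flag}] {f['name']} {f['from']} -> {f['to']} added={f['added']}")
```

Saving the `snapshot()` output as JSON and running `diff()` against it on a schedule gives a per-machine record of which update introduced which permission.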
  • by Anonymous Coward on Monday April 04, 2016 @03:31PM (#51840247)
    I use this with Firefox because there are *still* big name sites that think a user agent with "Linux" for the OS means their website won't work, so they block functionality. Are the makers of User Agent Switcher addons the same for both browsers?
    • by Anonymous Coward on Monday April 04, 2016 @06:15PM (#51841365)

      It looks to me like User Agent Switcher for Firefox is not the same as User-Agent Switcher for Chrome. Different developers, it appears, with similar sounding program names, like PDFCreator (good) and PDF Creator (bad).

  • by account_deleted ( 4530225 ) on Monday April 04, 2016 @03:38PM (#51840309)
    Comment removed based on user account deletion
  • by Anonymous Coward on Monday April 04, 2016 @03:43PM (#51840375)

    This is why I take extensions I use and install them locally (sideload) and remove any "phone-home" crap in them, and remove any ties to update servers or whatever.
    Knowing JS is very handy and has real-world use. Whodda thunk it?

    Admittedly the only extensions I use are a tab manager, an iframe header blocker (so I can iframe any site again) and a custom script injector.
    Using a script injector and a web server on local machine makes for simple customization of any website without the overhead of crap like Greasemonkey and the like.

    Depending on automated updates not shitting on your machine is a silly thing. Even when it comes to OSes. (as evidenced by Microsoft's hilariously awful updates that BSOD millions of machines regularly because they decided the userbase were better testers than actual testers)
    I mean, look at that one site that removed a module for a popular JS library and took down so many of these crappy library-heavy websites. Stupidity at its finest.
    Local copies > cloud / networked crap, always.

  • by idontusenumbers ( 1367883 ) on Monday April 04, 2016 @03:44PM (#51840387)
    Did Google also reconsider the feature that is at the heart of this issue? People only used this extension because of how incomplete the history viewer is in Chrome.
  • by Todd Knarr ( 15451 ) on Monday April 04, 2016 @04:26PM (#51840693) Homepage

    Thought: app stores need to change the app's identifying number when ownership changes hands. The app store can then notify users at the next update and let them choose whether to update and switch to the new version or reject the update. That'd put an end to this mess.

    • by phorm ( 591458 ) on Monday April 04, 2016 @04:32PM (#51840731) Journal

      And who is going to notify the app store that the ownership has changed?

      • by Anonymous Coward on Monday April 04, 2016 @07:56PM (#51841931)

        This exactly. It would be one thing if it was a single app that was sold, since they would have to pull it from the current developer and put it under the new one, but if the developer itself was bought out, Google wouldn't be notified of anything.

      • by Todd Knarr ( 15451 ) on Monday April 04, 2016 @08:21PM (#51842057) Homepage

        The developer themselves. It's already part of the process of transferring an app from one developer account to another. Google just has to modify the server portion to automatically change the identifier as part of the transfer process.

        If the developer set up a separate Google account for their developer account and they're transferring everything, they can just transfer access and in theory Google would be oblivious. In practice however the transfer involves things like changing the merchant account to use the new owner's bank accounts and credit cards, granting access to new individual Google accounts and closing down the access by the previous owner, that kind of thing. Google's tech should be good enough to flag that kind of activity when they haven't been notified of the account changing hands and send an inquiry. One addition to the terms of service, saying that transferring the actual Google account without notifying Google is grounds for suspending the developer account and all apps associated with it until the matter's been resolved, and it becomes very much in the interest of the buyer to make sure the notification happened. Even something as simple as tying an organizational account to an "owner" account (eg. you can set up a separate Google account to link the developer account to, but your personal account gets listed as "owning" that separate account and retains permanent control over it) and treating any transfer of that link to a different account as a change of ownership would probably work 99% of the time. The buyer probably wouldn't go for the seller retaining total control and the ability to kick the buyer out at any time, and the seller probably doesn't want to lose their personal Gmail and other services tied to their personal account.

      • by rsilvergun ( 571051 ) on Monday April 04, 2016 @10:25PM (#51842587)
        The author was honest; the buyer wasn't. In that case the seller is going to be the one that notifies google (if only to preserve their reputation).
  • Anyone installing an extension named "4chan Plus" gets what they deserve.
  • by Anonymous Coward on Tuesday April 05, 2016 @11:43AM (#51845939)

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%... [bing.com]

    Less power/cpu/ram+ IO use vs. local DNS servers + addons w/ less security issues vs. DNS + routers. Less complex vs firewalls (needing layered filtering drivers - hosts don't + firewalls block less used IP addresses, hosts block more used host-domain names) complimenting 'em. Antivirus = reactive. Hosts = FAR more proactive, blocking infection BEFORE you get it. Gets its data from 10 reputable security community sites.

    * My program protects hosts vs. ANY usermode hijack against hosts & even vs. kernelmode ones (via updating).

    APK

    P.S. - Hosts get you more speed (hardcodes + adblocks) & faster vs. addons, security (vs. bad sites/dns security issues), reliability (vs. downed/poisoned dns), & anonymity (dns requestlogs/trackers) vs. other "so-called -solutions'" w/ what you natively have. Unlike Adblock/UBlock/Ghostery, hosts != blockable by ClarityRay/BlockIQ... apk

  • by Anonymous Coward on Tuesday April 05, 2016 @12:19PM (#51846237)

    I just love how all the browser makers were all blaming browser Plug-ins like Flash and java for 99% of the malware, but yet it's really the browser Extensions that are the true carriers of malware, lol. So now instead of just worrying about 2 separate technologies to patch, google, FF, and MS have to weed through thousands if not millions.

    How's that for Karma
