Cracking Open Chrome

Discussion in 'other security issues & news' started by ronjor, Aug 3, 2011.

Thread Status:
Not open for further replies.
  1. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Right-clicking on a visible irritant and looking for the image location (and image link?) should give that info.

    I also go into about:cache frequently and look for stuff that doesn't seem necessary. I get a lot of trackers and other nuisances that way. Needless to say, it's a bit of a time-waster but informative :D
     
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Yup! If you're happy and you know it, as the song goes.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    This is really really old, but the answer about Firefox Modifications is here: http://ubuntuforums.org/showthread.php?t=826536. It evidently allows extension installs through Ubuntu package manager and integrating FF with the rest of the system.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Yeah, I'm happy, but ignorance can be bliss too. ;)
    You guys keep me on my toes, that's for sure.
     
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Hey, thanks for that :)

    I've had it disabled ever since I spotted it. I'm not really sure how it got there considering I got my install direct from Mozilla. Perhaps, they take a look at the distro's nature (Debian- or RedHat-like? Gnome- or KDE-like)? But that thread is an interesting read. Thanks once again.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You're very welcome :)
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Simple mitigation: Chrome by default only allows extensions to be installed from trusted sources. Just like how Android by default doesn't allow extensions to be installed from 3rd party sources.

    And just an FYI:

    Yes, the Chrome API is tighter than Firefox's. Chrome will have "proper" adblocking though in versions 14/15.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If you're saying just install from the Chrome web store to avoid this threat, well, that would be fine if said extensions were looked over by the Chrome team or at least someone before they were let loose upon the public.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The thing about that is that "verified website" doesn't mean a lot; per Chrome's own FAQ, it simply means that the extension is made by who it says it is. That leaves out whether they are harmless, up to no good, or on the "grey" side of things. You know what I mean? A website doesn't have to be infected with malware to the brim to be considered unsafe. Look at that threat talked about here, no malware is involved (not in the true sense of the word at least).

    I know what you're trying to point out, I just don't think it goes far enough. Google really should be watching things more carefully, imho.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They do check up on extensions though and if they're found to be malicious they're removed.

    It could be tighter.
     
  13. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You do realize most of the malicious apps were from the store itself right?
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, I do.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well per that linked article at the start of the thread, they don't check. So it would be nice to know which is it, whether they do or don't.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah? News to me.
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    From page two of http://www.technologyreview.com/computing/38227/ "The researchers say there's no way to block this threat because anyone can make an extension, and Google doesn't review them before they're made available to users. There are nearly always going to be some extensions with security vulnerabilities, giving hackers a way to bypass the otherwise solid protections of Chrome OS."

    I'm not trying to argue, I'm just going by what is said there. It seems to be trustworthy enough *shrug*.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No, I understand.

    I don't think they're reviewed before they're up, I thought they were reviewed after. I know it's that way for Firefox and I'd believed it to be the same for Chrome.
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Now see, I thought Mozilla looked them over before sending them to the addons site. Kinda nice that these are sent through for the world to get their paws on, and then they check for bad behavior, right? :D
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, well, it would take forever to screen every single one. People want their extensions ASAP =p
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well perhaps there could be some control over the kinds of addons and how many there should be ;) Go through Mozilla's addon site and see how many of those are utterly useless (many even abandoned). I know you'd tick off some people by having that much control, but, eh, it's an idea :D I thought most of this screening was automated anyway?

    P.S. I could easily wait a week for my precious extension to be available if I know it's been looked over to make sure it won't pwn me. Maybe I'm just too patient a person, hehe.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They should have addons screened in an automated process that looks for suspicious actions. If they're deemed suspicious they should get marked as such until they can be reviewed further.

    Marked extensions should give a warning when users attempt to install them. Same goes for 3rd party extensions not found on the Chrome webstore.

    That's how I'd do it.
     
  23. tlu

    tlu Guest

    How is this issue related to Chrome OS being *nix-based?

    Anyways, the problem mentioned in the article:

    ... was described by myself some months ago in the Google Chrome extensions thread. Surprisingly, it didn't gain much interest.

    My last sentence in that posting was:

    :D :D :D
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    In answer to your question:

    A Chrome extension cannot read your passwords unless you give it permission to. Any and all permissions are shown when you install the extension. Malicious or not, it is simply built into how extensions run: they have to state what sites they run on and what data they need to access.
     
  25. tlu

    tlu Guest

    Really? You usually get a warning that the extension has access to your tabs, browser activities and to your data on all websites. Too general and unspecific to prevent anyone from installing an extension (particularly as this applies to nearly all of them).
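
The last few posts turn on what an extension declares in its manifest and how broad those declarations usually are. The following is an added example, not part of the thread and not Chrome's own code: it sorts a manifest's `permissions` and content-script `matches` into API names, all-sites host patterns and site-scoped host patterns, and marks the extension for further review when the broad ones appear. The manifest is constructed sample input, and `auditManifest` and its review rule are hypothetical.

```javascript
// Constructed sample manifest (not a real extension).
const sampleManifest = {
  name: "Constructed Sample Notes",
  version: "1.0",
  permissions: ["tabs", "http://*/*", "https://mail.example.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }]
};

// Host patterns whose host part is a bare "*" match every site on that scheme.
const BROAD_HOST = /^(<all_urls>|(\*|https?|ftp):\/\/\*\/.*)$/;

// Entries with a scheme separator (or <all_urls>) are host patterns, not API names.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Hypothetical audit: returns what the extension asks for and whether the
// request is broad enough to hold it back for a closer look.
function auditManifest(manifest) {
  const declared = (manifest.permissions || []).filter((p) => typeof p === "string");
  // Content scripts reach pages through "matches" even when "permissions" is empty.
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = [...new Set([...declared.filter(isHostPattern), ...scriptHosts])];

  const report = {
    apis: declared.filter((p) => !isHostPattern(p)),
    broadHosts: hosts.filter((h) => BROAD_HOST.test(h)),
    scopedHosts: hosts.filter((h) => !BROAD_HOST.test(h)),
    findings: []
  };
  if (report.broadHosts.length > 0) {
    report.findings.push("data on all websites: " + report.broadHosts.join(", "));
  }
  if (report.apis.includes("tabs")) {
    report.findings.push("tabs and browsing activity");
  }
  // Review rule (an assumption of this example): any broad finding marks the extension.
  report.needsReview = report.findings.length > 0;
  return report;
}

const result = auditManifest(sampleManifest);
console.log(result.needsReview ? "MARK FOR REVIEW" : "ok", result.findings);
```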
     