Chrome Web Store falls to Brazilian whacks

Discussion in 'malware problems & news' started by vasa1, Mar 26, 2012.

Thread Status:
Not open for further replies.
  1. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    http://www.theregister.co.uk/2012/03/25/chrome_web_store_malware_hijacks_facebook_profiles/
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Never really liked the "web store", always seemed like a big feature creep to me. Just another reason to avoid it.
     
  3. tlu

    tlu Guest

    I thought that Google had started to check new apps uploaded to the web store some time ago. Embarrassing :thumbd:

    EDIT: Kaspersky writes: "Think twice before installing Chrome extensions". I'm tempted to say: "Think twice before installing Chrome as long as Google isn't doing their homework".
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There was a thread sometime ago about whether or not Google has a system in place to verify rogue extensions. I even provided links with evidence that they don't.

    This is just another great example. Unless someone is familiar with the people behind an extension, then one should stay the heck away from any of them, which probably means 99% of them. Pretty insane. o_O

    And, I still do not understand why Google hasn't done nothing about this. Why haven't they implement a system to verify extensions, before uploading them to Chrome Web Store? o_O

    I hope Google starts to have some bad advertising about it, everywhere. Once it starts happening, a change will happen. I like to think that it would.

    But, you're being drastic when you say I'm tempted to say: "Think twice before installing Chrome as long as Google isn't doing their homework"..

    Even Firefox, which I do praise Mozilla's work to prevent rogue extensions, doesn't come without its own issues. Heck, I remember a fight between two very popular extensions, where one of the developers introduced code to prevent the other extension from working. So... not exactly malware, but nonetheless an extension that went rogue.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't think it's drastic to feel uncertain about installing Chrome. This is a company constantly getting its own self in trouble, and they themselves make it hard to trust anything Google. You're right about Firefox extensions having issues, extensions there have a bit too much power, imo. However, at least the majority of them (if not all, maybe excluding the likes of AdBlock and NoScript) go through some kind of vetting process.

    Over in Chrome you get some half-assed "about the developer" thing, which can easily be tainted or outright faked, and very little else. Sometimes you can go by the comments, but who is to say the comments aren't planted? (the same could be said for Firefox extension comments as well).
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As discussed before the only time extensions are checked is when they load up binaries. This obviously is not enough. Malware can work within the sandbox - we see this with android.

    Google will be idiotic about this and not do anything until it's too late. Implementing a "bouncer" after hackers already have started getting money out of it is just going to make them try a bit harder.

    There should have been a bouncer from day one.

    Hopefully they actually do something but I am not confident.

    EDIT:

    Who's saying to feel uncertain about installing Chrome? It's the extension store (google seem sot have an issue policing these) that's got issues.

    Firefox uses a vetting process but I don't think AdBlock or NoScript are vetted anymore because of their reputation. This is why it was possible for NoScript to go rogue that one time.

    They need to implement some strong heuristics to red flag and review malware. They need to do thi svery very quickly or they'll be playing catch-up for months as they are with Android.

    They say that they've been taking them down as fast as the authors have been putting them up, perhaps this is already in place in some way.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Tlu said it was tempting to say to avoid installing Chrome based on "Google not doing its homework", which I happen to agree with. Whether it's not minding the shop when it comes to extensions, or one of many issues Google is involved in at a given time, it's difficult to place trust in them for many, myself included.

    Chrome is a good browser, Google is not a good company (anymore). Rather silly to use a product from a company that's hard to trust, right? I really wish they'd get their s*** straight, I really do. I'm not confident they will though either. They've had years now to put something in place, knowing extensions were likely attack vectors. Maybe they don't want to admit they aren't perfect, I don't know.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I somehow missed that.

    I agree that it's difficult to use a product from a company you don't trust. At this point I'd be wary to use Chrome based on other things if I weren't confident that it was fine based on packet sniffing and the fact that it is largely open source.

    My friend at Mozilla keeps pushing me to use Firefox though lol and he is convincing. If I hadn't done my homework I likely would have switched already.
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I totally agree with this. I admit I use some Google services as it's difficult not to, but their apathetic approach to security with extensions & some other Google issues quite frankly scare me.

    Chrome is relatively stable, safe & more or less bug free. As for Google, isn't their new motto "Resistance is futile"? :eek:
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, aren't you folks mixing things? One thing is privacy, another thing is security.

    I have doubts you're saying not to trust in Google due to security issues. ;) This thread is about a security issue, in what comes to extensions, considering there's no vetting process.

    I could very well say I don't trust Internet Explorer either; nor Firefox or Opera. Which is why I use Chromium. But, that's not the issue. :D
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Dodgy Google privacy policy issues aside; I was referring primarily to the lapse security at the Chrome Store.

    I will concede that Chrome is the safest browser 'out of the box', which is a good security policy by Google. The slacking at the Chrome Store however could be a portent of things to come from Google. Sometimes companies get too big for their boots.

    I don't trust Opera to work properly. ;)
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm not mixing things at all, my post was in fact referring to its security. Though, honestly, in today's world, privacy and security often go hand in hand. After all, if a company is invading your privacy in the form of tracking and what have you, it is also hampering a part of your security. But I get what you mean, and no, I don't intend to turn this into a Google rant.

    Their general company practices are well known, their intent is well known, so we needn't beat a dead horse. This is about their extension process, and said process frankly sucks.
     
  13. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    For those who don't know, both Chrome and Chromium are made by Google. It seems necessary to point this out.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, I actually misundertood your post. Don't know why, but I associated it with privacy. :D

    But yes, they should get their **** together. This isn't funny any longer. Google Chrome Web Store is weak spot, and they must take care of it once and for all.

    It's actually pretty crazy if you think about it. All a cybercriminal has to do is have a website with some dead video saying the user needs to install Adobe Flash Player. Maybe the user knows he/she shouldn't install programs from non-official sources. But, this website actually says to download Adobe Flash Player from Chrome Web Store - Google's official website for extensions. Maybe they think OK. Maybe Google partnered with the folks behind Flash Player. I'll install it. o_O

    Quite a few security researchers have shown that Chrome Web Store simply has no vetting process to spot this malicious extensions. One has to wonder why Google still hasn't done anything about it. o_O

    Maybe it isn't getting that bad publicity about it? That would be a strong bet... Maybe this needs to change. :D
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And your point is? o_O I suppose I should have put the :rolleyes: emoticon in my previous post... Then again, and I don't know if this reply was meant for me, I did not say I don't trust Google. lol
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    This is an unsubstantiated claim. But it is fashionable and emotive and is being exploited.
     
  17. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It's not unsubstantiated that Google tracks people. Tracking is a privacy issue. Ipso facto privacy is also a security issue.
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    My point is exactly that: even in the Ubuntu forums, I've seen anti-Chrome rants and suggestions to use Chromium instead without any recognition or admission that both browsers are made by the same entity.

    Whether to trust something or the other is certainly not a decision to be based on ambient noise.
     
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Ipso facto and semiotics and irony don't really cut it.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Then, I'll have to ask again: What's your point?

    You came up with For those who don't know, both Chrome and Chromium are made by Google. It seems necessary to point this out.

    Apparently, as a reply to one of my posts. Although, nowhere in that same post I made mentions to Google Chrome. Which is why I'm asking: What's your point?
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Err, hate to derail this..but where are you getting unsubstantiated from? There's plenty of proof for Google tracking, and, if you're trying to argue that privacy is not related to security, well, I don't see how you can come up with that either.
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Neither do immature ad hominem pointless retorts, apparently. :rolleyes:
     
    Last edited: Mar 26, 2012
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,802
  24. tlu

    tlu Guest

    Well, it's a thorough vetting process - see here.
     
  25. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    @vasa1: Thanks for pointing out that both Chrome & Chromium are developed by Google. In so many articles, blogs, posts I have seen authors recommending to chuck Chrome and embrace Chromium as it is open source and do not contain "proprietary Google code"

    What is unsubstantiated that you are referring to? Google's tracking or privacy and security often going hand in hand?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.