Google Apps, how safe are they?

The following has occurred, I have installed the following App Ultimate Chrome flag.
h**ps://chrome.google.com/webstore/detail/dbpojpfdiliekbbiplijcphappgcgjfn

It constantly connects to the following ip address: 67.212.77.12 or 67.212.77.13 using various ports 60741,60742,60752,60753,53456,53460, Process: chrome.exe) ect.

This is the only App that does this, does it need to do this to function?

A quick Google search didn't provide any useful info.
Apparently it is not blacklisted, MBAM does block this however.

The solution is simple removing or disabling the App. solves the problem.

My question how dangerous is this, or other apps on Google?
Does google have some sort of safeguard in place?

Google help explanation: This item can read every page that you visit -- your bank, your web email, your Facebook page, and so on.

Does this mean it's a key-logger of sorts, can it read my typed password?

I will not install an App. that requires All data on your computer and the websites you visit to be seen.

Can someone with more expertise please help me on this, some Apps are great.

Or should I suspect the worst?

Thanks

 

It got 113,966 users, if it was malicious someone would have found out by now. Of course it connects to these IP addresses. How else should it get the information it provides?

Be cautious with less popular extensions. Yes, they can read your passwords or worse. Check the comments, "More from..." and judge yourself if it looks trustworthy.

AFAIK Chrome extensions run inside the sandbox so they can't read all your data or break out of Chrome and "infect" the rest of the system.

 

FULL STOP.

A large quantity of users does not ensure that anyone has looked at the code at all. Groups of people are very foolish, only individuals are intelligent, so do not fall prey to groupthink or herd mentality. Everything you need to know, Chrome told you:

1. You are giving full access to the application to see everything you do, follow you where you go, and access all your browser data. You are essentially entrusting it with surveillance capability over your entire browsing experience, and giving it the capability to phone home for unknown communications.

2. This application is either very poorly designed in that it needs you to submit full access to your browser, is malicious now or potentially in the future, or it legitimately requires you to give up access to a level you are not comfortable with.

Naturally it is a personal choice for you. However, you already know you are not comfortable with it, and there is no reason you should give up your privacy or security to a 3rd party you don't trust unless there is nothing you use your browser for that requires security or privacy, like logging into a website.

 

Good points, thanks for taking the time to reply.
I have uninstalled this particular app. and will stick to the verified websites.

 

It's not group think, it's actually simple statistics. There have been malicious addons, but they all got detected way before they could reach a larger user base.

Of course we'd first need to establish what a "malicious" extension is. I used it in the sense of "mal"ware and not riskware, adware or greyware. There are privacy implications, it might be used to profile your browsing habits for example which then is sold for targeted advertising and things like that. However the risk that this is a real malicious credential stealing, keylogging trojan are too minuscule to worry about. Or do you also worry that Aurora 2.0 gets into the Chrome built servers and distributes a fake update?
Anyway, with Chrome in the default configuration you already are "giving full access to the application to see everything you do, follow you where you go, and access all your browser data. You are essentially entrusting it with surveillance capability over your entire browsing experience, and giving it the capability to phone home for <...> communications." Yes, just Chrome alone, and it's not speculation or a possibility. It DOES send all URLs you enter to Google, all sites you visit that use ga, all search entries etc. It also used to send a unique ID that couldn't be deleted and it makes connections over https (to check which country you are in so .com is redirected to .ccTLD)

There is a huge difference between malware and greyware in terms of how easy and quick they get detected. Malware authors are usually interested in stealing your identity or getting into your bank account. These actions make them an easier target themselves. Greyware authors have more indirect ways to get to "their" money and since it's also legally a grey area, makes them much harder to prosecute.
Reminds me of the blackhat talk Security The Facebook Way, 2010. Find the actors, frustrate their economics and the technical aspects of security becomes a lot less important (i.e. you can't fix all vulnerabilities anyway or in our case, audit every piece of code you run).

On chrome extension security: http://www.pcmag.com/article2/0,2817,2359778,00.asp
and chrome.google.com *is* as verified as any download site. You always need to trust the vendor/users etc. unless you audit the code yourself. Which in the case of chrome extensions is really easy, it's just javascript and html.

Here's a report on a malicious extension, guess what? It wasn't distributed over chrome.google.com
http://www.malwarecity.com/blog/trojan-as-fake-google-chrome-extension-797.html

I also have to note that this extension isn't necessarily "very poorly designed". Steve, I don't think you understand the permission model of Chrome. It's _impossible_ to deliver the functionality of this extension without requesting said permission.

 

Doing some further research, I came across this extension. It may be of interest to some members.

https://chrome.google.com/webstore/detail/bbamfloeabgknfklmgbpjcgofcokhpia

Authors description:

Get detailed report on what each extension in a gallery is doing before installing it.

Displays:
- List of granted permissions (what this extension has access to)
- Extension features (whether or not it has toolbar icon, options page, etc)
- Which API methods are actually used
- Complete list of all extensions files

It was made for those who find Google's default extension installation warning not good enough.

Oh, and you would finally be able to tell what "My first extension!!!11" does without downloading it

 

Although Chrome may be an extreme, it's by no means unique. It's increasingly the norm to accept pervasive surveillance in order to get convenience and protection. Providers of real-time services must know what you're doing. Guardian angels, and all that. Anyway, who would have thought that we'd so readily embrace the panopticon?

 

Is that really any different than most add ons in firefox? Perhaps I misunderstand something, but in firefox, I expect Adblock, flashblock, better privacy ... pretty much every add on can and does read every page I visit, including email, banking, facebook (well, I never visit facebook) etc. If they didn't, how could they do their job? That does not mean they send the information I provide to some 3rd party without my permission, but I guess they could. Perhaps the message should be treated as a good reminder of the possible consequences of using an add on you aren't familiar with or from a source you don't know and therefore may not trust.

The part about connecting to an IP address would give me pause for concern, though.

FWIW, I have gotten a similar message with all the addons I've added to chromium under linux.

 

Addons in other browser don't have any permission restriction at all, they have the same privileges as the browser itself and by that (since most OSs don't have proper privilege separation and a RBAC/MAC system) the same privileges as the user himself.
If you trust the addon authors the same as the browser devs that is on itself nothing really problematic.

Chrome addons are written in JS, JS is executed in a VM which already isolates the code, as you know Chrome puts the whole javascript engine and html rendering into a sandbox so it's actually isolated twice. This protects against malicious/buggy addons messing with the system and user files but of course the addons might still have access to in-browser data like online credentials or visited urls.

The Chrome (OS) model is the closest thing we have to a secure least privilege computing system that is mainstream ready. But that still doesn't stop scam artists, social engineering, phishing and so forth. It can't solve the fundamental trust issues and certainly not PEBKAC but, if the security boundaries are sound it means the days of application level vulnerabilities are over.
However, how big of an accomplishment that is if "the browser is the OS" and the "apps" are all glorified html+ajax, I'm really not so sure about

 

This Post may address some of your concerns.