Vendors buy Chrome Extensions to push ads and malware updates

Discussion in 'privacy problems' started by TheWindBringeth, Jan 18, 2014.

  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    http://arstechnica.com/security/201...ome-extensions-to-send-adware-filled-updates/
    These comments:
    make Chrome sound like it doesn't have proper controls for syncing and updating. I hope that isn't the case.
     
  2. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    I saw this yesterday and that just plain sucks. But, it's the risk you take with extensions. I'm pretty certain synching can be shut off, but no, I don't believe updating extensions can. Chrome really needs to get rid of "can see all your data" permissions. But then you're intruding upon the very method in which Google makes money, so I don't know. For all of the actual malware security Chrome has, excluding this particular instance, the browser seems very resistant to data security. Sadly the only thing you can really do to check these extensions is rely on the user reviews.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    This must be the same for Firefox extensions? If I would see any ads thanks to an extension I'd uninstall it faster than I fart.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I've never played with Firefox sync. Regarding Firefox update controls...

    - Tools->Advanced->Update has controls related to browser and search engine updates
    - In the Help->About Firefox dialog the "Check for Updates" button will check for updates and, if available, immediately start to install them whether you wanted to or not.
    - The Add-ons Manager Gear button drop down has global controls for extension updates
    - In Add-ons Manager Extensions tab, the "More" link for each add-on has a control for automatically updating the specific extension
    - I don't think separately installed plugins are supported by Firefox's update mechanisms. However, in Add-ons Manager Plugins tab there is a link to manually check for updates via a Mozilla page.
    - In about:config you can search for the word update and/or browse the preferences

    So disabling extension updates across the board or individually should be no problem. IIRC, I was able to configure Firefox to check for extension updates and not install them (extensions.update.enabled=true, extensions.update.autoUpdateDefault=false, all extensions used the default) but the notification was only visible while viewing the Add-ons Manager page (making it considerably less useful).
     
  5. tlu

    tlu Guest

    Not only, IMHO. Since HTTPSB is able to control behind-scene requests (which also includes requests by extensions), this should, at least, mitigate this threat somewhat. But it's clear that Google has to improve the situation. There must be a better vetting system.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have Firefox set to not automatically update extensions.
     
  7. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    I'm sure you can see the problem with this though. You're relying on an extension to control possibly malicious extensions. Furthermore, you have to use that extension to begin with and, as far as I am aware, few are. That isn't a knock against it, it is just that these sorts of extensions aren't used by the large crowds. Then, once you have it, you have to know which requests are which and have to experiment to see what they do when you allow or deny them. In other words, they have to learn to use the extension before they can rely on the extension to control extensions.

    Besides, it's time users stopped having to rely on themselves to fix vendor screwups. That's not saying they should be smart, but that vendors should be smarter and know better than this crap.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Google discards extensions that force feed users ads in Chrome
    http://news.cnet.com/8301-1023_3-57...tensions-that-force-feed-users-ads-in-chrome/
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    http://www.ghacks.net/2014/01/18/monitor-extension-updates-chrome-firefox/
    Third option, not mutually exclusive with those above: When you encounter a software developer who isn't building in an "inform me when updates are available but let me decide whether and when to install them" option... beat them with a stick. Thoroughly. Then once more for good measure.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I'll pass that along to some Devs I know - this might change things a bit.
     
  13. tlu

    tlu Guest

    Yes, of course. That's why I said it's a problem which must be solved by Google.

    Nevertheless some remarks: I'm not relying just on "an" extension but specifically on HTTPSB. Not only because it's the only one, AFAIK, that is able to control behind-the-scene requests but also - even more importantly - because it's one of the relatively few extensions where its author meticulously documents on his home page what he's doing. As long as gorhill is doing it this way, I trust him (besides, I can't imagine that he will sell HTTPSB - he even refuses to accept donations ;) ). Unfortunately, this openness is rather rare. I'm not sure if it's realistic that from now on we'll only install extensions that follow this principle. However, those incidents should teach us to inspect an extension more diligently before we decide to use it. But again, such an attitude is not a solution for the masses.
     
  14. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    https://chrome.google.com/webstore/...ious/gceighgadbamgchioaofojlblndjcggh/details

    ExtShield

    There are two versions in the store right now. The version I linked has more features than the other (from the same developer though). Must have for people with a lot of Chrome extensions.

    Review: http://lifehacker.com/chrome-protector-notifies-you-if-youre-running-an-adwa-1505371480

    Note: Use at your own risk. :D
     
    Last edited: Jan 22, 2014
  15. tlu

    tlu Guest

  16. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Yep. Well, the author seems responsive and even created a reddit thread. The closedness of the extension, as opposed to being open, has something to do with preventing malware authors from circumventing it.
     
  17. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    I will look at the code. First glance is negative impression as the code is obfuscated. Will report later.

    EDIT: The deobfuscated code is itself obfuscated as in impossible to make sense unless spending a lot of time to sort out. Example of deobfuscated portion of code:

    Code:
    chrome[_0x92e5[22]][_0x92e5[21]][_0x92e5[7]](function (_0xc6d7x1) {
        if (_0xc6d7x1[_0x92e5[15]] == _0x92e5[16]) {
            chrome[_0x92e5[19]][_0x92e5[18]](function (_0xc6d7x3) {
                for (var _0xc6d7x4 in _0xc6d7x3) {
                    var _0xc6d7x5 = _0xc6d7x3[_0xc6d7x4];
                    if (isMalware(_0xc6d7x5[_0x92e5[17]])) {
                        chrome[_0x92e5[12]][_0x92e5[11]]({
                            "\x75\x72\x6C": _0x92e5[10]
                        });
                        return
                    }
                }
            })
        };
        if (_0xc6d7x1[_0x92e5[15]] === _0x92e5[20]) {
            chrome[_0x92e5[12]][_0x92e5[11]]({
                "\x75\x72\x6C": _0x92e5[10]
            })
        }
    });
     
    Last edited: Jan 22, 2014
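Added example (not part of the thread and not the extension's code): the snippet above hides every property name behind a lookup into a string table (`_0x92e5[n]`) and hex-escapes its literals. The JavaScript below undoes both transformations statically, without running the obfuscated code. The table `_0xab12` and its contents are constructed for illustration, since the real `_0x92e5` table is not shown on the page.

```javascript
// Constructed sample in the style of the snippet above. The table name and
// contents are invented; the extension's real _0x92e5 table is not on the page.
const sample = String.raw`
var _0xab12 = ["\x74\x61\x62\x73", "\x63\x72\x65\x61\x74\x65", "about:blank"];
chrome[_0xab12[0]][_0xab12[1]]({ "\x75\x72\x6C": _0xab12[2] });
`;

// Rewrite each double-quoted literal with its escapes decoded.
// The source is handled purely as text and is never eval'd.
function decodeLiterals(src) {
  return src.replace(/"(?:[^"\\\n]|\\.)*"/g, (lit) => {
    // JSON has no \xHH escape, so express it as \u00HH; "\\" pairs are skipped
    // so an escaped backslash followed by "x41" is not mistaken for \x41.
    const json = lit.replace(/\\(?:\\|x([0-9a-fA-F]{2}))/g,
      (m, hex) => (hex ? "\\u00" + hex : m));
    try {
      return JSON.stringify(JSON.parse(json));
    } catch {
      return lit; // escape forms JSON cannot parse stay as they were
    }
  });
}

// Locate `var _0x... = [ ... ];` and return its name, parsed contents and the
// remaining source. Assumes no table entry contains a "]" character.
function extractTable(src) {
  const m = /var\s+(_0x[0-9a-f]+)\s*=\s*(\[[^\]]*\])\s*;?/.exec(src);
  if (!m) return null;
  try {
    return { name: m[1], table: JSON.parse(m[2]), rest: src.replace(m[0], "") };
  } catch {
    return null; // not a plain array of literals
  }
}

function deobfuscate(src) {
  const decoded = decodeLiterals(src);
  const t = extractTable(decoded);
  if (!t) return decoded.trim();
  const ref = new RegExp(t.name + "\\[(\\d+)\\]", "g");
  return t.rest
    // inline table lookups; out-of-range indexes are left untouched
    .replace(ref, (m, i) => (i in t.table ? JSON.stringify(t.table[i]) : m))
    // obj["name"] -> obj.name when the key is a plain identifier
    .replace(/(?<=[\w$\])])\["([A-Za-z_$][\w$]*)"\]/g, ".$1")
    .trim();
}

console.log(deobfuscate(sample));
```

Applied to the real extension source, the same two passes would turn calls of the form `chrome[_0x92e5[12]][_0x92e5[11]]({...})` into readable API names, which is the point at which the requested permissions and network destinations can be reviewed.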
  18. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    I tried it for a few minutes though. Through httpsb, there is no suspicious outbound connection and it seems to work fine. There are some bugs that I noticed though. After that I uninstalled as I only use two extensions. Httpsb and abp
     
  19. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    The developer published a new version which is not obfuscated (instead of updating the original version).

    So I couldn't help but de-obfuscate further the original version (which is still in the store) to see how it differs from the newly published version.

    I don't see anything harmful in the originally obfuscated version, it differs from the new one though.

    It was using a listener to detect whenever the user was navigating to an extension page, at which time it was attempting to detect if the extension name (extracted from the extension page URL) was part of a hard-coded blacklist of extensions.
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    According to version details, that is actually an older version than kupo's.
     
  21. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  22. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://barracudalabs.com/2014/02/mo...pacting-180k-users-that-google-should-remove/
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA