http://arstechnica.com/security/201...ome-extensions-to-send-adware-filled-updates/ These comments: make Chrome sound like it doesn't have proper controls for syncing and updating. I hope that isn't the case.
I saw this yesterday and that just plain sucks. But, it's the risk you take with extensions. I'm pretty certain synching can be shut off, but no, I don't believe updating extensions can. Chrome really needs to get rid of "can see all your data" permissions. But then you're intruding upon the very method in which Google makes money, so I don't know. For all of the actual malware security Chrome has, excluding this particular instance, the browser seems very resistant to data security. Sadly the only thing you can really do to check these extensions is rely on the user reviews.
This must be the same for Firefox extensions? If I would see any ads thanks to an extension I´d uninstall it faster than i fart.
I've never played with Firefox sync. Regarding Firefox update controls... - Tools->Advanced->Update has controls related to browser and search engine updates - In the Help->About Firefox dialog the "Check for Updates" button will check for updates and, if available, immediately start to install them whether you wanted to or not. - The Add-ons Manager Gear button drop down has global controls for extension updates - In Add-ons Manager Extensions tab, the "More" link for each add-on has a control for automatic updating the specific extension - I don't think separately installed plugins are supported by Firefox's update mechanisms. However, in Add-ons Manager Plugins tab there is a link to manually check for updates via a Mozilla page. - In about:config you can search for the word update and/or browse the preferences So disabling extension updates across the board or individually should be no problem. IIRC, I was able to configure Firefox to check for extension updates and not install them (extensions.update.enabled=true, extensions.update.autoUpdateDefault=false, all extensions used the default) but the notification was only visible while viewing the Add-ons Manager page (making it considerably less useful).
Not only, IMHO. Since HTTPSB is able to control behind-scene requests (which also includes requests by extensions), this should, at least, mitigate this threat somewhat. But it's clear that Google has to improve the situation. There must be a better vetting system.
I'm sure you can see the problem with this though. You're relying on an extension to control possibly malicious extensions. Furthermore, you have to use that extension to begin with and, as far as I am aware few are. That isn't a knock against it, it is just that these sorts of extensions aren't used by the large crowds. Then, once you have it, you have to know which requests are which and have to experiment to see what they do when you allow or deny them. In other words, they have to learn to use the extension before they can rely on the extension to control extensions. Besides, it's time users stopped having to rely on themselves to fix vendor screwups. That's not saying they should be smart, but that vendors should be smarter and know better than this crap.
Google discards extensions that force feed users ads in Chrome http://news.cnet.com/8301-1023_3-57...tensions-that-force-feed-users-ads-in-chrome/
How to monitor extension updates in Chrome and Firefox http://www.ghacks.net/2014/01/18/monitor-extension-updates-chrome-firefox/
http://www.ghacks.net/2014/01/18/monitor-extension-updates-chrome-firefox/ Third option, not mutually exclusive with those above: When you encounter a software developer who isn't building in an "inform me when updates are available but let me decide whether and when to install them" option... beat them with a stick. Thoroughly. Then once more for good measure.
Yes, of course. That's why I said it's a problem which must be solved by Google. Nevertheless some remarks: I'm not relying just on "an" extension but specifically on HTTPSB. Not only because it's the only one, AFAIK, that is able to control behind-the-scene requests but also - even more importantly - because it's one of the relatively few extensions where its author meticulously documents on his home page what he's doing. As long as gorhill is doing it this way, I trust him (besides, I can't imagine that he will sell HTTPSB - he even refuses to accept donations ). Unfortunately, this openness is rather rare. I'm not sure if it's realistic that from now on we'll only install extensions that follow this principle. However, those incidents should teach us to inspect an extension more diligently before we decide to use it. But again, such an attitude is not a solution for the masses.
https://chrome.google.com/webstore/...ious/gceighgadbamgchioaofojlblndjcggh/details ExtShield There is two version in store right now. The version I linked has more features than the other (from same developer though). Must have for people with a lot of Chrome extensions. Review: http://lifehacker.com/chrome-protector-notifies-you-if-youre-running-an-adwa-1505371480 Note: Use at your own risk.
I'm sceptical. No homepage, no documentation, nothing. Just the opposite of what I said above about HTTPSB.
Yep. Well the author seems responsive and even created a reddit thread. As for the closeness of the extension as opposed to being open has something to do to prevent malware authors from circumventing it.
I will look at the code. First glance is negative impression as the code is obfuscated. Will report later. EDIT: The deobfuscated code is itself obfuscated as in impossible to make sense unless spending a lot of time to sort out. Example of deobfuscated portion of code: Code: chrome[_0x92e5[22]][_0x92e5[21]][_0x92e5[7]](function (_0xc6d7x1) { if (_0xc6d7x1[_0x92e5[15]] == _0x92e5[16]) { chrome[_0x92e5[19]][_0x92e5[18]](function (_0xc6d7x3) { for (var _0xc6d7x4 in _0xc6d7x3) { var _0xc6d7x5 = _0xc6d7x3[_0xc6d7x4]; if (isMalware(_0xc6d7x5[_0x92e5[17]])) { chrome[_0x92e5[12]][_0x92e5[11]]({ "\x75\x72\x6C": _0x92e5[10] }); return } } }) }; if (_0xc6d7x1[_0x92e5[15]] === _0x92e5[20]) { chrome[_0x92e5[12]][_0x92e5[11]]({ "\x75\x72\x6C": _0x92e5[10] }) } });
I tried it for a few minutes though. Throught httpsb, there is no suspicous outbound connection and seems to work fine. There's some bugs that I noticed though. After that I uninstalled as I only use two extensions. Httpsb and abp
The developer published a new version which is not obfuscated (instead of updating the original version). So I couldn't help but de-obfuscate further the original version (which is still in the store) to see how it differs from the newly published version. I don't see anything harm in the originally obfuscated version, it differs from the new one though. It was using a listener to detect whenever the user was navigating to an extension page at which time it was attempting to detect if the extension name (extracted from the extension page URL) was part of a hard-coded blacklist of extensions.)
Google dismisses eavesdropping threat in Chrome feature http://www.cso.com.au/article/536592/google_dismisses_eavesdropping_threat_chrome_feature/
Can you trust your browser extensions? Exploring an ad-injecting chrome extension Chrome Extensions Going Rogue
