Google purges bad extensions from Chrome (bbc.com)
198 points by angeNoble on April 8, 2015 | hide | past | favorite | 90 comments


This is fantastic news.

The Quick Note Chrome extension from Diigo (now removed) submits every URL visited to a third-party server and those URLs are then crawled the next day.

We just switched our 25-member customer service team to Chromeboxes and were very concerned to find soon after that an EC2-based crawler was querying private URLs of our platform.

Because the Chrome Web Store had not banned bad actors like Diigo, we have now blacklisted all Chrome extensions except for a very small number that I personally approve. Rather than feeling that ChromeOS was improving our security, we had our chief software architect spend most of the weekend figuring out who was targeting our platform. (All queries received 404 errors, but we remained concerned whether the rogue extension could read the submitted form credentials or the cookie store to get access.)

Rogue extensions are wasting a huge amount of time and destroying trust in the Chrome platform. Here's some more detail on similar stories about Diigo:

https://chrisa.wordpress.com/2014/08/25/chrome-extensions-go...

https://mig5.net/content/awesome-screenshot-and-niki-bot

I am thrilled to see Google finally acting to restore trust in their platform.

Update: Google removed Diigo Quick Note, but still has Awesome Screenshot <https://chrome.google.com/webstore/search/diigo?hl=en-US> which captures the identical data and sells it to third party crawlers.


Sounds like it's the same as Google's previous clampdowns on rogue extensions - they removed a few high-profile offenders, put out a press release about it, and left a whole load of malicious extensions untouched even though they'd been repeatedly reported.


A good thing would probably be to have a way to see the requests triggered by installed extensions. Even checking this list once in a while and manually reporting the suspicious ones with a "report" button would make these rogue extensions almost worthless.


Have you tried out the new "Chrome Apps & Extensions Developer Tool" https://chrome.google.com/webstore/detail/chrome-apps-extens... ?

It appears to log what actions each application and extension performs, view permissions, and debug the extensions' background pages.


That would be pretty nice. I tend to have half a dozen extensions loaded, mostly dev extensions from trusted sources. I've also used the source versions of a few.

I think one of the worst things to me is the number of drive-by installers that now target Chrome, Firefox and IE with malware extensions, or transparent proxies. I saw one on a friend's son's computer and mainly noticed because there were additional ads on Amazon's site. Sometimes I think we should bring back outlaw (dead or alive) status for certain classes of criminal dregs on society... Then I think about where the likes of Snowden would fall from the government's perspective and think it over again.


Just a guess but can you see those in the DevTools on the Network tab? Needs to be open before you load the page. I'd check but I don't have any extensions installed except WTF and the WebGL Inspector.


This depends on what/how the extension is accessing the network. They have a background page and they can inject scripts on visited pages. If they are injecting scripts which then make the requests then it would show up in the DevTools on the page you are visiting, but this is uncommon.

Instead it is far more likely for the extension to make the requests from their background page (which has elevated permissions) which is essentially its own page with its own inspector. You can inspect each extension individually by going to your extension listing, enabling developer mode and inspecting the background page of the extension you suspect.


Right, but I think the parent was suggesting a way to see historical URL accesses by extensions so you could audit them.


You can see EFF PrivacyBadger code getting injected in the source tab in dev tools, not positive about network requests. It wouldn't be hard to test though, just make a simple extension that does XHR to example.com and load it up locally. Chrome extensions are surprisingly easy to write, and there are some simple tutorials if you google around a bit :)

EDIT: here's how to inspect extensions you're curious about: https://developer.chrome.com/extensions/tut_debugging


Somewhat unrelated, but if you email a private URL to a Microsoft email address, they will also crawl it, about once a month (I get an email any time someone accesses it and the MS bot is the only one accessing it). Not sure if Google also does that...


This is why I always put a user/pass on any private URL.

I don't think their URL scanners are clever enough to dig through emails and try user/pass combos


ISTR Diigo breaking our rules for the delicious API... In 2007? I guess some stuff doesn't change.


Agh, damn. Just removed Awesome Screenshot due to your comment, and I liked it as an extension too. Not enough to leak information to third parties though.


And this is why Google sucks: even technically apt people can get suckered. Google bears responsibility for what's in the Chrome Web Store, except they (as standard) duck it and dump all responsibility onto the users. If even sophisticated users can get fooled, what hope do most folks have?

The answer is for Google to own what is in their store, but that costs money.


Try using Greenshot


This is exactly what Google does with every single link you receive in Gmail.


I think Awesome Screenshot is a "bad" extension too, but purging it from the store is too much.


"This extension will have access to your browsing history and private data on all websites".

Which is usually accompanied by the developer apologising and explaining they have to declare this in order to provide the extension's core functionality. Users then learn to ignore these warnings, and malicious extensions ensue.

I'm glad Google is taking malicious extensions seriously, but purging is a difficult semi-manual effort when extensions can update any time. A lot more effective would be to bake security into the whole model. Extensions shouldn't need to see your entire browsing history on all sites just to enhance some links or do syntax highlighting.

It should also be possible to request permissions on demand, and for certain URLs, instead of blanket-consenting before the extension is even installed. I know these things are a trade-off with simplicity, but should at least be there for orgs and individuals who want to take advantage of them.


Sounds like Chrome's "security model" for extensions is just as awful as Android? Large, sweeping permissions categories rather than fine-grained control, and all-or-nothing acceptance.


Pretty much the same, which is different to general websites, which do on-demand permissions (as with iOS model).

Chrome extensions can request access only to specific URL patterns, so they can be fine-grained about location, but the actual permissions tend to be coarse-grained. And as a user, you can't change the URL pattern (that's some low-hanging fruit right there: users should be able to edit the URL pattern for any extension).

In some respects, Chrome apps are morphing to be general websites (e.g. with manifest.json and installing to the home screen on Android), so hopefully things will move more in the direction of the web. There were also some hints towards on-demand permissions in the security talk at the most recent Chrome Web Summit, but I'm not sure it's proceeding.


I really appreciate that an SPA can function more as an offline application, not just a website. I wish that there were a standard endorsed beyond just the manifest.json though... I wish there were a .{someExtensionThatIsReallyZip} package that contained a manifest.json, as well as all other files that package needed... this is how chrome extensions are, but it would be nice to see a standard model for apps supported by more browsers for this.

For all the things I didn't/don't care for regarding Flash and Silverlight, having a single compressed downloadable package is a nicety. I think Silverlight did a better job of it though. When Adobe bought Macromedia, my sincere hope was that they'd turn Flash into a more open format that was an archive manifest with SVG, MP3 and other assets with closer to plain JavaScript for their part. That could have been something browsers would be more likely to have embraced.


>Pretty much the same, which is different to general websites, which do on-demand permissions (as with iOS model).

Websites are different probably because it wasn't Google who designed their model, thankfully.


It sounds like you would need the ability to access all the data on the page but not be able to phone home. Enforcing that sounds like a nightmare.


Right now extensions can provide a regex of the URLs that they will be enabled on. Obviously a malicious developer will just say "all" though.


Please tell me that it actually displays a regex to the end user during installation and asks them to read and approve it.


This has been there from the very beginning (as it was a part of GreaseMonkey/UserScripts), but it's not part of the permission system. This is the developer saying "only enable the extension on these pages." So the system to enforce this is in place, but it's not exposed to the end user.


IIRC (using Firefox nowadays) it did tell the user what sites it was allowed on, although it did this through wildcards (e.g. "http://news.ycombinator.com/*") instead of regexes.
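The wildcard URL patterns discussed above (the per-site "matches" an extension declares, and the "all sites" case a malicious developer will pick) follow Chrome's match-pattern grammar. The following is an added example, not code from the thread or from Chrome: a parser and matcher for those patterns plus a small audit that flags the patterns which cover every site, run against a constructed sample manifest. The sample manifest, its file name `hl.js`, and the function names are assumptions for illustration.

```javascript
// Added example (not from the thread or from Chrome): parse and match Chrome
// extension match patterns, and audit a manifest for all-sites host access.
// Pattern grammar (Chrome docs): <scheme>://<host><path>
//   scheme: '*' (http or https only), http, https, file, ftp
//   host:   '*' | '*.' + hostname | hostname   (must be empty for file:)
//   path:   starts with '/', where '*' matches any run of characters
// "<all_urls>" is the special pattern matching every scheme listed above.

const ALL_URLS = '<all_urls>';
const SCHEMES = ['http', 'https', 'file', 'ftp'];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Split a pattern into its parts; throws on anything Chrome would reject.
function parseMatchPattern(pattern) {
  if (pattern === ALL_URLS) {
    return { scheme: '*', host: '*', path: '/*', allUrls: true };
  }
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error('malformed match pattern: ' + pattern);
  const [, scheme, host, path] = m;
  if (scheme === 'file') {
    if (host !== '') throw new Error('file: pattern must have an empty host: ' + pattern);
  } else {
    if (host === '') throw new Error('missing host: ' + pattern);
    // '*' is only legal as the whole host or as a leading "*." label
    const rest = host.startsWith('*.') ? host.slice(2) : host;
    if (host !== '*' && (rest === '' || rest.includes('*'))) {
      throw new Error('bad host wildcard: ' + pattern);
    }
  }
  return { scheme, host: host.toLowerCase(), path, allUrls: false };
}

// Does urlString fall under pattern? The path part is compared against
// pathname plus query string; the fragment is ignored, as Chrome does.
function matchesPattern(pattern, urlString) {
  const p = parseMatchPattern(pattern);
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  const host = url.hostname.toLowerCase();

  if (!SCHEMES.includes(scheme)) return false;
  if (p.allUrls) return true;
  if (p.scheme === '*' ? !(scheme === 'http' || scheme === 'https')
                       : scheme !== p.scheme) return false;

  if (p.scheme !== 'file' && p.host !== '*') {
    if (p.host.startsWith('*.')) {
      // "*.example.com" covers example.com itself and any subdomain
      const base = p.host.slice(2);
      if (host !== base && !host.endsWith('.' + base)) return false;
    } else if (host !== p.host) {
      return false;
    }
  }
  const pathRe = new RegExp('^' + p.path.split('*').map(escapeRegex).join('.*') + '$');
  return pathRe.test(url.pathname + url.search);
}

// True for patterns whose host is a bare '*': these are what produces the
// "access your data on all websites" warning at install time.
function isAllHostsPattern(pattern) {
  const p = parseMatchPattern(pattern);
  return p.allUrls || (p.scheme !== 'file' && p.host === '*');
}

// Collect every host pattern a manifest asks for and report the ones that
// cover all sites. manifest is a parsed manifest.json object.
function auditHostPatterns(manifest) {
  const patterns = [];
  for (const perm of manifest.permissions || []) {
    // host patterns share the "permissions" list with named ones ("tabs", ...)
    if (perm === ALL_URLS || perm.includes('://')) patterns.push(perm);
  }
  for (const cs of manifest.content_scripts || []) {
    patterns.push(...(cs.matches || []));
  }
  return { patterns, allHosts: patterns.filter(isAllHostsPattern) };
}

// Constructed sample: a "highlighter" whose content script needs one site
// but whose permissions also ask for every http/https page.
const SAMPLE_MANIFEST = {
  name: 'Example Highlighter (constructed sample)',
  permissions: ['tabs', 'storage', '*://*/*'],
  content_scripts: [{ matches: ['http://news.ycombinator.com/*'], js: ['hl.js'] }],
};

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditHostPatterns(SAMPLE_MANIFEST);
  console.log('requested:', report.patterns.join(', '));
  console.log('covering all sites:', report.allHosts.join(', ') || '(none)');
}
```

Running it reports `*://*/*` as the one pattern that covers all sites, while the content script's own `http://news.ycombinator.com/*` is site-specific.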


Unfortunately it's hard to access /any/ information on a page without accessing /all/ information on a page. Unless the page can expose the data itself (say, through an API) an extension will need to access the DOM. Accessing the DOM means data leakage from that page to potentially any server.


Just FYI, there are many cases of malware (presumably browser extensions) targeting online banking in Indonesia recently. The typical flow is like this:

  1. The user logs in to his/her online banking website.
  2. The malware gets triggered and phones home with the user's credentials.
  3. The bad guy logs in using the user's credentials on his own computer.
  4. The bad guy initiates a bank transfer from the user's account to his account.
  5. The bad guy is presented with "enter auth code" to confirm the transaction.
  6. The malware pops up "Verify your auth code" on the user's computer.
  7. Thinking "it must be a new method from my bank", the user types his/her auth code.
  8. The auth code gets sent to the bad guy, allowing him to complete the transaction.
  9. Profit.

Even tech-savvy people can be victims if they're being careless.


Ew, bank fail. My bank will send me a 2FA code to my phone, it'll explain what it's for first. So the message will say 'you're trying to send $200 to xyz at date yxz. Enter this code'.

You'd then have to go to a screen on your computer with that particular transaction, find it, and enter the code. You don't suddenly get some kind of authentication pop up, and know to enter a particular code that authorises anything that isn't your password. That's the whole point of 2FA?

Beyond that, it's surprising that bank fraud still happens seeing as in most countries there are very strict KYC/AML requirements, meaning you can only open a bank acc with an ID in person, with a registered address. I got hit by this myself a while ago when I sent some money for an online purchase that never delivered. I was really bummed out, got scammed but thought at least I had an acc number with a name and address. I looked into it more and it turns out there's a big network of low-end criminals who will approach some 16 year old on his way home from High School. He'll have $50 on his account. Is given $100 straight up, and promised $200 additionally later on, in exchange for his debit card. Youth thinks 'why the hell not, got $50 to lose, just gained $100 and potentially more'. The criminal will use that bank acc to collect money, retrieves it from an ATM with the card, then disappears. Police investigation into the scam will turn up with a 16 year old unaware of the risk of 'identity theft' (weird semi-bs concept itself) who lent out his card and didn't understand the consequences. The criminal goes free without a trace.


Even contextual messages are game-able - the default text "enter your verification code" showing up on the website will likely catch a LOT of people, since they're thinking it's from the bank.

Extensions are Apps.

Without a meaningfully robust (and mandatory) security model and some basic security audits to prevent over-reaching security defaults/requests, you might as well be running Windows XP.


Doesn't even have to be that complicated, the malware can just rewrite the destination to the malware author's silently and wait for people to be sending money there anyway. It's a reasonably dangerous property of Google-style 2FA that they can be transposed without any warning. My bank attempts to get around this by only using SMS based tokens, and the first line of the SMS says exactly what is being sent and where.


On the other hand, it's much easier to reroute a cell phone number through social engineering than to steal TOTP secrets.


Is it really possible from an evil standpoint to get SMS rerouted to another number? I was looking into that a while ago (I wanted a prettier number, but didn't want to lose things associated with the old one) and the answer I got was that it's not something anybody can do. I get how the phone call rerouting stuff would go down, but not SMS rerouting.


GrandCentral / Google Voice used to be able to do this, along with tons of other awesome stuff for VoIP nerds. You could bring whatever DIDs you had (IIRC they also sold them for a reasonable fee) and set up routing however you wanted, and you could trunk to your own SIP server if you wanted to, e.g. set up a phone menu to drive your home automation.

Not sure if any of that still works with GVoice, but if not, I'd look into doing it with Twilio possibly.


> "You would expect that an extension that injects or replaces advertisements is malicious, but then you have AdBlock that creates an ad-free browsing experience and is technically very similar."

AdBlock is very clear in what it does and users install it because they want to block ads, whereas users are usually not aware when an extension injects ads. As a note, the Awesome Screenshot extension for Firefox asks you if you want ads injected, probably because of Mozilla's review process, whereas the Chrome version does not.

It's one thing for websites to be ripped off the opportunity to make money from your eyeballs, with your consent; it's quite another for those same websites to generate money unknowingly for an obscure third party. We are probably talking about copyright infringement done for commercial, for-profit reasons.

Google is annoying me lately. I now use Firefox on my Android and I do that because AdBlock Plus and uBlock are working on it, whereas Chrome for Android still doesn't have plugins, probably because they don't want ad blockers in it.


Yeah, but ABP also has white listed ads: http://techcrunch.com/2013/07/06/google-and-others-reportedl...

Ghostery has a bit of a different model, but they're no saints: http://www.technologyreview.com/news/516156/a-popular-ad-blo...

I guess the lure of selling user data is just too great for any commercial entity to control the source of these ad blockers. uBlock and PrivacyBadger are still clean AFAIK.


From what I've read, ABP are just plain extortionists: "those are nice 'acceptable' ads you have; shame if something were to happen to them." Ghostery's business model makes it a bit untrustworthy, but it works pretty well as far as I can tell. uBlock is "you get what you pay for" freeware, so you can trust it as long as not many people use it. PrivacyBadger is developed by a small number of honest-to-God privacy zealots (in the best possible sense), so it won't get sold out, but will probably lag behind the curve.

I use a couple of them at once, block most JavaScript, usually run with cookies disabled, and pay a bit of attention to what's going on in the privacy news. For less tech-savvy relatives, I just install Ghostery and disable third-party cookies, since that seems least likely to break websites, and blocks most of the worst tracking.

Oh, and hosts-block tynt. Those guys should drown in burning kerosene.


The whitelisted ads are configurable and to tell you the truth this is what I miss now that I'm using uBlock. Personally I understand that ads are a business model that many websites and services need to survive and I've got nothing against websites showing ads tastefully.


Does anyone know where one could find a list of offending plugins? I tried, but came up empty handed.


I've been in contact with someone from Google Security and this was their answer:

"I spoke to the team that maintains that list and they don't have plans to make it public, if you would be willing to share some ideas on how to better protect people from this unwanted software I would be happy to pass it on but due to the nature of the work (trying to stay one step ahead of bad guys) we probably won't be able to share anything back."

I'm the author of this anti-adware addon called "Extension Defender" and it would greatly help my users if I could use their list, because while the extensions were removed from the Web Store, does that mean they were forcibly removed from users' PCs? Probably not.

Plug: https://chrome.google.com/webstore/detail/extension-defender...


I had the same problem. I'd also like to know whether an extension purged from the store will be automatically removed from Chrome if it is installed or would have to be manually removed.


I'd like this as well.


Should say "Google does a lousy job purging bad extensions from Chrome". A: Because all of the malware I reported is still there. And B: Because actually policing your store for malware for once shouldn't be a news item.


Could you give some examples of malware that you reported that are still there? What conditions do you use to classify extensions as malware?


A good example is Vosteran New Tab. Almost two million users, none or near none of which are consensual users. Nobody I've ever uninstalled that from ever intended to install it. It hijacks your new tab page and search.

Interestingly enough, Vosteran also produces a rogue fork of Chrome which makes Vosteran's own search/ad platform built-in and unavoidable. Said rogue fork is also installed without users' permission.

https://chrome.google.com/webstore/detail/vosteran-new-tab/o...

I invite you to peruse the first five pages of search results here and make your own assumptions about the legitimacy of all its five-star ratings: https://www.google.com/?gws_rd=ssl#q=vosteran


Hm, let's take a look at Vosteran. From Wikipedia[1]: "Vosteran is a browser hijacker that changes a browser's home page and default search provider to vosteran.com. This infection is essentially distributed bundled with other third-party applications. Vosteran carries the PUP virus. The identity of Vosteran is protected by privacyprotect.org from Australia."

Okay, so it's malware. Let's check out their webpage[2]! Hm, they give a physical address at 28 Lilienbulm St. in Tel Aviv... as an image, to avoid search engines. Let's look at their "how-to-get-rid-of-this-crap-I-don't-want" process[3], which "shouldn't take more than 10 minutes": so they basically put their tentacles into any crevice they can find, and make it annoying to pry them out.

Let's see if it's easy to see who runs this bit of evil... nope. They're amoral scum.

[1] https://en.wikipedia.org/wiki/Browser_hijacking#Vosteran

[2] http://www.vosteransearch.com/contact-us/

[3] http://www.vosteransearch.com/how-to-remove/


And Google has received reports for it, but clearly thinks there's nothing wrong with it being there.


The security model of chrome extensions is such that I only use one--and that's one from a well-known company that I already trust with sensitive items.

I just can't talk myself into the "This extension will have access to your browsing history and private data on all websites" warning that appears beforehand, and it looks like with extensions sending private URLs away to be crawled, I was at least a little correct to worry.


> Preliminary results revealed that 5% of people accessing Google every day have been caught out by at least one malicious extension.

How might they have detected what extensions are installed in their visitors' browsers?

Is there a way to enumerate installed extensions?

http://browserspy.dk/ and https://panopticlick.eff.org/ detect plugins, but those aren't the same as extensions.


Google probably compares all the JS and HTML of the resulting page in-browser with the code that they originally delivered, allowing them to see if an extension or userscript manipulated it.


The article mentions Google was involved in the research, so they just went by the number of downloads of malware extensions on their store.


When the extensions are removed from the Chrome Web Store are they removed from everyone's browsers automatically? I didn't see it mentioned here or in the article.


No. Google uninstalling things from your computer without your permission? Now that would be news.


Actually I think the answer is yes. Or at least they're disabled.

I forget the name but I had one that allowed for a custom new tab page. It had opt-out ads, but I otherwise loved it. It kept getting disabled after each fresh start of Chrome. Debated forking it but haven't yet.

It might matter that I do have my extensions sync between machines. Extension is eventually disabled on the others as well.

EDIT: "This extension violates the Chrome Web Store policy." The extension is Modern New Tab Page. The store page is gone, so no clue what policies are violated, what I need to fear, etcetera.

I can still enable it, but it will be disabled at some point.

Does it have questionable practices? Yes. There's a settings option but it's different than the settings I see by going to chrome://extensions/ as the sole option on the latter is to disable ads.

EDIT 2: To be clear, this extension was blocked late last year, and is not part of this recent batch. At that time there were questions about whether there was a list as well. There was, like this time, no notification to impacted users.


Hmm, disabling with a notice is not a bad middle-ground actually. For the worst offenders.


It's a horrible middle-ground. Google definitely dropped the ball with alerting users of a possible breach. If there's strong evidence a plugin was capturing and using credentials I need to know to change credentials.


Aren't extensions written in JavaScript? That alone sounds like it'd make it pretty easy to examine and remove any "unwanted functionality" from one, or to show that it's doing something it shouldn't be. It only takes one knowledgeable user to find out and spread the news...

As an aside, I'm surprised at how willing most users seem to be to install any software, be it browser extensions or random apps on their phones/tablets/PCs. Especially in the case of deliberately malicious extensions mentioned in the article, I wonder if they were installed without the user ever considering "What is this for? Do I really need it?"


It's easy to examine once, but once you grant permissions, the author can silently push out a malicious update at any time. I really wish there was a way to disable auto update on an extension by extension basis.


> Aren't extensions written in JavaScript? That alone sounds like it'd make it pretty easy to examine and remove any "unwanted functionality" from one

How? Some of the biggest offenders are extensions whose expected behavior is to send large amounts of data to a remote server to be used on your behalf, but which then actually use the information for other purposes, sell it to others, etc.

Examining the client side JS will never tell you what the back end is doing with the data, only what data is transferred, and so won't identify this kind of nefarious behavior at all.


>That alone sounds like it'd make it pretty easy to examine and remove

Minified and obfuscated JavaScript is not much easier to check than binary files, and more difficult than e.g. Java class files, at least without ProGuard.


Just as a reference, you might like this tool - I've gotten great results with some really gnarly minified/obfuscated JS.

http://www.jsnice.org/


Oh, there is a built-in version in the Chrome debugger.

And sure, it can handle js uglify, etc., but there are tools and systems that allow you to remove more than that, and then it becomes really difficult to get a handle on WTF is going on.


Sure, but this one is much more advanced than the one in the Chrome Inspector, which only formats. This one renames variables and functions, adds comments, and even annotates types.


There are lots of potential explanations which don't involve stupidity. Users may mistakenly assume apps/extensions are nowadays sufficiently sandboxed. Users may also be assuming that the Chrome Web Store is a somewhat reputable marketplace with any malicious software weeded out.


Tons of extensions serve the purpose of modifying actual pages to change/modify/add content. When users have many extensions, it's near impossible to determine which one is the bad actor without a lot of leg work. But people do figure it out and spread the news exactly how you describe. The problem is most people don't read the reviews and most casual internet users have no idea what's wrong if the functionality is added after the fact.


I don't understand why you can't block (or lock out) certain permissions for extensions. If an extension requests permission to browsing history, you should be able to install the extension but deny it that access. This is the same problem that I see on Android.


It's too easy to bait and switch with Chrome extensions. Authors can sneak malware into their code at any point and you have zero chance of stopping it.


I've created a few Chrome extensions, and I constantly get bombarded with aggressive emails practically demanding that I accept financial compensation in exchange for adding whatever sketchy javascript snippet they want me to add. Some even have the nerve to follow up as if they are offended by my silence when I don't respond to them. I'm not sure how those people even got their hands on my email address.

What infuriates me is that even extensions that are widely known to have succumbed to these sinister offers to include borderline malware in their extension, such as Hover Zoom, are not punished in the slightest even after being caught, or even required to remove the malicious javascript snippet.

What the hell is the point of all these XSS prevention measures in modern browsers, such as reflected XSS prevention, CSP, script nonces, etc. when all you have to do to bypass all of them is make your own browser extension? Is the team at Google that handles Chrome extensions completely unable to communicate with the team that handles browser security? The left hand has forgotten that the right hand even exists. I nominate Google as the company that the movie The Cube was warning us about.

If the suspiciously nameless author of this article wasn't paid by Google to write it, then he ripped himself off. If the author had performed the most basic research into the topic he was writing about, he would have learned that Firefox's approach to extensions is perfect and is the only reasonable solution to the security problems that exist with Chrome's extensions. An actual journalist writing about this topic would have swiftly concluded that Google should be lambasted for its blunders and mocked for not living up to Firefox's standards, rather than being borderline worshipped for barely doing anything to fix a horrific problem they openly invited in the first place.


So how long until AdBlock Plus and uBlock are "bad" extensions?

Enjoy your walled garden. Soon enough the walls will be so high you won't even remember what a free browser felt like.


You can manually install extensions, which is how I install mine (e.g. µMatrix). I'd rather not have to use the Chrome store (and I prefer Chromium, as well).


> You can manually install extensions

Not on Chrome stable. You have to use beta, dev, or a Chromium build for that.


I think you can on regular Chrome. Just tick the 'Developer Mode' box at the top of the extensions page.


I don't think you can on Windows.


Developer Mode in Chrome is most definitely available on Windows.


Well, AdBlock Plus is a bad extension. People who use it should feel like scum. Because they are scum.

That being said, your walled garden notion is accurate. Chrome used "security" as an excuse to lock down the extensions platform to only their Web Store. But it's not any more secure, since there's plenty of malware in the Web Store. It was just an excuse to wall in their product.


Chrome extensions can do some really nasty things. Just last year while doing adware research for extensions, I actually came across an extension monetization company who was silently installing Google Android apps to the user's phone with no human interaction whatsoever. I wrote a breakdown of this on my blog:

http://extensiondefender.com/blog/red-alert-dangerous-exploi...


This probably isn't a popular view for the HN crowd but at this point I'm convinced that for 90% of users, browser extensions are an anti-feature doing way more harm than good.


For almost 100% of users, the "modern web" is an anti-feature doing way more harm than good. It's a giant pile of tracking scripts and animated "punch-the-monkey" graphics wasting users' power and bandwidth while stealing their personal data and providing nothing of value. Web browsers are creaking piles of bloat trying (badly) to support this disaster while pretending to be shinier than their competitors, or than last month's version of themselves.

Browser extensions offer a whole new host of evils, along with a marginally effective way to fight back against the rising tsunami of web horrors. The web is mostly about harming users, so I can hardly blame them for grasping at whatever chance they have to defend themselves.


Much like toolbars back in the day. I still think that browsers should just let extensions be fully disabled by default, so only the power users who know what they are doing can enable them by poking in settings.


Chrome always gives this really scary warning that the extension will be able to read all my tabs etc. They need to sandbox everything so that I don't have to feel worried while installing extensions. Worry is not a good UX.


An extension I use regularly got zapped (Website Screenshot). There are definitely alternatives out there, but it's a little annoying that there was no indication as to WHY it was removed. Oh well.


This only addresses part of the problem. Chrome extensions are ONE method of injecting into a page. What about more advanced methods including code hooks, Proxy, LSP, TDI, WFP, etc... What is Chrome going to do about those?


Well... Wouldn't it be useful to publish a list of the offending extensions?


That's amazing news... YEARS after it should have happened.


What's Google's protocol for approving apps? How do they not notice the problems before the apps even hit the store?


Google needs a better way to notify users when extensions are superseded. For instance, I used to use the Google Voice extension even though it was buggy as hell, and kept using it for too long because I didn't know about the much better Hangouts extension that replaced it (I had been using Hangouts for a while but never had the Chrome extension).


Better yet, disable all of them.


Disable all extensions? No more Tampermonkey, Postman, LastPass? Seems like a massive overkill. Extensions provide vital functionality.


What functionality? Never heard of any of those.

Browsers are for interactive documents, for everything else there are native applications, even though I also do web development gigs.



