Adware vendors buying Chrome Extensions
-
Adware vendors buy Chrome Extensions to send ad- and malware-filled updates: http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/
"While Chrome itself is updated automatically by Google, that update process also includes Chrome's extensions, which are updated by the extension owners. This means that it's up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it. To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension."
The article is much longer and explains how some extension authors are being offered lots of money to sell their popular extensions to silently push ad-filled 'updates'. One of the best things about Presto-based Opera was that it had so many features that were built in. I never really liked the idea of relying on third parties to add functionality to the browser. And it seems like a common answer from the devs working on Chromium-based Opera when users make a feature request is 'get an extension'.
-
Well, given that the main reason for Opera to switch to Webkit/Chromium was to need much fewer developers, that should not be a big surprise.
I - and many others - saw it as a big security risk back when Mozilla made their first extendable version. Google have proven more sloppy than I would have hoped both with their browser and with the Android app interface. There are very good reasons for restricting third party developers to the API subset they need to use for their particular application.
-
One of the best things about Presto-based Opera was that it had so many features that were built in. I never really liked the idea of relying on third parties to add functionality to the browser.
…nothing more to say.
-
Making money with ads is tempting for extension writers as well.
Giorgio Maone, member of the Mozilla Security Group and author of NoScript comes to my mind.
It's an older story from 2009, some of you might remember.
AFAIK there are ad sponsored extensions for Chropera too.
Since I neither use Chropera nor intend to do so, I can't tell if such extensions have to be labelled or not.
-
Making money with ads is tempting for extension writers as well.
… and I can understand that.
I know of some extension developers who wrote extensions that were downloaded several hundred thousand times, who put a whole lot of effort and time into it - for nothing. Some of them had a "donate" button on the page, but in the end they earned not more than about 10 or 20 USD for literally hundreds of hours of work.
Yes, it is exciting to see that an extension gets good ratings, that it is downloaded by a lot of people, but I bet that at some time every developer of a complex extension, who is not sponsored by a third party, comes to the point when he asks himself: "Why am I doing this?"
This is exactly the point where he is "vulnerable" to such shady offers.
Maybe the extension store owners could offer 0.5ct (or lines_of_unobfuscated_code/2000 ct :evil: ) per download - some of them bail out way more money for advertising anyway. IMHO a well filled store is some kind of advertising too. If they fear they would ruin themselves, they could set an upper limit to prevent ruining themselves if an extension is downloaded more than e.g. 2 Billion times - or something like that :woohoo:
-
in my case…
Opera 12
vs.
Opera 19 (usually it's over 20)
every one of those extensions adds listeners to events or whatever, they take one process, min. 8 MB of memory, usually they change DOM (injected), restricted because of sec. reasons and keeping holy Chrome UI clean
all in all…chrome extension system sucks
When Opera switched to WK/blink I was hoping that they saw some sort of window of opportunity (chrome is dumbed down browser). Combo of fast engine (JS) with feature rich app (something that they have experience).
But...we all know how that story goes/ended :huh:
-
From a business perspective, building a browser that relies on "outside" extensions is to intentionally give up control of part of your product, in the eyes of your customers. If the functionality is important, put it in the product natively or at least create the extensions yourself. To export functionality to extensions made by others is to turn over part of the browser to an outsider's influence, both functionally and security-wise. Eg: if a Chrome extension causes trouble, either by malfunctioning or adware or malware, it will be Chrome that takes the first hit, and it's Chrome the user will remember as giving him grief - even if subsequent events show it to actually have been the extension. And all too often, the cause of an extension malfunction is a version upgrade to the basic browser that breaks the extension, simply because the browser and extension developers are different folks with differing agendas and schedules. This is just not a good position for a business to put itself into.
The single biggest mistake I believe made with the new Opera design has been to rely on extensions for primary functionality. Perhaps that's a "necessary evil" with a WebKit-lineage architecture… perhaps not. But it is the existing situation, and already there have been numerous posts complaining of some major extension being broken by some New Opera version update. Whatever Opera may respond with to such complaints, the effect on users comparing that with the Opera of old impacts on Opera, not on the extension authors.
-
Infecting trusted Chrome extensions isn't breaking news.
This one is two years old:
TIL a Chrome Extension was spying on me. BEWARE "Smooth Gestures"
The app ID is: lfkgmnnajiljnolcgolmmgnecgldgeld
And this isn't some unknown, shady app. Google reports it to have over 400,000 users and a 5-star rating with over 5000 votes.
-
The single biggest mistake I believe made with the new Opera design has been to rely on extensions for primary functionality.
No mistake, only some misunderstanding.
Your or my concept of primary browser functionality simply doesn't match the concept of the new Opera developers, driven by their 'new vision'.
Perhaps that's a "necessary evil" with a WebKit-lineage architecture… perhaps not.
Certainly not!
-
@booBot:
I was shocked to discover that installing an add-on does not require administrative rights!!!
I'd actually be more suspicious of an extension that did demand root privileges to be installed. Imagine with that privilege escalation what a bad extension could do to the whole system. The reason why an extension doesn't require admin/root privileges is because it's installed in the user area, not system-wide. In the end, if you don't trust the extension and haven't checked up on it extensively, then whether it's installed with user rights or admin/root rights is beside the point: you're taking a leap of faith.
BTW, Opera 12.xx has extensions. They install into your profile and require no admin/root rights. Same problem.
-
@booBot:
Despite me being a LUA, having the Software Restriction Policy enforced - and still be able to install whatever add-on was available!
Opera/Presto allows installing extensions in a limited user account too - because extensions are in principle harmless user data (zipped source code) that resides in the users %localappdata% folder and can not be executed without additional software. Of course software like a browser can and must be able to read and write there even while running as limited user - and that is where the problem starts: The browser interprets or "just in time compiles" the data and then it becomes active.
If the extension writer wants to spy on the user, (s)he can. The only things that could prevent that are either no extensions, or a walled garden from where extensions can be installed and strict vetting of every extension to make sure that no malicious or spying code is inside.
Rumor:
Latest news seem to indicate that Google will switch to a walled garden concept like Apple did and forbid installing extensions from places other than the chrome store. They will even go further and forbid installing locally downloaded extensions in one of the next Chrome versions (but there is still a way to circumvent that). Nice thought, but as long as they don't do a 100% vetting of each and every extension - as far as I can see they still do not do that - the problem of "not wanted code inside" will remain.
Side note:
I personally have unzipped all extensions I have downloaded, looked into the code and removed everything I didn't like (e.g. the google analytics code that almost every second extension in the chrome store contains, and other unwanted stuff) and packed them again as cleaned up version - but that is of course not a thing a normal user should have to do.
Yes, that may sound a bit paranoid, but I feel better that way …
-
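Added example, not part of any post in this thread: a small Python sketch of the manual review described in the post above, run over an unpacked extension directory. It lists sensitive `permissions` and content-script `matches` from `manifest.json` and every external host named in the extension's scripts. The `SENSITIVE` set, the function names, the sample extension and its hosts are all constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption: a small, non-exhaustive set of manifest entries worth a second look.
SENSITIVE = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
             "tabs", "cookies", "webRequest", "history"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
SCANNED = {".js", ".html", ".htm"}


def audit_extension(root):
    """Report sensitive manifest entries and external hosts in an unpacked extension."""
    root = Path(root)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    requested = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    hosts = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for host in HOST_RE.findall(text):
            hosts.setdefault(host.lower(), set()).add(path.relative_to(root).as_posix())
    return {"sensitive": sorted(requested & SENSITIVE),
            "hosts": {h: sorted(files) for h, files in sorted(hosts.items())}}


def build_sample(root):
    """Write a constructed sample extension (not a real one) into root."""
    root = Path(root)
    manifest = {"name": "Constructed Sample", "version": "1.0", "manifest_version": 2,
                "permissions": ["tabs", "storage", "<all_urls>"],
                "background": {"scripts": ["background.js"]},
                "content_scripts": [{"matches": ["http://*/*"], "js": ["inject.js"]}]}
    (root / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "background.js").write_text(
        "var ga = 'https://ssl.google-analytics.com/ga.js';\n", encoding="utf-8")
    (root / "inject.js").write_text(
        "new Image().src = 'http://stats.example.invalid/p.gif';\n", encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = audit_extension(tmp)
        print("sensitive manifest entries:", report["sensitive"])
        for host, files in report["hosts"].items():
            print(f"{host}: {', '.join(files)}")
```

Because extension updates arrive automatically, a clean result for one version says nothing about the next, so the check has to be repeated on every update.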
@booBot:
Never ever seen a need to use an extension with Opera v12-and-below. No problem.
Well, one could just use Firefox without extensions. So, same problem. The problem is the installation of extensions, which Opera and Firefox has at its disposal.
Now regarding the root privileges:
- only the OS/SW maintenance jobs are done by root
1a) no everyday jobs are done by root
Software installation (and add-ons ARE software) is purely root's task. Without his clear consent (in the form of installation of said software on user's behalf) NOBODY has rights to touch anything on machine.
Otherwise it is total chaos.
Maybe it's because I'm used to running Linux that I think this way, but I'm sure that this applies to other OSs. If you install an extension with root privileges, it gets root privileges to perform what it does. If it does something "bad", then that'll affect the whole system if it has root privileges. If it has user privileges, it'll affect the user (unless the software exploits a privilege escalation bug of some kind). Naturally, one has personal data in the user's domain, so even having a bad extension in that area would be bad, but it wouldn't affect the whole system (or other users on that system).
I'd reject straight away any extension that demanded of itself root rights. I'm not giving it that power, nor see any reason why it should have that power.
By following these simple rules, and as it just had transpired - by avoiding FF - I managed to live the malware-free life on my winXP-PRO since 2002 - without any AV.
Hmm… Windows and no AV? OK. Good luck with that.
-
Well… there's always IE11. No extensions allowed there to my knowledge. And I think it's actually quite secure when coupled with Smart Screen filter.
-
@booBot:
@Gort:
Then you could know the difference between the "installed by root" and the "setuid root" bits of code. In a secure environment all the code must be installed by root - and owned only by him. The root decides what is allowed to run and by whom. Mortals must be forbidden from altering either OS or SW in it.
Well, it depends on the circumstances. If you run a tight system with many users, and you want full control of your users, then you install your browser and its extensions for system-wide use, where the user can't tamper. If you're a bit more lax and willing to part some trust to your users, you can allow them to install things within their user domains, while keeping system-wide settings out of their reach. If you've got a machine with just one user (for instance, this one I'm typing on), then you can install the browser and its extensions in your own user area. My point is that an extension that demands root installation is an extension that I find untrustworthy by that very demand. I will not be giving an extension the right to root privilege on its say-so and see no reason to give it that privilege escalation.
You may not believe me, but still it is the fact - I managed to avoid any malware hit for years, and regular forensics proves this.
No, I believe you, but I do feel you need that "good luck with that", too. I mean, running AV isn't going to be a 100% protection and in many ways can make the user have a false sense of security. The user needs to practise safe browsing, make sure that they don't install anything and everything on a whim, that they remain vigilant, that they shut off any unneeded services (particularly those remotely listening) and other practices. Still, another layer of protection can also be of use, particularly if you slip one of these days.
-
But it's a locked-down store, right… somewhat like the way in which Apple locks down what can be added to its devices?
-
@booBot:
@Gort:
Still you confuse the "setuid root" (which is dangerous in every OS) with the "owned by root because it was installed by root" (which is perfectly normal and expected).
Oh, I understand (I think), but I just don't totally agree with all your approach. Sure, you can install an extension via root and it'll carry out user requests and not run root-only requests, but it still has to be installed. Unless you can read the code of the extension (and then that depends on it not being a binary and source not being closed), then can you guarantee that the extension, installed as root, isn't installing its malware into your system or altering root owned stuff? Sure, you can take a diff of before or after against a known backup using a live Linux CD, see what's been changed and all, but also are you sure that the extension is doing what it claims it does and not also something else? I mean, installing a malware infected extension as root is going to be more damaging than installing it as user, at least for the whole system.
No matter how many (mortal) users have accounts on a machine - the machine is root's, he and only he is responsible. Only root decides what he installs and allows mortals to run.
And it's root who decides how he or she wants to dictate the policy for the machine.
My point is - may be add-ons per se are not evil, but there must be strict discipline who decides which ones are installed.
There should be no way for drive-by unintended (by root) installation - which is not unfortunately the case with FF/chrome/chropera.
Well, unless you explicitly allow other sites to be able to install extensions into Firefox, then it won't be happening drive-by. A default install of Firefox only allows you to install extensions from official sources. You have to manually intervene in order to allow other sites to install extensions.
There is safe life without AV - and no luck required, only knowledge, no matter the OS.
Of course, but just make sure you don't slip.
-
Sure, you can install an extension via root and it'll carry out user requests and not run root-only requests, but it still has to be installed.
Even non installed but just copied extensions can be malicious. You have to prevent the browser to run those.
In the end:
Nobody infects the system I use for online-banking or the other system I use for secure online communication unless (s)he can rewrite a CD-ROM (yes, I know of a malware that infects the firmware of a CD/DVD drive, so not even that is 100% secure ;))
-
@booBot:
And this immediately brings us to the very first post of this thread: malware laden add-ons appear at the official source - free for mortals to infect with.
How does clever root prevent such an attack?!
He must somehow disable any add-on installation by mortals first. Then he does his vetting and proceeds with installation.
By which means root vets an add-on is beyond this topic.
Sure, but again this depends on root's attitude to users. Some systems give greater leeway to their users than others (and those others are right in their way to be restrictive). In a system where more leeway is given, then it'd make sense to have extensions user installed, in which any possible damage is localised (although privilege escalation can be a factor here). However, if you're one who micromanages your system and has many users, then one would vet extensions, have them installed system-wide, restricting users into using them only. A one user system is probably best served installing extensions in their user domain rather than root. No need to give an extension such power if one is the only user.
Of course, but just make sure you don't slip.
Well, well, well.
You, it seems, place too much trust in AV vendors.
I certainly don't put trust in them. I see them as another hurdle. Hurdles can be jumped over, but it still adds to the difficulty. For a Windows user, I'd be more inclined to use an AV as an additional defence (although, to be fair, Windows has improved itself over the last few versions), but, as I've said in above posts, I would always be aware of the false sense of security mentality creeping up. The most important thing is to practise safe computing.
It is far easier to prevent than to combat.
Don't let it run in the first place, and it will not attack/infect you.
No AV is needed ever.
I mentioned in above posts about the need for diligence and the problem with a false sense of security. Of course you can run quite happily without AV, but one has to be more careful. As you say, knowledge is your first weapon, for sure, but we all have odd days when we do something we later realise was a mistake. Maybe an AV won't protect you when you do that, but then again, it might. For you, running without an AV is fine (as long as you don't slip), but I wouldn't advise that for the vast majority of users out there.
-
Sure, you can install an extension via root and it'll carry out user requests and not run root-only requests, but it still has to be installed.
Even non installed but just copied extensions can be malicious. You have to prevent the browser to run those.
Well, installed or copied, the extension is run by the browser either way. I'd say that if you have an extension that's malicious, then that's your problem right there, and installing it as root just escalates it.