Unauthorized Vivaldi installers – help us find them
-
Hi folks and Happy New Year!
I've just joined Vivaldi as a developer and came across a curious issue – some websites distributing Vivaldi installers that contain potentially unwanted software. I thought I’d reach out to you all to see how big of an issue this is — and also take this as an opportunity to introduce myself.
-
This kind of thing does not really happen on Linux and is less common on Mac, but we do occasionally see it there. For Mac you can check the signature of the app within the .dmg by opening a terminal and running a command like:
codesign -d --verbose=2 Vivaldi.app
Amongst the output you should see Authority=Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y)
-
Oh and congrats to Julien on joining us and your first blog post!
-
On the Mac, in addition to using codesign, you can further double-check the integrity of the app bundle with:
spctl -a -vv Vivaldi.app
-
Funny fact: …and yesterday I wrote my own installer, since I'm still missing an unattended/silent setup for deploying Vivaldi in an enterprise environment.
DEB packages are fine for our GNU/Linux clients. But when will we see MSIs for Windows (or something like that)?
-
In the meantime, the best way is to download only on https://vivaldi.com/download/
-
"Malicious" as in actually so, or just the usual type of nonsense that sites like CNET used to do (I think they discontinued the practice), where they repackage the installer with some "optional" goodies that you have to look really hard to disable? Definitely not good, but it's not as if they were viruses or anything.
-
Welcome another one from the dark (at least other) side of the force.
-
How can this fix the problem if any site can still make a "download vivaldi" button which points to their exe file, which installs some malware and then downloads and opens the real installer from vivaldi.com? A 5-minute task.
-
http://www.dobreprogramy.pl/Vivaldi,Program,Windows,60614.html
dobreprogramy is a very popular app download site in Poland. For 2-3 years now they have been serving their own "installer", which contains unwanted stuff, but you can still download directly using the grey button on the right.
They have some apps which CAN'T be downloaded with their installer though; I don't know why they do that.
-
https://www.vivaldi.ru/downloads and http://vivaldi.findmysoft.com/download/ and http://www.afterdawn.com/software/search/results.cfm?q=vivaldi seem to provide some fake installers.
Not sure portable installers like http://portableappz.blogspot.fr/2015/01/vivaldi-108338-multilingual-tech-preview.html are really useful either…
-
I would not be at all surprised if most users are getting PUPs or malware from the major download sites like CNET, Softpedia, FileHippo, etc., from a Google search. These major download sites are far more likely to be used than some random link on a YouTube video or Facebook page.
I no longer trust these sites, and avoid them as far as possible. The sad truth is that they need to distribute PUPs to make money and stay viable. Some PUPs are malicious.
People should download Vivaldi from Vivaldi.com
-
not a beer drinker
You lost me there. But welcome all the same.
I use a portable installer that downloads from Vivaldi servers to create its own portable version. Would that count? There is nothing maliciously installed with it.
-
On slunecnice.cz, when downloading Vivaldi, there is a button ticked by default saying that you accept installation of other software. When it is unticked, the original installer downloads, but… (download link)
-
Please encourage the use of the VirusTotal browser extension. This will allow users to scan files before downloading. Hashes for bad files can then be shared safely: https://www.virustotal.com/en/documentation/browser-extensions/
-
Do you have any analysis of what mechanisms are being used inside these unauthorized installers?
Are they just simple containers with the original installer inside?
Or do they work in a somewhat more sophisticated way?
How is the Vivaldi installer generated?
Wouldn't it be possible to embed some const to check the installer size?
Or maybe just add an option to check the installer hash against some online public hash database?
And then just show a warning message about a possible fake file?
-
I've never downloaded a browser from a source other than the browser's official website. I didn't really know people did this or that you could. Shows what I know. Yikes.
-
Yeah, yours is better and has clearer output.
-
Definitely!
-
Mine verifies that the app bundle (still) passes the Gatekeeper checks and displays who signed the bundle. Yours displays more details about how the bundle was signed. The two checks go hand in hand and both should be done… along with a few more if you're ultra-paranoid.
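
The two macOS checks discussed in the comments above, combined into one script. This is an added example, not part of the original thread or Vivaldi's own tooling: it compares the leaf `Authority=` line from `codesign` and the `origin=` line from `spctl` against the identity quoted above. The function names and the script file name are assumptions.

```shell
#!/bin/sh
# Added example. The expected identity is the Authority string quoted in the thread.
EXPECTED='Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y)'

# Print the first Authority= value from `codesign -d --verbose=2` output on
# stdin. codesign lists the certificate chain leaf first, so this is the signer.
leaf_authority() {
    sed -n 's/^Authority=//p' | head -n 1
}

# Succeed only on an exact match: a substring test would also accept a
# look-alike name that merely contains "Vivaldi Technologies".
check_codesign_output() {
    [ "$(leaf_authority)" = "$EXPECTED" ]
}

# Read `spctl -a -vv` output on stdin: Gatekeeper must report "accepted" and
# the origin= line must name the same signer.
check_spctl_output() {
    spctl_out=$(cat)
    printf '%s\n' "$spctl_out" | grep -q ': accepted$' || return 1
    origin=$(printf '%s\n' "$spctl_out" | sed -n 's/^origin=//p' | head -n 1)
    [ "$origin" = "$EXPECTED" ]
}

# Run both tools against an app bundle (macOS only). 2>&1 is needed because
# codesign -d prints its details to stderr.
verify_app() {
    codesign -d --verbose=2 "$1" 2>&1 | check_codesign_output ||
        { echo "FAIL: codesign reports a different signer" >&2; return 1; }
    spctl -a -vv "$1" 2>&1 | check_spctl_output ||
        { echo "FAIL: Gatekeeper rejected the bundle or origin differs" >&2; return 1; }
    echo "OK: $1 is signed by $EXPECTED"
}

# Usage (hypothetical file name): sh verify-vivaldi.sh /Volumes/Vivaldi/Vivaldi.app
if [ "$#" -gt 0 ]; then
    verify_app "$1"
fi
```

`codesign -d` only displays the signing information, so the `spctl` assessment is the step that actually fails on a bundle Gatekeeper would refuse.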