Adware vendors buying Chrome Extensions



  • Adware vendors buy Chrome Extensions to send ad- and malware-filled updates
    http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/

    "While Chrome itself is updated automatically by Google, that update process also includes Chrome's extensions, which are updated by the extension owners. This means that it's up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it. To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension."

    The article is much longer and explains how some extension authors are being offered lots of money to sell their popular extensions to silently push ad-filled 'updates'.

    One of the best things about Presto-based Opera was that it had so many features that were built in. I never really liked the idea of relying on third parties to add functionality to the browser. And it seems like a common answer from the devs working on Chromium-based Opera when users make a feature request is 'get an extension'.



  • Well, given that the main reason for Opera to switch to Webkit/Chromium was to need much fewer developers, that should not be a big surprise.

    I - and many others - saw it as a big security risk back when Mozilla made their first extendable version. Google have proven more sloppy than I would have hoped both with their browser and with the Android app interface. There are very good reasons for restricting third party developers to the API subset they need to use for their particular application.



  • @ugly:

    One of the best things about Presto-based Opera was that it had so many features that were built in. I never really liked the idea of relying on third parties to add functionality to the browser.

    …nothing more to say.



  • Making money with ads is tempting for extension writers as well.
    Giorgio Maone, member of the Mozilla Security Group and author of NoScript comes to my mind.
    It's an older story from 2009, some of you might remember ;)

    AFAIK there are ad sponsored extensions for Chropera too.
    Since I neither use Chropera nor intend to do so, I can't tell if such extensions have to be labelled or not.



  • @Krake:

    Making money with ads is tempting for extension writers as well.

    … and I can understand that.

    I know of some extension developers who wrote extensions that were downloaded several hundred thousand times, who put a whole lot of effort and time into it - for nothing. Some of them had a "donate" button on the page, but in the end they earned not more than about 10 or 20 USD for literally hundreds of hours of work.

    Yes, it is exciting to see that an extension gets good ratings, that it is downloaded by a lot of people, but I bet that at some time every developer of a complex extension, who is not sponsored by a third party, comes to the point when he asks himself: "Why am I doing this?"

    This is exactly the point where he is "vulnerable" to such shady offers.

    Maybe the extension store owners could offer 0.5ct (or lines_of_unobfuscated_code/2000 ct :evil: ) per download - some of them bail out way more money for advertising anyway. IMHO a well filled store is some kind of advertising too. If they fear they would ruin themselves, they could set an upper limit to prevent ruining themselves if an extension is downloaded more than e.g. 2 Billion times - or something like that :woohoo:



  • in my case…
    Opera 12
    vs.
    Opera 19 (usually it's over 20)

    every of those extensions adds listeners to events or whatever, they take one process, min. 8 MB of memory, usually they change DOM (injected), restricted because of sec. reasons and keeping holy Chrome UI clean :sick:
    all in all…chrome extension system sucks
    When Opera switched to WK/blink I was hoping that they saw some sort of window of opportunity (chrome is dumbed down browser). Combo of fast engine (JS) with feature rich app (something that they have experience).
    But...we all know how that story goes/ended :huh:



  • From a business perspective, building a browser that relies on "outside" extensions is to intentionally give up control of part of your product, in the eyes of your customers. If the functionality is important, put it in the product natively or at least create the extensions yourself. To export functionality to extensions made by others is to turn over part of the browser to an outsider's influence, both functionally and security-wise. Eg: if a Chrome extension causes trouble, either by malfunctioning or adware or malware, it will be Chrome that takes the first hit, and it's Chrome the user will remember as giving him grief - even if subsequent events show it to actually have been the extension. And all too often, the cause of an extension malfunction is a version upgrade to the basic browser that breaks the extension, simply because the browser and extension developers are different folks with differing agendas and schedules. This is just not a good position for a business to put itself into.

    The single biggest mistake I believe made with the new Opera design has been to rely on extensions for primary functionality. Perhaps that's a "necessary evil" with a WebKit-lineage architecture… perhaps not. But it is the existing situation, and already there have been numerous posts complaining of some major extension being broken by some New Opera version update. Whatever Opera may respond with to such complaints, the effect on users comparing that with the Opera of old impacts on Opera, not on the extension authors.



  • Infecting trusted Chrome extensions isn't breaking news.
    This one is two years old:

    TIL a Chrome Extension was spying on me. BEWARE "Smooth Gestures"

    The app ID is: lfkgmnnajiljnolcgolmmgnecgldgeld
    And this isn't some unknown, shady app. Google reports it to have over 400,000 users and a 5-star rating with over 5000 votes.



  • @Blackbird:

    The single biggest mistake I believe made with the new Opera design has been to rely on extensions for primary functionality.

    No mistake, only some misunderstanding.
    Your or my concept of primary browser functionality simply doesn't match the concept of the new Opera developers, driven by their 'new vision'.

    @Blackbird:

    Perhaps that's a "necessary evil" with a WebKit-lineage architecture… perhaps not.

    Certainly not!



  • In my search for a possible Opera replacement I came across the PaleMoon optimised FF clone.
    Since it is my first encounter with add-on-dependable browser, I was shocked to discover that installing an add-on does not require administrative rights!!!

    Despite me being a LUA, having the Software Restriction Policy enforced - and still be able to install whatever add-on was available!
    And there is no clean and easy protection from it.
    The only kludge is to remove the write permission for the extension folder in user's profile.

    Once and again we see evidences of Opera (Presto/Caracan) being the most secure browser ever.



  • @booBot:

    I was shocked to discover that installing an add-on does not require administrative rights!!!

    I'd actually be more suspicious of an extension that did demand root privileges to be installed. Imagine with that privilege escalation what a bad extension could do to the whole system. The reason why an extension doesn't require admin/root privileges is because it's installed in the user area, not system-wide. In the end, if you don't trust the extension and haven't checked up on it extensively, then whether it's installed with user rights or admin/root rights is beside the point: you're taking a leap of faith.

    BTW, Opera 12.xx has extensions. They install into your profile and require no admin/root rights. Same problem.



  • @Gort:

    BTW, Opera 12.xx has extensions. They install into your profile and require no admin/root rights. Same problem.

    Never ever seen a need to use an extension with Opera v12-and-below. No problem.

    Now regarding the root privileges:

    1. only the OS/SW maintenance jobs are done by root
      1a) no everyday jobs are done by root
      Software installation (and add-ons ARE software) is purely root's task. Without his clear consent (in the form of installation of said software on user's behalf) NOBODY has rights to touch anything on machine.
      Otherwise it is total chaos.

    By following these simple rules, and as it just had transpired - by avoiding FF - I managed to live the malware-free life on my winXP-PRO since 2002 - without any AV.



  • @booBot:

    Despite me being a LUA, having the Software Restriction Policy enforced - and still be able to install whatever add-on was available!

    Opera/Presto allows installing extensions in a limited user account too - because extensions are in principle harmless user data (zipped source code) that resides in the users %localappdata% folder and can not be executed without additional software. Of course software like a browser can and must be able to read and write there even while running as limited user - and that is where the problem starts: The browser interprets or "just in time compiles" the data and then it becomes active.

    If the extension writer wants to spy on the user, (s)he can. The only things that could prevent that are either no extensions, or a walled garden from where extensions can be installed and strict vetting of every extension to make sure that no malicious or spying code is inside.

    Rumor:
    Latest news seem to indicate that Google will switch to a walled garden concept like Apple did and forbid installing extensions from places other than the chrome store. They will even go further forbid installing locally downloaded extensions in one of the next Chrome versions (but there is still a way to circumvent that). Nice thought, but as long as they don't do a 100% vetting of each and every extension - as far as I can see they still do not do that - the problem of "not wanted code inside" will remain.

    Side note:
    I personally have unzipped all extensions I have downloaded, looked into the code and removed everything I didn't like (e.g. the google analytics code that almost every second extension in the chrome store contains, and other unwanted stuff) and packed them again as cleaned up version - but that is of course not a thing a normal user should have to do.
    Yes, that may sound a bit paranoid, but I feel better that way …
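
Added example, not part of the original post and not code from any browser project: a Python sketch of the manual review described above, applied to the silent-update problem from the first post. It assumes a Chrome-style package (a zip with a `manifest.json`); the tracker host list, the function names and both sample packages are constructed for illustration.

```python
import io
import json
import zipfile

# Illustrative host list (an assumption of this example); extend as needed.
TRACKER_HOSTS = ("google-analytics.com", "googletagmanager.com")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TEXT_SUFFIXES = (".js", ".html", ".htm", ".json")


def audit_extension(package: bytes) -> dict:
    """Summarise a zipped extension: requested access and tracker references."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
        access = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        for script in manifest.get("content_scripts", []):
            access.update(script.get("matches", []))  # pages the code is injected into
        trackers = set()
        for name in zf.namelist():
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(name).decode("utf-8", errors="replace").lower()
            trackers.update((name, h) for h in TRACKER_HOSTS if h in text)
    return {"version": manifest.get("version"), "access": access,
            "broad": bool(access & BROAD_HOSTS), "trackers": trackers}


def diff_update(old: dict, new: dict) -> dict:
    """Report what an update added relative to the previously reviewed version."""
    return {"versions": (old["version"], new["version"]),
            "added_access": sorted(new["access"] - old["access"]),
            "added_trackers": sorted(new["trackers"] - old["trackers"]),
            "became_broad": new["broad"] and not old["broad"]}


def make_package(manifest: dict, files: dict) -> bytes:
    """Build a constructed sample package in memory (test data, not a real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: the same extension before and after an update.
OLD_PKG = make_package(
    {"name": "Sample Extension", "version": "1.0", "permissions": ["tabs"]},
    {"bg.js": "chrome.tabs.onUpdated.addListener(function () {});"})
NEW_PKG = make_package(
    {"name": "Sample Extension", "version": "1.1", "permissions": ["tabs"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
    {"bg.js": "chrome.tabs.onUpdated.addListener(function () {});",
     "inject.js": "var s = document.createElement('script');"
                  "s.src = 'https://ssl.google-analytics.com/ga.js';"})

if __name__ == "__main__":
    print(diff_update(audit_extension(OLD_PKG), audit_extension(NEW_PKG)))
```

A plain string match only catches unobfuscated references, so an empty result does not show that a package is clean.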



  • @booBot:

    Never ever seen a need to use an extension with Opera v12-and-below. No problem.

    Well, one could just use Firefox without extensions. So, same problem. The problem is the installation of extensions, which Opera and Firefox has at its disposal.

    Now regarding the root privileges:

    1. only the OS/SW maintenance jobs are done by root
      1a) no everyday jobs are done by root
      Software installation (and add-ons ARE software) is purely root's task. Without his clear consent (in the form of installation of said software on user's behalf) NOBODY has rights to touch anything on machine.
      Otherwise it is total chaos.

    Maybe it's because I'm used to running Linux that I think this way, but I'm sure that this applies to other OSs. If you install an extension with root privileges, it gets root privileges to perform what it does. If it does something "bad", then that'll affect the whole system if it has root privileges. If it has user privileges, it'll affect the user (unless the software exploits a privilege escalation bug of some kind). Naturally, one has personal data in the user's domain, so even having a bad extension in that area would be bad, but it wouldn't affect the whole system (or other users on that system).

    I'd reject straight away any extension that demanded of itself root rights. I'm not giving it that power, nor see any reason why it should have that power.

    By following these simple rules, and as it just had transpired - by avoiding FF - I managed to live the malware-free life on my winXP-PRO since 2002 - without any AV.

    Hmm… Windows and no AV? OK. Good luck with that.



  • @Gort:
    Then you could know the difference between the "installed by root" and the "setuid root" bits of code.

    In a secure environment all the code must be installed by root - and owned only by him. The root decides what is allowed to run and by whom. Mortals must be forbidden from altering either OS or SW in it.
    Mortal's rights must be restricted to non-code type of files - strictly within their profiles. No code from non-system folders must be runnable (by mortals).

    In windows (yes, I hate windows as well! :) ) there is no "setuid root" concept. What requires root's powers must be run by root himself.

    You may not believe me, but still it is the fact - I managed to avoid any malware hit for years, and regular forensics proves this.



  • Well… there's always IE11. No extensions allowed there to my knowledge. And I think it's actually quite secure when coupled with Smart Screen filter.



  • @JamesD:

    Well… there's always IE11. No extensions allowed there to my knowledge.

    Extensions for IE11 are called add-ons. Only IE11 for WindowsRT does not support them.



  • @booBot:

    @Gort:
    Then you could know the difference between the "installed by root" and the "setuid root" bits of code.

    In a secure environment all the code must be installed by root - and owned only by him. The root decides what is allowed to run and by whom. Mortals must be forbidden from altering either OS or SW in it.

    Well, it depends on the circumstances. If you run a tight system with many users, and you want full control of your users, then you install your browser and its extensions for system-wide use, where the user can't tamper. If you're a bit more lax and willing to part some trust to your users, you can allow them to install things within their user domains, while keeping system-wide settings out of their reach. If you've got a machine with just one user (for instance, this one I'm typing on), then you can install the browser and its extensions in your own user area. My point is that an extension that demands root installation is an extension that I find untrustworthy by that very demand. I will not be giving an extension the right to root privilege on its say-so and see no reason to give it that privilege escalation.

    You may not believe me, but still it is the fact - I managed to avoid any malware hit for years, and regular forensics proves this.

    No, I believe you, but I do feel you need that "good luck with that", too. ;) I mean, running AV isn't going to be a 100% protection and in many ways can make the user have a false sense of security. The user needs to practise safe browsing, make sure that they don't install anything and everything on a whim, that they remain vigilant, that they shut off any unneeded services (particularly those remotely listening) and other practices. Still, another layer of protection can also be of use, particularly if you slip one of these days.



  • @Gort:
    Still you confuse the "setuid root" (which is dangerous in every OS) with the "owned by root because it was installed by root" (which is perfectly normal and expected).

    In windows (I mean DECENT version of OS, not the 95/98 or "home" ones) no one is able to install anything unless he is root (an admin - in windows-speak).
    All the system folders and their contents belong to administrator. Mortals have no write permission there - only the "read and execute".
    There is no (at least - there were no in winXP and I believe in win7) such a code, running which gives to the one who started it, automatic root powers. If such code is found - it is always considered an exploit, and fixed ASAP.
    There is a code (in windows) that by design requires root's powers, such code is not possible to start for mortals - OS prevents this with the clear error message.

    No matter how many (mortal) users have accounts on a machine - the machine is root's, he and only he is responsible. Only root decides what he installs and allows mortals to run.

    My point is - maybe add-ons per se are not evil, but there must be strict discipline who decides which ones are installed.
    There should be no way for drive-by unintended (by root) installation - which is not unfortunately the case with FF/chrome/chropera.

    When I was admining some unix box, I had all setuid-root programs runnable only for members of "wheels" group, joining which required a password. Some setuid-root programs I knew for sure are safe to give mortals right to start were only startable via "sudo".

    There is safe life without AV - and no luck required, only knowledge, no matter the OS.
    :)



  • But it's a locked-down store, right… somewhat like the way in which Apple locks down what can be added to its devices?

