Beware! Spyware disguised as browser extensions
-
The discovery of more malicious and fraudulent browser extensions is a reminder that you should be cautious when installing these tools in your browser.
-
One of the most popular ones that should definitely be removed is WOT, aka Web Of Trust. It was previously removed over data leak concerns, but after fixing that, is now back in web stores.
The most important problem with it is in its core actually - the ratings are all provided by random users, sometimes even in batches (a user votes for a list of sites at once).
A much better protection for the unsafe sites is a simple content blocker, such as uBlock Origin. Compared to many other "ad blockers", this one does not support "acceptable ads" (which still breach your privacy) and it also blocks various trackers by default.
Another one is Stylish, which was also removed over analytics concerns, but is now back in store. Use Stylus instead.
-
@madiso said in Beware! Spyware disguised as browser extensions:
The most important problem with it is in its core actually - the ratings are all provided by random users, sometimes even in batches (a user votes for a list of sites at once).
The core idea of WOT had a good system in place. It would weigh different users' reports differently. So a score from a long-time user would be more influential than that of a new user.
My big problem with WOT is that because this system requires a login, you are effectively giving a list of websites you visit tied to a unique identifier (at least, the ones you rate).
-
@LonM It doesn't matter how old the user is, though, if it is still based on opinion, not facts.
E.g. a private search engine may get a lower rating due to the (subjective) quality of search results, not privacy.
-
I have long maintained that features should, if possible, be integrated into the browser so that extensions are not required by most users.
I used to use the Grammarly extension, but stopped using it after reading about the privacy implications highlighted in the Vivaldi Blog article — Don't say a Word.
I would like to see proof-reading and auto-correct integrated into Vivaldi: Grammar-check Proof-reader. At least smart quotes would be nice to have.
I realise that there will always be some functions that are best suited to using an extension, but the fewer the better. They can break with updates, and cause conflicts with built-in shortcuts or features.
-
This is certainly a problem. I use quite a few extensions, but I always look at the following points before installing them.
A web page or the author in the description, which I visit to see the impressum. It is a bad sign if neither figures in the store, or the author has no other reference.
I read the opinions of the users, both those of the store and also on the web.
I give preference to OpenSource extensions that, apart from the store, are also available on GitHub.
In general, not only with the extensions, but also with any other software, I always look for all the independent information before installing it. I think it's a good habit.
P.S. Hola VPN is still in the Store (see reviews on the web), just like other "VPNs" with doubtful privacy.
-
@madiso: The only ones I have rated in WOT have been scam or malware sites.
-
@pesala: What I have done in the past is type things up in a word processor and use the spelling & grammar check there before a copy and paste to where it was going.
-
@Chas4 That is not practical for forum posts.
-
Also, choosing which extensions get to work in a private window is another thing to think about.
-
@Pesala I used it all the time back when My Opera was around.
-
I just posted yesterday the trouble I was having with CCleaner remnants in my PC (it had admin privileges that I didn't have a key for). I've gotten in the habit of only using apps from GitHub and F-Droid. I use Open Launcher, AnySoftKeyboard, and Blokada. These help to tremendously cut down on outside app integration with basic necessities (first thing I did to my new Android One phone was replace the Gboard and Moto launcher). I use Blokada on my Fire TV; it does help remove ads. I put it on mom's tablet (she plays card games and such); it blocked over 11,000 integrations the very first week. AnySoftKeyboard has a nice spell check, and many options. I trust AOSP more than Google apps for privacy... they make $ by tracking me, no question about it. I've also come to realize, if I want any privacy... I'll have to go Linux. Just the way things have become...
-
@madiso said:
One of the most popular ones that should definitely be removed is WOT, aka Web Of Trust. It was previously removed over data leak concerns, but after fixing that, is now back in web stores.
The most important problem with it is in its core actually - the ratings are all provided by random users, sometimes even in batches (a user votes for a list of sites at once).
A much better protection for the unsafe sites is a simple content blocker, such as uBlock Origin. Compared to many other "ad blockers", this one does not support "acceptable ads" (which still breach your privacy) and it also blocks various trackers by default.
That does not make sense. WOT was pulled from the store because researchers worked out a flaw in their anonymising of user data. Once that was reported and dealt with like the bug that it was, it was fixed and the problem dealt with.
People continued to freak out because your browsing is sent back to the site.
Yes, that is the whole point of the extension. Every URL you visit is checked, just like Microsoft SmartScreen.
It cannot give you a rating for a site unless it knows you are on the site.
Keeping a local DB would be possible but bulky, slow and not current.
I may be a random user if you insist on that description, but the nature of WOT isn't a site blocker, though it can be. It is a site reviews and opinions site.
Any pages with only ratings and no reviews are not helpful; however, if you find a page is marked red and read the reviews you may quickly find that the site is no threat but is an adult site, or was once hacked but is now clean.
Yes, WOT can be abused, just like all the other so-called "trusted" review sites. Under that reasoning all connections to all review sites should be blocked.
If there is a current threat in the current extension or anonymising system, then please inform google and have it removed.
If there is no threat in the current extension or system, there is no problem.
Google are not going to remove extensions because of properly anonymised data from services that have a clear privacy policy which others have crawled over like maggots on a carcass.
-
@lonm: No actually it does not need you to login or even have an account, unless you want to rate or post reviews.
That is the most anonymous way to use it, or use a different ratings extension which also includes WOT.
Anyone that switches off the browser's own ability to check for bad URLs due to privacy concerns should never install any extension that will check for bad sites, even ones that use VirusTotal.
They do have weighted voting already, but it is driven by numbers, not quality, so yes, they need to rethink who gets votes worth more. Personally I would limit it to users of the forum so admin and the community have an idea of how serious, or maybe how politicised, the voter may be.
-
@Dr-Flay said in Beware! Spyware disguised as browser extensions:
@lonm: No actually it does not need you to login or even have an account, unless you want to rate or post reviews.
That is the most anonymous way to use it, or use a different ratings extension which also includes WOT.
Anyone that switches off the browser's own ability to check for bad URLs due to privacy concerns should never install any extension that will check for bad sites, even ones that use VirusTotal.
They do have weighted voting already, but it is driven by numbers, not quality, so yes, they need to rethink who gets votes worth more. Personally I would limit it to users of the forum so admin and the community have an idea of how serious, or maybe how politicised, the voter may be.
I have used WOT in the past, but only for a short time, as I considered the valuations too subjective. I don't consider it a very useful extension for real security; it can only be indicative, based on particular opinions that may also be self-interested. Not trustworthy.
-
Start the clock counting until Google buy the service that was used to find the info.
CRXcavator.io is the tool the researchers used to join the dots. You can check any extension you have concerns about by name or the unique ID string.
They also have an extension aimed at organisations wishing to audit the extensions in use around the company.
https://crxcavator.io/docs#/crxcavator_gatherer
I wonder if we should consider this service for inclusion in Vivaldi as an optional security feature?
-
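A local version of the audit idea above, as an added example that is not part of the thread or of CRXcavator: it walks a Chromium-style profile's Extensions directory, reads each extension's manifest.json, and lists the permissions that let an extension see or alter what you browse. The directory layout (Extensions/<id>/<version>/manifest.json) is Chromium's; the sample profile and the set of "broad" permissions are my own constructed choices, and a hit means "look closer", not "spyware".

```python
import json
import tempfile
from pathlib import Path

# Permissions that expose browsing activity or page content; illustrative list,
# chosen here to mirror what an extension store auditor would flag first.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs",
                     "history", "cookies", "webNavigation", "declarativeNetRequest"}

def summarize_manifest(manifest):
    """Collect the permission-like fields of an extension manifest (MV2 or MV3)."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))   # MV3 keeps hosts separate
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))          # pages the extension injects into
    broad = sorted(p for p in requested if p in BROAD_PERMISSIONS or p.endswith("://*/*"))
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "manifest_version": manifest.get("manifest_version"), "broad": broad}

def audit_extensions_dir(root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarise each extension."""
    results = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name            # the 32-character store ID
        with open(manifest_path, encoding="utf-8") as fh:
            summary = summarize_manifest(json.load(fh))
        summary["id"] = ext_id
        results.append(summary)
    return results

# Constructed sample profile: one narrowly scoped extension, one that asks for everything.
SAMPLE = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Example Dark Theme", "version": "1.0",
        "manifest_version": 3, "permissions": ["storage"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Example Downloader", "version": "2.3",
        "manifest_version": 3, "permissions": ["tabs", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]},
}

def build_sample_profile():
    """Write the constructed manifests into a temporary Extensions-style tree."""
    root = tempfile.mkdtemp()
    for ext_id, manifest in SAMPLE.items():
        version_dir = Path(root, ext_id, manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        version_dir.joinpath("manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for r in audit_extensions_dir(build_sample_profile()):
        flag = "CHECK" if r["broad"] else "ok"
        print(f"{flag:5} {r['id']} {r['name']} {r['version']}: {', '.join(r['broad']) or '-'}")
```

On a real profile, `name` may come back as a `__MSG_...__` placeholder that the browser resolves from the extension's _locales folder; the ID printed is the same one you would look up on CRXcavator.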
"Anyone using one of the now-suspended 500 extensions will find they’ve AUTOMATICALLY BEEN DEACTIVATED in their browser.
This incident is a double-edged sword. It’s good because these extensions can no longer infect users. BUT IT’S BAD BECAUSE IT IS AN EXAMPLE OF HOW EASY IT IS FOR MALICIOUS EXTENSIONS TO SNEAK IN THE CHROME WEB STORE and stay put for years without Google noticing."
No, it's bad because it shows how easy it is to manipulate your browser. In this case it is ok but what is the certainty that Google will not disable any of the extensions that simply do not suit them?
-
@Fang This^^
Whilst Google used their powers for "good" on this occasion, to remove these extensions, automatic control over user extensions (or other programs) without warning is a worrying thing. I expect my AV to try to do this, of course... but any responsible AV will notify the user first (or preferably ask first).
This type of functionality is slowly creeping into everything - for instance, the Amazon Swindle, amongst its various tracking antifeatures, also allows for remote control of books that the user has "purchased". In a somewhat ironic blunder a few years ago, this led to Amazon accidentally silently wiping all copies of George Orwell's "1984" from their e-readers.
Transparency is key. The correct way to deal with these extensions would be to bring up a notification dialogue informing the reader that the extensions have been disabled, and would they like to remove them. Alternatively, given the fact that Google's parent company also owns VirusTotal, they should simply have submitted the offensive extensions to the research departments of the 60+ antimalware solutions, and let those research departments make the final call on whether the extensions were harmful or not.
Covert behaviour, silently deleting extensions and changing settings at will, leaves too much temptation for the software developer to abuse that power - for instance, deleting any extension that doesn't enhance their business revenue, or extensions/files that are beneficial to people with opposing political views.
I don't mind automatic deletion of malware... but only if I've specifically instructed the software to do such a thing - and only if it notifies me of its actions.
Either you control your software, or it controls you.
-
@Catweazle Yes agreed, my main criteria for extensions are responsiveness and transparency of the developer, and the licence the extension is released under. The ideal situation is a developer who is very communicative, has no obvious conflict of interest, and has released the extension under the GPL.
As a bit of advice for people, I've noticed that a lot of "Youtube download" type of extensions tend to be problematic. Most of the time when I see people having problems, it turns out to be caused by a fake or fraudulent Youtube downloader. As an alternative, I'd suggest looking for the video on Invidious, which sometimes gives a download option, or trying a free and open-source tool such as Youtube-DL.