Beware! Spyware disguised as browser extensions

Pesala

@Chas4 That is not practical for forum posts.

Chas4

Also choosing which extensions get to work in a private window is another thing to think about

Chas4

@Pesala I used it all the time back when My Opera was around.

FoxC

I just posted yesterday, the trouble I was having with CCleaner remnants in my PC (had admin privileges that I didn't have a key for). I've gotten in the habbit of only using apps from github and f-droid. I use Open Launcher, AnySoftKeyboard, and Blokada. These help to tremendously cut down on outside app integration with basic necessities (first thing I did to my new Android One phone was replace the g-board and Moto launcher). I use Blokada on my Fire TV, it does help remove ads. I put it on mom's tablet (she plays card games and such), It blocked over 11,000 integrations the very first week. AnySoftKeyboard has a nice spell check, and many options. I trust AOSP more than Google apps for privacy... they make $ by tracking me, No Question about it. I've also come to realize, if I want any privacy... I'll have to go Linex. Just the way things have become...

Catweazle

@FoxC , (off) on the PC use instead of CCleaner, BleachBit, it is FOSS and it really cleans the system (! it is not for newbees).

Dr.Flay

@madiso said:

One of the most popular ones that should definitely be removed is WOT, aka Web Of Trust. It was previously removed over data leak concerns, but after fixing that, is now back in web stores.

The most important problem with it is in its core actually - the ratings are all provided by random users, sometimes even in batches (an user votes for a list of sites at once)

A much better protection for the unsafe sites is a simple content blocker, such as uBlock Origin. Compared to many other "ad blockers", this one does not support "acceptable ads" (which still breach your privacy) and it also blocks various trackers by default.

That does not make sense. WOT was pulled from the store because researchers worked out a flaw in their anonymising of user data. Once that was reported and dealt with like the bug that it was, it was fixed and the problem dealt with.
People continued to freak out because your browsing is sent back to the site.
Yes that is the whole point of the extension. Every URL you visit is checked just like Microsoft smartscreen.
It cannot give you a rating for a site unless it knows you are on the site.
Keeping a local DB would be possible but bulky, slow and not current.

I may be a random user if you insist on that description, but the nature of WOT isn't a site blocker though it can. It is a site reviews and opinions site.
Any pages with only ratings and no reviews are not helpful, however if you find a page is marked red and read the reviews you may quickly find that the site is no threat but is an adult site, or was once hacked but is now clean.

Yes WOT can be abused, just like all the other so-called "trusted" review sites. Under that reasoning all connections to all reviews sites should be blocked.

If there is a current threat in the current extension or anonymising system, then please inform google and have it removed.
If there is no threat in the current extension or system, there is no problem.
Google are not going to remove extensions because of properly anonymised data from services that have a clear privacy policy which others have crawled over like maggots on a carcass.

Dr.Flay

@lonm: No actually it does not need you to login or even have an account, unless you want to rate or post reviews.
That is the most anonymous way to use it, or use a different ratings extension which also includes WOT.
Anyone that switches off the browsers own ability to check for bad URLs due to privacy concerns should never install any extension that will check for bad sites, even ones that use Virus Total.

They do have a weighted voting already, but it is driven by numbers not quality so yes they need to rethink who gets votes worth more. Personally I would limit it to users of the forum so admin and the community have an idea of how serious, or maybe how politicised the voter may be.

Catweazle

@Dr-Flay said in Beware! Spyware disguised as browser extensions:

@lonm: No actually it does not need you to login or even have an account, unless you want to rate or post reviews.
That is the most anonymous way to use it, or use a different ratings extension which also includes WOT.
Anyone that switches off the browsers own ability to check for bad URLs due to privacy concerns should never install any extension that will check for bad sites, even ones that use Virus Total.

They do have a weighted voting already, but it is driven by numbers not quality so yes they need to rethink who gets votes worth more. Personally I would limit it to users of the forum so admin and the community have an idea of how serious, or maybe how politicised the voter may be.

I have used WOT in the past, but only a short time when considering valuations too subjective. I don't have it for a very useful extension for real security, it can only be indicative, based on particular opinions that may also be interested. Not trustworthy.

Dr.Flay

Start the clock counting until google buy the service that was used to find the info.
CRXcavator.io is the tool the researchers used to join the dots. You can check any extension you have concerns about by name or the unique ID string.
They also have an extension aimed at organisations wishing to audit the extensions in use around the company.
https://crxcavator.io/docs#/crxcavator_gatherer
I wonder if we should consider this service for inclusion in Vivaldi as an optional security feature ?

Fang

"Anyone using one of the now-suspended 500 extensions will find they’ve AUTOMATICALLY BEEN DEACTIVATED in their browser.

This incident is a double-edged sword. It’s good because these extensions can no longer infect users. BUT IT’S BAD BECAUSE IT IS AN EXAMPLE OF HOW EASY IT IS FOR MALICIOUS EXTENSIONS TO SNEAK IN THE CHROME WEB STORE and stay put for years without Google noticing."

No, it's bad because it shows how easy it is to manipulate your browser. In this case it is ok but what is the certainty that Google will not disable any of the extensions that simply do not suit them?

jamesbeardmore

@Fang This^^

Whilst Google used their powers for "good" on this occasion, to remove these extensions, automatic control over user extensions (or other programs) without warning is a worrying thing. I expect my AV to try to do this, of course... but any responsible AV will notify the user first (or preferably ask first).

This type of functionality is slowly creeping into everything - for instance, the Amazon Swindle, amongst its various tracking antifeatures, also allows for remote control of books that the user has "purchased". In a somewhat ironic blunder a few years ago, this lead to Amazon accidentally silently wiping all copies of George Orwell's "1984" from their e-readers.

Transparency is key. The correct way to deal with these extensions would be to bring up a notification dialogue informing the reader that the extensions have been disabled, and would they like to remove them. Alternatively, given the fact that Google's parent company also owns VirusTotal, they should simply have submitted the offensive extensions to the research departments of the 60+ antimalware solutions, and let those research departments make the final call on whether the extensions were harmful or not.

Covert behaviour, silently deleting extensions and changing settings at will, leaves too much temptation for the software developer to abuse that power - for instance, deleting any extension that doesn't enhance their business revenue, or extensions/files that are beneficial to people with opposing political views.

I don't mind automatic deletion of malware... but only if I've specifically instructed the software to do such a thing - and only if it notifies me of its actions.

Either you control your software, or it controls you.

jamesbeardmore

@Catweazle Yes agreed, my main criteria for extensions are responsiveness and transparency of the developer, and the licence the extension is released under. The ideal situation is a developer who is very communicative, has no obvious conflict of interest, and has released the extension under the GPL.

As a bit of advice for people, I've noticed that a lot of "Youtube download" type of extensions tend to be problematic. Most of the time when I see people having problems, it turns out to be caused by a fake or fraudulent Youtube downloader. As an alternative, I'd suggest looking for the video on Invidious, which sometimes gives a download option, or trying a free and open-source tool such as Youtube-DL.

mossman

@FoxC said in Beware! Spyware disguised as browser extensions:

the trouble I was having with CCleaner remnants in my PC (had admin privileges that I didn't have a key for)

As you mentioned this yesterday, I'm a little confused - if you're the owner of the PC then you should have admin rights on at least one user profile. AFAIK CCleaner can't have "higher" rights than a user admin.

Another thing - what do you mean by remnants? Files? Registry keys? AFAIK CCleaner doesn't install anything except in its own folder and an admin user should be able to delete that and any registry keys, soooo....

Catweazle

@jamesbeardmore said in Beware! Spyware disguised as browser extensions:

@Catweazle Yes agreed, my main criteria for extensions are responsiveness and transparency of the developer, and the licence the extension is released under. The ideal situation is a developer who is very communicative, has no obvious conflict of interest, and has released the extension under the GPL.

As a bit of advice for people, I've noticed that a lot of "Youtube download" type of extensions tend to be problematic. Most of the time when I see people having problems, it turns out to be caused by a fake or fraudulent Youtube downloader. As an alternative, I'd suggest looking for the video on Invidious, which sometimes gives a download option, or trying a free and open-source tool such as Youtube-DL.

I use VLC for download Videos in streaming.

FoxC

Sorry so long to reply, I was aggrivated with the beta yesterday. For some reason the screen touch is out of sync with the display (about 3/16 inch lower than where I tap). Also affects copy and paste function. Yes, The CCleaner had files in C: System that I could not access. They were granted group admin rights that I was not allowed to access. I still have that issue with Recuva in the system, which is a recovery app developed by the same company. From what I can gather (once again, the way indexing works now... It's really hard to find relative results), Recuva is not a Windows native program. Thing is, after removing "remnants" from the registry files, app install and uninstall files from system files, along with multiples from TEMP and %temp%, then restoring Windows back to original state... I still can not access the Recuva files without a group admin key! This kind of thing bothers me, I've only been slightly learning about programming for a few years on my own. I'm a mechanical genius (atleast the military said so), but before NAFTA and EPA killed my career as a textile machine tech., I never had time to learn. I'm 56 now, grew up when you weren't allowed to have a calculator at school, and typed on a manual machine. This is the only reason I joined the beta community. I can download FF and jump into about:config, and make changes that have the same function as most of the add ons people install. It's really time consuming, but actually improves the speed. JavaScript has to have a switch though. Sorry about run-on sentances, I type like I think... it's the artist/poet in me, I tend to ignore the norm. Thanks for the replys...

FoxC

Forgot to mention, the CCleaner version that was installed, was the one that was security breached! It was installed years ago...

iAN CooG

@FoxC said in Beware! Spyware disguised as browser extensions:
[snip wall of text, tl;dr]

I tend to ignore the norm

don't be surprised then when you find out people tend to ignore what you write

fofo

@fang: Exactly my concern. I wouldn't cosider it a bad thing if they are disabled with/after an autoupdate. I WOULD consider it a bad thing if it's done live.

fofo

My concern is also on own the extensions are deactivated.
I wouldn't cosider it a bad thing if they are disabled with/after an autoupdate.
I WOULD consider it a bad thing if it's done live.

AsterX

This would be the point where Vivaldi should check what features the users are missing and installing extensions instead.
E.g. it would be high time to give us Proxy settings, and per-side Referer control, as two very important privacy tools, or at least the basic functionalities of the Stylish and Tampermonkey extensions, RSS feeds and an 'immediately navigate to site on URL pasting in page' like they could be found in Opera IIRC…

Mabye also some 'download all links of type XX' of a site, Poper Blocker functionality and an enhanced version of the image properties built-in, showing more information and working locally via JS?

Just have a look of the most popular extensions for FireFox/Chromium and go, build them in