Security Sunday
January 26, 2014 10:56 AM   Subscribe

Ars Technica reports on malicious extensions on the Chrome web browser, which install advertising-based malware that hijack links and inject ad content. Further speech recognition exploits (source) leave open the opportunity for malicious sites to record sound captured by the user's web browser without permission.
posted by Blazecock Pileon (30 comments total) 13 users marked this as a favorite
 
Oh swell, and Google's solution for this problem is coming in June.
posted by JHarris at 11:12 AM on January 26, 2014 [1 favorite]


Isn't this endemic of all App Stores that distribute considerable closed source software too? At least Chrome extensions must be written in JavaScript, potentially exposing the malicious code. We've like zero chance with malicious iOS and Android Apps.

Android users could partially protect themselves by restricting themselves to open source software. And ideally replacing their carriers scuzzy distribution Android with CyanogenMod. iOS users have fewer options.
posted by jeffburdges at 11:13 AM on January 26, 2014


Uh no, the article talks about a specific problem involving auto-updating extensions and transferals of ownership of those extensions. The closed or open status of the source code is irrelevant.
posted by kiltedtaco at 11:25 AM on January 26, 2014 [6 favorites]


> Isn't this endemic of all App Stores that distribute considerable closed source software too?

Probably not, because the exploit is a product of how loosely code signing is managed in the Chrome Store. Visibility of the code doesn't matter, because it's Javascript and totally visible. The code will be perfectly benign up until some unannounced moment that it gets updated and goes batshit on you.

Arguably OSS code is safer because many eyes will keep attempts to sneak in code to a minimum, but that assumes any given extension's repo is managed responsibly and has sufficient involvement from sufficient numbers of knowledgeable people to ward off janky-ass updates.
posted by ardgedee at 11:32 AM on January 26, 2014 [3 favorites]


Visibility of the code doesn't matter, because it's Javascript and totally visible.

But this is the point...you have no idea if such an exploit exists right now in safari, or your android browser. At least when the code is available, someone, somewhere is probably going to poke through it.
posted by maxwelton at 11:50 AM on January 26, 2014


What killedtaco said. I was using an extension called Awesome New Tab, Page, which let you configure the new tab page in awesome ways, for several months. At some point, the extension was sold, and after that I started seeing product ads inserted under random images (the products featured were context related). Evil.

I had no idea of the source, so resorted to uninstalling extensions until I found the culprit. Google has to get in front of this.
posted by notyou at 11:57 AM on January 26, 2014 [2 favorites]


you have no idea if such an exploit exists right now in safari

It's clear you didn't read the article, because the "exploit" is "someone buys the extension and turns it into malware before anyone notices".
posted by kiltedtaco at 12:01 PM on January 26, 2014 [3 favorites]


I had no idea of the source, so resorted to uninstalling extensions until I found the culprit. Google has to get in front of this.

What got me was how Chrome syncs itself across installations, amplifying the problem.
posted by Blazecock Pileon at 12:10 PM on January 26, 2014 [4 favorites]


Virus scanners are unlikely to flag ad-injecting JavaScript as malicious. Extensions are synced to your Google account, which means that even wiping out a computer and reinstalling the OS will not remove the malware—signing-in to Chrome will just download it again. The only way to be rid of the malware is to find the extension in chrome://extensions and remove it—and to make sure the removal gets propagated to your account and down to all your other devices.
posted by double block and bleed at 12:12 PM on January 26, 2014


*DRINK MORE COKE*

Personally I think this is over-blown.

*DRINK MORE COKE*
posted by ZenMasterThis at 12:15 PM on January 26, 2014 [7 favorites]


I have always gone in and disabled access to my camera and microphone in browsers. I'm only a little bit paranoid, but I just see so little benefit and such a high likelihood of misuse. If anything, I'm surprised it took this long to find an exploit.

Even with Siri on the iPhone, the only times I've found it useful at all where when my hands were full, or when I was using Maps while driving.
posted by KGMoney at 12:20 PM on January 26, 2014


Why do they even need an exploit? Almost all android apps ask for permission for everything including permission to date your mother anyway.
posted by srboisvert at 12:43 PM on January 26, 2014 [5 favorites]


It's clear you didn't read the article, because the "exploit" is "someone buys the extension and turns it into malware before anyone notices".

Hate to burst your bubble, but I did read the article. Perhaps you didn't read it either?

There are at least two exploits mentioned: the more serious one is a bug is a JS library which allows unfettered access to a computer's microphone (this one is not dependent on someone buying the extension, hopefully you can see that). It should be noted that the buying of an existing extension is a convenience factor, not a necessity. You could have a "fart app" written from the get-go to trigger unwanted ads/eavesdropping whenever the creator decided their user base was large enough.

The other is more of a "capitalistic" exploit, in that corporations and people love money and generally will do anything in their power to get more...up to and including selling their product to third-parties who then insert their crapware into the formerly decent product, or buying a decent product under false pretenses to gain access to an established userbase. And, of course, our giant corporations--sitting on so much money they don't know what to do with (something which is somehow celebrated by their fans like it's anything other than a huge "yur dumb" middle finger held aloft), yet are completely willing to look the other way while this shit goes down, as long as they continue to bank fat stacks.

My point, underlining one made above it, is when the code can be examined, at least the general public has a chance to discover these shenanigans eventually.
posted by maxwelton at 12:53 PM on January 26, 2014 [1 favorite]


"Why do they even need an exploit? Almost all android apps ask for permission for everything including permission to date your mother anyway."

Joke's on them, Mom passed away back in '86.

yes, I'm ashamed of myself....
posted by HuronBob at 1:08 PM on January 26, 2014 [1 favorite]


"Eventually" is too late. The problem is that signed, previously trusted code is suddenly not trustable.

Nobody will feel prompted to examine a given extension until after it's propagated and installed. Any investigation will not be to prevent harm, but to learn how the harm had been done.
posted by ardgedee at 1:10 PM on January 26, 2014


maxwelton: When the code can be examined, at least the general public has a chance to discover these shenanigans eventually.

ardgdee: "Eventually" is too late. The problem is that signed, previously trusted code is suddenly not trustable.

Yeah, exactly. The only time that many people might look at source code in detail would be when it was first introduced, or when there's a major feature announcement. (And I would bet that the average Chrome extension is *never* examined by anyone outside the development team.)

So someone can now buy a perfectly functional extension, modify it maliciously, and rely on Chrome's auto-update mechanism to propagate it across all the devices signed into a given account.

What is more likely:
(a) the user decides to do daily code audits on each of his browser extensions, or
(b) the user says %#$& it and switches to Safari or Internet Explorer?

Chrome has a big problem here and they should fix it fast.
posted by RedOrGreen at 1:35 PM on January 26, 2014 [2 favorites]


Fuck.

And bloody Opera, my browser of choice since 1996 (!) has been chromified. Guess I'd better switch to Firefox completely then...
posted by MartinWisse at 1:43 PM on January 26, 2014


My point, underlining one made above it, is when the code can be examined, at least the general public has a chance to discover these shenanigans eventually.

But neither of the issues you described depend on the code to either the browser or the extension to be closed source. I see no reason why anyone would detect that an extension had become crapware any faster if it was open source than they would already notice just by "hey what's all this crap" in their browser. The flaw in the trust model is independent of the source code.

There are certainly situations in which the availability of the source code is a significant factor in ensuring security, but this is not one of them.
posted by kiltedtaco at 2:24 PM on January 26, 2014 [1 favorite]


I got bitten by this by HoverZoom. The scariest part of this "buy extensions and update them" attack is the potential damage could be much worse than showing some ads.

I'm unclear from what I've read; to what extent is the extension update risk specific to Chrome? I'd think it would affect all browsers with extensions; some sort of update mechanism has to be allowed. Firefox has a policy of reviewing add-ons, how effective is it in practice?
posted by Nelson at 2:37 PM on January 26, 2014


Preferences -> Settings -> Content Settings -> Media -> Do not allow sites to access my camera and microphone
posted by gwint at 2:49 PM on January 26, 2014


Why do they even need an exploit? Almost all android apps ask for permission for everything including permission to date your mother anyway.

Ugh, ain't that the truth. I wanted to use my bank's Android app so I could deposit checks by taking pictures of them, but the damned thing wanted permission to rifle through my contacts list and make phone calls autonomously, on my behalf. Fuck. That.
posted by indubitable at 3:03 PM on January 26, 2014 [2 favorites]


Oh swell, and Google's solution for this problem is coming in June.

Google is probably just annoyed they didn't think of it.
posted by Mezentian at 6:03 PM on January 26, 2014 [1 favorite]


Preferences -> Settings -> Content Settings -> Media -> Do not allow sites to access my camera and microphone

I'm not finding "content" (osx)..?
posted by HuronBob at 6:58 PM on January 26, 2014


What got me was how Chrome syncs itself across installations, amplifying the problem.

This doesn't happen by default. You, as a user, have to explicitly sign in to your Chrome browser to make this happen.

On a slightly tangential note, Chrome can be managed in a corporate environment so that users can only install approved extensions (or no extensions at all). Of course, it's still possible for an extension to be approved, then purchased by a third party and modified to become malicious, but administrators could at least remove the extension for everyone using a managed Chrome browser.
posted by me & my monkey at 8:34 PM on January 26, 2014


I hadn't thought of this exact attack vector, but I'll certainly say that I've always been uncomfortable with extensions for the reason that there was no way to control them turning malicious.

The only extensions I use are AdBlock Plus and Ghostery, and have avoided any 'convenience' extensions because I didn't trust the whole mechanism.

I tend to be security-conscious, and am constantly becoming even more so. I always have the feeling that I'm just being paranoid, but then I find out my worries were justified.

It's getting to the point that I'm always going to run a browser in private mode, and only go online from within a VM snapshot.
posted by Ickster at 9:11 PM on January 26, 2014


I'm not finding "content" (osx)..?

Click "Show advanced settings..." and then look for the Privacy heading. The button is under there.

You can also search for 'microphone' in the top right of the Settings screen and it'll point it out.
posted by raena at 9:49 PM on January 26, 2014


raena...thanks...found it..
posted by HuronBob at 10:57 PM on January 26, 2014


I don't use a lot of chrome extensions, but it would have been really nice if the author would have listed extensions that are known to have been exploited. It is one thing to talk about how this is a systemic issue and *any* extension could be misappropriated, but surely there are some actual bad ones today we could know about.

My browser is acting normally, so I presume I don't have any bad extensions. Would've been nice to see a list though.
posted by dgran at 12:19 PM on January 27, 2014


This Reddit discussion includes a list of allegedly compromised extensions. I don't know if the list is accurate. Add to Feedly, AwesomeNewTabPage, ChromeReload, CrxMouse, Hola Unblocker, HoverZoom?, Neat Bookmarks, ScrollToTopButton, SmoothGestures, Smooth Scroll, Translate Selection, Tweet This Page, Webpage Screenshot Capture, Window Resizer, Youtube Ratings Preview.

Just because your browser appears to be acting normally doesn't mean you're OK. One thing these malware vendors are being paid to do is simply track a user, presumably for ad targeting down the road or some more nefarious attack. Also some malware just replaces existing ads with other ones, that's a lot harder to notice than ham-fistedly popping up ads everywhere like the early malware did.
posted by Nelson at 12:38 PM on January 27, 2014 [2 favorites]


NSA, GCHQ Spying On Angry Birds And Lots Of Phone Apps: Time For Mobile Security To Up Its Game
At least Apple apparently collaborated with them too because "iOS implantation always succeeds".
I'd imagine any phone from AT&T, Verizon, etc. comes weakened as well.

posted by jeffburdges at 5:08 PM on January 27, 2014


« Older Neil Young at the GRAMMY Producers & Engineers...   |   Enhance 57 to 19. Track 45 left. Stop. What the...... Newer »


This thread has been archived and is closed to new comments