
posted by LaminatorX on Sunday December 07 2014, @06:12AM   Printer-friendly
from the CAN-ANYONE-REPLICATE-THIS? dept.

There is a gaping security flaw in the Chrome browser and I don't know what to do about it.

What happened was I wrote a couple of simple HTML5 pages and uploaded them to my web host. While testing them in Chrome on OSX, a new tab opened claiming I wasn't running the latest Chrome browser (I was). The URL had some random-letter .info address, so I was suspicious but decided to play along a little, where I was invited to download setup.exe (yes, on a Mac).

Had I been on Windows this might have been almost plausible.

So where had this tab come from, as I only had my page open at the time?
Well, it was my page! Looking at the source in the browser, it was identical to the source I had written. However, downloading the webpage complete through the browser also downloaded app.js, and when I loaded the HTML into my editor I found the header had acquired two additional JavaScript files and an additional CSS file.

This was also the case on Linux Mint with the Chrome browser, but not with Firefox. With some googling I found one link was Privacy Badger, and I joined the mailing list to find out they inject code into webpages to replace the Facebook like buttons. But the other 2 were not theirs.

In the meantime I found removing the Privacy Badger extension removed their injection but not the other 2.

So at this point I removed all extensions from Chrome and it removed the other 2 injections.

It seems conclusive to me at least that Google's extension repository is not to be trusted.

While I was targeted with Windows malware of some description, a little more work could have pushed a dmg or deb or rpm file instead.

To be fair the possibilities are endless; it would be fairly easy to log all of a person's web activity, even the emails they write, with these trojan extensions. Trouble is, people trust Google's repository, but Google can't really be maintaining any security if this is occurring.

I am very worried about this, as so many people use Chrome, and extensions are for the most part cross-platform.
If you install an extension on one platform, and you log in to Google on another using Chrome, your extensions get synced and that security hole is now on your Linux box or OSX box.

So what should be done about this?

  • (Score: 3, Insightful) by sjames on Sunday December 07 2014, @06:25AM

    by sjames (2882) on Sunday December 07 2014, @06:25AM (#123407) Journal

    Figure out which extension is responsible using a binary search. Then report (or attempt to report) it to Google. Tell us which extension did the deed and let us know how/if Google handles it.

    • (Score: 2) by kaszz on Sunday December 07 2014, @10:03AM

      by kaszz (4211) on Sunday December 07 2014, @10:03AM (#123447) Journal

      Better to publish it right away, or perhaps wait a few days. Otherwise various light-shy organizations will exploit it for nefarious objectives.

    • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @10:50AM

      by Anonymous Coward on Sunday December 07 2014, @10:50AM (#123450)

      Stop running proprietary software?

      • (Score: 1) by Rosco P. Coltrane on Sunday December 07 2014, @07:50PM

        by Rosco P. Coltrane (4757) on Sunday December 07 2014, @07:50PM (#123529)

        I hate and distrust Google as much as the next guy, but honestly, on what basis do you trust Firefox more than Chrome? Have you audited the FF codebase? Have you audited ANY open-source application that you use? Has anybody else really audited any major FOSS application seriously?

        Having said that though, what's certain is that Google - the developer of Chrome - doesn't have the users' interests in mind, while Mozilla - the developer of FF - supposedly does. But that's a pretty weak reason to trust one over the other if you ask me...

      • (Score: 2) by maxwell demon on Sunday December 07 2014, @10:16PM

        by maxwell demon (1608) on Sunday December 07 2014, @10:16PM (#123559) Journal

        If it was an extension doing it, then Chrome is not to blame for that one. An extension can do just about everything in Firefox too.

        The error was to assume that just because the extension repository is managed by Google, all extensions found there must be trustworthy.

        The same error you might make for addons.mozilla.org, of course.

        Downloading and installing a random browser extension from the net is exactly equivalent to downloading and running a random program from the net, as far as security is concerned.

        --
        The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by Teckla on Monday December 08 2014, @05:07PM

        by Teckla (3812) on Monday December 08 2014, @05:07PM (#123774)

        Stop running proprietary software?

        Web browsers have become too big and too complex to trust them, full stop. Proprietary, open source, it doesn't matter.

        Putting on my tinfoil hat for a moment, I wonder if certain powers encourage this size and complexity, because it allows them to exploit the inevitable flaws.

  • (Score: -1, Troll) by Anonymous Coward on Sunday December 07 2014, @07:25AM

    by Anonymous Coward on Sunday December 07 2014, @07:25AM (#123416)

    A lot of Chrome extensions are risky to use. I experienced something similar to what the OP talked about with some highly rated addons that were serving advertisements even in the options page for the addon itself; not only were there ads, but they were mixed in with the settings. I honestly hate the fact that remote ads in addons are even a thing, because what happens when the developer goes full jew and decides to start serving pay per install ads (malware), or the CDN serving ads gets hacked and begins distributing 0days (happens all the time)? You get pwned by your own browser without having to do anything. Of all the years of me using Firefox (Firebird, even), I have never encountered such a shitty policy of policing bad addons like I have with Chrome.

    Google really needs to get their shit together if they ever want Chrome to be considered even remotely secure. The fact that addon developers are even allowed to do such things is disgusting, and until that changes I will continue using Firefox.

    • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @08:22AM

      by Anonymous Coward on Sunday December 07 2014, @08:22AM (#123427)

      ...because what happens when the developer goes full jew and decides to start serving pay per install ads (malware) ,...

      In one account, one Jew [biblehub.com] does not fit that stereotype. [biblegateway.com]

      • (Score: 2, Insightful) by dlb on Sunday December 07 2014, @03:20PM

        by dlb (4790) on Sunday December 07 2014, @03:20PM (#123477)

        I was reading the above AC post until I got to that slur and stopped. There are 7+ billion people in the world, half of them with above average intelligence. No one needs to waste their time on those who by design have stunted intellects. Not when there are so many articulate others out there with keen minds and good ideas to share.

        • (Score: 1) by linuxrocks123 on Sunday December 07 2014, @06:30PM

          by linuxrocks123 (2557) on Sunday December 07 2014, @06:30PM (#123513) Journal

          No one needs to waste their time on those who by design have stunted intellects.

          You mean, in your view, he went full retard?

        • (Score: 0, Troll) by Ethanol-fueled on Sunday December 07 2014, @11:38PM

          by Ethanol-fueled (2792) on Sunday December 07 2014, @11:38PM (#123588) Homepage

          Yes, see one word and totally ignore everything else, because you're totally righteous, aren't you? I bet your shit smells like Aqua di Gio.

          • (Score: 0) by Anonymous Coward on Monday December 08 2014, @12:52AM

            by Anonymous Coward on Monday December 08 2014, @12:52AM (#123604)

            I think it's funny that your name has a gold star next to it.

            • (Score: 1) by Ethanol-fueled on Monday December 08 2014, @01:11AM

              by Ethanol-fueled (2792) on Monday December 08 2014, @01:11AM (#123607) Homepage

              Reveal yourself, grand decider, who decided that somebody cannot enjoy and support a website* because they say, "Fuck" every now and then.

              And, for the record, there are far worse slurs than "Jew."

              * Disclaimer: a subscription does NOT constitute an endorsement by the staff of anybody who misbehaves on the site, gold star or not. They have their own ways of dealing with those. Anybody can buy a subscription, especially Jews. In fact, Jews pioneered the use of the gold star and even wore it on their clothing for awhile.

              • (Score: 0) by Anonymous Coward on Monday December 08 2014, @02:32PM

                by Anonymous Coward on Monday December 08 2014, @02:32PM (#123727)

                I dub thee Fucktard Extraordinaire!

            • (Score: 0) by Anonymous Coward on Monday December 08 2014, @02:46PM

              by Anonymous Coward on Monday December 08 2014, @02:46PM (#123733)

              Why is it funny? He has a vested interest in the web site to remain operative, so he can continue to troll on it. There are two ways to help the web site: By posting valuable content (which apparently is out of question for him) and by donating money.

              Or maybe you thought he should be out of money because he spent all of it for ethanol? ;-)

      • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @05:20PM

        by Anonymous Coward on Sunday December 07 2014, @05:20PM (#123503)

    • (Score: 2) by kaszz on Sunday December 07 2014, @10:00AM

      by kaszz (4211) on Sunday December 07 2014, @10:00AM (#123446) Journal

      The extension could demand that all CDN served ads are signed with its authorization key?

      (and Google should isolate extensions from the core browser in the way the kernel keeps userland out)

  • (Score: 2) by RedBear on Sunday December 07 2014, @07:45AM

    by RedBear (1734) on Sunday December 07 2014, @07:45AM (#123421)

    Seems like a simple process of elimination would tell you which specific extension was attempting to spread malware, if indeed that is what it was trying to get you to install. It may have simply been "adware" trying to sell you something or inject ads into your pages. Still malware by most definitions, but oftentimes more of an annoyance than some huge malicious security risk. Without knowing more about the relevant extension's stated purpose and origin it is difficult for anyone to replicate the issue, and replication is important prior to having any sort of meltdown about Google's entire extension library being "compromised".

    This does not seem the proper forum to be talking about one individual's unverified security issue with some unnamed Chrome extension, which, being unnamed, we can't even verify as having originated in Google's official extension library in the first place.

    --
    ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
    ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ

    • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:27AM

      by Anonymous Coward on Sunday December 07 2014, @09:27AM (#123433)

      He can upload the setup.exe file to Virus Total [virustotal.com] and they'll identify what the malicious executable is. Not that any misleading information or automatic download is acceptable, but knowing more information about this incident is important.

      • (Score: 1) by blackest_k on Sunday December 07 2014, @12:36PM

        by blackest_k (2045) on Sunday December 07 2014, @12:36PM (#123454)

        I made a mistake in deleting out all the extensions on Chrome, which makes finding it again tricky.
        However, one safe example is Privacy Badger. Make a simple webpage, upload it to a host, load it into Chrome, and choose View Source; it looks identical to what you wrote. Now save the page as "webpage, complete". Check to see what is in the folder and the source of the downloaded webpage. You should find that there are additions to that HTML.

        With Privacy Badger it's to remove Facebook like buttons. That I think we can live with.
        However, I found app.js downloaded as part of my page, and other injections which I haven't been able to identify fully; I am not a security expert.

        <script type="text/javascript" src="http://www.youradexchange.com/ad/display.php?r=32796"></script>
        This line was in my header; can you tell me what it does?

        http://jsbeautifier.org/ [jsbeautifier.org] will clean it up a bit. There are a few URLs in there; the first one is hotchatdate.com and a bot called evie.

        Anyone care to investigate?
        app.js can be found at http://jsbin.com/jehikazapu/1/edit?js [jsbin.com]

        the youradexchange link is pasted at http://jsbin.com/xudehusowa/1/edit?js,output [jsbin.com]

        Hope someone can make some sense out of this. These injections are client-side and have to be from extensions installed in Chrome. They have a brilliant propagation method, as every time you log in to Google using Chrome your extensions come with you.

        • (Score: 2) by pkrasimirov on Sunday December 07 2014, @12:54PM

          by pkrasimirov (3358) Subscriber Badge on Sunday December 07 2014, @12:54PM (#123462)

          Did you use HTTPS? You know some ISPs deliberately inject bullshit into your HTML when you transfer it in plaintext over the web.

          • (Score: 2, Informative) by blackest_k on Sunday December 07 2014, @01:40PM

            by blackest_k (2045) on Sunday December 07 2014, @01:40PM (#123468)

            It was HTTP. However, I did experiment with Firefox to see if it had similar results, but with Firefox everything was normal.

            I did a few downloads with Chrome on OSX and Linux Mint, and the injections were there.

            href="chrome-extension://pkehgijcmpdhfbdbbnkijodmdjhbjlgp/skin/socialwidgets.css" was injected by Privacy Badger on Chrome.

            It was by googling pkehgijcmpdhfbdbbnkijodmdjhbjlgp that I found it belonged to Privacy Badger. I joined the mailing list and was told it was injected into all pages to remove Facebook like buttons from pages.

            While that is harmless (it's from the EFF; they must be trustworthy), it does demonstrate that it is possible to inject from a Chrome extension.

            If you have Privacy Badger installed in Chrome you can see it for yourself: just hit Ctrl-S and download this page; the last item in the page header will be

            <link rel="stylesheet" type="text/css" href="chrome-extension://pkehgijcmpdhfbdbbnkijodmdjhbjlgp/skin/socialwidgets.css">

            Now try Ctrl+U to view the page source of this web page and look at the end of the header: that link is not in the page.

            Try it in Firefox; you will see that there is no injection there.

            A stylesheet is harmless, but JavaScript has much more potential to wreak havoc. I knew that I did have the latest version of Chrome on OSX. I also know that I wouldn't be getting directed by Google to download Chrome from a .info site. I also know you don't run a web installer called setup.exe on OSX. However, most people are not that aware.

            I can only suggest that people do a simple test: save this web page now in Chrome, open up the HTML page and see what is at the bottom of the header. Is there a file called app.js? Is there a URL for youradexchange.com?
            If so, you have a malicious extension installed.

            I don't think it will be just one extension that does this, so it really needs to be a group effort.
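The "save the page, then compare with View Source" check that blackest_k describes above (and in the earlier post on Privacy Badger) can be automated. The following is an added example, not code from the thread: it takes the HTML the server actually sent and the HTML the browser ended up with, and lists the `<script>`/`<link>` resources that exist only in the rendered copy, tagging each as extension-packaged, same-origin or third-party. The sample HTML strings and the `http://example.invalid` origin are constructed for the demonstration.

```javascript
// Added example: detect client-side injected resources by diffing served HTML
// against rendered HTML. Anything present only in the rendered copy was added
// after the server responded (an extension, or an ISP rewriting plain HTTP).

// Matches <script src=...> and <link href=...>; good enough for saved pages.
const RESOURCE_RE = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Collect every external resource a piece of HTML references.
function extractResources(html) {
  const found = [];
  for (const m of html.matchAll(RESOURCE_RE)) {
    found.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return found;
}

// Classify where an injected resource is loaded from.
function classify(url, pageOrigin) {
  if (url.startsWith('chrome-extension://') || url.startsWith('moz-extension://')) {
    return 'extension';                 // file packaged inside an extension
  }
  try {
    const u = new URL(url, pageOrigin); // relative URLs resolve against the page
    return u.origin === new URL(pageOrigin).origin ? 'same-origin' : 'third-party';
  } catch {
    return 'unparseable';
  }
}

// Resources present in the rendered DOM but absent from the served source.
function findInjected(servedHtml, renderedHtml, pageOrigin) {
  const served = new Set(extractResources(servedHtml).map(r => r.tag + ' ' + r.url));
  return extractResources(renderedHtml)
    .filter(r => !served.has(r.tag + ' ' + r.url))
    .map(r => ({ ...r, source: classify(r.url, pageOrigin) }));
}

// Constructed sample: the page as written, and the copy saved from the browser
// with the two injections the thread mentions plus a relative app.js.
const SERVED = `<html><head><title>test</title>
<link rel="stylesheet" href="/style.css"></head><body>hi</body></html>`;
const RENDERED = `<html><head><title>test</title>
<link rel="stylesheet" href="/style.css">
<script type="text/javascript" src="http://www.youradexchange.com/ad/display.php?r=32796"></script>
<script src="app.js"></script>
<link rel="stylesheet" type="text/css" href="chrome-extension://pkehgijcmpdhfbdbbnkijodmdjhbjlgp/skin/socialwidgets.css"></head><body>hi</body></html>`;

// In a browser console the live check is:
//   fetch(location.href).then(r => r.text()).then(src =>
//     console.table(findInjected(src, document.documentElement.outerHTML, location.origin)));
console.table(findInjected(SERVED, RENDERED, 'http://example.invalid'));
```

A "same-origin" hit for a relative URL such as app.js still deserves a look: it only means the path resolves under your own site, not that your server ever served it.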

            • (Score: 2) by pkrasimirov on Sunday December 07 2014, @01:50PM

              by pkrasimirov (3358) Subscriber Badge on Sunday December 07 2014, @01:50PM (#123470)

              Maybe the attackers had hard time keeping up-to-date with Firefox versions so they just abandoned the extension? Just kidding :)

              Sorry, I've got no Chrome and I don't plan to have it.

            • (Score: 1, Informative) by Anonymous Coward on Sunday December 07 2014, @01:51PM

              by Anonymous Coward on Sunday December 07 2014, @01:51PM (#123471)

              FWIW, according to your post, the privacy badger injection pulls javascript from the extension itself, not some random website. I'm not an extension developer, but my understanding is that "injecting" javascript like that is standard operating procedure for tons of extensions. Probably on firefox too.

              While I am sure the extension API could be (probably already does) enforce "local" injections, I think that it is impossible to enforce in the general case because any extension that can rewrite a web page on the fly could insert random URLs simply as text.

            • (Score: 2, Informative) by blackest_k on Sunday December 07 2014, @04:43PM

              by blackest_k (2045) on Sunday December 07 2014, @04:43PM (#123495)

              http://lp.down2208.info/player/LP5_1/?pid=2777&distid=24601&clickid=ub2a7fe855470ce7ecfedd21ef# [down2208.info] The page opened on OSX (VirusTotal has just Bitdefender recognising it as a malware site).

              setup.exe is identified by 8 AV programs:

              AVG Generic.106 20141207
              Avast NSIS:OutBrowse-AH [PUP] 20141207
              DrWeb Trojan.OutBrowse.1 20141207
              ESET-NOD32 Win32/OutBrowse.BK 20141207
              K7AntiVirus Unwanted-Program ( 004b04b21 ) 20141205
              K7GW Unwanted-Program ( 004b04b21 ) 20141205
              McAfee Adware-OutBrowse.c 20141207
              McAfee-GW-Edition BehavesLike.Win32.Downloader.hc

              I'm pretty sure this constitutes a problem.

              • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:27PM

                by Anonymous Coward on Sunday December 07 2014, @09:27PM (#123548)

                Which extensions did you have installed when this happened?

              • (Score: 1) by Urlax on Sunday December 07 2014, @09:53PM

                by Urlax (3027) on Sunday December 07 2014, @09:53PM (#123554)

                I don't get the problem.

                Switching out ads, or inserting them on somebody else's domain, violates your trust in that domain. From serving ads to serving viruses is just a minor step if you're already screwing the end user.
                If the developer violates your trust by being dishonest or even impersonating someone else, the extension itself is by definition malware.

                So the whole article boils down to 'malware in extension store', which is also true for Firefox, and maybe others.

        • (Score: 2, Informative) by Urlax on Sunday December 07 2014, @09:21PM

          by Urlax (3027) on Sunday December 07 2014, @09:21PM (#123547)

          That link looks like a bog-standard referrer link. You see the ad, the developer gets paid. (In fact, the developer probably has account number 32796.)
          It loads a JavaScript file, in which the account info is embedded, so the server generates ads on the fly, based on the advertiser.

          (In this case the advertiser is not the site you visit, but the plugin/extension programmer. He 'stole' the ad space by injecting his .js file.)

          My father-in-law suddenly had Green Double Underlined adware after installing the 'video download helper' extension in Firefox. It's the same thing; any extension has access to the page in order to work. Chrome even mentions this during install: "this extension can "access your data on all websites""