There is a gaping security flaw in the Chrome browser and I don't know what to do about it.
What happened was I wrote a couple of simple HTML5 pages and uploaded them to my web host. While testing them in Chrome on OSX, a new tab opened claiming I wasn't running the latest Chrome browser (I was). The URL had some random-letter .info address, so I was suspicious, but I decided to play along a little, where I was invited to download setup.exe (yes, on a Mac).
Had I been on Windows, this might have been almost plausible.
So where had this tab come from, as I only had my page open at the time?
Well, it was my page! Looking at the source in the browser, it was identical to the source I had written. However, downloading the webpage complete through the browser also downloaded app.js, and when I loaded the HTML into my editor I found the header had acquired two additional JavaScript files and an additional CSS file.
This was also the case on Linux Mint with the Chrome browser, but not with Firefox. With some googling I found one link was Privacy Badger, and I joined the mailing list to find out they inject code into webpages to replace the Facebook like buttons. But the other 2 were not theirs.
In the meantime, I found removing the Privacy Badger extension removed their injection but not the other 2.
So at this point I removed all extensions from Chrome and it removed the other 2 injections.
It seems conclusive to me at least that Google's extension repository is not to be trusted.
While I was targeted with Windows malware of some description, a little more work could have pushed a dmg or deb or rpm file instead.
To be fair, the possibilities are endless; it would be fairly easy to log all of a person's web activity, even the emails they write, with these trojan extensions. Trouble is, people trust Google's repository, but Google can't really be maintaining any security if this is occurring.
I am very worried about this, as so many people use Chrome and extensions are for the most part cross-platform.
If you install an extension on one platform and you log in to Google on another using Chrome, your extensions get sync'd and that security hole is now on your Linux box or OSX box.
So what should be done about this?
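The comparison described in the submission (authored file versus the copy saved with "Webpage, Complete") can be automated. The following is an added example, not part of the original post: it lists the script and stylesheet references that appear only in the browser-saved copy. The file names and sample HTML are constructed, and it assumes the saved copy rewrites resource URLs into a local `_files` directory, so names are compared without their paths.

```python
from html.parser import HTMLParser
from posixpath import basename
from urllib.parse import urlsplit


class ResourceCollector(HTMLParser):
    """Collect external script and stylesheet references from an HTML document."""

    def __init__(self):
        super().__init__()
        self.resources = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            self._add("script", a["src"])
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            self._add("stylesheet", a["href"])

    def _add(self, kind, url):
        # Assumption: the saved copy points at "<page>_files/<name>", so only the
        # file name is comparable with the URL written in the authored source.
        self.resources.add((kind, basename(urlsplit(url).path)))


def collect(html):
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.resources


def injected_resources(authored_html, saved_html):
    """Resources referenced by the browser-saved copy but absent from the authored file."""
    return sorted(collect(saved_html) - collect(authored_html))


# Constructed sample input (file names are made up for illustration).
AUTHORED = """<html><head><link rel="stylesheet" href="css/style.css">
<script src="js/main.js"></script></head><body>Hello</body></html>"""
SAVED = """<html><head><link rel="stylesheet" href="page_files/style.css">
<script src="page_files/main.js"></script>
<script src="page_files/inject_a.js"></script>
<script src="page_files/inject_b.js"></script>
<link rel="stylesheet" href="page_files/inject.css"></head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, name in injected_resources(AUTHORED, SAVED):
        print(f"not in authored source: {kind} {name}")
```

Because only file names are compared, an injected file that reuses the name of one of your own resources would not be reported; repeating the check with each extension disabled in turn narrows down which one adds the reference.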
(Score: 0) by Anonymous Coward on Sunday December 07 2014, @08:22AM
In one account, one Jew [biblehub.com] does not fit that stereotype. [biblegateway.com]
(Score: 2, Insightful) by dlb on Sunday December 07 2014, @03:20PM
(Score: 1) by linuxrocks123 on Sunday December 07 2014, @06:30PM
No one needs to waste their time on those who by design have stunted intellects.
You mean, in your view, he went full retard?
(Score: 0, Troll) by Ethanol-fueled on Sunday December 07 2014, @11:38PM
Yes, see one word and totally ignore everything else, because you're totally righteous, aren't you? I bet your shit smells like Aqua di Gio.
(Score: 0) by Anonymous Coward on Monday December 08 2014, @12:52AM
I think it's funny that your name has a gold star next to it.
(Score: 1) by Ethanol-fueled on Monday December 08 2014, @01:11AM
Reveal yourself, grand decider, who decided that somebody cannot enjoy and support a website* because they say, "Fuck" every now and then.
And, for the record, there are far worse slurs than "Jew."
* Disclaimer: a subscription does NOT constitute an endorsement by the staff of anybody who misbehaves on the site, gold star or not. They have their own ways of dealing with those. Anybody can buy a subscription, especially Jews. In fact, Jews pioneered the use of the gold star and even wore it on their clothing for awhile.
(Score: 0) by Anonymous Coward on Monday December 08 2014, @02:32PM
I dub thee Fucktard Extraordinaire!
(Score: 0) by Anonymous Coward on Monday December 08 2014, @02:46PM
Why is it funny? He has a vested interest in the web site remaining operative, so he can continue to troll on it. There are two ways to help the web site: by posting valuable content (which apparently is out of the question for him) and by donating money.
Or maybe you thought he should be out of money because he spent all of it on ethanol? ;-)
(Score: 0) by Anonymous Coward on Sunday December 07 2014, @05:20PM