posted by LaminatorX on Sunday December 07 2014, @06:12AM
from the CAN-ANYONE-REPLICATE-THIS? dept.

There is a gaping security flaw in the Chrome browser and I don't know what to do about it.

What happened was I wrote a couple of simple HTML5 pages and uploaded them to my web host. While testing them in Chrome on OS X, a new tab opened claiming I wasn't running the latest Chrome browser (I was). The URL was some random-letter .info address, so I was suspicious, but I decided to play along a little and was invited to download setup.exe (yes, on a Mac).

Had I been on Windows this might have been almost plausible.

So where had this tab come from, as I only had my page open at the time?
Well, it was my page! Looking at the source in the browser, it was identical to the source I had written. However, downloading the webpage complete through the browser also downloaded app.js, and when I loaded the HTML into my editor I found the header had acquired two additional JavaScript files and an additional CSS file.

This was also the case on Linux Mint with the Chrome browser, but not with Firefox. With some googling I found one link was Privacy Badger, and I joined the mailing list to find out that they inject code into webpages to replace the Facebook Like buttons. But the other two were not theirs.

In the meantime I found that removing the Privacy Badger extension removed their injection, but not the other two.

So at this point I removed all extensions from Chrome, and that removed the other two injections.

It seems conclusive, to me at least, that Google's extension repository is not to be trusted.

While I was targeted with Windows malware of some description, a little more work could have pushed a .dmg, .deb or .rpm file instead.

To be fair, the possibilities are endless; it would be fairly easy to log all of a person's web activity, even the emails they write, with these trojan extensions. The trouble is that people trust Google's repository, but Google can't really be maintaining any security if this is occurring.

I am very worried about this, as so many people use Chrome, and extensions are for the most part cross-platform.
If you install an extension on one platform and then log in to Google on another using Chrome, your extensions get synced and that security hole is now on your Linux box or OS X box.

So what should be done about this?

 
  • (Score: 1) by blackest_k (2045) on Sunday December 07 2014, @12:36PM (#123454)

    I made a mistake in deleting out all the extensions on Chrome, which makes finding it again tricky.
    However, one safe example is Privacy Badger. Make a simple webpage, upload it to a host, load it into Chrome and choose View Source: it looks identical to what you wrote. Now save the page as webpage complete. Check to see what is in the folder and the source of the downloaded webpage. You should find that there are additions to that HTML.

    With Privacy Badger it's to remove Facebook Like buttons. That I think we can live with.
    However, I found app.js downloaded as part of my page, and other injections which I haven't been able to identify fully; I am not a security expert.

    <script type="text/javascript" src="http://www.youradexchange.com/ad/display.php?r=32796">
    This line was in my header; can you tell me what it does?

    http://jsbeautifier.org/ will clean it up a bit. There are a few URLs in there; the first one is hotchatdate.com and a bot called evie.

    Anyone care to investigate?
    app.js can be found at http://jsbin.com/jehikazapu/1/edit?js

    The youradexchange link is pasted at http://jsbin.com/xudehusowa/1/edit?js,output

    Hope someone can make some sense out of this. These injections are client-side and have to be from extensions installed in Chrome. They have a brilliant propagation method, as every time you log in to Google using Chrome your extensions come with you.

  • (Score: 2) by pkrasimirov (3358) Subscriber Badge on Sunday December 07 2014, @12:54PM (#123462)

    Did you use HTTPS? You know some ISPs deliberately inject bullshit into your HTML when you transfer it in plaintext over the web.

    • (Score: 2, Informative) by blackest_k (2045) on Sunday December 07 2014, @01:40PM (#123468)

      It was HTTP. However, I did experiment with Firefox to see if it had similar results, but with Firefox everything was normal.

      I did a few downloads with Chrome on OS X and Linux Mint and the injections were there.

      href="chrome-extension://pkehgijcmpdhfbdbbnkijodmdjhbjlgp/skin/socialwidgets.css" was injected by Privacy Badger on Chrome.

      It was by googling pkehgijcmpdhfbdbbnkijodmdjhbjlgp that I found it belonged to Privacy Badger. I joined the mailing list and was told it was injected into all pages to remove Facebook Like buttons from pages.

      While that is harmless (it's from the EFF; they must be trustworthy), it does demonstrate that it is possible to inject from a Chrome extension.

      If you have Privacy Badger installed in Chrome you can see it for yourself: just hit Ctrl-S and download this page. The last item in the page header will be

      <link rel="stylesheet" type="text/css" href="chrome-extension://pkehgijcmpdhfbdbbnkijodmdjhbjlgp/skin/socialwidgets.css">

      Now try Ctrl+U to view the page source of this web page and look at the end of the header: that link is not in the page.

      Try it in Firefox; you will see that there is no injection there.

      A stylesheet is harmless, but JavaScript has much more potential to wreak havoc. I knew that I did have the latest version of Chrome on OS X. I also know that I wouldn't be getting directed by Google to download Chrome from a .info site. I also know you don't run a web installer called setup.exe on OS X. However, most people are not that aware.

      I can only suggest that people do a simple test: save this web page now in Chrome, open up the HTML page and see what is at the bottom of the header. Is there a file called app.js? Is there a URL for youradexchange.com?
      If so, you have a malicious extension installed.

      I don't think it will be just one extension that does this, so it really needs to be a group effort.
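The check blackest_k describes in the two posts above (view the source, save the page as "Webpage, Complete", then compare the two) can be scripted so it is not done by eye. The following is an added example, not code from the thread: it takes the authored HTML and the saved copy as strings, lists the `<script src>` and `<link href>` resources that appear only in the saved copy, and labels each one as extension-local (a `chrome-extension://` URL carrying the 32-character extension id, as with the Privacy Badger stylesheet), remote, or local. The two HTML samples are constructed to mirror the additions reported in this thread; the `style.css`/`main.js` names and the `test_files/` folder are assumptions about how a saved copy is laid out, and `check-injections.js` is just the file name chosen here.

```javascript
// Added example (not from the thread): automate the "view source vs. save as
// Webpage, Complete" comparison described above. "View source" shows the bytes
// the server sent; "Save page" serialises the live DOM, which extension content
// scripts may have altered. Resources that appear only in the saved copy are
// the candidates for extension-injected <script>/<link> elements.
// Run with: node check-injections.js   (no dependencies beyond Node's URL class)

const SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
const LINK_RE = /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>/gi;

// List every <script src> and <link href> in the HTML, in document order per tag type.
function extractResources(html) {
  const found = [];
  for (const [re, tag] of [[SCRIPT_RE, 'script'], [LINK_RE, 'link']]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) found.push({ tag, url: m[1] });
  }
  return found;
}

// Chrome's "Webpage, Complete" rewrites local references (style.css) into a
// "<page>_files/" folder, so local resources are matched by file name only;
// absolute URLs are matched in full. Without this, every local file looks injected.
function resourceKey(url) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(url);
  return hasScheme ? url.toLowerCase() : url.split('/').pop().toLowerCase();
}

// Say where an unexpected resource points: the extension itself (chrome-extension://
// <32-char id>, as with the Privacy Badger stylesheet), a remote host, or a local file.
function classify(url) {
  const ext = /^chrome-extension:\/\/([a-p]{32})\//.exec(url);
  if (ext) return { kind: 'extension', extensionId: ext[1] };
  if (/^https?:\/\//i.test(url)) return { kind: 'remote', host: new URL(url).host };
  if (!/^[a-z][a-z0-9+.-]*:/i.test(url)) return { kind: 'local' };
  return { kind: 'other' };
}

// Resources present in the saved copy but absent from the authored source.
function findInjected(originalHtml, savedHtml) {
  const known = new Set(extractResources(originalHtml).map(r => resourceKey(r.url)));
  return extractResources(savedHtml)
    .filter(r => !known.has(resourceKey(r.url)))
    .map(r => ({ ...r, ...classify(r.url) }));
}

// Human-readable report lines for the findings.
function report(originalHtml, savedHtml) {
  const hits = findInjected(originalHtml, savedHtml);
  if (hits.length === 0) return ['no unexpected resources'];
  return hits.map(h => {
    const where = h.kind === 'extension' ? `extension id ${h.extensionId}`
                : h.kind === 'remote'    ? `remote host ${h.host}`
                : h.kind;
    return `<${h.tag}> ${h.url}  [${where}]`;
  });
}

// Constructed sample: the page as authored (what Ctrl+U shows).
const ORIGINAL = `<!DOCTYPE html>
<html><head>
<meta charset="utf-8"><title>test</title>
<link rel="stylesheet" href="style.css">
<script src="main.js"></script>
</head><body><p>hello</p></body></html>`;

// Constructed sample of the saved copy, carrying the three additions the thread
// reports: the ad-exchange script, app.js, and the Privacy Badger stylesheet.
const SAVED = `<!DOCTYPE html>
<html><head>
<meta charset="utf-8"><title>test</title>
<link rel="stylesheet" href="./test_files/style.css">
<script src="./test_files/main.js"></script>
<script type="text/javascript" src="http://www.youradexchange.com/ad/display.php?r=32796"></script>
<script src="./test_files/app.js"></script>
<link rel="stylesheet" type="text/css" href="chrome-extension://pkehgijcmpdhfbdbbnkijodmdjhbjlgp/skin/socialwidgets.css">
</head><body><p>hello</p></body></html>`;

console.log(report(ORIGINAL, SAVED).join('\n'));
```

To use it on a real page, replace the two constants with `fs.readFileSync` of the source you uploaded and of the saved `.html`. A page whose own scripts add `<script>` or `<link>` elements at runtime will also show differences, so read the `remote` hits against what your page legitimately loads; a remote host that your source never references is the one to chase by disabling extensions one at a time, as the story's author did, until the hit disappears.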

      • (Score: 2) by pkrasimirov (3358) Subscriber Badge on Sunday December 07 2014, @01:50PM (#123470)

        Maybe the attackers had hard time keeping up-to-date with Firefox versions so they just abandoned the extension? Just kidding :)

        Sorry, I've got no Chrome and I don't plan to have it.

      • (Score: 1, Informative) by Anonymous Coward on Sunday December 07 2014, @01:51PM (#123471)

        FWIW, according to your post, the Privacy Badger injection pulls JavaScript from the extension itself, not some random website. I'm not an extension developer, but my understanding is that "injecting" JavaScript like that is standard operating procedure for tons of extensions. Probably on Firefox too.

        While I am sure the extension API could (and probably already does) enforce "local" injections, I think that it is impossible to enforce in the general case, because any extension that can rewrite a web page on the fly could insert random URLs simply as text.

      • (Score: 2, Informative) by blackest_k (2045) on Sunday December 07 2014, @04:43PM (#123495)

        http://lp.down2208.info/player/LP5_1/?pid=2777&distid=24601&clickid=ub2a7fe855470ce7ecfedd21ef# is the page that opened on OS X (VirusTotal has just Bitdefender recognising it as a malware site).

        setup.exe is identified by 8 AV programs:

        AVG Generic.106 20141207
        Avast NSIS:OutBrowse-AH [PUP] 20141207
        DrWeb Trojan.OutBrowse.1 20141207
        ESET-NOD32 Win32/OutBrowse.BK 20141207
        K7AntiVirus Unwanted-Program ( 004b04b21 ) 20141205
        K7GW Unwanted-Program ( 004b04b21 ) 20141205
        McAfee Adware-OutBrowse.c 20141207
        McAfee-GW-Edition BehavesLike.Win32.Downloader.hc

        I'm pretty sure this constitutes a problem.

        • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:27PM (#123548)

          Which extensions did you have installed when this happened?

        • (Score: 1) by Urlax (3027) on Sunday December 07 2014, @09:53PM (#123554)

          I don't get the problem.

          Switching out ads, or inserting them on somebody else's domain, violates your trust in that domain. From serving ads to serving viruses is just a minor step if you're already screwing the end user.
          If the developer violates your trust by being dishonest or even impersonating someone else, the extension itself is by definition malware.

          So the whole article boils down to 'malware in extension store', which is also true for Firefox, and maybe others.

  • (Score: 2, Informative) by Urlax (3027) on Sunday December 07 2014, @09:21PM (#123547)

    That link looks like a bog-standard referrer link. You see the ad, the developer gets paid (in fact, the developer probably has account number 32796).
    It loads a JavaScript file in which the account info is embedded, so the server generates ads on the fly, based on the advertiser.

    (In this case the advertiser is not the site you visit, but the plugin/extension programmer. He 'stole' the ad space by injecting his .js file.)

    My father-in-law suddenly had green double-underlined adware after installing the 'video download helper' extension in Firefox. It's the same thing: any extension has access to the page in order to work. Chrome even mentions this during install: "This extension can 'access your data on all websites'".