posted by Fnord666 on Wednesday March 04 2020, @01:09AM
from the good-advice dept.

The Case for Limiting Your Browser Extensions:

The health insurance site was compromised after an employee at the company edited content on the site while using a Web browser equipped with a once-benign but now-compromised extension which quietly injected code into the page.

The extension in question was Page Ruler, a Chrome addition with some 400,000 downloads. Page Ruler lets users measure the inch/pixel width of images and other objects on a Web page. But the extension was sold by the original developer a few years back, and for some reason it's still available from the Google Chrome store despite multiple recent reports from people blaming it for spreading malicious code.

How did a browser extension lead to a malicious link being added to the health insurance company Web site? This compromised extension tries to determine if the person using it is typing content into specific Web forms, such as a blog post editing system like WordPress or Joomla.

In that case, the extension silently adds a request for a javascript link to the end of whatever the user types and saves on the page. When that altered HTML content is saved and published to the Web, the hidden javascript code causes a visitor's browser to display ads under certain conditions.

[...] Contacted by KrebsOnSecurity, Page Ruler's original developer Peter Newnham confirmed he sold his extension to MonetizUs in 2017.

"They didn't say what they were going to do with it but I assumed they were going to try to monetize it somehow, probably with the scripts their website mentions," Newnham said.

"I could have probably made a lot more running ad code myself but I didn't want the hassle of managing all of that and Google seemed to be making noises at the time about cracking down on that kind of behaviour so the one off payment suited me fine," Newnham said. "Especially as I hadn't updated the extension for about 3 years and work and family life meant I was unlikely to do anything with it in the future as well."

Monetizus did not respond to requests for comment.
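The mechanism described above (an extension that appends an external script reference to whatever the user saves through a CMS editor) can be caught on the server side before the content is published: user-authored post bodies should never carry a script reference to an origin the site does not control. The following is an added example and is not code from the KrebsOnSecurity article, from Page Ruler, or from WordPress or Joomla; the allowlist, the host names and the sample post are constructed assumptions.

```python
"""Flag external script references injected into saved CMS content (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the only third-party origin this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-insurer.test"}


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)


def external_scripts(html):
    """Return the src values of all <script src=...> tags in the fragment, in order."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def audit_content(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (src, reason) findings for script references that point outside the allowlist.

    Relative references (no host) are treated as same-origin and pass; anything with a
    host, including protocol-relative "//host/path" forms, must match the allowlist.
    """
    findings = []
    for src in external_scripts(html):
        host = urlsplit(src.strip()).hostname  # None for relative paths
        if host is None:
            continue
        if host.lower() not in allowed_hosts:
            findings.append((src, "script host %s not in allowlist" % host))
    return findings


def appended_script(previous, submitted):
    """Detect the specific pattern from the article: the new revision is the old one with a
    script reference tacked onto the end. Returns the appended fragment, or None."""
    if not submitted.startswith(previous):
        return None
    tail = submitted[len(previous):]
    return tail if external_scripts(tail) else None


# Constructed sample: a legitimate allowlisted script followed by an injected one.
SAMPLE_POST = (
    "<p>Open enrollment starts next week.</p>"
    '<script src="https://cdn.example-insurer.test/forms.js"></script>'
    '<script src="//ads.unknown-tracker.test/loader.js"></script>'
)

if __name__ == "__main__":
    for src, reason in audit_content(SAMPLE_POST):
        print("REJECT:", src, "-", reason)
    old = "<p>Open enrollment starts next week.</p>"
    print("appended:", appended_script(old, SAMPLE_POST))
```

The two checks are complementary: `audit_content` works on any submission without history, while `appended_script` compares a revision against the stored previous one and catches the case where the only change is a trailing script reference, which is exactly what an editor-side injection of this kind produces.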


  • (Score: 2) by darkfeline (1030) on Wednesday March 04 2020, @04:51AM (#966352)

    > If it's health care or insurance, my position is ZERO extensions. Logging into your own "browser" and syncing with Google, including your extensions, is a fireable offense.

    Mm...

    > I'd use unGoogled Chromium, built from source

    HAHA BIG NOPE. You know what Chromium is licensed with? BSD. You know what the license says? NO WARRANTY. Same goes for any compiler you're going to use to compile it with. When HIPAA comes for your ass, you are 100% liable.

    What you want to do is sign a HIPAA compliant contract with Google or some other cloud provider or perhaps a non-cloud vendor, so that they take on the work and liability for handling data correctly. HIPAA is one of those few regulations that actually hurt, so you want to deal with it yourself as little as possible.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 2, Informative) by Anonymous Coward on Wednesday March 04 2020, @05:14AM (#966363)

    You know every piece of software comes with similar exclusion. Chrome has that exclusion in Section 13 [google.com], Firefox under Section 6 [mozilla.org], and Safari in Section 7 [apple.com] (using iOS as an example but the others have it too).

  • (Score: 4, Insightful) by edIII (791) on Wednesday March 04 2020, @05:35AM (#966365)

    Warranty? That's because the current agreement I have using a Chrome browser provides for me to shift legal liability to Google? That's new to me. Not sure that is actually true though.

    I'd probably let HIPAA come for me. I wouldn't let PCI compliance dictate I be at a lower level of security just because it's policy at that time, so why would I allow HIPAA? You fight that bullshit, because PCI compliance was (and may still be) demanding everything be updated all the time. Funny you mention BSD, because in some cases there is no way to do that. When there is a security problem in OpenBSD, you receive patches, but that is not the same as packages being updated in the repo at will by the maintainers. That's one reason I trust the OpenBSD repositories so much more than the Wild West bullshit going on in Python and other repos.

    Blind updates are part of the security problem too.

    I'm not letting fucking dipshits at HIPAA tell me I need to use IE, Edge, or some mainline browser that is often part of the problem. There's nothing wrong with building something from source, and then security hardening it. Done with OpenBSD all the time in some special use cases. I don't see the BSD license holding those people back.

    Last thing I want is a contract with cloud-provider-fucking-anything. The very fact that HIPAA would think that's more secure than a local solution, implemented correctly, just shows you that just because they're a big name, and just because they're tasked with data privacy, that they don't necessarily know what the fuck they are doing.

    I'll take on that bullshit gladly, because I know I can show in a court room that a locked-down custom browser from source, which is in and of itself sourced from Google's browser, can be security hardened. Far higher levels of security than a plain vanilla Chrome install. Especially when I can explain to any auditor that it's wholly impossible to visit any unapproved website, load any unapproved javascript, run any unapproved web app/chrome app, and that only extremely specific domains with vendors and work interfaces are white-listed at all. Fuck, I would make a headless browser translate it to a custom native GUI if it were possible. The last thing I would do is run a plain vanilla web browser that can access any URL, load any extension, etc. just because it gets past the government easier.

    I'm always going to go with the higher level of security, HIPAA be damned, because I'm more concerned with keeping the business data private than I am with mere HIPAA compliance. I'm always trying to go above and beyond recommendations, which isn't hard, because the people writing them are not always the people who are also providing the highest levels of security. I'd go with recommendations from a group of black/white hats at a conference before I'd go with a career government employee whose core skills are padding their resume.

    The only takeaway from what you're saying is to hire an outside development team to do it, and then a separate pentesting group to audit it. After that, a few white paper documents, some auditing trails, and there is a package for HIPAA. I'd love to make a PR campaign about how we're fighting HIPAA to be more secure than what government bureaucracy can bring you.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 0) by Anonymous Coward on Wednesday March 04 2020, @09:37AM (#966413)

      Good thing it isn't true. Unlike PCI, it doesn't require you to run certain software. It also doesn't require you to use vendors with HIPAA-compliant setups either. They are more worried about access control, privilege tracking, and at-rest/in-transit encryption existing than they are about what is running on the systems. In fact, their guidance suggests local systems on air-gapped networks with centralized auditing, but that doesn't prevent anyone from using cloud services that meet the specs either. Again, they care more about access control, auditing reports, and the like than software or stack requirements.

  • (Score: 2) by Thexalon (636) on Wednesday March 04 2020, @02:18PM (#966461)

    > You know what the license says? NO WARRANTY.

    I don't know of a single piece of software, either open-source or proprietary, that comes with any kind of warranty of any kind. Quite the opposite: boilerplate in any EULA says that not only is there no specific warranty or guarantee offered, but that there specifically aren't the implied warranties of merchantability and fitness for a particular purpose. In short, there are absolutely no legal guarantees that any software is going to do anything useful and not, say, erase your entire hard drive.

    And if you think that affects the quality of software, you're absolutely right.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.