SoylentNews is people

posted by Fnord666 on Tuesday January 28 2020, @02:19PM
from the batten-down-the-hatches dept.

Google, Mozilla Ban Hundreds of Browser Extensions in Chrome, Firefox:

[...] Both the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions.

Browser extensions are add-ons that users can install to enhance their web surfing experience – they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning.

[...] While extensions are useful, they can also introduce danger. In addition to intentionally malicious browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who look to exploit vulnerabilities in their code.

[...] In this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component – those that are paid for, offer in-browser transactions and those that offer subscription services. It's a temporary measure, according to the internet giant – but one that doesn't yet have a timeline for resolution.

"Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users," it said in a notice, issued Friday. "Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse."

The notice added, "We are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience."

[...] Mozilla meanwhile has taken a more case-by-case tack, disabling 197 Firefox add-ons in total for a range of improper activity. This includes remote code-execution and harvesting user data. The add-ons have not only been removed from the official Mozilla Add-on (AMO) portal, but have been disabled in the browsers of existing installs.

[...] That's not to say the extensions were intentionally malicious. Mozilla's policy is that extensions that dynamically fetch code from elsewhere, legitimate or otherwise, are in violation of its content security policy.

The blocked extensions include six add-ons deemed to be executing remote code, which were developed by Tamo Junto Caixa. Tamo Junto is a banking entity that offers Brazilian microentrepreneurs online courses, video classes, articles and management tools.

Other browser extensions, like Rolimons Plus (an extension linked to the Roblox online multiplayer video game), were blocked for "collecting ancillary user data against our policies," while others (unnamed in the bug ticket) were banned for "showing malicious behavior on third-party websites." Still others, including three unnamed add-ons, were determined to be "fake premium products."

We just need an add-on to tell if you have any 'bad' add-ons.



This discussion has been archived. No new comments can be posted.
  • (Score: 1, Disagree) by Anonymous Coward on Tuesday January 28 2020, @02:52PM (14 children)

    by Anonymous Coward on Tuesday January 28 2020, @02:52PM (#950067)

    It's just not worth it.

    • (Score: 5, Insightful) by ikanreed on Tuesday January 28 2020, @02:54PM (1 child)

      by ikanreed (3164) Subscriber Badge on Tuesday January 28 2020, @02:54PM (#950068) Journal

      What kind of non-adblock-using psychopath would say such a thing?

    • (Score: 2) by Arik on Tuesday January 28 2020, @02:58PM (11 children)

      by Arik (4543) on Tuesday January 28 2020, @02:58PM (#950071) Journal
      That seems to be the end goal here.

      Browser makers used to be happy to make a useful tool. Now they seem to be dead-set on controlling users instead.

      If they really cared about protecting people, they certainly wouldn't allow ecmascript by default.
      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 4, Touché) by FatPhil on Tuesday January 28 2020, @03:03PM (8 children)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday January 28 2020, @03:03PM (#950075) Homepage
        Or as it's sometimes called, "executing remote code".

        Wait, waaaaat?
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by Bot on Tuesday January 28 2020, @03:07PM (1 child)

          by Bot (3902) on Tuesday January 28 2020, @03:07PM (#950078) Journal

          Went to comment about the same thing, not disappointed.

          --
          Account abandoned.
          • (Score: 2) by FatPhil on Wednesday January 29 2020, @07:42PM

            by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday January 29 2020, @07:42PM (#950797) Homepage
            Thanks, Bot. Remember - always practice safe hex.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 4, Insightful) by Arik on Tuesday January 28 2020, @03:11PM (5 children)

          by Arik (4543) on Tuesday January 28 2020, @03:11PM (#950080) Journal
          Exactly. They've spent years shoveling this shit down our throats to make the ad companies happy, and they still try to pretend they somehow care about protecting users.

          They don't. They want us to trust them to judge which extensions are malicious when they've proven they don't have that kind of judgement in regards to their core code?

          Well, maybe they don't. Maybe they just want to make the web so bad that people will willingly give it up, and then they can move in and save everyone by reinventing TV over IP to replace it.
          --
          If laughter is the best medicine, who are the best doctors?
          • (Score: 1, Interesting) by Anonymous Coward on Tuesday January 28 2020, @06:13PM (3 children)

            by Anonymous Coward on Tuesday January 28 2020, @06:13PM (#950148)

            I gave up on it a long time ago. Cool side effect of the webappification is that I now have all the neat remote JSON APIs I can use to pull all the data necessary to get the content into my own UI. I don't really need their webapp.

            • (Score: 3, Interesting) by Arik on Tuesday January 28 2020, @07:25PM (2 children)

              by Arik (4543) on Tuesday January 28 2020, @07:25PM (#950193) Journal
              Put it on github?
              --
              If laughter is the best medicine, who are the best doctors?
              • (Score: 0) by Anonymous Coward on Wednesday January 29 2020, @04:20PM

                by Anonymous Coward on Wednesday January 29 2020, @04:20PM (#950695)

                Yea, but it's per site so it would need some sort of generic interface which I don't have. Most of the sites wouldn't be of interest to other people, but yes I get your point and I will keep it in mind to make stuff usable for others.

                Meanwhile there are projects doing something similar (Weboob [weboob.org]) and has a more modular approach than I (mine is C spaghetti code).

                Also Nitter and Invidious make it nicer to read two crappy bigtech websites.

              • (Score: 2) by FatPhil on Wednesday January 29 2020, @07:45PM

                by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday January 29 2020, @07:45PM (#950800) Homepage
                Web Tools > Net Inspector ... [manually find the JSON request that populates the page] ... > Save as cUrl
                --
                Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 0) by Anonymous Coward on Tuesday January 28 2020, @10:41PM

            by Anonymous Coward on Tuesday January 28 2020, @10:41PM (#950286)

            Try loading a plugin locally on Chrome these days. Pain in the ass.
            If I want to download someone's extension from their website to load into the web browser on my computer then that is my business.
            Adding a virus scanner (?) was going too far.
            Dictating what software I can use is worse.

      • (Score: 2, Funny) by Anonymous Coward on Tuesday January 28 2020, @04:58PM

        by Anonymous Coward on Tuesday January 28 2020, @04:58PM (#950129)

        I suppose you'd be ok with vimscript though?

      • (Score: 0) by Anonymous Coward on Tuesday January 28 2020, @07:06PM

        by Anonymous Coward on Tuesday January 28 2020, @07:06PM (#950184)

        [...] Browser makers used to be happy to make a useful tool. Now they seem to be dead-set on controlling users instead. [...]

        Nope. They're dead-set on a successful fishing expedition.

  • (Score: 5, Funny) by DannyB on Tuesday January 28 2020, @03:25PM

    by DannyB (5839) Subscriber Badge on Tuesday January 28 2020, @03:25PM (#950089) Journal

    I'm good as long as I can still run systemd in my browser under a JS implementation of a PC emulator booting Linux.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2, Insightful) by Anonymous Coward on Tuesday January 28 2020, @06:07PM

    by Anonymous Coward on Tuesday January 28 2020, @06:07PM (#950145)

    Mozilla's policy is that extensions that dynamically fetch code from elsewhere, legitimate or otherwise, are in violation of its content security policy.

    Too bad I still need an extension to enforce that policy on websites.

  • (Score: 0) by Anonymous Coward on Wednesday January 29 2020, @11:48AM (1 child)

    by Anonymous Coward on Wednesday January 29 2020, @11:48AM (#950580)

    I hope they plan on blocking the new extension Microsoft is rolling out to Office 365 users, that hijacks your search engine settings to send you to bing.

    • (Score: 0) by Anonymous Coward on Wednesday February 05 2020, @10:13PM

      by Anonymous Coward on Wednesday February 05 2020, @10:13PM (#954447)

      We're still taking bets that MS will be taken to the cleaners, again, for this. Wait and see.
