Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday October 23 2020, @10:24AM   Printer-friendly [Skip to comment(s)]
from the uninstall-this-malware-immediately dept.

Adblockers installed 300,000 times are malicious and should be removed now:

Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users' social media accounts thanks to malware its new owner introduced a few weeks ago, according to technical analyses and posts on Github.

Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google's Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which often are installed together, have about 300,000 installations total.

Four days ago, Raymond Hill, maker of the uBlock Origin extension upon which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code.

[...] The incident is the latest example of someone acquiring an established browser extension or Android app and using it to infect the large user base that already has it installed. It's hard to provide actionable advice for preventing this kind of abuse. The Nano extensions weren't some fly-by-night operation. Users had every reason to believe they were safe until, of course, that was no longer the case. The best advice is to routinely review the extensions that are installed. Any that are no longer of use should be removed.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 1, Insightful) by Anonymous Coward on Friday October 23 2020, @10:47AM (4 children)

    by Anonymous Coward on Friday October 23 2020, @10:47AM (#1067835)

    Reviewing something after it's already compromised the system is snake oil. Reviewing must occur before something is installed/updated for it to be meaningful.

    • (Score: 2) by Bethany.Saint on Friday October 23 2020, @12:03PM (3 children)

      by Bethany.Saint (5900) on Friday October 23 2020, @12:03PM (#1067845)

      I don't understand. Who do you think is supposed to be reviewing extensions prior to release? I'm not sure Google or Mozilla pours over the code to make sure it's all good.

      • (Score: 2, Insightful) by Anonymous Coward on Friday October 23 2020, @02:28PM (2 children)

        by Anonymous Coward on Friday October 23 2020, @02:28PM (#1067882)

        This is not about Google or Mozilla but about users being unable to review things before they are installed because of forced automatic updates. No automatic updates = this entire attack vector doesn't exist/isn't as lucrative. As far as Google or Mozilla are concerned, Mozilla used to manually review all extensions before they were published on AMO. So even that angle is possible: Don't make available unreviewed code (automatic review = equivalent to no review).

        • (Score: 0) by Anonymous Coward on Friday October 23 2020, @10:29PM (1 child)

          by Anonymous Coward on Friday October 23 2020, @10:29PM (#1068082)

          users being unable

          You're wrong, users are able to disable firefox plugin auto-update. I have disabled auto-update of plugins for this reason, and though I've only twice actually reviewed code beyond changelogs, I appreciate being able to.

          Your beef is maybe with users who aren't savvy enough to?

          • (Score: 0) by Anonymous Coward on Saturday October 24 2020, @05:23AM

            by Anonymous Coward on Saturday October 24 2020, @05:23AM (#1068164)

            For the present. The fact that this is enabled by default should be a warning sign given Mozilla's past pattern of first enabling something by default + offering a way to opt out and then removing said opt out because "only a statistically insignificant amount of users was making use of that option, and it's oh so expensive to maintain --- our devs just can't stomach maintaining that one line boilerplate check --- we better just axe it in the next build (which, unless users go to considerable lengths on Windows, is a forced update) kthxbye."

            It's basic human decency to never apply changes behind the user's back and always prompt before applying them even if it is an automated process --- unless the user explicitly opted into an alternate, silent, approach (id est, the setting should be off by default, same with updates to the browser itself --- where this freedom was mostly curtailed already).

  • (Score: 5, Insightful) by zocalo on Friday October 23 2020, @11:12AM

    by zocalo (302) on Friday October 23 2020, @11:12AM (#1067840)
    When Raymond Hill annouced that he was discontinuing UMatrix he covered this exact point. He'd been burnt previously by transferring rights to an existing project to another developer, who had then inserted some sketchy code into it which was then pushed out to all existing users, and this was why he would be fine with someone forking UMatrix and continuing to develop it under a new name, but would not be transferring control of the project to another dev. There are multiple other examples of this kind of thing happening as well, particularly with ad-blockers and other security/VPN and other types of extension which come ready made with low-level access to the browser and/or user data.

    Realistically, it's too much to expect end users to be able to keep on top of this, especially when you've got browser vendors that insist on resetting user prefererances NOT to auto-update the browser and/or extensions, so if you're going to try and stop this kind of attack vector then it really has to fall to those operating the extension "stores". Not sure you could achieve that though; a policy update requiring project control ownership transfers be notified to the store might help, but that's probably going to need to be supplemented by things like monitoring of accounts/IP ranges used to upload updates to the store - any such red flags could then trigger a period of increased scrutiny of the code before it is made available for users to download. Not a perfect solution, but it would at least raise the bar enough to deter a bunch of the also-rans and script kiddies, which is still better than nothing.
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 5, Insightful) by SomeGuy on Friday October 23 2020, @12:33PM (2 children)

    by SomeGuy (5632) on Friday October 23 2020, @12:33PM (#1067847)

    I wonder if this malware was an attempt to discredit ad blockers in general? Advertisers would pay big money to make users think they are not "safe" with an ad blockers. Ironically a big part of the reason to install an ad blocker is to keep a user's computer or mobile toy safe from ad-injected malware, not just hiding seizure inducing advertisements.

    Also, keep in mind this sort of thing can, does, and will happen to ANY kind of wildly distributed software when someone can get away with it.

    I'm guessing no one will ever be punished for this.

    • (Score: 2) by Grishnakh on Friday October 23 2020, @04:03PM (1 child)

      by Grishnakh (2831) on Friday October 23 2020, @04:03PM (#1067921)

      I wonder if this malware was an attempt to discredit ad blockers in general?

      I wouldn't be too surprised; a lot of people in the advertising space seem to have ethics even worse than mafioso, and a particularly bad track record. Remember all the pop-up ads in the earlier days of the web, and how much advertisers fought to make users' web-browsing experience as miserable as possible? I wouldn't put any crime beyond these people.

      • (Score: 2, Interesting) by Anonymous Coward on Friday October 23 2020, @07:44PM

        by Anonymous Coward on Friday October 23 2020, @07:44PM (#1068023)

        There's historical overlap between advertisers and malware developers: See the CoolWebSearch fiasco.

  • (Score: 5, Interesting) by FatPhil on Friday October 23 2020, @01:42PM (3 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday October 23 2020, @01:42PM (#1067863) Homepage
    > ... sold the rights to the versions available in Google's Chrome Web Store

    What he actually sold was unfettered access to the internals of 300000 people's browsers, people who had already expressed explicit deep trust in that software.

    He's not innocent in this game by any means.

    Had he pushed out a version of the code that was self-terminating (asking the user to uninstall it, or at least just disabling it), then I'd let him off, but he didn't, he just handed over the master key (for money, as a cherry on top).

    Trust is a non-transferable commodity, and much of the brokenness in the world wide web (like CAs) is because of the pretence otherwise.
    --
    I know I'm God, because every time I pray to him, I find I'm talking to myself.
    • (Score: 2) by darkfeline on Saturday October 24 2020, @03:20AM (2 children)

      by darkfeline (1030) on Saturday October 24 2020, @03:20AM (#1068152) Homepage

      > Trust is a non-transferable commodity

      That's blatantly wrong. Society wouldn't function if trust wasn't transferable. Do you trust your grocer? Do you not then trust by proxy the farmers and deliverypersons that the grocers trust? Or must you personally trust every single person involved in the production and shipment of your food?

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 0) by Anonymous Coward on Saturday October 24 2020, @07:44AM

        by Anonymous Coward on Saturday October 24 2020, @07:44AM (#1068183)

        There are regulations in place for those. The question should rather be whether you trust those to be enforced and those enforcing them.

      • (Score: 2) by FatPhil on Sunday October 25 2020, @08:28PM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday October 25 2020, @08:28PM (#1068638) Homepage
        You have binary thinking. Some trust can be inherited when trusting those that those you trust trust others, yes, but it's not the whole thing. With CAs, say, it's binary, and broken.
        --
        I know I'm God, because every time I pray to him, I find I'm talking to myself.
  • (Score: 4, Interesting) by RamiK on Friday October 23 2020, @02:10PM

    by RamiK (1813) on Friday October 23 2020, @02:10PM (#1067872)

    Only heard about the issue indirectly when uMatrix ceased development and when Firefox Mobile turned off support for most extensions while upgrading to Fenix. Fortunately I don't use any social network accounts on the browser other than Soylent and Github and was running uMatrix as well as AdAway on the mobile so...

    Regardless, it's actually worth noting Mozilla been blocking more and more extensions recently over remote code execution: https://blocked.cdn.mozilla.net/ [mozilla.net]

    Seems their response will be a partial and optional "Collections" walled garden of sorts where people will subscribe to addon lists that are associated with specific reviewers / devs that users may choose to trust. Shame they can't produce a technical solution to any of this but that's what you get when you allow arbitrary code execution over a network.

    --
    compiling...
  • (Score: 3, Funny) by leon_the_cat on Friday October 23 2020, @06:13PM

    by leon_the_cat (10052) on Friday October 23 2020, @06:13PM (#1067988) Journal

    are ok?

(1)