
The "Window Resizer" extension for Chrome now contains malware (2013) - iamartnez
http://productforums.google.com/forum/#!msg/chrome/mlAD1ygc0v0/Cc7IrHdmE5AJ
======
8ig8
Reddit discussion from last month:

[http://www.reddit.com/r/YouShouldKnow/comments/1snyyl/ysk_th...](http://www.reddit.com/r/YouShouldKnow/comments/1snyyl/ysk_the_chrome_extension_called_window_resizer/)

Also, alternative as discussed on SO:

[http://stackoverflow.com/questions/20775775/alternative-to-c...](http://stackoverflow.com/questions/20775775/alternative-to-chrome-extension-window-resizer)

See it in action:

[http://chrisbalt.com/blog/2013/12/20/link-hijacking-through-...](http://chrisbalt.com/blog/2013/12/20/link-hijacking-through-chrome-extensions-and-other-security-risks.html)

Edit: Related:

[http://superuser.com/questions/694825/why-my-google-search-r...](http://superuser.com/questions/694825/why-my-google-search-results-are-all-directed-via-http-www-ecosia-org)

[http://windowresizer.userecho.com/topic/353032-did-you-pull-...](http://windowresizer.userecho.com/topic/353032-did-you-pull-your-extension-from-the-google-store/)

~~~
chrisbalt
One thing I wish I had called out more clearly in my post ("See it in action")
was the fact that the "feature" would re-enable itself after every update of
the extension, which seemed to be quite frequently.

It's a shame; it really was a feature-packed, helpful extension.

~~~
prafuitu
No, it doesn't re-enable after any update. It only re-enables if you uninstall
the extension and install it back, because settings are lost and it switches
to the default. Please check your facts before making such claims, ok? Anyone
with minimal JavaScript skills can look at the source code and see exactly
what's happening!

Thanks!

~~~
chrisbalt
Whether or not it was your intention or the design of your extension, that was
the behavior I observed - hence my factual claim.

I've looked deeply into your extension and you did a very nice, impressive
job. I don't believe anyone is discounting the quality of your work here. The
pattern you exhibited by enabling the ecolinks feature by default (right or
wrong) simply highlighted, for many, the risks inherent in granting browser
extensions such great permissions to the browser.

------
Svip
What is more interesting is the reaction from the developer himself. He seems
to be completely unimpressed by the criticism. Noting that one permits Chrome
extensions to do stuff, and they would have seen this permission the extension
required when they updated or installed it.

Furthermore, he is quoted as joking about how he could have sold the extension
to someone to get your passwords and whatnot (but assures us that he hasn't
done so).

~~~
shurcooL
That is interesting.

It could be criticism of the existing system. Or he could have other
goals/intentions.

~~~
Svip
He asks specifically if he has broken some rules in Google Chrome's terms of
service, where another user replies with quotations from the ToS. He barks at
that saying his extension is allowed to do what he does, because his extension
does reveal exactly what it does, if you read its permissions carefully.

Although I cannot confirm whether that is true, that's what he is saying.

I have no idea what he is up to; but aren't extensions supposed to be reviewed
if they're in the extension catalogue?

~~~
darklrd
They seem to have an automated review process unless the extension is flagged
for manual review. Source - [https://developers.google.com/chrome/web-store/faq#faq-gen-0...](https://developers.google.com/chrome/web-store/faq#faq-gen-08).

~~~
bronsoja
Yeah, seems like they should maybe institute some type of manual review for
any type of "global" permissions. It would impede the well-behaving apps that
legitimately need global permissions, but it might be worth it.

~~~
aragot
... or incentivize them not to request universe permissions.

------
iamartnez
Since Chrome auto-updates extensions, users are likely not aware of this
change.

I've been using the extension for several months until I noticed the
transparent redirection. In fact, the only reason I noticed the redirect is
when it failed. I clicked on a Google search result and got stuck on a blank
page like this:

    http://ecolink3.ecosia.org/?key=3cdcd4dc082e3c7b860abe4608b6925d&out=http%3A%2F%2Fwww.usatoday.com%2Fstory%2Fpopcandy%2F2013%2F01%2F15%2Ffred-armisen-ira-glass-this-american-life%2F1836079%2F&cuid=2

~~~
wfunction
> Since Chrome auto-updates extensions

How do you disable this?

~~~
joshschreuder
Not sure if you can or not, but you can use this:
[https://chrome.google.com/webstore/detail/extensions-update-...](https://chrome.google.com/webstore/detail/extensions-update-notifie/nlldbplhbaopldicmcoogopmkonpebjm)

Which pops up a toast notification whenever an extension gets updated so you
can investigate (Chrome doesn't force changelogs on updates either so you
might have to dig deeper into the code).

If you don't mind having another extension which could be doing nefarious
things.

~~~
wfunction
Thanks, it's better than nothing at least.

[Rant: the whole concept of auto-update-by-default is stupid. /Rant]

~~~
ygra
If there was something like »Updates for your extensions are available,
install them now?« would it really help or would most users just say »yes«?
They'd have no way of verifying that the update is benign or not anyway.

~~~
wfunction
It should be more like "Updates for your extensions are available; they will
be installed when Chrome is restarted. [OK] [Cancel automatic updates]".

Or basically anything that gives you the option to avoid doing so.

------
silverlight
Whoa, wait. One guy in this thread is claiming that Window Resizer was sending
all your keystrokes back to a central server based on what he saw in
Wireshark. Can anyone else verify this? I've had this extension installed
for...a year, at least. Do I need to now go change every single password on
every site because chances are it's been keylogged? This is insane.

~~~
Svip
The developer also seems to claim that the keylogger exists as well. If you
want to take his word for it as well.

~~~
silverlight
I just can't even fathom. Like, every email I've typed. Every interaction with
any site. Credit card numbers.

How is this not entirely illegal?

And it certainly shows an incredible flaw in Chrome extensions. This extension
didn't do this when I installed it. A silent auto-update though basically
turned it into the worst malware I've ever had installed on my computer. How
can any Chrome extension ever be trusted?

Furthermore, I spend a lot of time in Chrome Dev Tools, and the Network tab
and I are no stranger. I would easily have noticed if my keystrokes were being
sent back to a server and it was shown in there. So not only can an extension
be silently updated, but it's capable of using a network connection that
doesn't appear in the Chrome Network tab, that only Wireshark can reveal? That
seems almost as ridiculous as what the extension author did.

~~~
ssafejava
A chrome extension can make network connections that you won't (normally) see
in Dev Tools using a background page. You'll see the connections if you
inspect the background page directly but most users won't.

Unfortunately this is simply a byproduct of the web's (and browsers') botched
security model; there is no way to allow extensions to modify pages without
them being able to read the pages, and if they can read the pages they
naturally can catch events, including keystrokes.

This is why you should think - hard - whenever allowing _any_ extension with
that permission. It could autoupdate at any time to include malware.

There are a lot of bad extensions out there. I've encountered quite a few.
It's a wide-open vector for exploitation and it happens all the time. Just
last month I came across a game extension (super mario clone) that contained
jQuery. Upon further inspection, it turned out it had been re-minified (making
diffs difficult) and had a few lines deep inside that hijacked ads and
replaced them with the author's ad network. Silent, effective, and this
extension was on the 'top lists' for months. It might even still be there.

Be very aware of the permissions an extension asks for.

~~~
imdsm
Pop Fiddler on your machines and look for yourselves.

------
miles
The linked discussion is back from mid-December and the extension has been
removed from the Chrome Web Store:

[https://chrome.google.com/webstore/detail/window-resizer/kke...](https://chrome.google.com/webstore/detail/window-resizer/kkelicaakdanhinjdeammmilcgefonfh)

~~~
hendersoon
Smooth Gestures (lfkgmnnajiljnolcgolmmgnecgldgeld) has done the same thing for
well over a year now. I (and many others) reported the addon to Google, but it
still remains.

What does it take to get something like this removed?

~~~
paulirish
In the extension text, they say: "This extension is ad supported, you can
disable your support by going to the options and making a one-time donation.
We depend on your support, but we understand if you would prefer to withhold
it."

This, from what I can tell, plays within the bounds of Chrome's policy on
extensions.

(I also spent some time looking at the extension source to verify that the
only annoying thing they do is inject ads according to this whitelist:
[http://goo.gl/3WAej6](http://goo.gl/3WAej6) Nothing else caught my eye. )

~~~
gorhill
The extension did more than just add ads. A JavaScript listener for the click
event was attached to each link on the result page.

If the user hovered with his mouse over a link, he couldn't tell the link
would lead him to [http://www.ecosia.org/](http://www.ecosia.org/). But this
is exactly what was happening, because the click listener was changing the URL
_only_ after the user clicked.

So now the user was redirected to
[http://www.ecosia.org/](http://www.ecosia.org/) along with a bunch of
parameters, including the original query and the original URL, and from there
[http://www.ecosia.org/](http://www.ecosia.org/) redirected the user to the
original URL (after logging whatever it wanted to log), without the user
having a way to notice what had just happened (unless looking in the dev
console).

The fact that the URL was changed _only_ after the user clicked is quite a
hint that deception was intended there.

~~~
prafuitu
Paul was talking about a different extension, but anyway...

The onclick event listener is the same thing Google does with the search
results. Perform a search on Google and right-click a link, then you'll see
the URL changes to a Google proxy server that collects data about your
click for analytics purposes. The reason is so the whole process is more
transparent and the users can see the actual URL they end up with when
clicking the link. The intention was not to hide anything, but to keep things
as unobtrusive as possible. I'm sorry if it felt any other way!

------
sergiotapia
Google really REALLY needs to up their game.
[https://news.ycombinator.com/item?id=7046240](https://news.ycombinator.com/item?id=7046240)

I don't feel safe using their services anymore.

~~~
AJ007
Theory: Google decided to have relaxed rules to play catch up with Apple's App
Store.

After hearing from other Android devs and what they were getting away with I
decided to stick to Apple for a while.

~~~
oneeyedpigeon
This is a Chrome extension, not an App.

~~~
tomswartz07
To be more specific, not an Android app. Chrome has web apps, but that's not
the case here.

------
teknover
Story sharing time!

I run a local user group that educates developers on Google's technologies
that while proudly independent from Google, has a great working relationship
with their developer relations teams.

Back in March of 2012 (that's almost two years ago) I first brought to the
attention of the Chrome developer relations team an extension called Bookmark
Sentry that essentially contained a trojan that hijacks links to serve up spam
ads. You can read more about it here:
[http://stopmalvertising.com/malvertisements/beware-of-the-go...](http://stopmalvertising.com/malvertisements/beware-of-the-google-chrome-extension-neat-bookmarks.html)

What I found troubling was the response back. I received an official response
that it was within compliance of Chrome App Store policies. Specifically I was
told:

"Ad injections are not in violation of the Chrome Web Store program policies.
The policy requires that ads must be presented in the context of the extension
or, when present within another page, ads must be outside the page's normal
flow and clearly state which extension they are bundled with. We believe that
ads are a legitimate way to monetize, but that they should be a known cost to
the extension user."

I certainly hope since then they've changed their policy on this issue and are
actively policing and enforcing against spyware and malware.

Chrome App extensions can access extremely sensitive data such as webforms
with credit card, contact details, passwords and more and in the wrong hands
can do untold damage.

------
chrislomax
I noticed this about a month back. I was browsing the web one Saturday morning
and spotted an "Eco link" next to the search results. Most of them were big
sites, like Amazon and eBay etc.

I immediately emailed one of our SEO guys with a snippet of the page and said,
"we need to know how to do this in Google, it must be a new feature". I
stupidly assumed it was a new feature Google had rolled out. When he replied
that he couldn't see it, I started googling the problem; most of the results
pertained to malware, and I was shocked. I'm a very careful browser in general.

When I started digging around, it was only then that I started switching off my
plugins one by one, and the eco link went when I switched off the browser resizer.
I was honestly shocked. I knew the developer wasn't supporting the plugin any
more due to funding, but I didn't think it would go in that direction; I
expected it to just fade away.

No, I didn't read the updates on the product. I don't have time to read
updates on products, especially plugins. After reading his comments on there,
there is no remorse for his actions. He is nothing more than a simple malware
spreader, he should apply for a job at SourceForge.

~~~
chrome-resizer
Here is a version from before the takedown:
[http://ge.tt/8PSuzxD1/v/0](http://ge.tt/8PSuzxD1/v/0)

(I zipped the '3rd-party' directory and removed references to those scripts in
the manifest file. So it's there if you wanna inspect it, but ecolinks won't
run. I don't have time to restructure the options page though :-)

~~~
chrislomax
I'm assuming you are the developer?

Now I see these pages I can see you were quite transparent about the eco links
update. I still didn't see it though.

It's a shame it went in this direction as I used it all the time.

------
nestlequ1k
I ran into this. I only found out because ecolink went down for a while. So
when I clicked on google search results, it would error out while trying to
redirect.

Valuable lesson learned. I never thought a chrome developer would be quite so
stupid to pull something like this. Now I'll keep my eye on every extension.

And yes, you should never install Window Resizer, or anything else Ionut
Botizan (the developer) releases again.

------
morgante
This is completely egregious. Deleting now.

I love that the developer's defense is that he could have sold our passwords
to someone but (supposedly) didn't. That really instills confidence in his
morals, doesn't it?

~~~
csmattryder
It's almost akin to "I stabbed you in the leg, but see, I could've stabbed you
in the heart!".

Would avoid this developer 100% from now on, Chrome or otherwise.

------
tmikaeld
When developing my first Chrome Extension, it didn't take me long until I got
the thought of "keylogging might be possible".

So I tried it, and sure - I was even able to replace password logins in the
DOM with fake ones.

Firefox extensions do the same thing really, so now I only use a few "safe"
extensions.

I'm surprised that this hasn't gotten more attention.

~~~
daveid
Now I have to wonder... What permissions do Firefox extensions have? How do I
check or verify these things?

~~~
anonymfus
Firefox extensions have the same permissions as browser itself.

------
taspeotis
Is it correct to class this as malware? I get that the portmanteau is
"malicious software" and hijacking your Google search results isn't the
friendliest thing to do but I think this is closer to "adware" than "malware".

Although the author seems like a bit of a di- ...fficult person, maybe we
should coin the term "dickware" to cover this sort of software.

EDIT: I missed the keylogging bit, thanks to everybody that pointed it out.
Adware + Spyware = Malware.

~~~
Bud
It's inserting fake search results and running a keystroke monitor. To me this
isn't even a close call; of course it's malware. I would also say that any
developer who would do this simply can't be trusted; if he will do this, he
might do just about anything else. He doesn't seem to have any regard for
others.

~~~
orf
A hell of a lot of Chrome extensions inject adverts and other tracking code
into websites you visit, like Facebook and YouTube. Would you class those
extensions as malware as well?

~~~
dudus
I would. Why wouldn't you?

~~~
orf
I would, but that then means that the chrome web store is riddled with malware
which isn't a nice thought and doesn't bode well for its future as something
that is supposed to be more secure than traditional native platforms.

~~~
hrjet
Something that was supposed to be secure is not. So you stop calling malware,
malware?

Move on.

~~~
orf
I was agreeing with him, perhaps I should have phrased it better.

------
Erwin
Hover Zoom had a similar problem recently, but still exists on the Chrome
store. Up until a certain version, their data collection did nothing much
(perhaps save non-existing domain hits).

Then they partnered with someone and started sending certain form data (!!) to
a third party -- claiming they wanted to collect anonymous demographic
information. It didn't help that the script injection on all pages (which I
discovered when debugging with the web tools) used some shady domains with no
web presence.

They claim they did not send e.g. any password data -- but they perfectly
could have. I tried reporting the extension on the store as did many others,
but that had no effect. The developer seems to have reverted that bit of the
code -- for now.

~~~
Xdes
Looks like it's time to find a replacement for Hover Zoom.

------
chippy
Someone should (and I just might) write an extension that updates a list of
evil extensions and authors and warns the user when they have a bad extension
or try to install a new extension on that list. Powered by a blocklist type of
listing and community moderated.

------
chrisbalt
Really what this boils down to, imho, is a need to educate users on the
meaning of the permissions that are granted (with approval) to these
extensions. Certainly the vast majority of users confirm the security
permissions without comprehending the weight of access they've just provided
the extension author.

With JavaScript, it's nearly impossible for Chrome to reasonably explain, with
any level of granularity, what exactly an extension will do with its access -
hence the "access your data on all websites" warning.

A proof of concept to demonstrate how you can take advantage of this access
for nefarious reasons, even after getting approval into the Chrome Web Store,
would be quite simple.

Long/short of it is: make sure you trust the author of any extension you
install!

------
Chirael
Wow, I had noticed the clickjacking of my Google result links (to ecolink) but
had no idea who/what was doing it. Very glad this mystery is finally solved!
Thanks for posting this.

------
callesgg
What a dickhead.

------
siliconviking
Classic!

"There is no such thing as bad publicity" by Ionut Botizan

(Source:
[http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/1MP...](http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/1MP8G-WsfFkJ))

------
susi22
Same with Read later fast: It rewrites all your URLs:

[https://chrome.google.com/webstore/detail/read-later-fast/de...](https://chrome.google.com/webstore/detail/read-later-fast/decdfngdidijkdjgbknlnepdljfaepji)

------
timmclean
I'm most concerned about the keylogging claims. Does anyone have a copy of the
CRX so that we can determine if keystrokes were in fact being transmitted?

~~~
TheAcen
Seems as though he's aware of such a thing.

"No, that's bundled adware. If I wanted to give you malware, I would have
added a keylogger which you wouldn't have ever discovered (ask around; it's
technically possible). So stop whining already, uninstall the extension and
move on with your life!"
[http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/FL6...](http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/FL6w_Z0WoIQJ)

(Also, he's now posting on the linked thread. 7 minutes ago last reply.)

~~~
timmclean
> I would have added a keylogger

seems to imply that he was not logging keystrokes, which conflicts directly
with the first post in that thread:

> they are tracking all data and keystrokes. checked with wireshark.

It'd be nice to have a copy so that we can find out for ourselves.

------
cristiantincu
Here’s how you disable “EcoLinks” if you have this extension installed and
enabled:

chrome-extension://kkelicaakdanhinjdeammmilcgefonfh/ecosia.html

Uncheck “Enable EcoLinks”.

~~~
jnbiche
Yeah, and then it re-enables itself hours later, according to countless
commenters.

------
chriscareycode
I've been having those bad URLs for a couple weeks now and thought Google was
really off their game since many times the pages came up dead. Wow.

------
aragot
Note to the developer: Next time you make a malware, also use it to remove all
bad references to your extension from HN and newspapers...

------
jhwhite
I saw the ecosia redirects popping up in some instances but couldn't figure
out where they were coming from.

The extension is now uninstalled.

------
jbrooksuk
Shame, because it's a good resizer. I happened to uninstall it back in
November, but my co-worker is still (was) using it.

------
pawelkomarnicki
Monday started with a massive WTF ;)

------
nailer
Do we know where he was _sending_ the keystrokes?

Was it logging all keystrokes in Chrome ever?

------
wnevets
The extension hasn't existed on the Chrome app store for months. Why is this
news on HN now? It wasn't malware either, it was ecolinks garbage for Google
search results that you could opt out of.

~~~
james-skemp
I'm glad it hit the home page. Had this on one of my machines as of December
(booted it up a few minutes ago and it was no longer installed). Luckily my
usage of the machine was limited, but ... now I've got to change passwords for
the few sites I did visit.

Does anyone know if the Chrome Remote Desktop extension would have been
impacted by the keylogging?

------
prafuitu
It is adware, not malware!

The original post on productforums.google.com is complete _BS_ and the
extension was NOT suspended because of that, but because it failed to make it
clear, in the context of the ads, which extension enabled the EcoLinks. This
is not the first, nor last, piece of software that uses ads in order to
support its development.

Also, the extension never logged anything from the users. All the "keylogger"
stuff is just rumors started by people who are either incapable of reading a
sentence from start to end or are knowingly lying about it.

It didn't alter the search results either. Those were exactly what Google
returned for your search, nothing more, nothing less.

There was no malicious intent whatsoever. The whole purpose was to support
further development of the extension through some form of advertising which
you could disable at any point. The disable option was not even hidden among
the other options; it had a dedicated page with a link in the main menu that
only consisted of a checkbox - it was that simple and obvious.

Another false rumor is that the setting would enable itself automatically. No,
it didn't! The only way that it would re-enable itself was to remove the
extension and then install it right back. On uninstall all settings are lost
and it falls back to the defaults.

The source code is plain HTML & JavaScript and it has always been available
for anyone to review. Anyone could download the .CRX file and unzip it (it's
just a _special_ ZIP file) or take a look in the
/%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh
folder (this varies based on your operating system) where the installed
extension is. The source code has also been available at [http://ionut-botizan.net](http://ionut-botizan.net)

If you don't know JavaScript, you don't have to take my word for it; there is
this prominent person in the web industry that, although he does not endorse
this extension, has reviewed the code and confirmed there was no keylogger
there:
[https://news.ycombinator.com/item?id=7048156#up_7056031](https://news.ycombinator.com/item?id=7048156#up_7056031)

Another false accusation is that I bragged about how "I could sell your
personal data and it wouldn't matter to me".

What I actually said is that "I could sell MY EXTENSION (as in transfer all
rights and ownership to someone else) and it shouldn't matter to me (from a
legal standpoint) what the buyer would do with it, be it collecting your
private data or whatever". That claim was made just to point out that in fact
I do care about the users' privacy and I chose not to sell the extension, even
though I received plenty of offers. Some people asked "how could I even think
of that"? Well, the extension is my property and receiving all those offers
put me in the position where I had to think about it, whether I liked it or
not.

In conclusion, yes, I admit the opt-out pattern is not the friendliest one and
the whole thing could have been handled in some other way, but the reality is
far from all these claims that I sneakily added malware to the extension,
logged your keys and private data and sold all that to third parties or
whatever.

The reality is I took your Google search results and converted them to
sponsored links, plain and simple. All data that was transmitted when you
clicked a search result was about the same that is sent whenever you click on
any other ad or banner, which can not, in any circumstances, be used to
identify you personally.

I am the developer and this is my answer; no excuses, just stating the facts.
Learn what you want from it.

~~~
gorhill
> All the "keylogger" stuff is just rumors started by people who are either
> incapable of reading a sentence from start to end or are knowingly lying
> about it

I went ahead and looked at the code after downloading the zipped extension you
linked to, and I effectively cannot see anything re. key logger. Where was
that first reported? I would like to ask the original reporter on what piece
of code he based his conclusion that there was a key logger in there.

Edit: Never mind, I see this apparently comes from original poster on google
groups, so I asked him exactly how he came to this conclusion.

~~~
prafuitu
Ok, that guy just explained what he meant by _keylogging_. Leaving aside the
fact that he's wrong about how it all works (the results are provided by
Google; nothing about the search was changed by the extension) and he never
ever looked at the source code and what it is doing (probably because he's too
dumb to understand any of it), what he means by _keylogging_ is adding the
search terms to the URL query string when clicking on a link. (Ex:
www.ecosia.org/url?url=http%3A%2F%2Fmicrosoftstore.com&v= _microsoft store_
<- this italic text right here is the result of the _keylogger_ in his
opinion)

[https://productforums.google.com/forum/#!msg/chrome/mlAD1ygc...](https://productforums.google.com/forum/#!msg/chrome/mlAD1ygc0v0/onn5FV6ektsJ)

So, this is what caused all this shit storm...

------
aabalkan
Haha that's so funny. The developer has gotten involved in the discussion and he is
seriously defending himself. What is wrong with him lol.

