
Google purges bad extensions from Chrome - angeNoble
http://www.bbc.com/news/technology-32206511
======
dankohn1
This is fantastic news.

The Quick Note Chrome extension from Diigo (now removed) submits every URL
visited to a third-party server and those URLs are then crawled the next day.

We just switched our 25 member customer service team to Chromeboxes and were
very concerned to find soon after that an EC2-based crawler was querying
private URLs of our platform.

Because the Chrome Web Store had not banned bad actors like Diigo, we now
blacklisted all Chrome extensions except for a very small number that I
personally approve. Rather than feeling that ChromeOS was improving our
security, we had our chief software architect spend most of the weekend
figuring out who was targeting our platform. (All queries received 404 errors,
but we remained concerned whether the rogue extension could read the submitted
form credentials or the cookie store to get access.)

Rogue extensions are wasting a huge amount of time and destroying trust in the
Chrome platform. Here's some more detail on similar stories about Diigo:

[https://chrisa.wordpress.com/2014/08/25/chrome-extensions-going-rogue/](https://chrisa.wordpress.com/2014/08/25/chrome-extensions-going-rogue/)
[https://mig5.net/content/awesome-screenshot-and-niki-bot](https://mig5.net/content/awesome-screenshot-and-niki-bot)

I am thrilled to see Google finally acting to restore trust in their platform.

Update: Google removed Diigo Quick Note, but still has Awesome Screenshot
[https://chrome.google.com/webstore/search/diigo?hl=en-US](https://chrome.google.com/webstore/search/diigo?hl=en-US)
which captures the identical data and sells it to third party crawlers.

~~~
ebtalley
Agh, damn. Just removed Awesome Screenshot due to your comment and I liked it
as an extension too. Not enough to leak information to third parties though.

~~~
x0x0
And this is why google sucks: even technically apt people can get suckered.
Google bears responsibility for what's in the chrome web store, except they
(as standard) duck it and dump all responsibility onto the users. If even
sophisticated users can get fooled, what hope do most folks have?

The answer is for google to own what is in their store, but that costs money.

------
mmahemoff
"This extension will have access to your browsing history and private data on
all websites".

Which is usually accompanied by the developer apologising and explaining they
have to declare this in order to provide the extension's core functionality.
Users then learn to ignore these warnings, malicious extensions ensue.

I'm glad Google is taking malicious extensions seriously, but purging is a
difficult semi-manual effort when extensions can update any time. A lot more
effective would be to bake security into the whole model. Extensions shouldn't
need to see your entire browsing history on all sites just to enhance some
links or do syntax highlighting.

It should also be possible to request permissions on demand, and for certain
URLs, instead of blanket-consenting before the extension is even installed. I
know these things are a trade-off with simplicity, but should at least be
there for orgs and individuals who want to take advantage of them.

~~~
TazeTSchnitzel
Sounds like Chrome's "security model" for extensions is just as awful as
Android? Large, sweeping permissions categories rather than fine-grained
control, and all-or-nothing acceptance.

~~~
mmahemoff
Pretty much the same, which is different to general websites, which do on-
demand permissions (as with iOS model).

Chrome extensions _can_ request only access to specific URL regexes, so they
can be fine-grained about location, but the actual permissions tend to be
coarse-grained. And as a user, you can't change the URL regex (that's some
low-hanging fruit right there - users should be able to edit the URL pattern
for any extension).

In some respects, Chrome apps are morphing to be general websites (e.g. with
manifest.json and installing to home screen on Android), so hopefully things
will move more in the direction of the web. There were also some hints towards
on-demand permissions in the security talk at the most recent Chrome Web
Summit, I'm not sure it's proceeding.

~~~
tracker1
I really appreciate that an SPA can function more as an offline application,
not just a website. I wish that there were a standard endorsed beyond just the
manifest.json though... I wish there were a .{someExtensionThatIsReallyZip}
package that contained a manifest.json, as well as all other files that
package needed... this is how chrome extensions are, but it would be nice to
see a standard model for apps supported by more browsers for this.

For all the things I didn't/don't care for regarding flash and silverlight,
having a single compressed downloadable package is a nicety. I think
Silverlight did a better job of it though. When Adobe bought Macromedia, my
sincere hope was that they'd turn flash into a more open format that was an
archive manifest with svg, mp3 and other assets with closer to plain
JavaScript for their part. That could have been something browsers would be
more likely to have embraced.

------
wiradikusuma
Just FYI, there are many cases of malware (presumably browser extensions)
targeting online banking in Indonesia recently. The typical flow is like
this:

      1. The user logs in to his/her online banking website.
      2. The malware gets triggered and phones home with user's credentials.
      3. The bad guy logs in using user's credentials in own computer.
      4. The bad guy initiates bank transfer from user's account to his account.
      5. The bad guy is presented with "enter auth code" to confirm the transaction.
      6. The malware pops up "Verify your auth code" into user's computer.
      7. Thinking "it must be new method from my bank", user types his/her auth code.
      8. The auth code gets sent to the bad guy, allowing him to complete transaction.
      9. Profit.

Even tech-savvy people can be victims if they're being careless.

~~~
IkmoIkmo
Ew, bank fail. My bank will send me a 2FA code to my phone, it'll explain what
it's for first. So the message will say 'you're trying to send $200 to xyz at
date yxz. Enter this code'.

You'd then have to go to a screen on your computer with that particular
transaction, find it, and enter the code. You don't suddenly get some kind of
authentication pop up, and know to enter a particular code that authorises
anything that isn't your password. That's the whole point of 2FA?

Beyond that, it's surprising that bank fraud still happens seeing as in most
countries there are very strict KYC/AML requirements, meaning you can only
open a bank acc with an ID in person, with a registered address. I got hit by
this myself a while ago when I sent some money for an online purchase that
never delivered. I was really bummed out, got scammed but thought at least I
had an acc number with a name and address. I looked into it more and it turns
out there's a big network of low-end criminals who will approach some 16 year
old on his way home from High School. He'll have $50 on his account. Is given
$100 straight up, and promised $200 additionally later on, in exchange for his
debit card. Youth thinks 'why the hell not, got $50 to lose, just gained $100
and potentially more'. The criminal will use that bank acc to collect money,
retrieves it from an ATM with the card, then disappears. Police investigation
into the scam will turn up with a 16 year old unaware of the risk of 'identity
theft' (weird semi-bs concept itself) who lent out his card and didn't
understand the consequences. The criminal goes free without a trace.

~~~
r00fus
Even contextual messages are game-able - the default text "enter your
verification code" showing up on the website will likely catch a LOT of
people, since they're thinking it's from the bank.

Extensions are Apps.

Without a meaningfully robust (and mandatory) security model and some basic
security audits to prevent over-reaching security defaults/requests, you might
as well be running Windows XP.

------
bad_user
> _" You would expect that an extension that injects or replaces
> advertisements is malicious, but then you have AdBlock that creates an ad-
> free browsing experience and is technically very similar."_

AdBlock is very clear in what it does and users install it because they want
to block ads, whereas users are usually not aware when an extension injects
ads. As a note, the Awesome Screenshot extension for Firefox asks you if you
want ads injected, probably because of Mozilla's review process, whereas the
Chrome version does not.

It's one thing for websites to be robbed of the opportunity to make money from
your eyeballs, with your consent, it's quite another for those same websites
to generate money unknowingly for an obscure third-party. We are probably
talking about copyright infringement done for commercial for-profit reasons.

Google is annoying me lately. I now use Firefox on my Android and I do that
because AdBlock Plus and uBlock are working on it, whereas Chrome for Android
still doesn't have plugins, probably because they don't want ad blockers in
it.

~~~
seanp2k2
Yeah, but ABP also has white listed ads:
[http://techcrunch.com/2013/07/06/google-and-others-reportedly-pay-adblock-plus-to-show-you-ads-anyway/](http://techcrunch.com/2013/07/06/google-and-others-reportedly-pay-adblock-plus-to-show-you-ads-anyway/)

Ghostery has a bit of a different model, but they're no saints:
[http://www.technologyreview.com/news/516156/a-popular-ad-blocker-also-helps-the-ad-industry/](http://www.technologyreview.com/news/516156/a-popular-ad-blocker-also-helps-the-ad-industry/)

I guess the lure of selling user data is just too great for any commercial
entity to control the source of these ad blockers. uBlock and PrivacyBadger
are still clean AFAIK.

~~~
username223
From what I've read, ABP are just plain extortionists: "those are nice
'acceptable' ads you have; shame if something were to happen to them."
Ghostery's business model makes it a bit untrustworthy, but it works pretty
well as far as I can tell. uBlock is "you get what you pay for" freeware, so
you can trust it as long as not many people use it. PrivacyBadger is developed
by a small number of honest-to-God privacy zealots (in the best possible
sense), so it won't get sold out, but will probably lag behind the curve.

I use a couple of them at once, block most JavaScript, usually run with
cookies disabled, and pay a bit of attention to what's going on in the privacy
news. For less tech-savvy relatives, I just install Ghostery and disable
third-party cookies, since that seems least likely to break websites, and
blocks most of the worst tracking.

Oh, and hosts-block tynt. Those guys should drown in burning kerosene.

------
angeNoble
Does anyone know where one could find a list of offending plugins? I tried,
but came up empty handed.

~~~
obisw4n
I've been in contact with someone from Google Security and this was their
answer:

"I spoke to the team that maintains that list and they don't have plans to
make it public, if you would be willing to share some ideas on how to better
protect people from this unwanted software I would be happy to pass it on but
due to the nature of the work (trying to stay one step ahead of bad guys) we
probably won't be able to share anything back."

I'm the author of this anti-adware addon called "Extension Defender" and it
would greatly help my users if I could use their list, because while the
extensions were removed from the Webstore, does that mean it was forcibly
removed from their PC? Probably not.

Plug: [https://chrome.google.com/webstore/detail/extension-defender/lkakdehcmmnojcdalpkfgmhphnicaonm](https://chrome.google.com/webstore/detail/extension-defender/lkakdehcmmnojcdalpkfgmhphnicaonm)

------
ocdtrekkie
Should say "Google does a lousy job purging bad extensions from Chrome". A:
Because all of the malware I reported is still there. And B: Because actually
policing your store for malware for once shouldn't be a news item.

~~~
slacka
Could you give some examples of malware that you reported that are still
there? What conditions do you use to classify extensions as malware?

~~~
ocdtrekkie
A good example is Vosteran New Tab. Almost two million users, none or near
none of which are consensual users. Nobody I've ever uninstalled that from
ever intended to install it. It hijacks your new tab page and search.

Interestingly enough, Vosteran also produces a rogue fork of Chrome which
makes Vosteran's own search/ad platform built-in and unavoidable. Said rogue
fork is also installed without users' permission.

[https://chrome.google.com/webstore/detail/vosteran-new-tab/oilkkkefbalmbfppgjmgjoefbclebkce](https://chrome.google.com/webstore/detail/vosteran-new-tab/oilkkkefbalmbfppgjmgjoefbclebkce)

I invite you to peruse the first five pages of search results here and make
your own assumptions about the legitimacy of all its five star ratings:
[https://www.google.com/?gws_rd=ssl#q=vosteran](https://www.google.com/?gws_rd=ssl#q=vosteran)

~~~
username223
Hm, let's take a look at Vosteran. From Wikipedia[1]: "Vosteran is a browser
hijacker that changes a browser's home page and default search provider to
vosteran.com. This infection is essentially distributed bundled with other
third-party applications. Vosteran carries the PUP virus. The identity of
Vosteran is protected by privacyprotect.org from Australia."

Okay, so it's malware. Let's check out their webpage[2]! Hm, they give a
physical address at 28 Lilienbulm St. in Tel Aviv... as an image, to avoid
search engines. Let's look at their "how-to-get-rid-of-this-crap-I-don't-want"
process[3], which "shouldn't take more than 10 minutes": so they basically put
their tentacles into any crevice they can find, and make it annoying to pry
them out.

Let's see if it's easy to see who runs this bit of evil... nope. They're
amoral scum.

[1] [https://en.wikipedia.org/wiki/Browser_hijacking#Vosteran](https://en.wikipedia.org/wiki/Browser_hijacking#Vosteran)

[2] [http://www.vosteransearch.com/contact-us/](http://www.vosteransearch.com/contact-us/)

[3] [http://www.vosteransearch.com/how-to-remove/](http://www.vosteransearch.com/how-to-remove/)

~~~
ocdtrekkie
And Google has received reports for it, but clearly thinks there's nothing
wrong with it being there.

------
27182818284
The security model of chrome extensions is such that I only use one--and
that's one from a well-known company that I already trust with sensitive
items.

I just can't talk myself into the "This extension will have access to your
browsing history and private data on all websites" warning that appears
beforehand, and it looks like with extensions sending private URLs away to be
crawled, I was at least a little correct to worry.

------
sandinmyjoints
> _Preliminary results revealed that 5% of people accessing Google every day
> have been caught out by at least one malicious extension._

How might they have detected what extensions are installed in their visitor's
browsers?

Is there a way to enumerate installed extensions?

[http://browserspy.dk/](http://browserspy.dk/) and
[https://panopticlick.eff.org/](https://panopticlick.eff.org/) detect plugins,
but those aren't the same as extensions.

~~~
kuschku
Google probably compares all the JS and HTML of the resulting page in-browser
with the code that they originally delivered, allowing them to see if an
extension or userscript manipulated it.

------
miander
When the extensions are removed from the Chrome Web Store are they removed
from everyone's browsers automatically? I didn't see it mentioned here or in
the article.

~~~
unreal37
No. Google uninstalling things from your computer without your permission? Now
that would be news.

~~~
james-skemp
Actually I think the answer is yes. Or at least they're disabled.

I forget the name but I had one that allowed for a custom new tab page. It had
opt-out ads, but I otherwise loved it. It kept getting disabled after each
fresh start of Chrome. Debated forking it but haven't yet.

It might matter that I do have my extensions sync between machines. Extension
is eventually disabled on the others as well.

EDIT: "This extension violates the Chrome Web Store policy." The extension is
Modern New Tab Page. The store page is gone, so no clue what policies are
violated, what I need to fear, etcetera.

I can still enable it, but it will be disabled at some point.

Does it have questionable practices? Yes. There's a settings option but it's
different than the settings I see by going to chrome://extensions/ as the sole
option on the latter is to disable ads.

EDIT 2: To be clear, this extension was blocked late last year, and is not
part of this recent batch. At that time there were questions about whether
there was a list as well. There was, like this time, no notification to
impacted users.

~~~
unreal37
Hmm, disabling with a notice is not a bad middle-ground actually. For the
worst offenders.

~~~
james-skemp
It's a horrible middle-ground. Google definitely dropped the ball with
alerting users of a possible breach. If there's strong evidence a plugin was
capturing and using credentials I need to know to change credentials.

------
userbinator
Aren't extensions written in JavaScript? That alone sounds like it'd make it
pretty easy to examine and remove any "unwanted functionality" from one, or to
show that it's doing something it shouldn't be. It only takes one
knowledgeable user to find out and spread the news...

As an aside, I'm surprised at how willing most users seem to be to install any
software, be it browser extensions or random apps on their phones/tablets/PCs.
Especially in the case of deliberately malicious extensions mentioned in the
article, I wonder if they were installed without the user ever considering
"What is this for? Do I really need it?"

~~~
tomjen3
>That alone sounds like it'd make it pretty easy to examine and remove

Minified and obfuscated JavaScript is not much easier to check than binary
files and more difficult than e.g. Java class files, at least without ProGuard.

~~~
STRML
Just as a reference, you might like this tool - I've gotten great results with
some really gnarly minified/obfuscated JS.

[http://www.jsnice.org/](http://www.jsnice.org/)

~~~
tomjen3
Oh, there is a built-in version in the Chrome debugger.

And sure, it can handle js uglify, etc. There are tools and systems that allow
you to remove more than that, and then it becomes really difficult to get a
handle on WTF is going on.

~~~
STRML
Sure, but this one is much more advanced than the one in the Chrome
Inspector, which only formats. This one renames variables and functions, adds
comments, and even annotates types.

------
rip747
I don't understand why you can't block (or lock out) certain permissions for
extensions. If an extension requests permission to browsing history, you
should be able to install the extension but deny it access. This is the same
problem that I see on Android.

------
wnevets
It's too easy to bait and switch with Chrome extensions. Authors can sneak
malware into their code at any point and you have zero chance of stopping it.

~~~
stevenh
I've created a few Chrome extensions, and I constantly get bombarded with
aggressive emails practically demanding that I accept financial compensation
in exchange for adding whatever sketchy javascript snippet they want me to
add. Some even have the nerve to follow up as if they are offended by my
silence when I don't respond to them. I'm not sure how those people even got
their hands on my email address.

What infuriates me is that even extensions that are widely known to have
succumbed to these sinister offers to include borderline malware in their
extension, such as Hover Zoom, are not punished in the slightest even after
being caught, or even required to remove the malicious javascript snippet.

What the hell is the point of all these XSS prevention measures in modern
browsers, such as reflected XSS prevention, CSP, script nonces, etc. when all
you have to do to bypass all of them is make your own browser extension? Is
the team at Google that handles Chrome extensions completely unable to
communicate with the team that handles browser security? The left hand has
forgotten that the right hand even exists. I nominate Google as the company
that the movie The Cube was warning us about.

If the suspiciously nameless author of this article wasn't paid by Google to
write it, then he ripped himself off. If the author had performed the most
basic research into the topic he was writing about, he would have learned that
Firefox's approach to extensions is perfect and is the only reasonable
solution to the security problems that exist with Chrome's extensions. An
actual journalist writing about this topic would have swiftly concluded that
Google should be lambasted for its blunders and mocked for not living up to
Firefox's standards, rather than being borderline worshipped for barely doing
anything to fix a horrific problem they openly invited in the first place.

------
josteink
So how long until AdBlock Plus and uBlock are "bad" extensions?

Enjoy your walled garden. Soon enough the walls will be so high you won't even
_remember_ what a free browser felt like.

~~~
narrowrail
You can manually install extensions, which is how I install mine (e.g.
µMatrix). I'd rather not have to use the Chrome store (and I prefer Chromium,
as well).

~~~
amyjess
> You can manually install extensions

Not on Chrome stable. You have to use beta, dev, or a Chromium build for that.

~~~
tim333
I think you can on regular Chrome. Just tick the 'Developer Mode' box at the
top of the extensions page.

~~~
gergles
I don't think you can on Windows.

~~~
sleazebreeze
Developer Mode in Chrome is most definitely available on Windows.

------
obisw4n
Chrome extensions can do some really nasty things. Just last year while doing
adware research for extensions, I actually came across an extension
monetization company who was silently installing Google Android apps to the
user's phone with no human interaction whatsoever. I wrote a breakdown of
this on my blog:

[http://extensiondefender.com/blog/red-alert-dangerous-exploit-poses-major-threat-to-all-android-users/](http://extensiondefender.com/blog/red-alert-dangerous-exploit-poses-major-threat-to-all-android-users/)

------
xmodem
This probably isn't a popular view for the HN crowd but at this point I'm
convinced that for 90% of users, browser extensions are an anti-feature doing
way more harm than good.

~~~
username223
For almost 100% of users, the "modern web" is an anti-feature doing way more
harm than good. It's a giant pile of tracking scripts and animated "punch-the-
monkey" graphics wasting users' power and bandwidth while stealing their
personal data and providing nothing of value. Web browsers are creaking piles
of bloat trying (badly) to support this disaster while pretending to be
shinier than their competitors, or than last month's version of themselves.

Browser extensions offer a whole new host of evils, along with a marginally
effective way to fight back against the rising tsunami of web horrors. The web
is mostly about harming users, so I can hardly blame them for grasping at
whatever chance they have to defend themselves.

------
hackaflocka
Chrome always gives this really scary warning that the extension will be able
to read all my tabs etc. They need to sandbox everything so that I don't have
to feel worried while installing extensions. Worry is not a good UX.

------
speik
An extension I use regularly got zapped (Website Screenshot). There are
definitely alternatives out there, but it's a little annoying that there was
no indication as to WHY it was removed. Oh well.

------
c0l0nelpanic
This only addresses part of the problem. Chrome extensions are ONE method of
injecting into a page. What about more advanced methods including code hooks,
Proxy, LSP, TDI, WFP, etc... What is Chrome going to do about those?

------
yawz
Well... Wouldn't it be useful to publish a list of the offending extensions?

------
wahsd
That's amazing news ..... YEARS after it should have happened

------
brettbl
What's Google's protocol for approving apps? How do they not notice the problems
before the apps even hit the store?

------
wyclif
Google needs a better way to notify users when extensions are superseded. For
instance, I used to use the Google Voice extension even though it was buggy as
hell, and kept using it for too long because I didn't know about the much
better Hangouts extension that replaced it (I had been using Hangouts for a
while but never had the Chrome extension).

------
pjmlp
Better yet, disable all of them.

~~~
lkbm
Disable all extensions? No more Tampermonkey, Postman, LastPass? Seems like a
massive overkill. Extensions provide vital functionality.

~~~
pjmlp
What functionality? Never heard of any of those.

Browsers are for interactive documents, for everything else there are native
applications, even though I also do web development gigs.

