
37k Chrome users downloaded a fake Adblock Plus extension - sus_007
https://www.engadget.com/2017/10/09/fake-adblock-plus-chrome-extension/
======
sengork
Extensions are the new "Let's play find the download button on a webpage"
that's been around for years. [1]

So many users download replicas of uBlock and find it hard to install the
original uBlock Origin extension. Countless times I have had to send them a
direct link to Chrome's extension site just to make sure they're installing
the right one. This is the case especially as the genuine extension in this
case has no direct author website and instead lists a repo on GitHub (average
users feel this indicates a knockoff and look elsewhere).

[1] [https://www.pcworld.com/article/2012958/how-to-avoid-fake-download-buttons.html](https://www.pcworld.com/article/2012958/how-to-avoid-fake-download-buttons.html)

~~~
krackers
This is especially a problem when you try looking for new extensions. It's not
sufficient to just look at the reviews or popularity since oftentimes the
users themselves have no idea their browsing history is being captured and
sold. Also it seems that Google is in no hurry to fix this issue, as even
having discovered and reported malicious extensions, they remain up (see:
[https://news.ycombinator.com/item?id=14889619](https://news.ycombinator.com/item?id=14889619)).

From the client side one mitigation might be to have all extensions denied
network access by default and have the user manually whitelist those in a
Little Snitch-like manner. There is an experimental flag for something similar
to this called "User consent for extension scripts." From Google's side the
best thing would be to run all extensions in a sandbox like they supposedly do
for Android apps and monitor their activity to see if they do anything
suspicious like record browsing history, redirect pages, or call out to
sketchy URLs.

~~~
482794793792894
> From the client side one mitigation might be to have all extensions denied
> network access by default and have the user manually whitelist those in a
> little-snitch like manner.

I don't think Google has any interest in doing that. You can't block
internet access on a per-app basis on Android either, even though this would close
tons of information leaks that the clunky permission system they currently
have in place just can't fix.

And as for the best thing to do from Google's side, that would probably be
what Mozilla is doing. Sit actual human beings down to look at the code of
newly submitted extensions and of extension updates.

No, this does not scale, can't be automated by some algorithm, but it actually
works. And it's not like it needs to scale into the millions.

~~~
krackers
A good middle ground might be to review only the top 1000 extensions or so and
put a trusted checkmark on them.

Reflecting back on the automated extension review, I just realized that the
problem is more complex than it seems at first glance, since extensions can
also contain content scripts that inject JS directly into pages themselves, so
it's easy to mask the source of a POST by injecting the XHR directly into the
webpage.

------
ocdtrekkie
This is, unfortunately, remarkably common. It only received a lot of attention
here because it pretended to be a well-known extension: The Web Store is full
of extensions which hijack your start page and search provider and have full
access to all of your web content. They're often installed via pages through
malicious ads which state that you must accept Chrome's install extension
request to continue web browsing and use a variety of JavaScript-based tricks
to keep you on the page until you do. (The other thing that occasionally gets
mentioned: Extensions get bought out so that adware and spyware is
automatically pushed down to Chrome users silently.)

Many times, I've reported malicious extensions I've found on users' PCs, and
months later they are still alive and well on the Web Store. Google has not
taken significant steps to vet browser extensions despite the massive amount
of access to your personal data they have, particularly if they use
permissions like accessing the content of pages you're on.

Microsoft appears to only permit Edge extensions on a case-by-case,
human-vetted basis. I strongly recommend instructing lay users to use Edge over
Chrome, and those who insist on Chrome should have --no-extensions added to
their shortcuts to ensure Google's extension interface is wholly disabled. (At
the office, I use a group policy to block all extensions on all Chrome
installs network-wide. Google provides surprisingly decent tools to do this.)

Unfortunately, while Chrome regularly brags about their security measures, it
does very little when they permit (and distribute) malicious extensions in
their store with permissions to do whatever they want with user data. Their
Pwn2Own records, their bug bounties, it's all irrelevant while they don't
consider this a serious issue. It is akin to bragging about how good your
deadbolt is while leaving the door wide open.

------
joshfraser
I audit every extension before I install it. You should too.
[https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin)
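One concrete way to start the kind of pre-install audit described above is to read the extension's manifest.json and flag the permissions that grant broad access to browsing activity. The script below is an added example, not code from the linked "Chrome extension source viewer" or from any project in this thread; the two manifests it inspects are constructed samples, and the list of sensitive permissions and the wording of the findings are this example's own choices.

```python
import json

# Permissions that let an extension observe or alter arbitrary browsing.
# The selection and descriptions are this example's own, not a Chrome ranking.
SENSITIVE = {
    "history": "reads browsing history",
    "tabs": "sees the URL and title of every open tab",
    "webRequest": "observes every HTTP request",
    "webRequestBlocking": "can rewrite or redirect requests",
    "webNavigation": "tracks every page navigation",
    "cookies": "reads cookies",
    "proxy": "can route all traffic through a proxy",
    "management": "can disable other extensions",
}

# Host patterns that match every site the user visits.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def is_broad(pattern):
    return pattern in BROAD_HOSTS


def host_patterns(m):
    """Host permissions live in `permissions` (manifest v2) or `host_permissions` (v3)."""
    pats = list(m.get("host_permissions", []))
    pats += [p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return pats


def triage(manifest):
    """Return a list of human-readable findings for one manifest (dict or JSON text)."""
    m = json.loads(manifest) if isinstance(manifest, str) else manifest
    findings = []
    for p in m.get("permissions", []):
        if p in SENSITIVE:
            findings.append(f"permission {p}: {SENSITIVE[p]}")
    for h in host_patterns(m):
        if is_broad(h):
            findings.append(f"host access {h}: can read and modify every page")
    for cs in m.get("content_scripts", []):
        broad = [x for x in cs.get("matches", []) if is_broad(x)]
        if broad:
            findings.append(f"content script on {broad[0]}: runs JS inside every page")
    return findings


# Constructed sample manifests (not real Web Store listings).
BENIGN = {
    "manifest_version": 3,
    "name": "Example Site Helper",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}],
}

SUSPECT = {
    "manifest_version": 2,
    "name": "AdBlock",
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "tabs", "history"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for label, m in (("benign", BENIGN), ("suspect", SUSPECT)):
        findings = triage(m)
        print(f"{label}: {'needs review' if findings else 'low risk'}")
        for f in findings:
            print("  -", f)
```

Findings are a reason to read the code, not a verdict: a genuine ad blocker needs `<all_urls>` and `webRequest` to do its job, so the useful signal is when the requested permissions exceed what the extension's stated purpose requires (a theme-only extension that asks for `history`, for instance).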

~~~
smnrchrds
I am a mechanical engineer not a software developer. Any advice for me?

~~~
kibwen
Personal auditing doesn't really solve the problem because extensions update
automatically, and there are numerous cases of the authors of popular
extensions being approached to sell out their userbase in exchange for cash,
providing a motive for formerly-audited extensions to go bad. Here are some
basic tips for defending yourself:

1. Minimize the number of extensions you use to the bare essentials. If you
can live without it, uninstall it. If you rarely use it, uninstall it.

2. Prefer extensions from well-known organizations rather than unknown
individuals. Example: there are plenty of extensions that force HTTP requests
to HTTPS when possible, but I exclusively use the one from the EFF.
Organizations have less to gain and more to lose from breaching the trust of
their users in this way.

3. Prefer extensions that multiple software developers have recommended
personally. This won't itself protect you from malware, but it does increase
the likelihood that emergent malware will be discovered promptly and loudly
publicized.

4. If you absolutely need an extension and none of the above apply, download
the source code of the extension yourself and manually load it into your
browser, to keep it from being automatically updated. (Part of me is wary to
recommend this, as software that never gets updated is historically prone to
being exploited by lingering unpatched flaws, but I'm having a hard time
coming up with an attack vector of this sort for browser extensions.)

~~~
joshschreuder
Chrome does a good job of notifying you when an extension needs new
permissions, like if it's been hacked to keylog you on every page or
something.

Of course, most users have fatigue for these sorts of dialogues and just hit
accept (I have done the same in a lot of cases).

I also like Extension Update Notifier

[https://chrome.google.com/webstore/detail/nlldbplhbaopldicmcoogopmkonpebjm](https://chrome.google.com/webstore/detail/nlldbplhbaopldicmcoogopmkonpebjm?utm_source=chrome-app-launcher-info-dialog)

Which pops up a toast notification whenever your extensions get updated. At
least then it's not a silent upgrade and you can investigate if you wish.

------
topranks
What are Google's rules about names? Only difference I can see here is the
fake one is called "AdBlock" and the real one "Adblock".

Is changing the case of one letter enough to get an extension into the Chrome
store? Or even worse are overlapping names allowed?

~~~
extrapickles
It’s hard enough to tell someone which is best, telling them the particular
capitalization is impossible without giving them a direct link.

In addition, preventing duplicate names is fairly hard if you support unicode.
Characters like the zero width space, Mongolian vowel separator and many
others make it algorithmically different but visually they are the same.

~~~
myle
That's not really an issue. You can always compare normalized versions of the
name.
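The normalized comparison suggested in this reply, as an added example that is not code from the thread or from any store: names are folded with NFKC (so fullwidth letters and ligatures collapse to their plain forms), Unicode format characters such as the zero width space and the Mongolian vowel separator are dropped, whitespace is collapsed and case is folded, so "AdBlock", "Adblock" and "Ad\u200bblock" all reduce to the same key. The `collides` function and the sample catalogue are this example's own.

```python
import unicodedata


def normalize_name(name):
    """Reduce a display name to a comparison key that ignores look-alike tricks."""
    # NFKC maps compatibility characters (fullwidth letters, ligatures) to canonical forms.
    s = unicodedata.normalize("NFKC", name)
    # Drop format characters (general category Cf): zero width space U+200B,
    # zero width joiner U+200D, Mongolian vowel separator U+180E, and friends.
    s = "".join(ch for ch in s if unicodedata.category(ch) != "Cf")
    # Collapse runs of whitespace and fold case so "AdBlock" == "Adblock".
    s = " ".join(s.split())
    return s.casefold()


def collides(new_name, existing_names):
    """Return the existing names whose normalized key equals the new name's key."""
    key = normalize_name(new_name)
    return [n for n in existing_names if normalize_name(n) == key]


if __name__ == "__main__":
    # Constructed catalogue for the demonstration.
    catalogue = ["Adblock", "Adblock Plus", "uBlock Origin"]
    for candidate in ("AdBlock", "Ad\u200bblock Plus", "\uff21dblock", "uBlock Plus"):
        hits = collides(candidate, catalogue)
        print(f"{candidate!r:24} -> {hits or 'no collision'}")
```

NFKC and category filtering do not catch homoglyphs from other scripts (a Cyrillic "а" in place of a Latin "a"); rejecting those needs a confusables table such as the one in Unicode TR39, which this example does not include.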

------
jzl
Reminiscent of the problem earlier this year where GOOGLE DOCS ITSELF was
spoofed with a Google-approved (for a brief window, at least) web app called
"Google Docs":

[https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam](https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam)

It's pretty insane that Google keeps tripping over itself on this same issue.
Surely they have the means and know-how to prevent it.

------
shpx
It's even worse. 3,878,417 computers have a fake uBlock Origin clone called
uBlock Plus (playing on the fact that there's Adblock and Adblock Plus)
installed.

[https://chrome.google.com/webstore/detail/ublock-plus/kjagjnchnnlgiafjjlahaedeagnmhefi](https://chrome.google.com/webstore/detail/ublock-plus/kjagjnchnnlgiafjjlahaedeagnmhefi)

------
leog7
Google in general is poor on security; this should have been anticipated.

------
jbverschoor
Where's the bashing about Apple's App Store policy?

