
Fake ad blockers in Chrome Web Store - mark_edward
https://palant.de/2018/04/18/the-ticking-time-bomb-fake-ad-blockers-in-chrome-web-store
======
paulgb
This was bound to happen. As a Chrome extension developer, I would love to
have a way to prove that an extension was created from a specific git commit
hash with no modifications. As it is, even if you read over the extension's
code on GitHub, there is no reason not to suspect that I added something
malicious when I submitted to the app store.

~~~
bochoh
Is there anything from a developer perspective that we could do now? I guess
anything that's voluntary could be bypassed by a malicious party either way.
Reproducible builds published in a blockchain? Then a chrome plugin that only
loads the blockchain builds?

~~~
x1798DE
Why would you need a blockchain for this? Any sort of signed reproducible
build would work just fine.

~~~
craftyguy
Because these days everything needs a blockchain.

~~~
TTPrograms
Legitimately, if you used e.g. Ethereum to compile your code, you could actually
prove that a given executable was compiled from given source. Otherwise the
only way to verify a build is to build it yourself and check the hashes.
Signing just verifies that the build came from a given person, not that they
used the source code they say they did.

This was one of the interesting use cases I thought about when I dug into
crypto.

~~~
jrkatz
The signature doesn't have to be from the developer; it could be a signature
from google that marks the extension was compiled from/matches the specified
source. If you're running chrome and installing extensions from the chrome web
store you're trusting google already.

As evinced by the article, the web store isn't perfectly trustworthy but this
kind of validation could be done automatically and I do trust their ability to
automate.

~~~
TTPrograms
If Google compiled the extensions that would work. Seems like it would take a
lot of standardization to make that possible. But in principle that would
certainly be better than the current situation.

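The "build it yourself and check the hashes" step that TTPrograms and jrkatz are discussing only works if packaging is deterministic, which a plain `zip` of a checkout is not (timestamps, file order and permission bits all leak into the archive). The script below is an added example, not code from the article, from Google, or from any commenter: it packages an extension source tree with pinned timestamps, ordering and mode bits, hashes the result, and compares that hash against a published one. The sample extension files it writes are constructed for the demo and are not a real extension.

```python
import hashlib
import hmac
import io
import os
import tempfile
import zipfile

# Fixed timestamp for every archive entry (the ZIP format's earliest DOS time),
# so the archive bytes do not depend on when the build ran.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def reproducible_zip(src_dir: str) -> bytes:
    """Package src_dir so the output bytes depend only on file paths and contents."""
    entries = []
    for root, dirs, files in os.walk(src_dir):
        dirs.sort()  # fixed traversal order regardless of filesystem ordering
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src_dir).replace(os.sep, "/")
            entries.append((rel, path))
    entries.sort()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rel, path in entries:
            info = zipfile.ZipInfo(rel, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3            # pin "unix" so the header does not vary by host OS
            info.external_attr = 0o644 << 16  # pin permission bits instead of the checkout's umask
            with open(path, "rb") as fh:
                zf.writestr(info, fh.read())
    return buf.getvalue()


def package_digest(src_dir: str) -> str:
    return hashlib.sha256(reproducible_zip(src_dir)).hexdigest()


def verify_package(src_dir: str, published_digest: str) -> bool:
    """The reviewer's step: rebuild from the audited source and compare digests."""
    return hmac.compare_digest(package_digest(src_dir), published_digest)


def write_sample_extension(base: str, with_extra_line: bool = False) -> str:
    """Constructed two-file extension tree used only to exercise the functions above."""
    os.makedirs(os.path.join(base, "js"), exist_ok=True)
    with open(os.path.join(base, "manifest.json"), "w") as fh:
        fh.write('{"name": "sample-blocker", "version": "1.0", "manifest_version": 2}\n')
    with open(os.path.join(base, "js", "background.js"), "w") as fh:
        fh.write("console.log('sample background script');\n")
        if with_extra_line:
            # A line that is absent from the audited source: the digest must change.
            fh.write("var notInTheRepo = true;\n")
    return base


def run_demo() -> tuple:
    """Returns (clean rebuild matches published digest, modified build matches it)."""
    with tempfile.TemporaryDirectory() as tmp:
        published = package_digest(write_sample_extension(os.path.join(tmp, "published")))
        clean = write_sample_extension(os.path.join(tmp, "clean_checkout"))
        modified = write_sample_extension(os.path.join(tmp, "modified"), with_extra_line=True)
        return verify_package(clean, published), verify_package(modified, published)


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

The digest only proves that the package matches the source tree you rebuilt from; it says nothing about who built it, which is exactly the gap a signature over the digest (from the developer, or from the store as jrkatz suggests) would fill.
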
------
aresant
So turns out granting poorly-verified extensions permission to literally take
over your browser after reading easily gamed reviews is a bad idea?

The worst of the spyware / download guys are now the best of the "legit"
extension affiliates.

I don't get why Google's verification team is asleep at the wheel on this, I
feel the exact same way about Amazon and their counterfeiters abusing the shit
out of fake reviews and buy counts.

~~~
dstroot
Umm... maybe they don’t want people using ad blockers. So having a malicious
minefield may inhibit users from installing them. Maybe...

~~~
gear54rus
Not impossible. Will take this opportunity to remind people of the ad blocker
that google censored from their web store:
[https://adnauseam.io/](https://adnauseam.io/)

This thing clicks ads for you so that parasites can't use data for anything
meaningful. Check it out!

~~~
joosters
Surely all that does is make Google more money?

~~~
gear54rus
But it dilutes the value of ads in the long run giving 0 conversion (or
whatever stupid term is appropriate). They took their shitty stand by blocking
this adblocker specifically, surely there's something about it others don't
have.

It could really be 'malware' of course, but my money's on the other
possibility.

------
jasonkostempski
The only upside to a walled garden is that this type of stuff isn't supposed
to get through. If it does, the store only serves to give users a false sense
of validity.

~~~
gear54rus
As a developer of an extension I can attest to the fact that 'review' takes
less than 1 minute when you upload new version. I think it's safe to say that
there is no upside to the bs walled garden.

~~~
kevingadd
It's really hard to overstate just how easy it is to exploit the garden. The
extension API itself limits the system-wide mischief you can get up to, but if
you have an extension with 100k+ users (either because you created it or you
bought it from its original developer), it's extremely easy to slip something
malicious in there, and you have a lot of data at your fingertips to sell.

I wish there at least seemed to be some degree of review or reasonable
sandboxing here. The closest they come is disabling eval-style behavior in
'background' scripts, but there's nothing stopping you from running command &
control scripts from a remote origin in a non-privileged context and then
getting up to your evil mischief anyway. Or injecting malicious code directly
into gmail tabs.

------
CM30
You have to wonder exactly how these services promise to 'review' their apps
posted there and seemingly have a ton of guidelines for what's allowed and
what isn't...

Then just completely ignore said guidelines while not doing anything close to
a review. Seriously, can none of these rules be checked at all?

[https://developer.chrome.com/webstore/program_policies?csw=1...](https://developer.chrome.com/webstore/program_policies?csw=1#extensions)

It's no better on the iOS store, Play Store, Steam, Windows Marketplace or
anything else of a similar kind. Poor quality, scam apps and programs seem to
waltz right through 'quality control' like it's non existent.

Honestly, at this point the best 'walled garden' marketplace would probably be
the fan game and mod equivalents. At least on the likes of MFGG and SMW
Central you have human moderators physically test every single submission,
then give detailed feedback on every single aspect of said submission (down to
actual game design and mechanical implementations). Plus a perma ban system
for anyone continually trying to submit crap.

Makes me wonder what the Chrome Store or the Play Store or Steam would be like
if they did that. Probably better, and with less questionable extensions like
this in it.

~~~
andrewmcwatters
> Makes me wonder what the Chrome Store or the Play Store or Steam would be
> like if they did that.

You clearly don't remember when Valve Corporation required contractual
agreements outside of the Steam Store to get sold on Steam. Greenlight, and
its incarnations are all public options for selling on the digital
distribution store.

Most games sold then were by bona fide studios who had to reach out to Valve's
sales contacts, and not children operating out of their parents' bedrooms
making mods or "games" on Unity.

------
kevingadd
There's a reckoning coming here unless Google gets around to actually getting
Extension permissions under control. As currently constructed, there's not
much stopping a malicious extension from getting at all sorts of important
data stored in your gmail or dropbox tabs - just effort. Whenever I scan the
featured extensions on the CWS home page, upwards of 25% of them request the
permission to access websites from any origin, which means they can inject
script in there and basically do anything they want. Part of this is
convenience (it's an enormous pain to add permission requests to your
extension after first install) and part of it is bad API design that makes it
necessary to bake broad permission grants into an extension for it to do
simple things.

At some point the people behind sneaking ads or tracking into extensions are
going to pivot into higher-value scams, like harvesting account credentials or
important data.

As Chrome is constructed now, there's almost nothing stopping _any_ extension
with the 'Read and change all your data on the websites you visit' permission
from stealing literally any piece of data that moves through your browser if
the person in control of it is determined enough. With the push towards
running all your apps in the browser for "sandboxing", the risk this poses
keeps going up. Companies use Slack, Gmail, etc to collaborate and all of
those things are built to run in a browser tab (even if they have native apps)
- and basically any extension a user installs has the potential to silently
exfiltrate sensitive information, disguised as regular user traffic. Worse
still, if the user signs into their Google account, the malicious extension
can be synced to other machines. "Don't install stuff on your work PC" is
pretty easy to understand, but "don't sign in to Google" is a bit harder of a
policy to enforce, especially with the fuzzy boundary between Google-the-
platform, Google-the-website, and Google-the-browser, all of which use the
same login flow.

Native and mobile app development spaces have solutions for most of these
issues already via sandboxes and permissions (though there remains work to be
done), and these threats are non-existent when dealing with regular websites
and web apps. Extensions need a lot more scrutiny due to just how much of a
threat they pose.

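kevingadd's point that a large share of extensions request access to every origin is something you can check mechanically rather than by eyeballing the install prompt. The script below is an added example, written for this thread and not taken from the article or from Google's tooling: it reads an extension's `manifest.json`, separates host match patterns from API permissions (for both MV2 `permissions` and MV3 `host_permissions`), flags patterns that cover every host, and notes content scripts that are injected everywhere. The two sample manifests are constructed for the demo; the "sensitive API" list is my own review shortlist, not an official classification.

```python
import json

# Host patterns that grant an extension access to pages on every origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions a reviewer should read closely (assumed shortlist); combined with
# broad host access they let an extension observe or modify traffic and session
# data across sites.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "cookies", "history", "tabs",
                  "debugger", "management", "nativeMessaging", "clipboardRead"}


def is_broad_host(pattern: str) -> bool:
    """True when a match pattern covers every host rather than one domain."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def audit_manifest(manifest: dict) -> dict:
    """Summarise the permission footprint of a Chrome extension manifest (MV2 or MV3)."""
    declared = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    hosts = [p for p in declared if "://" in p or p == "<all_urls>"]
    apis = [p for p in declared if p not in hosts]
    hosts += list(manifest.get("host_permissions", []))  # MV3 keeps host patterns here
    content_script_hosts = []
    for cs in manifest.get("content_scripts", []):
        content_script_hosts += list(cs.get("matches", []))
    broad_hosts = sorted({h for h in hosts if is_broad_host(h)})
    broad_cs = sorted({h for h in content_script_hosts if is_broad_host(h)})
    sensitive = sorted(set(apis) & SENSITIVE_APIS)
    if broad_hosts or broad_cs:
        risk = "high" if sensitive else "medium"
    else:
        risk = "low"
    return {
        "broad_host_access": broad_hosts,
        "content_script_all_sites": broad_cs,
        "sensitive_apis": sensitive,
        "risk": risk,
    }


def audit_manifest_text(text: str) -> dict:
    """Convenience wrapper for a manifest.json read from disk or a downloaded .crx."""
    return audit_manifest(json.loads(text))


# Constructed manifests for the demo (not taken from any real extension).
SAMPLE_BLOCKER = {
    "manifest_version": 2, "name": "sample ad blocker", "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}],
}
SAMPLE_NOTES = {
    "manifest_version": 3, "name": "sample notes", "version": "2.0",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example/*"],
}

if __name__ == "__main__":
    for m in (SAMPLE_BLOCKER, SAMPLE_NOTES):
        print(m["name"], audit_manifest(m))
```

Note what the output says about the ad blocker sample: it lands in the "high" bucket even though, as icebraining points out further down, an ad blocker genuinely needs every-origin access to do its job. The audit tells you which extensions deserve a source read, not which ones are malicious.
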
~~~
pdkl95
> With the push towards running all your apps in the browser for "sandboxing",
> the risk this poses keeps going up.

Sandboxing cannot be relied upon as a primary security feature; at best it's only
an additional roadblock that provides defense in depth. Isolating potentially
malicious code in a sandbox is useless if you also run the rest of your
software _in that same sandbox_.

The browser sandbox was useful for isolating transient JavaScript in the current
page/window. Your primary apps and always-running utilities were protected
because they were outside the sandbox.

~~~
icebraining
You can configure Chrome to run each site in a different sandbox:
[https://www.chromium.org/Home/chromium-security/site-isolation](https://www.chromium.org/Home/chromium-security/site-isolation)

The problem here isn't the shared sandbox, though, but that an adblocker
_needs_ access to every site to block their ads.

------
ppeetteerr
It doesn't sound like the ad blockers are fake, only that they exploit their
users. Facebook does this too. It's an ad company masquerading as a social
network /jokes. Remember when Grindr was giving its advertisers the user's
HIV status? That was certainly very wrong, but is it any different from an ad
blocker that tracks their users?

------
Cthulhu_
This is what happens when you don't have a strict policy wrt what apps you
allow in an app store. I like to think Apple would disallow these copied apps,
for not being unique / being based off a template (there's app store rules
against template based apps iirc).

------
holstvoogd
We've come full circle, Chrome has become IE6 it seems.

------
indiandragon
I've already seen the bomb go off with an extension.

A top rated chrome extension was inserting porn Ads in Youtube's companion
renderer element. Google removed it after I tweeted about it though.

------
gcatalfamo
I am very upset how I was unable to publish a very simple sheets add-on (the
review process resembles the academic peer review) and all of a sudden it is
full of published malware.

~~~
kevingadd
There seem to be certain things that can push you through a very aggressive
chrome web store review process. Under most circumstances there is no review
whatsoever, you're just waiting for your extension .crx file to get pushed to
their CDN (and maybe scanned automatically for trivial classes of exploits?)

If you get hit with a DMCA claim (fraudulent or otherwise) that'll put a
manual review flag on your account for a while. You can tell because pushing
an update or new extension takes over a day vs the standard ~20-60 minutes.
The manual review can and will just reject you for no reason without much
explanation, but it seems to be easy to just bypass the review.

~~~
palant
The 60 minutes delay is completely artificial, it is only there in case you
change your mind. If you use the API, extensions are published immediately.
Whatever automated scanning takes place there, it's very quick.

------
Kiro
I refuse to use any extensions due to this exact reason.

Good thing I like ads.

------
euske
If I was a bad guy, the next thing I'd try would be to diversify my repertoire
of popular apps as much as possible. You cannot be too popular to get their
attention, still you want to be reasonably popular that the net gain is
positive so that you can continue. I don't know how it can be done, but that's
the direction that people would be going for.

------
TwoBit
Why not have Google provide an option to notify users of pulled store content
and optionally remove it for users?

~~~
kevingadd
Chrome's current extension update model isn't well-suited to addressing
problems like this. First, updates don't happen very often - in my experience,
once or twice a day at most. So even if a malicious extension is caught
quickly, users will likely remain exposed for as long as 48 hours. If an
extension is pulled from the store (DMCA or otherwise), presently Chrome does
not warn you or remove it, it just quietly stops getting updates. If Google
starts doing remote disable/remove for extensions, there would be some angst
over this and the question of when it will get used (court orders from a
foreign country? etc.)

------
ocdtrekkie
The only Chrome installs allowed on my network have all extensions disabled by
policy. I strongly recommend anyone who uses Chrome look at outright disabling
the functionality, it's used for more harm than good these days.

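For anyone wanting to do what ocdtrekkie describes, Chrome's managed policies `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are the mechanism: a blocklist entry of `"*"` blocks every extension, and allowlisted ids override it. The script below is an added example and not Google's documentation or tooling: it builds that policy, models how the two lists combine so you can check a decision before rolling it out, and writes the JSON file. The Linux policy directory is an assumption about the deployment target (Windows and macOS take the same keys via the registry or a configuration profile), and the extension ids are constructed placeholders.

```python
import json
import os
import re

# Assumed deployment target: Chrome on Linux reads admin-enforced policy here.
LINUX_MANAGED_POLICY_DIR = "/etc/opt/chrome/policies/managed"

# Chrome extension ids are 32 characters drawn from a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def lockdown_policy(allowed_ids=()) -> dict:
    """Block every extension; optionally exempt a reviewed set by id."""
    for ext_id in allowed_ids:
        if not EXTENSION_ID_RE.match(ext_id):
            raise ValueError(f"not a Chrome extension id: {ext_id!r}")
    policy = {"ExtensionInstallBlocklist": ["*"]}
    if allowed_ids:
        policy["ExtensionInstallAllowlist"] = sorted(allowed_ids)
    return policy


def install_permitted(policy: dict, ext_id: str) -> bool:
    """Model of how Chrome resolves the lists: an allowlist entry overrides the blocklist."""
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return True
    block = policy.get("ExtensionInstallBlocklist", [])
    return not ("*" in block or ext_id in block)


def write_policy(policy: dict, directory: str = LINUX_MANAGED_POLICY_DIR,
                 filename: str = "extension_lockdown.json") -> str:
    """Write the policy as a managed-policy JSON file; returns the path written."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, filename)
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


# Constructed placeholder ids; a real allowlist carries the ids of extensions you reviewed.
REVIEWED_ID = "a" * 32
OTHER_ID = "b" * 32

if __name__ == "__main__":
    policy = lockdown_policy([REVIEWED_ID])
    print(json.dumps(policy, indent=2))
    print("reviewed id allowed:", install_permitted(policy, REVIEWED_ID))  # True
    print("other id allowed:", install_permitted(policy, OTHER_ID))        # False
```

`write_policy` needs root to write under `/etc`, so the `__main__` block only prints the policy; point it at a scratch directory to see the file it produces. Policy files are read on browser start and on the periodic policy refresh, so an already-installed extension is disabled on the next refresh rather than instantly.
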
------
Too
Google removing the extensions is good but aren't there legal forces to be
used against this also. Find the publisher and jail them. They are clearly
doing illegal computer access to the user of the plugin.

~~~
palant
Good luck trying to get the publisher's name from Google. Google knows which
credit card was used to pay for the publisher's account, but they won't tell
anybody - and I doubt that they are interested in going after the publisher
themselves.

------
JoshMnem
We're reliving this:

[https://www.linux-noob.com/forums/uploads/post-12-1098049148.jpg](https://www.linux-noob.com/forums/uploads/post-12-1098049148.jpg)

------
esseti
does anyone have a link on the tech side of how it works? I've read somewhere
(don't remember where) that they used an image to inject code that is executed
on the browser. Not that I want to develop a botnet, I'm just curious to know
how it works.

~~~
palant
Yes, the original blog post has a more technical description:
[https://blog.adguard.com/en/over-20-000-000-of-chrome-users-are-victims-of-fake-ad-blockers/](https://blog.adguard.com/en/over-20-000-000-of-chrome-users-are-victims-of-fake-ad-blockers/)

------
josteink
But hey! The extension-files are X509-signed and served over HTTPS with a
green location-bar from a known good domain so we all know it’s secure, right?

Oh wait. I guess forcing everyone to use HTTPS and signing everywhere means
HTTPS and signing can no longer be used to distinguish serious actors from
even plain malware-vendors.

Thanks Google.

~~~
tremon
It could never be used for that purpose. It only allowed you to easily
distinguish between amateur malware and slightly-serious malware.

