
Cluster of 295 Chrome extensions caught hijacking Google and Bing search results - LinuxBender
https://www.zdnet.com/article/cluster-of-295-chrome-extensions-caught-hijacking-google-and-bing-search-results/
======
ocdtrekkie
The reporter's experience with reporting Chrome Web Store malware reflects
mine: Nobody at Google cares about malware enough to stop distributing it when
people report it. The "Report Abuse" button probably goes straight to an
unmonitored spam folder.

Hint to anyone working on security at Google: It actually doesn't matter what
obscure zero-days you discover and patch when you distribute malware directly
that relies on supported functionality. There's no need to exploit security
holes when malware is simply permitted as-is.

Shut the Chrome Web Store down until you're prepared to take it seriously.

~~~
ghostwords
From a now year-old EFF blog post [1] regarding Chrome extensions and the
Google Manifest V3 "proposal":

_The "Report Abuse" link doesn't seem to produce results, obfuscated code
doesn't seem to trigger red flags, and no one responds to user reviews._

[1]: https://www.eff.org/deeplinks/2019/07/googles-plans-chrome-extensions-wont-really-help-security

~~~
kevingadd
I wouldn't be surprised if their staff have no tooling for looking at user
reviews, period. The UI for looking at user reviews of your own stuff as a
developer is really, really bad and I know that in the past other Google
properties have had this issue - YouTube annotations were invisible to their
trust and safety staff, for example.

------
edoceo
As someone who's had difficulty publishing open-source software into the
Google and Apple ecosystem I get super angry when bunch of malicious crap-ware
is found.

Why do I have to go through a dozen iterations and emails and phone calls yet
garbage seems to get through w/o issue.

Insert rant about their respective approval processes. I've read others on HN,
so use one of them. The sentiment is the same.

~~~
nix23
>Why do I have to go through a dozen iterations and emails and phone calls yet
garbage seems to get through w/o issue.

Because you probably make software with a real function and not
just 'Wallpapers'.

~~~
ocdtrekkie
But presumably an extension for wallpapers shouldn't be accepted: If you can
get rid of an entire class of extension code by supporting wallpapers... let
people set their new tab wallpaper, block all new tab extensions that say
"wallpaper", and tada, entire vector for malware gone.

Extensions are a massive security vulnerability: They often have access to
your web browsing activity, and they sit _after_ TLS termination, _inside_
your browser's trusted environment.

Browser extensions should be rejected by default, and have to constantly
justify their existence. Pointless extensions (including "cloud to butt",
sorry guys), should never have been accepted.

------
ChuckMcM
FWIW, front running[1] Google ads, and to a lesser extent Bing ads, is big
money. At Blekko we ran into these people all the time.

What they wanted was to send the search query that the user had typed into
Google to us, and have our advertising partners provide an Ad, and they would
inject it ahead of Google's ads.

For which they would share the revenue that the Ad partner was paid 50/50 with
us. And for this service they said our cut would be $10K - $20K per week.

The funny part was they required to be notified immediately if Google changed
its page layout because, well they needed to blend in or the game was up. I
wrote a grease monkey script to change the page background after ads had
loaded on a Google search engine results page (SERP) and yup, you could see
their ad sitting there.

Of course Google would catch on, especially when people complain that Google
was showing them ads for inappropriate products or what not and Google would
investigate and track down the front doing the injecting. The half life of
these fronts seemed to be 6 months to a year depending on how greedy they got.
The people behind the front would vanish and pop up under a new name somewhere
else.

The sad thing, for me, is that when you put your infosec hat on you realize
it's super easy to phish an unsuspecting someone by sending fake mail from a
friend for a cool backdrop or display toy. Once they are on the hook you can
wait until they search for something on Google and inject a very nice result
for them to click on that stops off at your drive by zero day site to pick up
your payload and it's off to the races.

[1] From the article -- _"... then proceeded to quietly inject ads inside
Google and Bing search results."_

~~~
ocdtrekkie
What floors me is that Google is so lax on fixing the Chrome Web Store,
when they're literally distributing things that hijack their primary business,
search and ads.

How is Chrome Web Store malware not a five-alarm fire that sends Sundar Pichai
down into the cubicle farm to find someone's head to stick on a pike? Like,
this should be THE issue that Google cares about.

...And malware that hijacks your search engine on Chrome has been all but
unpoliced for most of the past decade.

~~~
ChuckMcM
It is difficult to understand. I know that when I worked there the way
advancement worked (the only way to get a raise) was that you shipped a "new"
thing. People who just fixed bugs never got recognition company wide, but
people who shipped a new thing FULL of bugs? They got to go up on stage with
Larry and be held up as someone who gets things done (and get promoted).

That had started changing by 2010. They at least had an official way to
recognize one person a quarter, if they were nominated, for doing solid
infrastructure work.

------
andrenotgiant
Chrome team has tried to make some changes to improve the situation, but
browser extensions are still a perfect target for malware and abuse because of
a structural problem:

Users install these (free) extensions on a whim, installation takes 2 clicks
and seconds. They make a point-in-time decision: "I find this useful today,
and I trust the extension is not malware today"

But what they are really saying is: "I trust the (changeable) owner of this
extension with whatever data this extension has access to forever and ever"
(Nobody uninstalls these extensions, and now Chrome will even sync your
extensions when you buy a new device.)

It's the imbalance of that decision that is the problem, no amount of
filtering and UI changes and API updates will fix that imbalance.

~~~
lapcatsoftware
The Chrome Web Store is grossly understaffed. Google as a whole relies too
much on automated processes rather than humans, but this is particularly a
problem in the Chrome Web Store, because Google requires every extension to be
distributed via the Store, but they just don't have the staff to review every
extension properly. There's no way Google can "curate" the volume they handle,
especially with their limited staffing.

~~~
zentiggr
Then it's time to mark all but the most used and obviously trustable
extensions as untrusted.

Then they can take whatever staff they have, and review them properly.

And accept the fallout of their staffing choice if it means a drop in Chrome
usage or whatever else.

They want to leave a gaping malware hole, it's time to hold them accountable
dammit.

~~~
lapcatsoftware
> Then it's time to mark all but the most used and obviously trustable
> extensions as untrusted.

That's basically what Firefox has done.

~~~
pritambaral
More, actually. Some excerpts from
https://blog.mozilla.org/firefox/firefox-recommended-extensions/: "Our team
evaluates all content under consideration for the
Recommended Extensions program.", "... subject to ongoing re-evaluations to
ensure they continue ...", "... not only perform as they promise, but do so at
an exceptional level. For instance, there may be many ad blockers out there,
but not all ad blockers are equally effective.", (and last but not the least)
"... undergo full code review by staff security experts ..."

------
metaphor
Filtering the noise:

    ^.*(Tab|Theme|Wallpaper|Background).*$

Residual signal:

    flbcjbhgomclbhlchggbmnpekhfeacim, "ScreenShot & Screen Capture Elite"
    adfjcmhegakkhojnallobfjbhenbkopj, "Weather forecast for Chrome™"
    bfeecodfffgkdedfhmgbfindokikafid, "GTA 5 Grand Theft Auto"
    bpnmalopmgpilaoikaeafokedkkonhea, "Sports Cars"
    cgdmknakejoaompdmdeddpgmjffnniab, "Suga"
    dapecdhpbakbfcoijjpdfoffnajhifej, "Avengers Endgame"
    eeeiekjkpbneogggaajnjldadjmclhlo, "Bts Suga"
    egicjjdcjhfdnejimnhngogjmoajffpm, "Video Downloader and MP3 converter Pro"
    ejighbgeedkpcambhfkohdalcgckdein, "Adblocker for YouTube - Youtube Adblocker"
    enlaekiichndcbohopenblignipkjaoa, "Auto Replay for YouTube"
    nfhbpopnbgigkljgmelpfncnghjpdopf, "Ad-block for YouTube - Youtube Ad-blocker Pro"
    ojhlagjgjbjfgllocdhlpnkbdlcipnmo, "Cars"
    pcgcmplcfdfkkkmaggghdghnlddkpbbo, "DBS and Dragon Ball Super"

~~~
LetThereBeNick
Filtering the noise:

    "ScreenShot & Screen Capture Elite",
    "Weather forecast for Chrome™",
    "GTA 5 Grand Theft Auto",
    "Sports Cars",
    "Suga",
    "Avengers Endgame",
    "Bts Suga",
    "Video Downloader and MP3 converter Pro",
    "Adblocker for YouTube - YouTube AdBlocker",
    "Auto Replay for YouTube",
    "Ad-block for YouTube - Youtube Ad-blocker Pro",
    "Cars",
    "DBS and Dragon Ball Super"

------
benjaminjackman
> However, the vast majority of the malicious extensions (245 out of the 295
> extensions) were simplistic utilities that had no other function than to
> apply a custom background for Chrome's "new tab" page.

So I have to make my own browser extensions just for one purpose, to set my
own custom URL for the newtab page. This is also a problem in Firefox. It's
quite unfortunate that browsers have moved so far from being user-agents, or
at least somewhat attentive to the needs of more sophisticated users that
instead of getting more robust tooling for user style sheets, custom
javascript, apis to block or modify requests we are either forced into sketchy
extensions that replicate the basic functionality or can't even do that
because it's outright blocked.

Heck, Firefox has what seem to be perpetually unfixable bugs with bookmarklets
not working on CSP[1] sites (for example github) which contradicts the spec
and which never seem to be prioritized for being fixed.

1: https://stackoverflow.com/questions/19822716/javascript-bookmarklet-on-site-with-csp-in-firefox

~~~
kevingadd
Specs are wrong sometimes, and I think there's an argument to be made that the
spec is wrong here. Firefox's policy re: bookmarklets on CSP sites is probably
the best choice for protecting ordinary computer users, bookmarklets and
javascript: urls are a common attack vector for targeting high-value websites
like discord, slack and gmail (with the caveat that browsers have slowly
locked down those attacks). Just open the developer console on discord
sometime, they show an enormous message telling you not to paste stuff in
there.

I do think it would be worthwhile to have some sort of power user mode to
override that for bookmarklets, but I can understand not wanting to invest
resources in building it.

------
tedivm
The irony of Google spending so much money on Project Zero to call out other
companies' security issues while they internally ignore their own.

~~~
ocdtrekkie
Project Zero is about making their competitors look bad, not helping the
public. There's a reason they went after Fortnite immediately upon announcing
they wouldn't distribute through the Google Play Store: Project Zero's job
there was protecting Google's 30% revenue cut.

There's nothing ironic when you understand the actual purpose, as opposed to
what they claim it's about.

~~~
renewiltord
That makes no sense. The users who care about this are so much on the fringe
that a single day's churn will probably wash them out.

No one in the real world cares about some random CVE. "REMOTE CODE EXPLOIT!",
security experts yell, while the vast majority of people just continue
installing Bonzi Buddy 4.0 : The Return of the Bonz.

------
blakesterz
"In a technical analysis shared with ZDNet, AdGuard said all extensions loaded
malicious code from the fly-analytics.com domain, and then proceeded to
quietly inject ads inside Google and Bing search results."

The original post has some details and recommendations:

https://adguard.com/en/blog/fake-ad-blockers-part-3.html

What I don't quite understand is how do people make money from these things
without getting caught? Is it not obvious where the money goes as people are
getting paid from the fraud? Or is it more like no one cares?

~~~
dheera
Add

    0.0.0.0 fly-analytics.com

to /etc/hosts

~~~
ffpip
My router has a built-in word filterer. So I just added:

analytic, adservice, pixel, doubleclick, googlead, facebook, applauncher,
Xiaomi, track, taboola and outbrain.

This only applies to subdomains and domains (due to HTTPS).

So adservice.google.com is blocked but google.com/adservice is allowed.

~~~
XCSme
So you have TrackMania, trackpad, race track blocked?

~~~
ffpip
If those are websites, then no. All websites are opened within my browser. The
keyword thing applies only to apps.

My browser (firefox) has DNS over HTTPS built in. So every request goes to
cloudflare-dns.com.

My router only sees these requests when I use Firefox - mozilla.cloudflare-
dns.com

I use uBlock Origin in Firefox. So I can control whatever I want within the
browser.

This is a very good approach to adblock on a whole network.

------
Aaronstotle
Google doesn't care about the rampant spam extensions on the Android
store/Chrome extension store.

One of my co-workers reached out to me asking about a pop-up saying she needed
to install a Chrome extension. I looked it up and it's some adware extension.
Has 30 "reviews" with 5 stars and it's obvious that they're all paid/bot
reviews.

------
jneplokh
If you just search for any legitimate extension, you find so much _junk_. One
well-known example: Search for uBlock Origin and you will find a sketchy one
named "uBlock."

This seems something super easy to fix, but Google already has problems with
apps on the Play Store, so not sure if I expect much better on the Web Store.

~~~
jefftk
It's complicated: uBlock is the original extension, and uBlock Origin is a
fork by the original lead developer.

At this point, uBlock is sketchy while uBlock Origin is well respected, but it
seems hard to come up with a rule that would justify banning uBlock?

~~~
Dylan16807
Google doesn't have to allow all transfers of extensions between different
groups. The behavior of the new owner could have justified transferring it
back.

~~~
jefftk
Transferring it back from AdBlock to Chris Aljoudi? Or from Chris Aljoudi to
Raymond Hill?

~~~
Dylan16807
Did AdBlock immediately do anything that wasn't intended to be authorized by
Chris? I meant the latter.

~~~
jefftk
As far as I can tell, Chris didn't immediately do anything that would have
justified transferring it back either. Raymond was sick of dealing with low
quality support requests, and so transferred the project to Chris. Over time,
Raymond didn't like the direction Chris was taking the project, however, and
started recommending his uBlock Origin fork for general consumption.

More context on how things were around the time of the initial transfer:
https://github.com/gorhill/uBlock/issues/38#issuecomment-91871802

------
wnevets
295 spam extensions from probably the same developer is hardly newsworthy.
Just look at the list rather than just reading the headline.

With that said, after a fairly simple extension I had installed for many months
upgraded itself automatically to replace links with "eco links" that
supposedly helped the environment, I stopped installing extensions that weren't
uBlock or from Google themselves. I'm much more willing to install a random
app on my Windows machine than I am a random Chrome extension; that's just how
untrustworthy I find the Chrome store to be.

------
ezekiel68
I don't mean to sound like a curmudgeon but, except for officially supported
developer plugins, I just don't get the need or desire for all this browser
extension bling. (though I guess I might have downloaded an SSH extension for
the browser in my chromebook at some point) I suspect it's an extension of my
embrace of the Unix philosophy (simple tools) to GUI programs. Anyway, I'm
certainly happy these bad actors were exposed.

~~~
nine_k
But extensions _do_ follow the Unix philosophy, if you look at them at a
certain angle!

- The browser does one thing it does well, which is showing (running?) web
pages.

- A typical extension does one thing (like annotating screenshots, or
filtering trackers, or applying custom CSS), and does it hopefully well.

- You collect the extensions you want, and safely ignore the others; they
compose without a hitch.

I run Firefox, and I run the following extensions, _each_ doing its own narrow
and separate thing:

- A password manager extension to fill in credentials.

- uMatrix for filtering out unneeded parts of Web pages (more for speed than
for privacy).

- Stylus for custom CSS on certain sites.

- Foxy Gestures for mouse gestures.

- Markdown Here to render Markdown pieces of input controls to HTML (works
great with Gmail or Jira).

 _Thank goodness_ I don't need to depend on whatever features the browser
maker had time to provide to address similar needs, if any.

I wish the browser was _even more_ like Emacs, where you have a barebones
editor (or browser) and most of the UX around is provided by extensions. I see
how it's a much more complex task in the browser environment due to security
considerations, though.

~~~
mjevans
I also use

- Decentraleyes -- Local cache and forced use of common CDN scripts.

------
jve
This requires "change all data on the websites you visit", right?

When I get asked for this permission for utility function, I just refuse to
install it. Only if I really trust the extension and know it needs that
permission, is when I give it.

As for other extensions that ask for this permission, I keep wondering why
they don't define a domain whitelist where this extension applies...

~~~
kevingadd
There is a domain whitelist function, it's rarely used because the ergonomics
of it are terrible. Adjusting the whitelist disables your extension silently
instead of showing a new permission prompt.

I used the whitelist like a sensible developer and then when a website changed
its URL my extension silently broke for 100k people. Not great.
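The "change all data on the websites you visit" prompt and the domain whitelist discussed above both come down to which host patterns the manifest claims. The lint below is an added example, not code from the article or from any commenter: it reads a parsed manifest.json (MV2 `permissions` or MV3 `host_permissions`, plus `content_scripts[].matches`) and reports every grant that covers all sites. The two sample manifests are constructed for illustration and describe no real extension.

```javascript
// Added example (not from the article or any commenter): a small lint that reports
// which host patterns in a Chrome extension manifest grant access to every site,
// i.e. the grants behind the "Read and change all your data on the websites you
// visit" prompt. Assumes a parsed manifest.json (MV2 or MV3 keys) as input.

// Chrome match pattern: <scheme>://<host><path>, or the special "<all_urls>".
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;

// A host pattern is broad when it matches any host: "<all_urls>" or a host of "*"
// ("*://*/*", "https://*/*"). A subdomain wildcard such as "*.example.com" is scoped.
function isBroadHostPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = MATCH_PATTERN.exec(pattern);
  return m !== null && m[2] === "*";
}

// Named API permissions ("tabs", "storage") are not host patterns; skip them.
function isHostPattern(entry) {
  return entry === "<all_urls>" || MATCH_PATTERN.test(entry);
}

// Every host pattern the manifest can claim, tagged with the key it came from.
function hostPatterns(manifest) {
  const found = [];
  const keys = ["permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"];
  for (const key of keys) {
    for (const entry of manifest[key] || []) {
      if (isHostPattern(entry)) found.push({ source: key, pattern: entry });
    }
  }
  (manifest.content_scripts || []).forEach((script, i) => {
    for (const entry of script.matches || []) {
      found.push({ source: `content_scripts[${i}].matches`, pattern: entry });
    }
  });
  return found;
}

// The grants a reviewer should question; empty means the extension is scoped to named sites.
function broadGrants(manifest) {
  return hostPatterns(manifest).filter((h) => isBroadHostPattern(h.pattern));
}

// Constructed sample manifests (not real extensions): the first asks for every site,
// the second is the whitelisted shape the thread discusses.
const broadManifest = {
  manifest_version: 2,
  name: "Weather widget (constructed sample)",
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const scopedManifest = {
  manifest_version: 3,
  name: "Weather widget (constructed sample)",
  host_permissions: ["https://api.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["widget.js"] }],
};

console.log(broadGrants(broadManifest));  // two broad grants: <all_urls> and *://*/*
console.log(broadGrants(scopedManifest)); // []
```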

------
timidger
Funny... filtering out these type of extensions was my intern project 2 years
ago at Google.

------
badrabbit
Chrome has the Windows popularity problem. I run into these extensions all the
time but never with Firefox or classic edge. A lot of times they're
sideloaded. They really should allow only extensions with a valid certificate
so they can revoke them. They should also treat sideloaded extensions the same
way they do sideloaded apps on android (explicit opt-in with warning).

------
dehrmann
Sounds like every browser toolbar from back in the day.

------
whalesalad
Another reason why I really love Safari. It's so incredibly lightweight. The
ability exists to install extensions, but no one makes them. Head in the sand
security. I guess you could say my experience is handicapped without
extensions and add-ons, but the performance and no-bullshit-factor is
impossible to match.

~~~
viraptor
> but the performance and no-bullshit-factor is impossible to match.

I'd say having ublock and some privacy blocker enabled boosts the standard
browsing performance quite a bit. It's not really available in stock browsers.

~~~
whalesalad
I have a gigabit internet connection and pihole setup for the whole LAN, so
I’m feeling the boost over here too.

~~~
viraptor
Gigabit internet doesn't prevent a slow ad-injection script from reflowing
everything on the page a second after you think it's done. + pihole can't
block first-party content.

