Hacker News new | comments | show | ask | jobs | submit login
Malicious Chrome extension is next to impossible to manually remove (arstechnica.com)
71 points by Deinos 10 months ago | hide | past | web | favorite | 17 comments

and renaming the folder where extensions are stored—none of them worked.

Then where is it actually installed? Unless it's doing something really rootkit-y (unlikely given that AFAIK Chrome's extensions are just JS), monitoring file accesses would probably be sufficient to determine where it is and how to remove it. Unfortunately, I think this researcher just didn't really try hard enough...

Removing the extension proved so difficult that he ultimately advised users to run the free version of Malwarebytes and let it automatically remove the add-on.

...of course, what better than to sneak in an advert for their product!

As Malwarebytes explained in late 2016, the forced install trick uses JavaScript to provide a dialog box that says visitors must install the extension before they can leave the page. Clicking cancel or closing the tab produces an unending series of variations on that message.

IMHO this is a sign that JS running on a page has been given too much power (and the reason I only let JS run on a whitelist.)

The other thing I find slightly off is that there's been plenty of mention of how Chrome's extension API is nowhere near as powerful as what the old Firefox extensions could do, and it's a more walled garden, yet things like this are still reported.

Have you ever tried preventing an extension from being updated (you can't) or rolling back an update?

Go ahead and try.

I agree that 98% of the time it is fine, but that is not the point. I want to have control over the software that runs on my computer, especially if sometimes useful functionality is stripped away, or malicious code can be run.

Off the top of my head, I had Google Drive install a chrome extension which then informed me that it needed me to grant it more permissions than it had when it was installed without asking by Google Drive, and then when I didn't grant them, it removed itself after a few days, without a trace.

Or there was the time that the Chromecast extension disappeared. Of course, this was because Google integrated that functionality directly into the browser, but, it made me feel very uncomfortable that the software on my computer was so unpredictable.

And there are many other times that extensions have just "upgraded" themselves into breaking.

Out of frustration after feeling no sense of agency, I started using git to track the changes to my chrome config folder. Even if I used git to roll back the filesystem to its previous state, I then have to modify the extensions to not have the right url to check for updates, and then there are still other mechanisms to thwart that. At best, I was able to manually re-enable the extensions I want, and I had to write a script to automate it after each time I started chrome.

Outside of the Chrome extensions themselves, when you install several Google products, like Drive or Google Earth, it adds it's spyware-like "keystone agent" updating daemon to three different locations. WHY? If you remove any of it's hooks, it just re-creates them. And it will monitor your filesystem and irreversibly apply updates to Chrome, which may remove features (like the ability to side-load extensions, or save HTML5 video, or mandatory WideVine DRM).

None of this is made clear to you. It will ask you for root access just so it can install its system-wide updater in two locations, but if you deny it, it will still install it for the current user. If you start to remove it, it will never alert you that it is being tampered with or explain what is going on, it will just resist like spyware, re-creating itself.

Out of frustration, I just started making files immutable so that it couldn't re-inject itself. Obviously that is not ideal, but I had work to do and I was sick of it worming around my computer.

It doesn't have to be this way. I understand the importance of updates. But Google doesn't have to do it in such an underhanded and frankly hostile manor. But this reflects a culture of gaslighting of the user, and general hostility.

So, it makes sense that malicious actors could piggyback on Google's already user-hostile platform. Google is already doing much of the work for them.

EDIT: And before anyone responds by saying that there are technical means to take control of the Chrome browser that I missed, I am sure there are, but that is not the point. I am aware that there is an environment variable you can set that will request that Keystone Agent stop updating, but it is completely undiscoverable, and does not actually stop Keystone Agent from running. Someone should not have to have an extensive understanding of software development just to be able to say "NO", and accept the responsibility for it.

If you don't like the update, wait till you discover the telemetry. Or the field trials.

IMO, trying to keep standard-edition Chrome from updating itself (or the extensions) is a hopeless endeavor. It was basically part of the core philosophy for chrome from day one was that Google can basically push arbitrary feature and behavior changes at any time (But they promise really hard they'll be careful with that). I think the marketing was something like "The only version for Chome is 'current'".

If you want control, there are better options, e.g. using Chromium, a fork or another browser altogether.

What I find more worrying is that the practice of aggressively auto-updating everything has become almost an industry standard.

At some time we seem to have gone from protecting people against phome-home trojans to turning all our products into them and playing political games with the resulting power. In fact, software is seen as a security risk if it is not a phone-home trojan because apparently all users are children who cannot be trusted to take care of their own computers.

This is very convenient for the industry, because if all software is constantly changing, why bother to keep the underlying standards constant? That's why we now have "Living standards" that constantly change and expect all implementations to follow suit.

Expecting an advertising company like google to have scruples strikes me as more than a little myopic and misguided.

Stop using the products of advertisers, their goals are antithetical to what arguably should be yours.

Is there any reason why you're not using Firefox as you obviously should?

When the same question marks that you mention started appearing in my mind, I not only went back to Firefox but started de-googlifying my life. Re-installed my OS to make sure no traces of Chrome remained.

And man, keeping track of changes in Chrome folder, talk about a losing battle.

As I said before, monopoly companies grow more arrogant over time and Google was particularly arrogant, patronizing, and dismissive of user concerns from the start. What began as a technical innovation, the auto update, quickly became a means of user control and has since spread industry-wide. You can tell when it became user control when you could no longer turn it off.

Google exists to be the world's perfect example of the dangers of conflating knowledge with wisdom.

Makes me suspect that by the time Firefox support for webextensions are properly up and running (if it ever will be), it will be just as big a mess as the old XUL extensions were, but will less attention paid to them because they are "just JS".

Then again, every time i install Palemoon i notice that the biggest single file in the bunch is libxul. So i suspect dumping XUL is more about maintenance burden than anything else. CADT is a pox on FOSS projects...

Is it not possible to right click the extension in chrome://apps or the button in the toolbar and select "Remove from Chrome..."?

I previously had Stayfocusd and I blocked myself from uninstalling the extension (as a test) by blocking chrome://extensions, but then found a loophole using the method above.

Edit: Confirmed. What this article talks about is a total non-issue. All extensions can be removed by right-clicking their toolbar button (btw they HAVE to have a button) and selecting "Remove from Chrome."

Had to help my family get rid of malware over the holidays. One was a bit tricky: chrome thought that a corp policy required the malware and a default search handler. Turns out you can set registry keys to disable removing extensions (though I presume that requires an attack vector that started outside the browser)

What if it doesn't have a toolbar button?

Google policy says that all extensions must have a button: "Starting in this latest release, you’ll begin to see all extensions to the right of the URL bar, so you can easily remove anything you don’t recognize. Just right click the extension icon and select “Remove from Chrome.”"[0]

[0]: https://blog.google/products/chrome/new-year-new-chrome/

Ah I see, they got around that by colouring the icon the same as the background so it was "invisible"[0]. Obviously the extra space is suspicious if you're looking for it but I can see how that couldd be overlooked by most users.

[0] https://blog.malwarebytes.com/wp-content/uploads/2018/01/Chr...

I am not sure if a 'pro' version of Windows is required, but I've found adding a 'Deny: Everyone' to NTFS permissions on required files comes in handy in situations like this.

Not to defend Google, but I am sure there are alot of false malicious reports for many apps.

From competitors, trolls, and just random idiots...

I wonder if they flag it for review after X reports in Y time frame.

I wouldn't expect immediate action, but 19 days is a bit much.

it does look pretty bad towards the end, that you can specify any site as the extensions website to make it look more official.

What I don't understand is if they started chrome in another mode passing the executable arguments that should have disabled said extensions, how was it still redirecting the extensions management page?

Sounds more like a sneaky paid ad for Malwarebytes to me...

Breathless reporting about impossibilities should be reconsidered.

It’s not impossible to uninstall chrome and re-install it under a different path, and create an alternate OS user account on the same laptop or desktop, and log into that to effectively reset Chrome to its default state in a non-disruptive manner.

The unfortunate fact, however is that most people simply won’t do that because it’s too inconvenient, or users of a particular machine have been subjugated by system administrator overlords, as part of an organizational policy, and lack admin privileges to migrate to a fresh user account in part or in whole.

People also often tend to use the admin account unhygienically. Which is not actually much of a sin, as long as you enter into those activities with the mindset of anticipating a full reinstall at the operating system level.

...which of course won’t even kill the firmware implants that advanced persistent threats have dropped into your peripherals, via intel extensions commissioned by the NSA.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact