Hacker News new | comments | ask | show | jobs | submit login
We busted a fake Chrome extension that was trying to steal data (extrahop.com)
108 points by cws 40 days ago | hide | past | web | favorite | 32 comments

"It's also not clear how any other tool would have detected the long-lived, persistent outbound connection with relatively low bandwidth"

Perhaps, but this extension could have been stealthier. It was using a plaintext web socket on port 6332. If the extension author had instead gotten a Google analytics account, and exfiltrated data via encrypted https GETS to Google servers, it might have never been spotted. That kind of traffic likely happens 24/7 in a typical corporate environment.

Totally. This extension was trying to be stealthy about exfiltrating data...but it wasn’t trying that hard. As noted in the article, the same developer had at least one other extension using the same code to obfuscate and exfiltrate data. Seems like sort of a spray and pray approach

The blog post was moderately informative/useful and interesting, marketing brochure website behind it next to useless and can't find anything meaningful about what they actually sell or do. Frustrating follow-up experience for me that reminds me of most enterprise ISVs.

It is a network traffic analysis product. You send it traffic via port mirror and it analyzes for shady behavior. Here’s the main overview of what it is https://www.extrahop.com/products/security/

And here's a technical overview of the product: https://www.extrahop.com/products/security/how-it-works/

If you want more than the marketing pages, there is a good set of "concept" courses available for free on ExtraHop's training site https://customer.training.extrahop.com/

This is a serious issue with Chrome Store. Google doesn't properly warn users that the store is not premoderated and can contain malware. Instead, they have made a colourful positively looking site without necessary warnings.

Neither does download.com. Maybe what we need is a good A/V designed around chrome and firefox et al.

It should be noted, that at one time, Postman was a chrome extension. They recently depreciated that extension.


Yep that’s a great point. That deprecation probably contributed to the gap that the malware uploader exploited. People expect an extension called postman, and they find it. Their guard is down and they download the fake one. I don’t know the solution but there has to be a better way for App/extension stores to handle this relatively common scenario.

Because the visibility of the Arc Welder extension (the one that lets you use Android apps on desktop chrome) is set to hidden, which hides it from both Web Store and Google Searches, there are malicious extensions that take advantage of this and will become the top search result for Arc Welder. And if you don't know where to look, it can be very hard to find the real link for Arc Welder. So as a result, these malicious Arc Welders often get many thousands of installs before being taken down. Very frustrating because even if you report them immediately after they are added, it takes a few days to take them down.

Yeah, that is incredibly frustrating. It seems to me that many of these types of scams target general consumers, piggybacking on legitimate app's names to get a few thousand people to pay a buck or give you some personal info, etc. These instances that target developer tools have the potential to do a different kind of damage to peoples' livelihoods.

As of this writing, the malicious "Postman" extension is still available in the Google Chrome extension store and has been downloaded over 27,000 times.

This is pretty much par for the course, unfortunately.

Yep. Pretty hard to police. Unlikely to be removed until it gets quite a lot of attention.

Firefox does it really well though, before.

I just searched for the fake Postman extension again and it appears to have been removed. Hurray!

It seems like trending a story on HN is the only way to get Google to remove malware, unfortunately.

Here’s a ZDNet article about the same extension https://www.zdnet.com/article/industrial-espionage-fears-ari...

Black theme of tool makes me chuckle. Wondering how it became defacto color theme of hacking tools! Only thing missing is neon green.

Because it’s easier on the eyes. For people spending unhealthy amounts of time being bombarded by monitors right in the retinas, it’s a necessity.

Black text on a white background actually causes less eye strain esp. for people with astigmatism because the text is easier to read.


It's not a "necessity," it's a personal preference.

I started out programming on a dark theme (the emacs default) but I've used a light theme professionally for about 15 years (and no other dark applications). I prefer the light theme and I don't find it hard on my eyes one bit and I have astigmatism.

The Emacs default is bright (black text on white background), not dark.

The exception is if you're using it in a terminal, in which case it re-uses the terminal's colors.

Well, the emacs theme installed on our school computers was a dark theme. This was way back in the day.

Probably because all true hackers sit all day long in a dark underground room, lit only by the dim glow of their monitor refracting through puffs of cigarette smoke.

Or blue. It's cool. It's what the cool hackers like,accept it! :P

.. and this is what SimilarWeb browser extensions have been doing for 5+ years. Yet Google doesn't seem to care.

Well, that was a fun way to find out you have a malicious app installed in your browser.

It would be nice to have an overview of what exactly was exported to know the impact of this breach (without having to use reveal(x) myself).

It was sending off URLs visited by the host machine. Browsing history, essentially, which could be benign except that when your machine is inside a corp network you might be visiting all kinds of internal resources with URLs that shouldn’t be public/with sensitive info included in the resource locator, GET/POST contents, etc

Generally speaking anyone can create malicious software disguised in various way, so FOSS project included.

However instead of creating a "antivirus" vs "virus" classic scenario, that we all know it doesn't work my lines is: all must be open (hw, sw) and developed in a FOSS way from the start.

For instance if you are an hw OEM who want to produce a new GNU/Linux phone? Ok, start work on it in a public repo. If your project interest others, many with valuable skills came to help. Perhaps including some bad one. But the community will protect you, because you publish from the start the rate of benevolent and interested individuals that follow your project from the start will likely detect any bad guys, far better than any software, heuristic and even "AI" in general terms. After you know that community give credit so if the project will be successful people will buy your product, paying you back for your part of work and physical production. Other, of course, may use your schematics and software for free but if they add competitive features you get them back for free because of FOSS licensing, if they do not respect licenses you'll get backed by FSF&c that have a firepower and advertising capability normally superior to any new company/startup. Otherwise if there is only a price competition many will go for the cheap, many, not all. And if you and the community keep innovate the project you keep gaining money, no different than pharmaceutical industry that do research vs pharmaceutical "generic" industry.

Long story short: I can't trust closed sources extensions nor more nor less than closed source security software, I can't trust a company no more than another (only reputation can lead to small percentage variations). So I do my best to avoid inoculate in my systems software that I can't trust... Good assessments are still needed but they are IMO not really much valuable without the openness at the base: the need of trust is a weakness, so we need to being able to trust each other with the power of verify trust at the core, not only at the skin.

Nice ad.

As of this writing, the fake Postman extension appears to have been removed from the Chrome extension store. Huzzah!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact