Also, alternative as discussed on SO:
See it in action:
It's a shame; it really was a feature-packed, helpful extension.
I've looked deeply into your extension and you did a very nice, impressive job. I don't believe anyone is discounting the quality of your work here. The pattern you exhibited by enabling the ecolinks feature by default (right or wrong) simply highlighted, for many, the risks inherent in granting browser extensions such great permissions to the browser.
Furthermore, he is quoted as joking about how he could have sold the extension to someone to get your passwords and whatnot (but assures us that he hasn't done so).
It could be criticism of the existing system. Or he could have other goals/intentions.
Although I cannot confirm whether that is true, that's what he is saying.
I have no idea what he is up to; but aren't extensions supposed to be reviewed if they're in the extension catalogue?
- For a very few extensions, I allow it, but it is very clear that it is an open gateway for hackers.
- Most often, I deeply regret I can't even tell Chrome that I allow the extension on a subset of sites... At least not my Gmail, please...
- So the base rule is, never install something which requires all perms, obviously.
Users have been warned properly. They're at the mercy of untrustworthy people.
I've been using the extension for several months until I noticed the transparent redirection. In fact, the only reason I noticed the redirect is when it failed. I clicked on a Google search result and got stuck on a blank page like this:
How do you disable this?
Which pops up a toast notification whenever an extension gets updated so you can investigate (Chrome doesn't force changelogs on updates either so you might have to dig deeper into the code).
If you don't mind having another extension which could be doing nefarious things.
[Rant: the whole concept of auto-update-by-default is stupid. /Rant]
Or basically anything that gives you the option to avoid doing so.
How is this not entirely illegal?
And it certainly shows an incredible flaw in Chrome extensions. This extension didn't do this when I installed it. A silent auto-update though basically turned it into the worst malware I've ever had installed on my computer. How can any Chrome extension ever be trusted?
Furthermore, I spend a lot of time in Chrome Dev Tools, and the Network tab and I are no strangers. I would easily have noticed if my keystrokes were being sent back to a server and it was shown in there. So not only can an extension be silently updated, but it's capable of using a network connection that doesn't appear in the Chrome Network tab, that only Wireshark can reveal? That seems almost as ridiculous as what the extension author did.
Unfortunately this is simply a byproduct of the web's (and browsers') botched security model; there is no way to allow extensions to modify pages without them being able to read the pages, and if they can read the pages they naturally can catch events, including keystrokes.
This is why you should think - hard - whenever allowing any extension with that permission. It could autoupdate at any time to include malware.
There are a lot of bad extensions out there. I've encountered quite a few. It's a wide-open vector for exploitation and it happens all the time. Just last month I came across a game extension (super mario clone) that contained jQuery. Upon further inspection, it turned out it had been re-minified (making diffs difficult) and had a few lines deep inside that hijacked ads and replaced them with the author's ad network. Silent, effective, and this extension was on the 'top lists' for months. It might even still be there.
Be very aware of the permissions an extension asks for.
Depending on where you live, this might very well be illegal. Unauthorized access to and recording of private information on an IT system is covered in some hacking paragraphs, in the US and the EU (in the EU maybe as part of the cyber attack tools, as the keylogger would have recorded passwords).
Look! I deny it now, ok?! I haven't done anything like that. I just mentioned somewhere that it is technically possible to do such thing in an attempt to increase users' awareness about what would truly be a "horrible thing", unlike my attempt to support further development of my extension through advertising.
Even without this extension, it is possible to open the dev console of a specific extension and look at the detailed net traffic of a specific extension in the network tab. Somewhat simpler than running wireshark, so more within reach of the average user.
Do we have any confirmation other than from jollymonsa on the Chrome Forums that there was in fact a keylogger?
What does it take to get something like this removed?
This, from what I can tell, plays within the bounds of Chrome's policy on extensions.
(I also spent some time looking at the extension source to verify that the only annoying thing they do is inject ads according to this whitelist: http://goo.gl/3WAej6 Nothing else caught my eye. )
Of all the stuff under "Interfering with Third-party Ads and Websites", it only complies with "This behavior is clearly disclosed to the user." IMO obviously.
If the user hovered with his mouse over a link, he couldn't tell the link would lead him to http://www.ecosia.org/. But this is exactly what was happening, because the click listener was changing the URL only after the user clicked.
So now the user was redirected to http://www.ecosia.org/ along with a bunch of parameters, including the original query and the original URL, and from there http://www.ecosia.org/ redirected the user to the original URL (after logging whatever it wanted to log), without the user having a way to notice what had just happened (unless looking in the dev console).
The fact that the URL was changed only after the user clicked is quite a hint that deception was intended there.
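The rewrite described above (the anchor's destination swapped to a proxy only when the click fires) leaves a detectable trace: the href the user saw on hover differs from the href in effect when navigation starts. This added example, not code from the thread or the extension, checks for that in a constructed sample; the proxy hostname and query parameter names are assumptions.

```javascript
// Constructed sample: href seen on hover vs. href read after the anchor's
// click listeners ran. Hostnames and parameter names are assumed.
const SAMPLE_CLICKS = [
  { shown: "https://example.org/article",
    clicked: "https://example.org/article" },
  { shown: "https://example.org/article",
    clicked: "https://proxy.example/go?q=window+resizer"
           + "&url=https%3A%2F%2Fexample.org%2Farticle" },
];

function hostOf(href) { return new URL(href).hostname; }

// Returns null for an honest link; otherwise describes the intermediary
// host and, if the query carries a URL pointing back at the shown host,
// the original target that was passed along to the proxy.
function detectRewrite(shown, clicked) {
  if (shown === clicked) return null;
  const shownHost = hostOf(shown);
  const clickedHost = hostOf(clicked);
  if (shownHost === clickedHost) return null;   // same-site rewrite, not a proxy hop
  let original = null;
  for (const [, value] of new URL(clicked).searchParams) {
    if (/^https?:\/\//.test(value) && hostOf(value) === shownHost) {
      original = value;
      break;
    }
  }
  return { intermediary: clickedHost, original, leaksOriginalTarget: original !== null };
}

// Run the check over a list of recorded clicks and keep only the rewrites.
function auditClicks(events) {
  return events.map(e => detectRewrite(e.shown, e.clicked)).filter(r => r !== null);
}

// Browser hook (not exercised under Node): remember the href at mousedown,
// then compare in a bubble-phase click listener, which runs after the
// anchor's own listeners but before the browser navigates.
function installAuditor(doc, report) {
  const shownAt = new WeakMap();
  doc.addEventListener("mousedown", e => {
    const a = e.target.closest("a[href]");
    if (a) shownAt.set(a, a.href);
  }, true);
  doc.addEventListener("click", e => {
    const a = e.target.closest("a[href]");
    const r = a && shownAt.has(a) ? detectRewrite(shownAt.get(a), a.href) : null;
    if (r) report(r);
  }, false);
}
```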
The onclick event listener is the same thing Google does with the search results. Perform a search on Google and right-click a link, then you'll see the URL changes to a Google proxy server that collects data about your click for analytics purposes. The reason is so the whole process is more transparent and the users can see the actual URL they end up with when clicking the link. The intention was not to hide anything, but to keep things as unobtrusive as possible. I'm sorry if it felt any other way!
I don't feel safe using their services anymore.
After hearing from other Android devs and what they were getting away with I decided to stick to Apple for a while.
I run a local user group that educates developers on Google's technologies that while proudly independent from Google, has a great working relationship with their developer relations teams.
Back in March of 2012 (that's almost two years ago) I first brought to the attention of the Chrome developer relations team an extension called Bookmark Sentry that essentially contained a trojan that hijacks links to serve up spam ads. You can read more about it here: http://stopmalvertising.com/malvertisements/beware-of-the-go...
What I found troubling was the response back. I received an official response that it was within compliance of Chrome App Store policies. Specifically I was told:
"Ad injections are not in violation of the Chrome Web Store program policies. The policy requires that ads must be presented in the context of the extension or, when present within another page, ads must be outside the page's normal flow and clearly state which extension they are bundled with. We believe that ads are a legitimate way to monetize, but that they should be a known cost to the extension user."
I certainly hope since then they've changed their policy on this issue and are actively policing and enforcing against spyware and malware.
Chrome App extensions can access extremely sensitive data such as webforms with credit card, contact details, passwords and more and in the wrong hands can do untold damage.
I immediately emailed one of our SEO guys with a snippet of the page and said, "we need to know how to do this in Google, it must be a new feature". I stupidly assumed it was a new feature Google had rolled out. When he replied that he couldn't see it, I started googling the problem; most of the results pertained to malware and I was shocked, as I'm a very careful browser in general.
When I started digging around, it was only then that I started switching off my plugins one by one, and the eco link went when I switched off the browser resizer. I was honestly shocked. I knew the developer wasn't supporting the plugin any more due to funding, but I didn't think it would go in that direction; I expected it to just fade away.
No, I didn't read the updates on the product. I don't have time to read updates on products, especially plugins. After reading his comments on there, there is no remorse for his actions. He is nothing more than a simple malware spreader, he should apply for a job at SourceForge.
(I zipped the '3rd-party' directory and removed references to those scripts in the manifest file. So it's there if you wanna inspect it, but ecolinks won't run. I don't have time to restructure the options page though :-)
Now I see these pages I can see you were quite transparent about the eco links update. I still didn't see it though.
It's a shame it went in this direction as I used it all the time.
This isn't to say what the developer did is in any way OK (I don't think it is), nor is it my intent to insult you. Rather, it's to highlight a deeper problem with this kind of click-through security model that the Chrome Web Store, Play Store, et al. are fostering.
If somebody who has a reasonable understanding of computers and works with them for a living still clicks through this kind of agreement, what hope has the other 99% of the connected-device-using population?
With Chrome having such a good level of sandbox and Google being proud of that I didn't think it would be so easy for someone to release an extension that basically acted as malware.
I do in general have really good browsing habits, I just need to re-evaluate who I trust.
Valuable lesson learned. I never thought a chrome developer would be quite so stupid to pull something like this. Now I'll keep my eye on every extension.
And yes, you should never install Window Resizer, or anything else Ionut Botizan (the developer) releases again.
I love that the developer's defense is that he could have sold our passwords to someone but (supposedly) didn't. That really instills confidence in his morals, doesn't it?
Would avoid this developer 100% from now on, Chrome or otherwise.
Read more carefully next time, ok?!
So I tried it, and sure, I was even able to replace password logins in the DOM with fake ones.
Firefox extensions do the same thing really, so now I only use a few "safe" extensions.
I'm surprised that this hasn't gotten more attention.
Although the author seems like a bit of a di- ...fficult person, maybe we should coin the term "dickware" to cover this sort of software.
EDIT: I missed the keylogging bit, thanks to everybody that pointed it out. Adware + Spyware = Malware.
It is just proxying clicks on real results through Ecosia's servers instead of Google's.
* Which my mother confirmed JUST THIS WEEKEND by searching Google for Firefox and Spider Solitaire clicking one of the Google ads up top for each to get the download and... 2 hours of cleaning later and removing 18 different malware apps. Then just deciding it was faster to restore it to a factory image.
* * Which I'm trying to block one by one using the pitiful tools that Google makes available to block individual adsense advertisers.
Then they partnered with someone and started sending certain form data (!!) to a third party -- claiming they wanted to collect anonymous demographic information. It didn't help that the script injection on all pages (which I discovered when debugging with the web tools) used some shady domains with no web presence.
They claim they did not send e.g. any password data -- but they perfectly could have. I tried reporting the extension on the store as did many others, but that had no effect. The developer seems to have reverted that bit of the code -- for now.
A proof of concept to demonstrate how you can take advantage of this access for nefarious reasons, even after getting approval into the Chrome Web Store, would be quite simple.
Long/short of it is: make sure you trust the author of any extension you install!
"There is no such thing as bad publicity" by Ionut Botizan
NO! It wasn't logging anything! The only thing it was doing was proxying clicks on search results through Ecosia's analytics servers instead of Google's.
Anyone who still has the extension installed can view the source code by looking in their /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh
The extension is also available at http://ionut-botizan.net/window-resizer/ both as a .zip and .crx file.
"No, that's bundled adware. If I wanted to give you malware, I would have added a keylogger which you wouldn't have ever discovered (ask around; it's technically possible).
So stop whining already, uninstall the extension and move on with your life!"
(Also, he's now posting on the linked thread. 7 minutes ago last reply.)
seems to imply that he was not logging keystrokes, which conflicts directly with the first post in that thread:
> they are tracking all data and keystrokes. checked with wireshark.
It'd be nice to have a copy so that we can find out for ourselves.
Uncheck “Enable EcoLinks”.
The extension is now uninstalled.
Was it logging all keystrokes in Chrome ever?
Does anyone know if the Chrome Remote Desktop extension would have been impacted by the keylogging?
The original post on productforums.google.com is complete BS and the extension was NOT suspended because of that, but because it failed to make it clear, in the context of the ads, which extension enabled the EcoLinks. This is not the first, nor last, piece of software that uses ads in order to support its development.
Also, the extension never logged anything from the users. All the "keylogger" stuff is just rumors started by people who are either incapable of reading a sentence from start to end or are knowingly lying about it.
It didn't alter the search results either. Those were exactly what Google returned for your search, nothing more, nothing less.
There was no malicious intent whatsoever. The whole purpose was to support further development of the extension through some form of advertising which you could disable at any point. The disable option was not even hidden among the other options; it had a dedicated page with a link in the main menu that only consisted of a checkbox - it was that simple and obvious.
Another false rumor is that the setting would enable itself automatically. No, it didn't! The only way that it would re-enable itself was to remove the extension and then install it right back. On uninstall all settings are lost and it falls back to the defaults.
Another false accusation is that I bragged about how "I could sell your personal data and it wouldn't matter to me".
What I actually said is that "I could sell MY EXTENSION (as in transfer all rights and ownership to someone else) and it shouldn't matter to me (from a legal standpoint) what the buyer would do with it, be it collecting your private data or whatever". That claim was made just to point out that in fact I do care about the users' privacy and I chose not to sell the extension, even though I received plenty of offers. Some people asked "how could I even think of that"? Well, the extension is my property and receiving all those offers put me in the position where I had to think about it, whether I liked it or not.
In conclusion, yes, I admit the opt-out pattern is not the friendliest one and the whole thing could have been handled in some other way, but the reality is far from all these claims that I sneakily added malware to the extension, logged your keys and private data and sold all that to third parties or whatever.
The reality is I took your Google search results and converted them to sponsored links, plain and simple. All data that was transmitted when you clicked a search result was about the same that is sent whenever you click on any other ad or banner, which can not, in any circumstances, be used to identify you personally.
I am the developer and this is my answer; no excuses, just stating the facts. Learn what you want from it.
I went ahead and looked at the code after downloading the zipped extension you linked to, and I effectively cannot see anything re. a key logger. Where was that first reported? I would like to ask the original reporter what piece of code he based his conclusion on that there was a key logger in there.
Edit: Never mind, I see this apparently comes from original poster on google groups, so I asked him exactly how he came to this conclusion.
So, this is what caused all this shit storm...