Adware Vendors Buying Chrome Extensions, Injecting Ads 194
An anonymous reader writes "Ars reports that the developers of moderately popular Chrome extensions are being contacted and offered thousands of dollars to sell ownership of those extensions. The buyers are then adding adware and malware to the extensions and letting the auto-update roll it out to end users. The article says, 'When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.'"
Disconnect the Updates (Score:5, Insightful)
Google need to disconnect their Chrome core update mechanism from the extension updates (unless ones of their own authorship). Of course, they cannot do anything about users accepting updates directly from independent extension writers.
Otherwise, Chrome is dead in the water.
Re:Autoupdate (Score:5, Insightful)
Please assure that you're not one of those people who complain about users running unpatched Windows boxes because they turned off auto-update.
For the average non-techy user auto-update is the one thing I'd say is essential. They're not in any position to judge what parts of their system need, or don't need updates, and I'd rather that they trust in Google, or Microsoft, or even Canonical to decide for them.
Now, you can debate the fine points, about whether minor plug-ins should auto-update, or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader, but in general I'd still argue that auto-updates are good security practice.
We're all really screwed if... (Score:4, Insightful)
...these malware companies buy out AdBlock. :-/
Re:Autoupdate (Score:3, Insightful)
Automatic updates, by themselves, are an awful security practice. They mean that whoever writes the updates can install (intentionally or unintentionally) damaging code on all users' machines without the knowledge or choice of the user.
Automatic updates are a good security practice only if the user is willing to give their unconditional trust to the author for the entire time that the updater is running. This is not always the case. The possibility of an ownership transfer is one reason why it is not. Another is that I may not trust some companies to fully test their software before pushing it, so I don't want their updates until it is confirmed that the update doesn't brick my machine or break essential functionality.
Re:And That, Ladies and Gentlemen ... (Score:5, Insightful)
Doesn't Google share at least part of the blame here for not allowing users to opt-out of automatic updates once an extension is installed? As the article points out, it's precisely this ability to automatically "push update" thousands or tens of thousands of users without recourse, combined with lax enforcement by Google of update rules, that makes this situation attractive to the advertisers. Why not instead allow users to decide what the update policy will be on their device, as in Firefox?
Re:Now the "alternative" is becoming the culprit (Score:4, Insightful)
I think you typed in jest, but I think you are still spot-on.
The biggest problem I see is all these scripting thingies where webmasters can insist you run arbitrary code in order to view their page. The magic of our legal system allows them to do all this ""hold harmless" stuff regarding anything you ingest at their site. See if this "hold harmless" talk also applies to restaurants. It won't. You eat some restaurant's food and get sick, the restaurant owner has a lot of explaining to do. If common law held anyone who insisted arbitrary code be run in order to view content - hold them liable for malcontent - this would soon stop.
Business went to our Congress over the DMCA and had really stiff penalties legally levied on anyone who violated their business model. Any chance our Congress take our computer infrastructure integrity as seriously as they take the illegal downloading of a song?
If some business made it mandatory you eat one of their candies in order to enter the business, should they be held liable if the candies they insisted on caused a diabetic to go into a coma? Or should their relationship with the U.S. Congress insulate them from liability?
The difference I see is that business will organize and put their concerns before Congress and hound them until they pass whatever legislation they want, whereas voters seem to vote for whoever has the best sound bites, and do not hold their congressmen to their campaign promises. So we end up with software we can't trust.
I rant and rave all the time here bagging on Microsoft for caving in to special interests for things like backdoors and DRM, both of which are hijackable and used to annoy the hell out of those who lack the hacking skills to pirate the damm stuff in the first place. But then, very little of this is Microsoft's doing... its just that they provide the means for others to do this.
I posted a few days ago about Micrium's stuff. ( uC/OS II). I guess the only OS I consider truly secure. Rom-able. Why this is not the standard for standalone industrial controllers is beyond me.
I get so fed up with the way we do things in these Von-Neuman ( Princeton ) architecture machines where we mix code and data. I do not think anyone can really code a secure OS where there is no hardware line of demarcation over what is OS and what is user code. Personally, I would love to see someone come up with something like the Android - running ROM - on a Harvard machine, requiring a physical jumper to re-flash its ROM. Something completely open-source so nobody is trying to hide anything about the inner workings of the OS. The OS would be like a toolbox - handling all the devices on the system. And that's all it would do. Manage the TCP/IP stack, display, keyboard, USB port, HDD files, RAM, and sound. Virus? It will have to infect an app, which now will no longer have a proper signature when its files are verified by the OS's file hasher. Bad app? Delete it. Phoning home app? It HAS to go through the OS to get to the TCP/IP stack, and the OS will rat it out.
Running arbitrary code? Go ahead with Java. In RAM. In the data space. Interpreted. It can't really do anything the OS won't let it do... and its completely helpless to overwrite the OS so it can get its way, as it cannot install the necessary jumper plug that enables the write current.
We take something so simple, and make a helluva mess out of it, just so some special interests can manipulate it at everyone else's expense. Tragedy of the Commons.
Re:Happy Saturday from The Golden Girls! (Score:0, Insightful)
Betty White's birthday was yesterday, comrade.
No, it was January 17, 1922.
She might have celebrated it yesterday and that's a good thing for two reasons. First, many people of that generation are no longer around and second because no one really celebrates their actual birthday... one instant you are warm and cozy in the only environment you have ever know and the next you are in a cold, noisy place with bright lights and someone may even smack you on the ass! And, while some may grow to enjoy that last little bit, the first time is not fun.
Re:Autoupdate (Score:5, Insightful)
So you sit down and check on the health of your machine, you go through logs reading on what is vulnerable, and then you manually apply security patches.
How is this relevant in a discussion about what is best for a normal user again?
The normal user can barely be trusted to check in their car for a scheduled service let alone go through security updates one at a time. Like it or not the number of security threats caused by malicious updates is infinitesimal compared to the number of security threats caused by bugs which haven't been patched.
Re: And That, Ladies and Gentlemen ... (Score:5, Insightful)
Your theory flies in the face of history. Spam now represents the majority of email sent and they only need a fraction of a percent in return in order to reap a significant reward to justify their efforts. This particular clever exploit has been around how long undetected? And all they have to do is take the same code and inject it into the next extension they buy, or roll out. This is even better than spam.
Google's main reason for getting involved in this one is that it's leeching off of their core business. I guarantee that's not something they'll let slide.
Re:Disconnect the Updates (Score:5, Insightful)
No. what it should do is act like android plugins and pop a security warning if any permission level changes between updates, or if it modifies settings.
Disabling auto update may add more problems if the app has bugs that can be exploited. I'd rather have Chrome disable the plugin if permissions change instead of removing auto update altogether.
On another note. why is this all of a sudden news now? I've been seeing all of these Virus ads and plugins posts on slashdot this week and I've been seeing this stuff going in chrome for Months now. Hell 60-70% of my service calls are from this stuff.
Hell, I had two Chromebooks come in infected and you can't just remove the extension on a chromebook. You basicially have to log into google using Chrome on a windows PC, Infect that chrome, disinfect it using ADWCleaner or JRT to remove the extension enough in chrome so it deletes the plugin in your cloud settings, and reset the Chromebook to factory (otherwise it comes back). So much for "Chromebooks don't get viruses", although Google now has a browser reset button (The two chromebooks were infected before this feature was added in the WIndows builds) so that might make it easier to remove. I sure hope so for Chromebook's sake.
Google. You Seriously need to start monitoring and cracking down on this stuff ASAP. And start paying attention to your damn Google ads! I'm sick of people installing buldleware virii everytime they search for any of the following:
Firefox
Google Chrome (Thats right! They're hijacking your OWN BROWSER'S ADS ON YOUR OWN SEARCH ENGINE!)
Internet Explorer
Windows Media Player
Openoffice/Libreoffice ETC
VLC Media Player
7ZIP
Quicktime/Itunes ETC
ETC. (I can literally go on forever with this list. Just as a rule of thumb, if it's a popular software download, it's most likely been install hijacked by a Virus Inc.)
Anytime anyone uses adwords to get listed on a legitimate app, and it doesn't go to the Legitimate program's website, I want a big red light to start blinking with 150DB Sirens going off and a Evil Sounding voice that says WARNING!! ADWORDS HIJACK DETECTED!! going down somewhere in your security dept so your security team scours their ad submission in fear of the big red light of screaming Terror going off. And they better damn well ban that entire domain and any subdomains from ALL ADS FOR LIFE! Either Get Tough and declare war on spam and virus pushers or get steamrolled!
The same goes for you too MS. Fix Bing! See what Google is doing? You're doing the exact same thing and need the exact same remidies! Hell! Slahdot? Want a Bash MS Story for your front page? There's malicious apps in the Windows 8 Store! Just open up the store, search for "getdesktopapp" and see the Virus and Adware crap MS's Own Store is infecting people with! Now get on bashing M$ like you love to do. Chop Chop!
And as for Antivirus firms. (And frankly, I don't care who you are. You ALL suck when it comes to this) Wake The F Up! You detect Gator, A 10 year old adware/spyware mess as a virus, but Conduit SearchProtect is totally legitimate and in no way is a threat to computer users even though it does thins that are 10 times worse than anything Claria did? BS! Wake Up, Grow a Pair and start doing your damn job! It's a shame that the only people that detect these things is the people behind ADWCleaner and the Junkware Removal Tool (thanks BTW for making these two tools since noone else detects adware anymore). Adware is a VIrus now. Bundleware is a Virus. Start detecting and removing this crap as malware like you should! It's real easy to find out what to detect. If you install a wanted program (like Adobe reader), and it installs Something the person didn't want (like Ask Toolbar, or whatever garbageware of the day adobe gets paid to infect PC's with) It's malicious and should be flagged as such. I don't care if it's got a Checkmark to not install or who the hell is pushing the junkware or who the junkware creator is. the practice is bad and needs to die.
Re:Disconnect the Updates (Score:4, Insightful)
Otherwise, Chrome is dead in the water.
I wonder how you come to this conclusion. We live in a world where users don't want to be interrupted with mindless things like updating software. Combined with Microsoft's militant approach to harassing users if their computers aren't configured to auto update, and the general consensus that many user facing apps now auto update and the trend is moving towards doing it silently I don't see this affecting Chrome's user base one bit.
If this isn't rapidly nipped in the bud Chrome will soon be known as a hotbed of Malware, credit card fraud, bank fraud and porn ads to general users. Once it has this reputation it will be very difficult to get users to continue using it.
Re:And That, Ladies and Gentlemen ... (Score:5, Insightful)
This would not have prevented what happened, unless the OP likes to never update his software. At most, it would have (possibly) saved the OP some time if he would have made the connection (which is not at all a for-sure thing).