Another cluster of potentially malicious Chrome extensions(palant.info)
palant.info
Another cluster of potentially malicious Chrome extensions
https://palant.info/2023/06/08/another-cluster-of-potentially-malicious-chrome-extensions/
46 comments
It's shockingly easy to baffle automated security with a bit of obfuscation. I saw a phishing page a few weeks ago which evaded detection by base64encode(htmlencode(maliciouscontent)) and having the browser decode it on load with JavaScript. The security software identified it immediately out of my Notepad++ draft decoding it...
Unfortunately Google believes their scale means having a human involved in anything is unacceptable, which is why the Chrome Web Store will eternally be the leading source of malware for computers.
Unfortunately Google believes their scale means having a human involved in anything is unacceptable, which is why the Chrome Web Store will eternally be the leading source of malware for computers.
> Unfortunately Google believes their scale means having a human involved in anything is unacceptable
Yeah, I mean they've had a solid 14 years to give it a fair shot, and have evidently failed. Browser authors are unhappy, moderately technical users are suspicious, and unaware users can get taken advantage of.
Even a moderate pay-per-review fee would be a cut above the current situatioin.
Yeah, I mean they've had a solid 14 years to give it a fair shot, and have evidently failed. Browser authors are unhappy, moderately technical users are suspicious, and unaware users can get taken advantage of.
Even a moderate pay-per-review fee would be a cut above the current situatioin.
Which would kill small indie extensions that are harmless but keeps the profitable affiliate malware ones.
The boring truth is that automation or not, it's difficult. Manifest v3 in some aspects improves the situation (but it's not that great).
It would certainly be more trustworthy if they'd add identity verification. eIDAS makes it low-cost to implement in the EU. At least it'd require a new malicious company or person willing to taint their name to continue operations.
The boring truth is that automation or not, it's difficult. Manifest v3 in some aspects improves the situation (but it's not that great).
It would certainly be more trustworthy if they'd add identity verification. eIDAS makes it low-cost to implement in the EU. At least it'd require a new malicious company or person willing to taint their name to continue operations.
> Which would kill small indie extensions that are harmless but keeps the profitable affiliate malware ones.
Any indie extension that has an audience could get a donor base, but yeah - smaller first-time extensions that only underwent automated review could either fly unlisted / or with a non-"blue-star", or even with an "unverified" banner. The small fee could make looping humans into the loop relatively revenue neutral, and increase the chance of detection of stuff like this. The more misses by the automated system, the more the platform suffers, and the less chance any of us have of getting users.
Any indie extension that has an audience could get a donor base, but yeah - smaller first-time extensions that only underwent automated review could either fly unlisted / or with a non-"blue-star", or even with an "unverified" banner. The small fee could make looping humans into the loop relatively revenue neutral, and increase the chance of detection of stuff like this. The more misses by the automated system, the more the platform suffers, and the less chance any of us have of getting users.
The 'phishing page' you mentioned is not a chrome extension I guess? It probably didn't go through the same detection of the Chromestore? Maybe the Chromestore is better than that?
I'm curious if any security software could detect malicious chrome extensions on the Chromestore. That'd be helpful.
I'm curious if any security software could detect malicious chrome extensions on the Chromestore. That'd be helpful.
Mozilla does (a). I just published my first Firefox extension and they require a zip of un-obfuscated source code if you minify or bundle in any way.
How does this work? Do they publish your minified/bundled code and trust it’s a direct derivation of the un-obfuscated zip provided for review?
Note: I am the author of this article.
Yes, Mozilla doesn’t publish the source code. Back when I was reviewing add-ons there (a long time ago), I did compile the supplied source and compared it with the submitted one. It was sometimes awkward when the tool in question didn’t produce reproducible builds but mostly ok.
Yes, Mozilla doesn’t publish the source code. Back when I was reviewing add-ons there (a long time ago), I did compile the supplied source and compared it with the submitted one. It was sometimes awkward when the tool in question didn’t produce reproducible builds but mostly ok.
Diffoscope should help with that nowadays.
Hopefully they try to automatically reproduce the build and reject when it fails:
https://reproducible-builds.org/
https://reproducible-builds.org/
Another Mozilla requirement is reproducible builds. This enables the to verify that a build from the supplied sources matches the release bit-by-bit.
how do they verify it's the same as the bundled version? does it affect updates as well?
They require to provide all the details of how the code was minified/bundled so that they probably try to reproduce the resulting code on their side, and if there is a mismatch you will not pass review.
Paying qualified people to audit code would not exactly be cheap. Needs to be done every time the extension is updated too.
Isn't that why publishing verified code re: Apple costs $99/$299? (I actually have no clue, I just presumed that's part of why you pay Apple, to verify your code?)
Well we're talking about source code here. Apple has no expectation that applications for their platforms are open-source and so they don't get to see the source code either.
Scanning of the binaries, "Notarization", Developer ID signing and all that stuff is something different.
Scanning of the binaries, "Notarization", Developer ID signing and all that stuff is something different.
Apple uses some combination of static analysis and manual reviews for applications, unfortunately I don't have a reputable source to link right now.
Chrome requires a $5 fee to submit chrome extensions. 1 time fee that's non-recurring.
That doesn't explain the failure to incorporate free information nor build the tools to convey that info to the users
I made a chrome extension that has about 3000 users and adding about 100 users weekly. One Day someone reached out to me offering to pay 0.20$/user for it. The extension required manual data input from time to time so I was happy to get my hands off it.
I was confused as after buying the guy seemingly did nothing with the extension. Now I'm realizing that it has become a part of the malware community. I was also using ESCompiler to bundle files which was naturally obfuscating it a lot.
The point is that these people acquire extensions when they have a growth trajectory, then sit back and let the cash roll in. Kinda like VCs. That's why they have such a huge collection of popular extensions.
Also, To get "Featured" on chrome, you just have to fill a paltry form about accessibility etc and wait for a few weeks. "Featured" does not mean the application is safe in any way. I'd say it's the contrary since the scammers know exactly how to get the tag to look more trustworthy.
I was confused as after buying the guy seemingly did nothing with the extension. Now I'm realizing that it has become a part of the malware community. I was also using ESCompiler to bundle files which was naturally obfuscating it a lot.
The point is that these people acquire extensions when they have a growth trajectory, then sit back and let the cash roll in. Kinda like VCs. That's why they have such a huge collection of popular extensions.
Also, To get "Featured" on chrome, you just have to fill a paltry form about accessibility etc and wait for a few weeks. "Featured" does not mean the application is safe in any way. I'd say it's the contrary since the scammers know exactly how to get the tag to look more trustworthy.
> One Day someone reached out to me offering to pay 0.20$/user for it.
> I was confused as after buying the guy seemingly did nothing with the extension.
This is a surprised_pikachu.png moment. Did you honestly expect someone paying $600 to maintain an extension?
> I was confused as after buying the guy seemingly did nothing with the extension.
This is a surprised_pikachu.png moment. Did you honestly expect someone paying $600 to maintain an extension?
Frankly it serves Google's interests to degrade users' perceptions of extensions as a whole. In the future there will be less of a fight when they disable extensions entirely to protect their ad business.
It's now clear that I need some sort of semi-automated system to periodically review the list of installed extensions against a database of known-malicious IDs. I'm not going to manually go through a list of more than 100 extensions. We need something like HaveIBeenPwned, is there anything like that already?
Or you could just not use the extensions.
Ironically, Google eliminated Chrome Web Store payments, so extension developers can no longer directly monetize extensions from the Chrome Web Store.
As always, if you're not the customer, you're the product.
As always, if you're not the customer, you're the product.
I only trust three extensions, and maybe that's too many:
1) My password manager extension, 2) EFF's Privacy Badger, 3) Vimium
Everything else I run only temporarily or with the option where I have to click to enable it for certain sites.
1) My password manager extension, 2) EFF's Privacy Badger, 3) Vimium
Everything else I run only temporarily or with the option where I have to click to enable it for certain sites.
Same approach here: Password manager and uBlock Origin.
Why not use the password sync feature for the browser so you are testing one less person?
Why do you trust password managers?
For people down voting this comment, LastPass was hacked bigly late last year:
https://www.wired.com/story/lastpass-engineer-breach-securit...
https://www.wired.com/story/lastpass-engineer-breach-securit...
We are talking about malicious code, not unintentionally vulnerable code.
Last pass wasn’t malicious, just incompetent. There is nothing to suggest that their extension is going to be secret malware.
Last pass wasn’t malicious, just incompetent. There is nothing to suggest that their extension is going to be secret malware.
Sigh, these articles are good, but at the same time someone will look at it and do stupid we gonna solve this right now kinda optimizations. Extensions are already behind a group icon, just do not tighten them up even more in stupid ways. It's already problematic, because average users doesn't even know how many extensions and what kind are installed. If you have an army of icons next to your url bar at least you know that something is there.
At the same time if you have an extension that shows some status via the pinned icon you have to guide them step by step.
If an extension doesn't steal your data, then leave them be. If you don't do your homework, well, then live with the "bloodsucker mosquito". We don't have to protect everyone from the real world at the expense of the many.
At the same time if you have an extension that shows some status via the pinned icon you have to guide them step by step.
If an extension doesn't steal your data, then leave them be. If you don't do your homework, well, then live with the "bloodsucker mosquito". We don't have to protect everyone from the real world at the expense of the many.
After so many incidents when legit extension is sold to another entity that implements malware, why there are no mechanism to additionally approve extension usage when developer changes? Sure, most users probably will click agree, but that would be a good start.
The new owner would just wait for approval before adding malware.
My question is how are these extensions with malware being "featured" on the web store? Are humans at Google running these applications and featuring them or is it AI/an algorithm?
Note: I am the author of this article.
I have no idea what it takes to get “featured” but having seen how pretty much any extension gets this tag, including plenty of malicious ones – it’s pretty meaningless.
I have no idea what it takes to get “featured” but having seen how pretty much any extension gets this tag, including plenty of malicious ones – it’s pretty meaningless.
If only there were some tech to grep store extension comments for malware complaints...
Google? Searching through text? That's not their business.
Note: I’m the author of this article.
I’m fairly certain that these users didn’t leave it at reviews. There is a “Report abuse” form which one can use and which was certainly used here. If only someone were actually looking at these submissions…
I’m fairly certain that these users didn’t leave it at reviews. There is a “Report abuse” form which one can use and which was certainly used here. If only someone were actually looking at these submissions…
Question for the author since they’re semi active here: How do you choose to investigate these malicious extensions in the first place?
It wasn’t really intended. I originally looked at ad blockers since I know that most of them are shady, that’s how I immediately found the PCVARK ad blockers. I stumbled upon these extensions because I was trying to find more PCVARK software – one of my queries turned up that translator extension. I realized that it wasn’t PCVARK but still malicious.
a) I was surprised that they don't require access to the source code in order to review. I wrote everything using typescript and uploaded the packed/obfuscated output, which wasn't a problem at all. I'm sure they have software that unpacks and attempts to detect hazardous patterns, but clearly humans are not actually trying to understand the code's structure. It would be a low bar to require well commented source code (and even to require certain coding conventions) to make extension code more reviewable. Want to be on our platform? Write it this way. Show us the source.
b) On the flip side, trying to do anything interesting requires adding permission after permission to the manifest, which of course results in the scary messaging at install time. While you're asked to justify each permission when you upload, as far as I'm aware extension authors have to provide their own copy to end users attempting to explain permissions - I've certainly never seen it as an end user when installing an extension. Including these explanations either in the initial install dialog, or on first usage of each permission, would be beneficial. Of course this would require that extension reviewers verify the usage of each of the permissions, but since they're universally accessed through the chrome api, they should be easy to spot in the source (and #a would help this significantly).