Chrome Exrensions = Potential Malware?

[Derek891]

I came across this article yesterday describing yet another internet exploit to be aware of. It seems the people with the black hats have found a way to load adware and malware onto a user's machine by using the automatic updates to Chrome browser extensions: http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/

 

"A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension's user base."

[Alan_B]

I specifically anticipated that Firefox would be vulnerable to such hijacks when Mozilla introduced their capability to auto-update Firefox.

 

The only thing I cannot remember is whether I ran like a scalded cat for a different browser when I realised,

or whether I just felt pleased with myself because I had already totally UN-installed Firefox because I had the aggravation of needing to frequently update.

[Winapp2.ini]

I don't think you can transfer ownership of addons in the Mozilla ecosystem.

[Winapp2.ini]

http://www.theverge.com/2014/1/20/5326582/google-bans-chrome-extensions-purchased-to-deliver-adware

 

Relevant article

[Alan_B]

Actually my concern was NOT rogue extensions to Firefox,

but that Mozilla was incorporating into Firefox the ability to automatically accept updates that APPEARED to have originated from Mozilla,

and I had concerns that the bad guys might have the ability to

"authenticate browser updates as coming from Mozilla"

(Whatever that might mean - I just know that in the face of the unknown I prefer to avoid. )

[Winapp2.ini]

Updates for firefox are prepared by Mozilla's AUS (Automatic Update System) which was/is in the process of being upgraded as of a few months ago. From what I understand, it calls back to the update server to ask if there's anything new going on, and I'm fairly sure that much is hardcoded since it required a bug and patch to change, so I don't see it as being compromisable

[hazelnut]

Sorry Derek that your topic seem to have gotten derailed after your first post.

 

Hopefully Chrome will watch this situation like a hawk in future...they need to.

 

And just to muddy the waters slightly

 

http://www.ghacks.net/2014/01/18/monitor-extension-updates-chrome-firefox/

[Derek891]

http://www.theverge.com/2014/1/20/5326582/google-bans-chrome-extensions-purchased-to-deliver-adware

 

Relevant article

 

Thanks for the link Winapp2, I'm glad to see that Google has responded quickly and decisively to this problem.

 

 

Sorry Derek that your topic seem to have gotten derailed after your first post.

 

 

I don't mind at all. I think it's more important that people understand the potential vulnerablities in both Chrome and Firefox. I try to never allow any application to automatically update itself without my knowledge or consent. I've been burned in the past and would prefer to have software that's one or two versions out of date and still working rather than something that is problematic, or worse, riddled with malware.