Extensions make it even easier to install them, though, just need to redirect a user.
I've also come upon some spam sites that try to get you to install extensions with annoying alerts that prevent you from closing the page, playing a recorded message "To close the page, just install the XX extension".
The only remedy is good screening in the app stores. Actually, for apps/extensions installed from the official repository, I would be OK with remote removal. This would probably spark an outcry from certain parties, but as long as it does not extend to manually installed extensions it's acceptable to me.
Couldn't the alert instead be rendered as an overlay to the page itself, be modal to just that tab, and not disable the browser Chrome? This would make it much harder for pages to "trap" users with alert spam. The existing policies (don't allow this page to create more dialogs -> page instantly redirects to itself to reset the flag) aren't doing a good enough job.
https://docs.google.com/document/d/1wtV5rmLhbf1OZkbg7crtCt6h...
Firefox and Safari do exactly that.
> The existing policies (don't allow this page to create more dialogs -> page instantly redirects to itself to reset the flag) aren't doing a good enough job.
Does that work? I've never seen any pages that circumvent alert blocking like that, and I'd have imagined that any sensible implementation would disable alerts for the entire session (or at least a few minutes).
In theory some very recent, barely used newer Android version fixes this by asking for permissions at first use of them (e.g. first time using the camera or first time accessing contacts). In practice this doesn't matter for several years.
I've reported malicious extensions and a year later they're still there racking up installs.
That may be true for "always-running" extensions like ad blockers, but there's another useful class of "on-demand" extensions that don't need full access -- think Evernote or Pinboard clippers. They only need access to the one site you're looking at, and only when you invoke them.
Chrome added a tightly-scoped "activeTab" permission a few years back, for exactly this case. Before that, on-demand extensions did need all-sites access, and unfortunately a lot of extensions (and tutorials and example code) haven't been updated.
One of these extensions I came across automatically closed about:extensions every time I opened it to prevent uninstallation. Eventually went through the chrome task manager, killing extensions one by one until I found the right one by trial and error. Very frustrating to debug.
Additionally, JS is a dynamic language so it's difficult to provide adequate automated scanning for malicious intent. Even so, extension authors can be quite clever in how they hide malicious behavior, especially if there's financial reward involved.
WebExtensions (https://wiki.mozilla.org/WebExtensions) add a permission system, have a much smaller attack surface, and should help to alleviate this problem. This combined with automated scanning + human review and
For Chrome, I think Google prefers a combination of automated scanning and quick response, without upfront human review (based on https://static.googleusercontent.com/media/research.google.c...)
You could imagine that a malicious company would put through a "clean" version for testing and then once approved swap the script for the one loading malware.
chrome://flags/#extension-active-script-permission
It adds an extra level of permission where each extension that doesn't ask for a specific website is, by default, locked out of every website, and you have to enable it manually by either clicking on it, whitelisting the websites where it can run, or globally (example pic, sorry for not being in English: http://puu.sh/q5QFR/d6004da3bb.png)
More serious problem is legitimate extensions that are trusted by lots of users then being sold to some rogue company, then lots of users receive malware with update.
They were opaque with us about what the code did (they didn't share the actual code without NDA, and we never got that far). But I did get to see the snippet they wanted us to add to our privacy policy, which was devilishly opaque. It arguably disclosed everything that would be done, but it did so in a way that sounded very benign.
I googled some phrases from the privacy policy insert and found that they had in fact gotten several extensions to include the code. Scary.
Could you share those phrases, so that we can do the same Googling?
Leave off "site:chrome.google.com" and see a few more results. Looks like they don't have many takers these days (or have updated their privacy insert to make it harder to find them all).
> The script that it fetches from the above server is a malware payload. The extension needs to download it after having been installed because it cannot ship with the payload if it wants to pass through the Chrome Webstore’s security checks.
There probably are legitimate reasons to pull in remote content, but I can't think of any that can't be worked around. You'd think that Google's own malware tracking would pick up http://104.131.35.136:9999/ as a bad site, but the malware author takes care to hide that delivery mechanism behind a header check.
So, to me, ANY request or evals by extensions should (at the very least) be detected and constitute a separate permissions category, or, better yet, BLOCKED as a violation of same origin policy.
<all_urls> has nothing to do with the browser's normal Same Origin Policy for individual web pages. All URLs indicates that the extension is allowed to operate on all pages loaded in the browser window.
It has nothing to do with the resources loaded by the extension. In other words, I'm talking about (for a start), this "Regular web pages.. limited to Same Origin Policy. Extensions can talk to remote servers outside of its origin."
https://developer.chrome.com/extensions/xhr
In other words, extension should be treated as operating within the context of that tab; in other words, a locked-down sandbox for that tab.
Cross-origin permissions as noted above should be flagged to the user and should apply across the board to any injectable resource (including CSS, HTML, Javascript, SVG, etc.)
Otherwise, outside resources should fall into the Same Origin Policy (i.e., if your tab is at https://google.com/, only resources should be loaded from google.com.)
<all_urls> specifically refers to whether the extension is triggered on all URLs that are visited in the browser or not. That permission is usually needed.
Different origin attempts to communicate (read and/or write) any data on its own to any third party server should fall under different permissions.
For more information on what should have happened here, please see "Only local script and object resources are loaded":
https://developer.chrome.com/extensions/contentSecurityPolic...
> It also explicitly turned on unsafe-eval.
That's a good point, and I agree; in fact, unsafe eval should only be allowable within the Same Origin Policy.
Also, this brings up another good point: some permissions are more risky than others (for example, the legitimate use cases for unsafe eval are few). A visual indicator of the relative severity of the requested CSP's when installing the extension would probably help less technical people separate when an extension is very risky. (Multiple red danger symbols would probably be a good clue..)
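The comments above argue that an extension's cross-origin script sources, 'unsafe-eval' in its CSP, and blanket host access should be surfaced to the user with a sense of relative severity, while a tightly scoped permission like activeTab is comparatively harmless. The following is an added example, not code from the thread or from any browser vendor: a small Node.js audit that reads a Chrome extension manifest (MV2 string CSP or MV3 object CSP, as I understand the two shapes) and produces a ranked list of findings. The severity weights, the two sample manifests and the placeholder host example.invalid are my own constructions.

```javascript
// Added example: static risk report over a Chrome extension manifest object.
// Severity weights and the sample manifests below are constructed for illustration.
const SEVERITY = { low: 1, medium: 2, high: 3 };
const LABELS = ['none', 'low', 'medium', 'high'];

// Parse a CSP string such as "script-src 'self' https://x; object-src 'self'"
// into { directive: [source, ...] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Host patterns that match every site: <all_urls>, *://*/*, http://*/*, https://*/*
function isAllSites(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const add = (severity, message) => findings.push({ severity, message });

  // MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hosts = perms.filter((p) => p === '<all_urls>' || p.includes('://'));

  if (hosts.some(isAllSites)) {
    add('high', 'can run on every site (<all_urls> or wildcard host pattern)');
  } else if (hosts.length > 0) {
    add('medium', `can run on specific hosts: ${hosts.join(', ')}`);
  }
  if (perms.includes('activeTab')) {
    add('low', 'activeTab: access to the current tab only, and only when invoked');
  }

  // CSP: a string in MV2, an object with "extension_pages" in MV3 (assumed shapes).
  const rawCsp = typeof manifest.content_security_policy === 'string'
    ? manifest.content_security_policy
    : (manifest.content_security_policy || {}).extension_pages || '';
  const scriptSrc = parseCsp(rawCsp)['script-src'] || [];

  if (scriptSrc.includes("'unsafe-eval'")) add('high', "CSP allows 'unsafe-eval'");
  if (scriptSrc.includes("'unsafe-inline'")) add('medium', "CSP allows 'unsafe-inline'");
  const remote = scriptSrc.filter((s) => s === '*' || /^https?:/.test(s));
  if (remote.length > 0) add('high', `CSP allows remote script sources: ${remote.join(' ')}`);

  const score = findings.reduce((n, f) => Math.max(n, SEVERITY[f.severity]), 0);
  return { label: LABELS[score], findings };
}

// Render the report the way a store listing might: one danger marker per severity step.
function formatReport(name, audit) {
  const lines = [`${name}: overall risk ${audit.label}`];
  for (const f of audit.findings) {
    lines.push(`  ${'!'.repeat(SEVERITY[f.severity])} [${f.severity}] ${f.message}`);
  }
  return lines.join('\n');
}

// Constructed sample manifests: an on-demand clipper and a manifest with the
// properties the thread calls out (all sites, unsafe-eval, remote script host).
const CLIPPER = { manifest_version: 2, name: 'Example Clipper', permissions: ['activeTab'] };
const SUSPECT = {
  manifest_version: 2,
  name: 'Example Helper',
  permissions: ['<all_urls>', 'tabs'],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' http://example.invalid:9999; object-src 'self'",
};

console.log(formatReport(CLIPPER.name, auditManifest(CLIPPER)));
console.log(formatReport(SUSPECT.name, auditManifest(SUSPECT)));
```

Run it with `node audit.js`; the clipper reports overall risk low, the second manifest reports high with three findings. The point of keeping the host check and the CSP check separate is that they answer different questions, as the thread notes: host patterns say where the extension may run, the CSP says where its own code may come from.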
The danger is that many people do not pay much attention to the requested permissions.
To fight the issue, I think there should be a culture of open sourcing Chrome extensions. I open sourced mine, and if I build one again, I would.
Basically, at their scale it's a hard problem, especially if you need to redo your analysis after every update to an extension and you can't afford a high false positive rate.
I'm guessing Google would have more extensions to review than Mozilla and could not rely as much on volunteers as Mozilla can, but Google also has something like an order of magnitude more money, so I'm sure they could work something out, if they really wanted to.
I had trouble with Google suddenly asking me to prove I'm not a bot - for months. I ended up buying a new router because my old one hadn't seen any updates in ages, just in case that got hacked.
Long story short, after some experimenting the only thing that seemed to shut Google up was to disable this extension.
This extension does load code from a remote site, they write it is because having new releases approved takes too long so this is how they work around it. I had BTTV report a newer version number than there was in the Chrome Web Store for that reason.
I don't understand they are allowed to do that, quite openly even? It defeats the purpose of the Chrome Web Store and any guarantees by Google are worthless if extensions can just load some of their code from somewhere else.
Now, this extension actually is open source (https://github.com/night/BetterTTV) and I have not read about any suspicions like mine from anyone else. Still, as I said above, Google only stopped asking me to verify I'm no robot after disabling this extension, and I tried several times (on/off).
And the code loading happens quite officially, I first read it on the extensions developer website itself. From their github README:
> Files not included in the repo are pulled from the actual server,
> so everything works.
A few months ago Google fixed a vulnerability on the inline installation. It was possible to start an install on the attacker's website and then redirect the page to an arbitrary one. This would confuse the user, making him believe that the install came from the arbitrary page.
Here is the PoC if anyone is interested (CVE-2016-1640): https://www.youtube.com/watch?v=f_9ObDqBoo8
I work in a lax multi-national corporate environment, to be vague. These extensions, especially with religiously conservative adults, are of limited concern.
I am far more concerned about the semi-professional extensions.
I doubt this is malicious, but someone installed this in my environment and inquired why the quality of output went down (in terms of pixelation).
https://chrome.google.com/webstore/search/screenshot?hl=en-U...
The problem here is it raises fewer eyebrows. It does a purpose-filled operation professionals would need, and they are far less discerning than me.
This person had Adobe Acrobat Pro, and forgot. Such extensions have real potential to IOC (indicators of compromise), but only very expensive next-generation malware detection knows that when it sees traffic out.
But what if there is no traffic out? Or it does a more professional job with exfil?
Most modern software inventory has no intelligence into plugins. That is terrifying. Per-user javascript directories? Enumerating just the obvious ones can be a full-time job?
What about dupes? I am the only one I know in my department who uses uBlock ... Origin. And I know there is a fork. Others are intended to have a similar logo and fool busy professionals.
I love FF, but also use Chromium. I am worried that the freedom afforded to me by the beauty of things like Keysnail, like the generally abstracted trend of vendor lockdown, forces me to voluntarily suck it up and deal with crap software defaults and workflows, and doubly recommend the same to people in my environment. I will increasingly have to part with each of the limited extensions I like, all while people here push Electron apps. I like them (who am I to be arrogant and judge the work of these people half my age; at least they put out code while I bitch all day), but the browser base is not discernibly updated or managed unless some developers coordinate. I am sure that came or is coming down the line, but currently popular apps will play catch up while people like me are forced to preemptively yet again restrict use of likeable tech because security was an afterthought.
Qubes increasingly looks like the future. It is sad, but I must every few years consume more resources of my computer for useful, but wasteful, separation of software from itself, because, well, cue the recently retracted Theo de Raadt "x86 virtualization being secure is a waste of time" trope, rescinded because even his OpenBSD crew will bite the bullet and work on OpenBSD virt technology.
I just depressed myself.
Sincerely, Guy running multiple browsers in Firejail in a VM
EDIT: I do not know the difference between have and half apparently; probably a sign of my age, haha!
Doesn't anyone else see that as incredibly overreaching?
Getting "hacked" by a sleazy browser extension is about as surprising as getting a virus after installing something from a warez site.