Talk about training users to fall for phishing schemes. Plus users have been so desensitized to entering 2FA codes they’ll type them in anywhere. I feel like web security is worse than it was 10 years ago.
First arcane password rules so it takes 5 minutes and half a dozen attempts to come up with a password that is accepted. Then force the user to change it often. Then add email verification. Then SMS/phone verification. Still not good enough, now we all need to have a hardware token to buy the counterfeit garbage for sale on Amazon. Fuck that. It's just not worth the trouble. Honestly the world was a lot easier (if a bit slower) when you dealt with businesses in person or via mail. Fraud and identity theft just doesn't scale in meatspace, so it was never a big problem.
I maintain that most of what we get from the Web and computers, as individuals, is barely better than what we had before, and not enough so to justify its costs. Shopping very much included.
For some context, I grew up very much "OMG wire my brain in, let's get this future shit going!" Years of watching that future develop, and some reflection, have almost entirely reversed that sentiment, for me.
For example: are streaming services convenient? Yeah, of course. Am I actually happier with them than I was with the library, rentals, and the occasional purchased movie? Marginally, if at all. (but I have Internet service for the handful of things it actually is highly beneficial for, so, may as well use streaming, too)
Is shopping online convenient? Yes. Am I happier than when I just had way less idea what was available to buy, and there was more friction to indulging every little purchase-whim? I really wonder. This one may not just be marginally better, but net-harmful.
I can consume an order of magnitude more diverse and interesting media than I could without the internet. I can order exactly the right thing from the internet instead of making do with a kind-of solution from the store.
I think you're remembering what it was like pre-internet with rose-colored glasses.
We definitely have more of everything data-related and have a much better idea of all the stuff we can buy. I'm skeptical how far that's actually moved the happiness and life-satisfaction needles, in general.
[EDIT] specifically, I think some of our "satisfaction" from this sort of consumption is itch-scratching generated by the possibility of doing it, in the same way that pre-Internet one rarely felt bothered by not knowing some piece of trivia, if no-one around happened to know either. Now it itches until someone looks it up, because you know you can find out quickly. Now if I'm not watching the best possible thing, for example, it itches, but I don't think it would have before. I think to some extent the level of choice available, aside from famously causing analysis-paralysis ("browsing Netflix" is famously an activity all its own, that may or may not end up in ever actually watching anything) also generates the very desire that it's satiating. I'm not sure I was actually less happy watching the best thing I could find at the video store, versus the best thing I can find on streaming services.
I don't know about you, but for me having access to youtube means that I can do things like fix my car, learn about medieval hats, see what kinds of weird animals exist, etc.
These sorts of things improve my life immeasurably and definitely give me a sense of 'satisfaction' that I would not otherwise have been able to achieve paying someone to fix my car, watching a reality show on TLC, or going to the library and reading a book about ducks for the 50th time.
If you wore size 13 (EU 48) shoes, walking into a store and asking for what they had in your size was exclusively met with "but which do you like". It turned out none of the top 10 choices I asked about would be available, and we'd eventually retreat to "which do you have that I dislike the least?"
With online shopping, I think the biggest wins are for anyone not being in the "common" category (be it the 5-95% size, fashion, usefulness etc): if what you generally need is suitably common, you might miss the physical shopping (try-ons/try-outs for wearables/tools are very useful).
This also means that there is more incentive for non-common products to be produced because the market is larger.
Your problem isn't the Internet, it's the lack of trust busting in the tech space that prevents e.g. Disney from being able to launch its own streaming service or Amazon from promoting its own Basics products. The reason why everything sucks is because big players have zero incentive to change when they aren't punished for favoring themselves. Instagram doesn't even allow you to copy and paste photos anymore.
I have a Google account on an email completely unattached to any other Google services (I think it was an originally migrated pre-Google Youtube account), so I am sure you can have a Google account with any external email address.
It might be legit. The Microsoft rewards app uses msandapp.bgcextn@gmail.com. I’m guessing 1 million installs makes that legit.
There’s no way even for technical people to make a proper assessment of the trustworthiness of the publisher.
Google has ruined the internet because they want Google Search to be the only “trustworthy” source online. Too bad they suck at it and Google search is a steaming pile of shit now.
Reminds me of Paypal where I'm simply unable to tell whether some mails from them were phishing or not (regardless of time spent investigating these mails), and I believe that virtually no one would be able to tell.
It still frustrates me that legitimate Paypal e-mails include really big "click here to login" buttons that link you to their website.
Such links are considered a hallmark of phishing, and there are many attempts to prevent people from clicking on such links. Many services I use include text like 'we will never send you such a link; you know how to get to our website'.
The fact that paypal does not do this normalizes clicking on links in e-mails.
"use email for notifications, but don't trust email content" is not a solution for most users. If you can't trust email, why even have it? Install a secure app and leave email behind, or make email secure by having clients clearly display cryptographically secured provenance info, and flag unknown/untrusted senders.
There is no alternative to e-mail. Except perhaps for SMS.
There is no other method for contacting people that is anywhere near as pervasive. It also has the advantage of being federated, not controlled by any specific entity.
Besides that, compared to WhatsApp and signal, email is generally for longer and less urgent messages. Those fit notifications much better.
In that context an email saying "hey, this is what's up, log in as you normally do if you want to verify or act accordingly".
It's far from ideal. We will probably come to some form of solution at some point. But at this moment it is a clear no-brainer.
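A few comments up, one poster asks for mail clients that "clearly display cryptographically secured provenance info" and flag untrusted senders; the reply above settles for "log in as you normally do". As an added example that is not part of any comment here, the code below shows the piece of that check a client or filter can do offline: it reads the Authentication-Results header that a receiving mail server already stamps on every message (RFC 8601) and tests whether the DKIM-signed domain (header.d) or the SPF-checked envelope domain (smtp.mailfrom) aligns with the visible From: domain, which is the DMARC alignment rule. Both sample messages are constructed for the example; the hostnames, selectors and domains in them are invented, and the organizational-domain reduction is a deliberate simplification (a real implementation consults the public suffix list).

```python
import email
import email.utils
from email.message import Message

# Constructed sample messages (not real mail). The Authentication-Results
# header is what a receiving MTA adds; all domains here are made up.
ALIGNED_MSG = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=paypal.example header.s=sel1;
 spf=pass smtp.mailfrom=bounce.paypal.example
From: "PayPal" <service@paypal.example>
To: user@example.net
Subject: Your account

Please log in as you normally do.
"""

# Same visible From: line, but the signature and envelope belong to someone else.
SPOOFED_MSG = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=cheap-vps.example header.s=k1;
 spf=pass smtp.mailfrom=cheap-vps.example
From: "PayPal" <service@paypal.example>
To: user@example.net
Subject: Urgent: verify your account

Click here to log in.
"""


def parse_auth_results(value: str) -> dict:
    """Split an Authentication-Results header into method results.

    Returns e.g. {'dkim': {'result': 'pass', 'header.d': 'paypal.example'}}.
    The first ';'-separated clause is the authserv-id and is skipped.
    """
    results = {}
    for clause in value.split(";")[1:]:
        tokens = clause.split()          # tolerant of header folding
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        props["result"] = result.lower()
        results[method.lower()] = props
    return results


def _org_domain(domain: str) -> str:
    # Crude organizational-domain reduction for relaxed alignment.
    # Assumption for the example: a real check would use the public suffix list.
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def from_domain(msg: Message) -> str:
    addr = email.utils.parseaddr(msg["From"] or "")[1]
    return addr.rsplit("@", 1)[-1].lower()


def dmarc_alignment(raw: str) -> dict:
    """Decide whether the message's From: domain is backed by an aligned
    DKIM pass or an aligned SPF pass, as DMARC would require."""
    msg = email.message_from_string(raw)
    ar = parse_auth_results(msg["Authentication-Results"] or "")
    fd = from_domain(msg)
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    dkim_ok = (dkim.get("result") == "pass"
               and _org_domain(dkim.get("header.d", "")) == _org_domain(fd))
    spf_ok = (spf.get("result") == "pass"
              and _org_domain(spf.get("smtp.mailfrom", "")) == _org_domain(fd))
    return {"from_domain": fd, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "trusted": dkim_ok or spf_ok}


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, dmarc_alignment(raw))
```

The point of the alignment step is that a bare "dkim=pass" proves only that some domain signed the message; it is the match between the signing domain and the domain the user actually sees in From: that carries the provenance a client could safely display.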
They were even cognizant of the issue to the point where they set up a robo inbox you could forward any suspected phishing emails to and it would reply telling you if it was legit or not. It was something like phishing@paypal.com
Microsoft might, I suppose, have a policy against microsoft.com accounts on other firms infrastructure, and therefore if it needs a Google account uses gmail or other non-microsoft.com domains.
They have already failed this test: they are already publishing extensions using msftliveapps@gmail.com and msandapp.bgcextn@gmail.com, doubtless many others!
Not sure what would make using a Gmail account anticompetitive, but it's also not true. You need a chrome web store account (which they amusingly encourage you not to use your personal email for) which can use any email address.
Considering Apple goes so far as to make you confirm DUNS numbers for a company account, it seems like this would have been a good mitigating practice, and it already has precedent. While it's a PITA, it makes sense.
The core issue is that Apple uses humans to evaluate these requests and provide a point of contact with businesses. Google believes any process requiring a human is broken.
This, unlike the "chmod 444" solution, will let extensions update.
You can also allow safe extensions that aren't currently installed (but may be later) and the user can remove extensions in the Allow list if so desired (although there is a ExtensionInstallForcelist to stop that too).
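For anyone who wants to reproduce the allow-list setup the comment above describes, here is an added example of a Chrome managed-policy file; it is not from the thread. On Linux it goes in /etc/opt/chrome/policies/managed/ (any file name ending in .json), on Windows the same keys are set under the Software\Policies\Google\Chrome registry path, and chrome://policy shows whether Chrome picked them up. The 32-character extension IDs are placeholders: a real ID is the one in the Web Store URL of the extension you want to keep. JSON allows no comments, so the meaning of each key is given here: ExtensionInstallBlocklist with "*" blocks everything, ExtensionInstallAllowlist punches holes in that for specific IDs (they remain user-removable and still update), and ExtensionInstallForcelist installs an ID whether the user wants it or not, with Google's update URL appended after a semicolon so it keeps updating.

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
  ],
  "ExtensionInstallForcelist": [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"
  ]
}
```

Unlike making the extensions directory read-only, this is a control Chrome understands, so nothing crashes and the store's "Add to Chrome" button simply reports that the extension is blocked by policy.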
An even better way to discover which browsers don't handle pretty normal situations (read-only) in a normal way. If Google Chrome is forcing people to allow installation of extensions, it's much better to move to a different browser than to either live with crashes or live with poor security (in this parental case).
Yep. I was tired of coming home and seeing a million malware search-engine and fake VPN extensions installed. I'm always puzzled as to how they manage to get in there. I'd rather crash the browser than allow this garbage, which usually takes a full reinstall to get rid of.
Back in 2008 Chrome was the breath of fresh air, with absolutely spartan look, total lack of extensions and amazing speed, while IE was the opposite. There was good reason for its initial popularity.
And now, looks like Chrome lived long enough to see itself become a villain...
I'm curious which is the new Chrome these days? Personally for me, qutebrowser has taken that spot, but it's a tool geared towards professionals, not exactly for casual users.
I think Firefox. It’s continuously getting faster and uses way fewer resources in my experience. You can make it pretty minimalist like the good old days of Chrome.
Arguably that's better than the alternative, where they get scammed or hacked. I usually edit their desktop shortcut to disable extensions, personally, but I like the parent's solution better.
Here is a crazy conspiracy theory: maybe they are both legit and MS used shady-looking e-mail addresses on purpose. Security-minded people will look at them and call them out, thus bringing to light how shitty the Chrome Extension store vetting process is, undermining Google Chrome's credibility in the process, so that users stay on MS Edge.
That top link screams scam. Replies from the "Product team at Microsoft Autofill" on a personal account, reviews about it taking up to 30% CPU all the time (possible crypto miner), and not using assets from the Microsoft brand.
They could, but what sort of service doesn't allow you to sign up with a random domain? It also wouldn't be better if they had: chrome@msftext.com, or are you suggesting just moving all microsoft.com emails to Google Workspace?
Perhaps it's like YouTube? You cannot buy or use a Youtube Premium subscription with a Google Workspace account. I tried inviting a family member to my Youtube Premium subscription, using her Google Workspace email. It doesn't work, because Youtube doesn't see it as a Gmail account.
@gapps.microsoft.com would be at least better than a random unverifiable @gmail.com address. Google Workspace (is that what we're calling it this week?) lets you use subdomains right?
Let's be real: getting legal and infosec to sign off on that is never going to happen. "We just need to borrow a subdomain of Microsoft.com, give control to our biggest competitor, and sign a contract with them... to get a vanity email address in their store."
It's really not that big of a deal. You can still control the DNS and decide what you set up. And if Google screws you over, they'd be shooting themselves in the face.
All you'd need to actually work would be email, so some MX records on a subdomain. Is it ideal? No. Is it better than all of your users having no way to verify that a Chrome extension is actually you? Infinitely better.
Except it doesn't more or less achieve the same result. Also, if it legitimately takes months of meetings to get through something like that, there's a serious issue with your company/process.
While I appreciate the approach of making "the world" a bit better once you see a chance to do so, I also don't think a company like Google should (be able to) leave it to random internet users to clean up their mess.
I tried the report abuse button and got a 404 when submitting the form. Lol, classic Google.
EDIT: My guess is they delisted the extension right about as I was submitting, since the extension page loaded, but the report submission failed, and now the extension is also gone. Maybe a cache purge was in there somewhere.
I reported abuse a few minutes back. Google pulled it shortly after that.
Also I am pretty sure Google has a "karma" number for users (just like reddit) in the backend where they automatically take down if report is from a user with high karma.
> Google My Business is the worst, full of bugs and piss poor 3rd world country support staff.
This I simply don't understand. Google Maps would be nothing against their competition if it wasn't for almost every single business being on there. But then the support and UX for actually being a business on Google Maps is absolutely horrific, and I think they simply stopped caring about it. As you say, it's full of bugs and every upgrade to the UX seems to make it worse for us as well. Not sure what's going on in Google's brain, but I'm afraid they have run out of lamp oil.
As a business, you just have to use it. Whether it sucks is irrelevant as that does not affect the reason why you're there. I've given up on thinking GMaps is in any way accurate anyway, since even if the business owner somewhat cares, they won't remember to update it immediately.
Outside of some core products, Google software simply accumulates cruft and bugs and, I think, is rarely updated at all. They'd rather release a new product than make an existing one better.
By core products, you mean Search, Gmail and YouTube?
Let's see.. Search these days seems to have given up on SEO blocking, Gmail has given up on any kind of UX improvements, and YouTube has given up on being a decent platform for either creators or viewers.
I think the crux of the issue is that Search is so big, and despite getting progressively worse brings in so much money, that eventually people at Google realised it doesn't matter whether their products improve or not. After that, it's just the path of least resistance.
> Whether it sucks is irrelevant as that does not affect the reason why you're there.
No, it is not at all irrelevant. I'm much less likely to use it well and maintain up-to-date information if the UI and UX is so terrible that it makes it easy to make mistakes and hard to find the thing I'm looking for. Not sure why it sucking would be irrelevant, I'm a user of it, of course I don't want it to suck...
> They'd rather release a new product than make an existing one better.
I don't think this is true either. Google updates old products all the time. The updates they do frequently make the software worse though. The willingness to make things better is there; it's just that their execution of these updates is poor as fuck.
Just a couple of days ago, the #1 app in the Top Grossing chart on Play Store was "Funny Voice Changer", which is a sketchy app aimed at children that gets you to sign up for a 3 day free trial then charges $280. It has a 4.1 stars rating with mostly obviously fake reviews. I see now it's down to #29 on the chart, but it's still there.
I understand vetting everything manually would take unreasonable amounts of manpower, but maybe you should check that literally the #1 grossing app in your store is not a scam?
Because of the prospect of losing that income stream. Their ad services are very well managed. AFAIK they're not making much/any money from the stores now so it makes sense they're not fixing it, or am I wrong?
Chicken and egg. They would probably make more money if the store was more curated. At the moment it's hard to discover apps in the sea of spam and fake apps. As an example, there are literally hundreds of QR code readers, most of which are probably based on the same library but with very different levels of security. In fact, one of the top QR readers asks for very invasive permissions without any justification.
Slightly offtopic but I think the problem of rogue addons applies to firefox as well. I wish it were possible in firefox to limit which addons can be loaded on a per-container basis. The extensions I want loaded on banking websites, social media and youtube are completely different. And limiting them per-container makes it a relatively simple mental model to reason about.
I was able to learn how to use containers quite quickly, and some container addons make it very easy to use them. Not so much for profiles; setting up multiple profiles seems very tiresome, and honestly whenever I look up how to create multiple profiles I lose interest. I would really love a solution that is as easy to manage and use as containers and allows control over which addons are allowed to load/run.
Edit: Also IIRC multiple profiles cannot be synced across devices through the same firefox account while it is possible with containers
Hm, not really, they have different use cases, and Containers was never meant to 100% replace Profiles.
Containers are for being able to keep separate identities in the same browser window, but on a per-tab basis.
Profiles are for being able to separate different browser instances, with all their settings, extensions and so on.
While Profiles was used before to do the same thing that Containers now allow you to do, there are things you cannot do with Containers that you'll need to use Profiles for. Having separate extensions for different sessions is one of those things.
sure, it's easy to make demands like this in an internet comment, but this would cost google easily thousands of dollars a year, it would surely drive them out of business
It would be more complicated than that in the vast majority of cases. Sure, you would catch people trying to impersonate major corporations that everyone is familiar with. With well trained staff and clear policies you could also catch some more obscure cases, such as companies that serve businesses yet are relatively unknown outside corporate environments. It becomes much more difficult to verify authenticity otherwise, since it would involve research, not just reading names. That research would also have to be conducted with care, since all but the most trivial of scams would factor that into their methodology.
Can we also take a moment to assign partial blame to Microsoft for this situation? Their authentication is a shambles, they try to force you to use their app rather than other 2FA providers and heavily steer you towards having to install Microsoft apps.
And that's if you're lucky and they arbitrarily don't mandate a phone number and an email address for a corporate account. Oh and the email address can't be the primary corporate domain that owns the account because of course what we need is personal emails to authenticate business accounts.
Lord help you if you were ever an early adopter of an onmicrosoft.com domain. You will remain in purgatory until you wipe your accounts and start again.
Not entirely related, but is there a simple way to run an application like a web browser in a sandbox on Windows? Sometimes I find myself wanting to install a dodgy extension or software, but I don't know how to test it safely without using something like VirtualBox as a sandboxed environment. I kinda want something where I can just right-click an .exe and run it in a sandbox.
I really liked Windows Sandbox when I used it. My only complaint was I could no longer use VirtualBox (I guess because Windows was acting as a hypervisor).
Do you know if this limitation has since been removed? I know there was work on it, but I don't know how that turned out.
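Since the question above asks for a right-click-and-run sandbox and the reply names Windows Sandbox, here is an added example of the configuration file that feature takes; it is not from either commenter. Windows Sandbox launches a fresh throwaway VM when you double-click a .wsb file like this one. The host folder C:\Sandbox\drop and the installer name suspicious-setup.exe are assumptions for the example; mapped folders appear on the sandbox user's desktop under the folder's own name, which is why the LogonCommand path below uses WDAGUtilityAccount\Desktop\drop.

```xml
<Configuration>
  <!-- Added example: detonate a suspicious installer in Windows Sandbox.
       Host folder and file name are assumptions, not from the thread. -->
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <!-- Read-only: the sample cannot modify or encrypt the host copy -->
      <HostFolder>C:\Sandbox\drop</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\drop\suspicious-setup.exe</Command>
  </LogonCommand>
</Configuration>
```

Two caveats a practitioner would want: with Networking disabled the sample cannot phone home, so a downloader or a phishing extension will show you less of its behaviour than it would on a live network, and the sandbox is discarded on close, so anything you want to keep (a process listing, a captured config) has to be copied out before that.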
This has been my main limitation on using... about half a dozen neat Windows virtualization features. I wasn't willing to give up... every... other virtualization tech to have the Hyper-V feature installed.
Hoping the other child comment is right and that there's been some improvement in this space.
There is actually an app that I used to setup for people years and years ago that did this. Recently they went fully open source. Pretty neat little piece of software.
Run it in a sandbox all you want manually, you'll still have no idea what it's really doing. It could be the safest looking thing ever, that's not really going to tell you much.
The one thing I hate about the Apple store is also its best feature when dealing with crap like this.
As a consumer, business entity verification and savagely-enforced PKI/codesigning does make for a much safer app ecosystem. As a developer and small business owner, Apple is a fucking nightmare to build apps for. I'd much rather build for the Android/Windows/Web platforms because it's so much easier to iterate in our shop.
All of that said, could we at least consider requiring some basic domain verification process around these things so that it is possible in theory to determine who endorsed a specific app or extension? If a gmail account & some "reputation" is all it takes to trickle to the top of the store, I think we are missing several important security controls.
Really surprising that something so blatant would get past the Play Store checks. If I remember correctly, there was a vetting process on the first upload of an app anyway; not sure about extensions.
Brand/Company names could easily be flagged as a 'needs review' for example.
This is just an extension and whoever is supposed to be vetting things at Google is completely asleep at the wheel.
Think about the fact that this extension has been up for over 2 weeks but if I upload a YouTube video where somebody says the wrong thing it's down in minutes.
They have armies of highly paid employees and none of them can take care of this?
It's clearly a Mr. Harper Rodriguez, age 31. How many could there possibly be with that name and age? We have his email address, so maybe write to him and ask that he stop pretending to be Microsoft.
Pretty low effort too. It's just a popup with a button that links to hxxp://przekierowanie2-chrome.augustow.pl/?123-Microsoft525896 , which then redirects to hxxps://extensions-install.com/?123-Microsoft525896
The form itself doesn't look particularly MS-like, and the grammar is pretty bad.
One of the things that stuns me, is that for as effective as phishing and scam ads are today, they could be hundreds of times more effective if someone put the effort in to run them through a spell check in the target language.
It sometimes seems like the saving grace to society is that criminals aren't actually all that smart.
It can be, particularly for scams which require human interaction. But for an extension that collects phishing data, there's no point in it: If people enter data into it, they are a good target.
Email scammers have been A/B testing their pitches for a long time now. The evidence is clear: dumbing down the pitch is far more effective than attempting to capture more sophisticated users.
Naive question. How does one know this is malicious before installing it?
I think this would fool me if it wasn't for this thread. The only thing that seems off to me is the lack of information, and hovering over the contact developer shows a gmail address.
I wouldn't have looked at the comments in the reviews as I know what the Microsoft Authenticator does, as I use it constantly on my mobile device. So in this instance, I could have seen myself finding this link, clicking Add to Chrome without much thought.
I can surely see how an average user would fall for this and it's frightening.
As a Firefox extension user myself, it is pretty crazy what permissions we allow from them. Even with something like uBlock Origin, which I'm sure a lot of people here use, one of the permissions you have to accept is literally "Access your data for all websites". Why are we okay with that?
Even development ones are dangerous, even more so because of the broad permissions they often require. I'm pretty sure that's how I got my credit card number stolen once.
I've always been concerned with the Chrome store in regard to Chrome extensions. While I do know some level of scrutiny is applied to brand new extensions uploaded to their store platform, my concern has always lain in a developer's ability to update an existing extension, which is then almost universally updated on all clients upon which that extension is installed.
I have seen extension updates (updates not releases) get approved much too quickly to be properly vetted on the stores side.
The pitch from companies offering "stores" like these (Apple, Google, Microsoft) is that they're for the protection of users. Apple can't stop scams, Google can't stop scams, Microsoft can't stop scams. It's time we saw these stores for their true purpose: platform control, vendor lock-in, and in the case of pay stores, recurring services revenue. They were never about protecting users.
You would not get a fake Microsoft-impersonating app on the Apple App Store, though, because of the very checks you're writing off as nothing but a money grab.
So I submit my scam app as "MichaelSoft". Given how many scams remain on every app store, it's clear these companies don't actually want to address these problems because it's not actually a problem for them, it's just a cost center. Apple can tout their "numbers" (https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...) all they want, but there's no way to verify them. They can make up any of these numbers and nobody can say otherwise. It's all smoke and mirrors.
No, I'm making the point that you can't get something on the App Store that is a scam version of basically any reasonably well known product or company that is going to just phish data.
It will not get through the checks you're suggesting are 'not really for security'.
I would pay you a $100 USD if you could consistently get a scam like this into the App Store. And by this I mean:
- Low effort
- Phishing for data
- Pretending to be Microsoft.
A simple solution would be to allow any domain to sign up and show the email extension, like company.com or helloworld.co.uk etc.
I remember seeing this app when I had searched for the Saas Pass Authenticator & Password Manager in the past. (worked on the 2FA design of the saas pass browser extension). I naturally assumed it was an official Microsoft extension.
yeah, the chrome marketplace is the wild west. probably the easiest way to get hacked is to install some extensions from there, like this one https://chrome.google.com/webstore/detail/microsoft-autofill... that is from "Microsoft Corporation" but has a gmail contact address.
the android app store is probably not much better. google just doesn't care about the users. they invest in good tech and launch shiny products that get some market share and then leave the users to deal with the automated replies while engineers go to build the next shiny thing.
It is surprising that they apparently haven't added a more strict check when an extension claims to be from a known company.
I would have thought they would have a list of names like "Microsoft", "Facebook" etc. that would trigger a more thorough check. In this case it should be clear that they tried to pose as Microsoft, and it is coming from an account that has no association with Microsoft.
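Two comments in this thread point at the same missing control: the one above, which expects a store check to fire when a listing's name claims a known brand while the publishing account has no tie to that brand, and the earlier one asking why we accept "Access your data for all websites" at all. As an added example, not code from the thread, from Google or from any store, here is a small triage function over an extension's manifest.json and its listed contact address. It separates the two questions: how much the extension can reach (broad host patterns and sensitive API permissions, which a legitimate content blocker also needs) and whether the name-to-publisher relationship deserves a human look. The brand-to-domain table, the permission lists and the sample manifests are constructed for the example; the "Microsoft Authenticator" manifest is modelled on the listing under discussion but is not its real manifest.

```python
import re

# Illustrative watchlist (assumption for the example, not Google's list):
# brand names that should trigger review unless the contact is on one of
# the brand's own domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "paypal": {"paypal.com"},
    "facebook": {"facebook.com", "meta.com"},
}

# Host patterns that grant access to every site the user visits
# (shown in Firefox as "Access your data for all websites").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that matter most when paired with broad host access.
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "scripting", "tabs",
    "history", "clipboardRead", "nativeMessaging", "debugger",
}


def triage_extension(manifest: dict, contact_email: str) -> list:
    """Return a list of human-readable findings for one store listing."""
    findings = []
    name = manifest.get("name", "")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
    if manifest.get("manifest_version", 2) < 3:
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    sensitive = perms & SENSITIVE_PERMISSIONS
    if sensitive:
        findings.append("sensitive API permissions: " + ", ".join(sorted(sensitive)))

    domain = contact_email.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b" + brand + r"\b", name, re.IGNORECASE) and domain not in domains:
            findings.append(
                f"name claims '{brand}' but contact is @{domain}: needs human review")
    return findings


# Constructed sample listings (not real manifests).
FAKE_AUTHENTICATOR = {
    "manifest_version": 3,
    "name": "Microsoft Authenticator",
    "version": "1.0",
    "permissions": ["tabs", "storage"],
    "host_permissions": ["<all_urls>"],
}

CONTENT_BLOCKER = {
    "manifest_version": 2,
    "name": "Some Content Blocker",
    "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "storage", "<all_urls>"],
}


if __name__ == "__main__":
    for label, manifest, contact in (
        ("fake authenticator", FAKE_AUTHENTICATOR, "someone@gmail.com"),
        ("content blocker", CONTENT_BLOCKER, "dev@blocker.example"),
    ):
        print(label)
        for finding in triage_extension(manifest, contact):
            print("  -", finding)
```

The content blocker trips the same reach warnings as the impersonating listing, which is exactly the earlier commenter's point: permissions alone cannot tell the two apart. The brand finding is the one a store could act on cheaply, and it is also the one a user can reproduce by hovering over the contact link on the listing.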
You'd think they'd have a vetting process on their ads as well, but they don't. Not a good one at least.
Either Google doesn't care, or they aren't able to do any form of sensible checking of stuff uploaded to their various platforms. Well, either that or they don't see it as a massive issue.
They don’t care. A company that can soft-censor (by placing specific warning messages) videos about a virus a few weeks after it became a hot topic in the West could easily detect big corpo brand appropriation if they wanted.
Caring removes money from them, at least in the ad case, so better to shift the bullshit to their "users", who are really the product being sold to advertisers, so who cares. The customer is always right; it's just that we are not the customer.
These reports are usually handled by a single person with a dozen other responsibilities. Chances are, nobody will ever read the majority of user-generated reports. Also, the person may have already left the company and a replacement was deemed by management to not be necessary.
I’m sure that, if enough people report it, it’ll be delisted. It only has 500 users so I doubt it’s in any priority queue for a human reviewer to look into it.
Microsoft could file a DMCA claim for violating their copyright. Google usually does not verify claims before executing them, and there's no penalty for false claims.
False DMCA claims are penalized under section F of the DMCA.
> (f)Misrepresentations.—Any person who knowingly materially misrepresents under this section—
> (1)that material or activity is infringing, or
> (2)that material or activity was removed or disabled by mistake or misidentification,
> shall be liable for any damages, including costs and attorneys’ fees, incurred by the alleged infringer, by any copyright owner or copyright owner’s authorized licensee, or by a service provider, who is injured by such misrepresentation, as the result of the service provider relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it.
Now, in this instance we're talking about a fraudulent listing, so I can't imagine there's much civil liability to worry about, but the suggestion that there is "no penalty for false claims" is not true.
And also, DMCA claims are made with a statement that they are accurate "under penalty of perjury". I haven't seen anyone convicted under this, but I wouldn't imagine that MS legal would find this to be an acceptable way to solve the issue.
Can confirm that's how it works. Google does not verify that claims are fully filled out (a nearly blank claim form is sufficient), they don't respond to counter-notices in a timely manner (1+ month processing time), and they don't provide information on the claimant that you can use to pursue them for a false claim.
Imo, it's not a good idea to directly link to the extension as one might accidentally hit the "Add to chrome" button. (e.g. when coming from the homepage and not peeking into the thread here)
Unless someone changed the submission title within the 2 minutes of your comment and this reply... you really have a high expectation of catastrophe.
Edit: well, don't complain about the downvotes, but here I am after a few downvotes thinking "Wow, who are these baby-coddling users who think HN readers are idiots who don't read the headline and just accidentally click 'Add to Chrome'?".
So maybe to explain myself: I'm used to scan through the homepage and open link and comment side by side for a few things that I think are interesting to me. While reading through it, I might get interrupted. So I might come back to a link a few hours later. So lets say, I open up the extension page and forgot the initial context. So for me, it could theoretically happen that I install this extension cuz I assume links posted at HN to be safe.
https://chrome.google.com/webstore/detail/microsoft-autofill...
I literally can’t tell real from fake on these shitty platforms.
Edit: Or this using msandapp.chrome@gmail.com:
https://chrome.google.com/webstore/detail/microsoft-news-new...
The average person has no chance :-(