One thing I wish I had called out more clearly in my post ("See it in action") was the fact that the "feature" would re-enable itself after every update of the extension, which seemed to happen quite frequently.
It's a shame; it really was a feature-packed, helpful extension.
No it doesn't re-enable after any update. It only re-enables if you uninstall the extension and install it back, because settings are lost and it switches to the default.
Please check your facts before making such claims, ok? Anyone with minimal JavaScript skills can look at the source code and see exactly what's happening!
Whether or not it was your intention or the design of your extension, that was the behavior I observed - hence my factual claim.
I've looked deeply into your extension and you did a very nice, impressive job. I don't believe anyone is discounting the quality of your work here. The pattern you exhibited by enabling the ecolinks feature by default (right or wrong) simply highlighted, for many, the risks inherent in granting browser extensions such great permissions to the browser.
What is more interesting is the reaction from the developer himself. He seems to be completely unimpressed by the criticism, noting that one permits Chrome extensions to do such things, and that users would have seen the permission the extension required when they installed or updated it.
Furthermore, he is quoted as joking about how he could have sold the extension to someone to get your passwords and whatnot (but assures us that he hasn't done so).
He asks specifically if he has broken some rules in Google Chrome's terms of service, where another user replies with quotations from the ToS. He barks at that, saying his extension is allowed to do what it does, because his extension does reveal exactly what it does, if you read its permissions carefully.
I cannot confirm whether that is true, but that's what he is saying.
I have no idea what he is up to; but aren't extensions supposed to be reviewed if they are in the extension catalogue?
He does indicate the user gives the OK to 'access all data on all websites' - like most extensions do, come to think of it. I do think things like that should be more fine-grained, and/or that developers have to indicate /why/ they need that access.
Yeah, seems like they should maybe institute some type of manual review for any type of "global" permissions. It would impede the well-behaving apps that legitimately need global permissions, but it might be worth it.
Since Chrome auto-updates extensions, users are likely not aware of this change.
I had been using the extension for several months when I noticed the transparent redirection. In fact, the only reason I noticed the redirect is that it failed. I clicked on a Google search result and got stuck on a blank page like this:
Google made a big mistake by not including a GUI option to manage auto-updates. I write an extension that interacts with data on a financial website, and this policy of forcing automatic updates on all extensions is dangerous. It means I cannot guarantee my users my extension is 100% safe, even if they audit its JavaScript files, because if I were a bad guy, I would still have the power to update the code in the dead of night. It's not very attractive to tell users they can only protect themselves if they both understand JavaScript and also dig through files to manually disable auto-updates.
Which pops up a toast notification whenever an extension gets updated so you can investigate (Chrome doesn't force changelogs on updates either so you might have to dig deeper into the code).
If you don't mind having another extension which could be doing nefarious things.
If there was something like »Updates for your extensions are available, install them now?« would it really help or would most users just say »yes«? They'd have no way of verifying that the update is benign or not anyway.
I've never been a fan of automatic updates for this reason. Changing things silently, while seemingly praised by some "usability experts", implies taking away user choice and replacing it with submissiveness. It's creepy.
Whoa, wait. One guy in this thread is claiming that Window Resizer was sending all your keystrokes back to a central server based on what he saw in Wireshark. Can anyone else verify this? I've had this extension installed for...a year, at least. Do I need to now go change every single password on every site because chances are it's been keylogged? This is insane.
I just can't even fathom. Like, every email I've typed. Every interaction with any site. Credit card numbers.
How is this not entirely illegal?
And it certainly shows an incredible flaw in Chrome extensions. This extension didn't do this when I installed it. A silent auto-update though basically turned it into the worst malware I've ever had installed on my computer. How can any Chrome extension ever be trusted?
Furthermore, I spend a lot of time in Chrome Dev Tools, and the Network tab and I are no strangers. I would easily have noticed if my keystrokes were being sent back to a server and it was shown in there. So not only can an extension be silently updated, but it's capable of using a network connection that doesn't appear in the Chrome Network tab, that only Wireshark can reveal? That seems almost as ridiculous as what the extension author did.
A Chrome extension can make network connections that you won't (normally) see in Dev Tools using a background page. You'll see the connections if you inspect the background page directly but most users won't.
Unfortunately this is simply a byproduct of the web's (and browsers') botched security model; there is no way to allow extensions to modify pages without them being able to read the pages, and if they can read the pages they naturally can catch events, including keystrokes.
This is why you should think - hard - whenever allowing any extension with that permission. It could auto-update at any time to include malware.
There are a lot of bad extensions out there. I've encountered quite a few. It's a wide-open vector for exploitation and it happens all the time. Just last month I came across a game extension (super mario clone) that contained jQuery. Upon further inspection, it turned out it had been re-minified (making diffs difficult) and had a few lines deep inside that hijacked ads and replaced them with the author's ad network. Silent, effective, and this extension was on the 'top lists' for months. It might even still be there.
Be very aware of the permissions an extension asks for.
Depending on where you live, this might very well be illegal. Unauthorized access and recording of private information of an IT system is covered in some hacking paragraphs, in the US and the EU (in the EU maybe as part of the cyber attack tools, as the keylogger would have recorded passwords).
That, my friend, sounds exactly as ridiculous as you are! If you know your JavaScript you can look at the source code and see that the extension is doing none of that. If not, you can try wireshark for yourself and see that there is no keystroke sent anywhere. The guy that made the claim is a complete A-hole that wanted to see the extension being remove from the webstore at any cost, including committing perjury.
Holy crap? Do you honestly think I can monitor the whole internet so I can deny every affirmation made by some random dude?
Look! I deny it now, ok?! I haven't done anything like that. I just mentioned somewhere that it is technically possible to do such thing in an attempt to increase users' awareness about what would truly be a "horrible thing", unlike my attempt to support further development of my extension through advertising.
That's why I asked. I saw a few accusations of it, but in all the referenced threads, could not locate you mentioning the accusation at all. I've not used the extension in a while, otherwise I would have dug into the JS itself to answer the question.
I wrote an extension (HTTP Switchboard) which can log and filter behind-the-scene requests, which also comprise net requests made by extensions. I suppose this could be used to validate that an extension connects to a remote server. In any case, it can be set to selectively block/allow net traffic of extensions.
Even without this extension, it is possible to open the dev console of a specific extension and look at the detailed net traffic of a specific extension in the network tab. Somewhat simpler than running wireshark, so more within reach of the average user.
I googled the problem and opted out of Ecosia from the extension settings when I noticed my URLs getting redirected every time. But I had no idea that extensions can 'Access all data on all the websites'. Now I notice most of my extensions like Web Developer, Page Ruler, Web Font Previewer have this permission. Need further clarification from the Chrome team as to what this exactly is. Passwords? Credit card numbers? Can these also be accessed by the extensions?
Pretty much, yeah. The 'access all data on all websites' permission basically gives the extension access to injecting Javascript in all of your pages, which gives the extension full access to the DOM, and thus access to password and credit card fields.
This is true, but existing Chrome users aren't notified when an extension is removed from the store. I had no idea of this malware until it surfaced when the redirect failed.
Smooth Gestures (lfkgmnnajiljnolcgolmmgnecgldgeld) has done the same thing for well over a year now. I (and many others) reported the addon to Google, but it still remains.
What does it take to get something like this removed?
In the extension text, they say: "This extension is ad supported, you can disable your support by going to the options and making a one-time donation. We depend on your support, but we understand if you would prefer to withhold it."
This, from what I can tell, plays within the bounds of Chrome's policy on extensions.
(I also spent some time looking at the extension source to verify that the only annoying thing they do is inject ads according to this whitelist: http://goo.gl/3WAej6 Nothing else caught my eye. )
Of all the stuff under "Interfering with Third-party Ads and Websites", it only complies with "This behavior is clearly disclosed to the user." IMO obviously.
The extension did more than just add ads. A JavaScript listener for the click event was attached to each link on the result page.
If the user hovered with his mouse over a link, he couldn't tell the link would lead him to http://www.ecosia.org/. But this is exactly what was happening, because the click listener was changing the URL only after the user clicked.
So now the user was redirected to http://www.ecosia.org/ along with a bunch of parameters, including the original query and the original URL, and from there http://www.ecosia.org/ redirected the user to the original URL (after logging whatever it wanted to log), without the user having a way to notice what had just happened (unless looking in the dev console).
The fact that the URL was changed only after the user clicked is quite a hint that deception was intended there.
Paul was talking about a different extension, but anyway...
The onclick event listener is the same thing Google does with the search results. Perform a search on Google and right-click a link, then you'll see the URL changes to a Google proxy server that collects data about your click for analytics purposes. The reason is so the whole process is more transparent and the users can see the actual URL they end up with when clicking the link. The intention was not to hide anything, but to keep things as unobtrusive as possible. I'm sorry if it felt any other way!
Seems like the quintessential dark pattern is to have a "feature" like this enabled by default. Further, I discovered that the feature would re-enable on a regular cadence - perhaps every time the extension was updated.
I run a local user group that educates developers on Google's technologies that while proudly independent from Google, has a great working relationship with their developer relations teams.
Back in March of 2012 (that's almost two years ago) I first brought to the attention of the Chrome developer relations team an extension called Bookmark Sentry that essentially contained a trojan that hijacks links to serve up spam ads. You can read more about it here: http://stopmalvertising.com/malvertisements/beware-of-the-go...
What I found troubling was the response back. I received an official response that it was within compliance of Chrome App Store policies. Specifically I was told:
"Ad injections are not in violation of the Chrome Web Store program policies. The policy requires that ads must be presented in the context of the extension or, when present within another page, ads must be outside the page's normal flow and clearly state which extension they are bundled with. We believe that ads are a legitimate way to monetize, but that they should be a known cost to the extension user."
I certainly hope since then they've changed their policy on this issue and are actively policing and enforcing against spyware and malware.
Chrome App extensions can access extremely sensitive data such as webforms with credit card, contact details, passwords and more and in the wrong hands can do untold damage.
I noticed this about a month back. I was browsing the web one Saturday morning and spotted an "Eco link" next to the search results. Most of them were big sites, like Amazon and eBay etc.
I immediately emailed one of our SEO guys with a snippet of the page and said, "we need to know how to do this in Google, it must be a new feature". I stupidly assumed it was a new feature Google had rolled out. When he replied that he can't see it I started googling the problem, most of the results pertained to Malware and I was shocked, I'm a very careful browser in general.
When I started digging around it was only then I started switching off my plugins one by one, and the eco link went when I switched off the browser resizer. I was honestly shocked. I knew the developer wasn't supporting the plugin any more due to funding but I didn't think it would go in that direction, I expected it to just fade away.
No, I didn't read the updates on the product. I don't have time to read updates on products, especially plugins. After reading his comments on there, there is no remorse for his actions. He is nothing more than a simple malware spreader, he should apply for a job at SourceForge.
It just occurred to me: installing malware on an extension targeted towards developers - the kind of people who just might notice hijacked links - seems like the dumbest idea in the world. Leads me to wonder what sort of nastiness is hidden in those other extensions.
(I zipped the '3rd-party' directory and removed references to those scripts in the manifest file. So it's there if you wanna inspect it, but ecolinks won't run. I don't have time to restructure the options page though :-)
I would argue that if you installed any extension that requested full access to your data without understanding the implications, you're not as careful a browser as you believe you are.
This isn't to say what the developer did is in any way ok (I don't think it is), nor is it my intent to insult you. Rather - it's to highlight a deeper problem with this kind of click-through security model that the Chrome Web Store, Play Store, et al. are fostering.
If somebody who has a reasonable understanding of computers and works with them for a living still clicks through this kind of agreement, what hope has the other 99% of the connected-device-using population?
I guess you're right in a respect. I think I trusted this to be right though, I never imagined that you could change something so dramatically to the point where it isn't even the same product any more.
With Chrome having such a good level of sandbox and Google being proud of that I didn't think it would be so easy for someone to release an extension that basically acted as malware.
I do in general have really good browsing habits, I just need to re-evaluate who I trust.
I ran into this. I only found out because ecolink went down for a while. So when I clicked on google search results, it would error out while trying to redirect.
Valuable lesson learned. I never thought a chrome developer would be quite so stupid to pull something like this. Now I'll keep my eye on every extension.
And yes, you should never install Window Resizer, or anything else Ionut Botizan (the developer) releases again.
I love that the developer's defense is that he could have sold our passwords to someone but (supposedly) didn't. That really instills confidence in his morals, doesn't it?
My claim was not that I could have sold your passwords, it was that I could have sold the extension! Last time I checked, the extension itself was my property and I could sell it to whoever I want. What the buyer does with it shouldn't be any of my concern. I was just pointing out that, if I had sold it, the buyer might have been the kind of person that would do those terrible things.
At least Firefox extensions on Mozilla's add-ons site get more thoroughly reviewed on every update.
The add-ons installed from outside of the add-ons site can be very dangerous, but Mozilla tries to block these too: List of blocked add-ons with reasons: https://addons.mozilla.org/en-US/firefox/blocked/
Is it correct to class this as malware? I get that the portmanteau is "malicious software" and hijacking your Google search results isn't the friendliest thing to do but I think this is closer to "adware" than "malware".
Although the author seems like a bit of a di- ...fficult person, maybe we should coin the term "dickware" to cover this sort of software.
EDIT: I missed the keylogging bit, thanks to everybody that pointed it out. Adware + Spyware = Malware.
It's inserting fake search results and running a keystroke monitor. To me this isn't even a close call; of course it's malware. I would also say that any developer who would do this simply can't be trusted; if he will do this, he might do just about anything else. He doesn't seem to have any regard for others.
A hell of a lot of Chrome extensions inject adverts and other tracking code into websites you visit, like Facebook and YouTube. Would you class those extensions as malware as well?
I would, but that then means that the chrome web store is riddled with malware which isn't a nice thought and doesn't bode well for its future as something that is supposed to be more secure than traditional native platforms.
Considering that Google search result ads are riddled with malware* and Google AdSense ads are riddled with malware and that Google Play has numerous ongoing issues with Android malware, I don't think it's really surprising that the Google Chrome Extensions store is also riddled with malware.
* Which my mother confirmed JUST THIS WEEKEND by searching Google for Firefox and Spider Solitaire clicking one of the Google ads up top for each to get the download and... 2 hours of cleaning later and removing 18 different malware apps. Then just deciding it was faster to restore it to a factory image.
* * Which I'm trying to block one by one using the pitiful tools that Google makes available to block individual adsense advertisers.
The term malware came about as an umbrella to cover viruses, trojans, worms, spyware, and adware. It made it much easier to explain to users what was going on, while still using words that make sense.
Hover Zoom had a similar problem recently, but still exists on the Chrome store. Up until a certain version, their data collection did nothing much (perhaps save non-existing domain hits).
Then they partnered with someone and started sending certain form data (!!) to a third party -- claiming they wanted to collect anonymous demographic information. It didn't help that the script injection on all pages (which I discovered when debugging with the web tools) used some shady domains with no web presence.
They claim they did not send e.g. any password data -- but they perfectly could have. I tried reporting the extension on the store as did many others, but that had no effect. The developer seems to have reverted that bit of the code -- for now.
Someone should (and I just might) write an extension that updates a list of evil extensions and authors and warns the user when they have a bad extension or try to install a new extension on that list. Powered by a blocklist type of listing and community moderated.
Really what this boils down to, imho, is a need to educate users on the meaning of the permissions that are granted (with approval) to these extensions. Certainly the vast majority of users confirm the security permissions without comprehending the weight of access they've just provided the extension author.
With JavaScript, it's nearly impossible for Chrome to reasonably explain, with any level of granularity, what exactly an extension will do with its access - hence the "access your data on all websites" warning.
A proof of concept to demonstrate how you can take advantage of this access for nefarious reasons, even after getting approval into the Chrome Web Store, would be quite simple.
Long/short of it is: make sure you trust the author of any extension you install!
Wow, I had noticed the clickjacking of my Google result links (to ecolink) but had no idea who/what was doing it. Very glad this mystery is finally solved! Thanks for posting this.
I'm most concerned about the keylogging claims. Does anyone have a copy of the CRX so that we can determine if keystrokes were in fact being transmitted?
NO! It wasn't logging anything! The only thing it was doing was proxying clicks on search results through Ecosia's analytics servers instead of Google's.
Anyone who still has the extension installed can view the source code by looking in their /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh
The extension is also available at http://ionut-botizan.net/window-resizer/ both as a .zip and .crx file.
"No, that's bundled adware. If I wanted to give you malware, I would have added a keylogger which you wouldn't have ever discovered (ask around; it's technically possible).
So stop whining already, uninstall the extension and move on with your life!"
http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/FL6...
(Also, he's now posting on the linked thread. 7 minutes ago last reply.)
It is passing the search string I submit via Google to Ecosia, which I elaborated on a few posts after the initial one. It is logging all search traffic keywords and then serving related ads in a backdoor manner. It is not sitting on my desktop logging or anything like that. But it is breaching my privacy expectations with Google by logging my user-submitted keystrokes and sending them to Ecosia for sure. What are they doing with that info?
I agree that logging search queries has severe privacy implications, but "tracking all data and keystrokes" is unnecessarily alarming. If this extension were tracking all data and keystrokes available to Chrome, the end user might spend the next week tracking down and securing online accounts, cancelling credit cards, informing clients of potential breaches of confidentiality, etc.
Unfortunately, the developer was such a douche about everything, I would find it difficult to trust him just based upon his behavior alone. Would I want my data in his hands? NOPE.
The extension hasn't existed on the Chrome app store for months. Why is this news on HN now? It wasn't malware either, it was ecolinks garbage for Google search results that you could opt out of.
I'm glad it hit the home page. Had this on one of my machines as of December (booted it up a few minutes ago and it was no longer installed). Luckily my usage of the machine was limited, but ... now I've got to change passwords for the few sites I did visit.
Does anyone know if the Chrome Remote Desktop extension would have been impacted by the keylogging?
The original post on productforums.google.com is complete BS and the extension was NOT suspended because of that, but because it failed to make it clear, in the context of the ads, which extension enabled the EcoLinks. This is not the first, nor last, piece of software that uses ads in order to support its development.
Also, the extension never logged anything from the users. All the "keylogger" stuff is just rumors started by people who are either incapable of reading a sentence from start to end or are knowingly lying about it.
It didn't alter the search results either. Those were exactly what Google returned for your search, nothing more, nothing less.
There was no malicious intent whatsoever. The whole purpose was to support further development of the extension through some form of advertising which you could disable at any point. The disable option was not even hidden among the other options; it had a dedicated page with a link in the main menu that only consisted of a checkbox - it was that simple and obvious.
Another false rumor is that the setting would enable itself automatically. No, it didn't! The only way that it would re-enable itself was to remove the extension and then install it right back. On uninstall all settings are lost and it falls back to the defaults.
The source code is plain HTML & JavaScript and it has always been available for anyone to review. Anyone could download the .CRX file and unzip it (it's just a special ZIP file) or take a look in the /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh folder (this varies based on your operating system) where the installed extension is. The source code has also been available at http://ionut-botizan.net
If you don't know JavaScript, you don't have to take my word for it; there is this prominent person in the web industry that, although he does not endorse this extension, has reviewed the code and confirmed there was no keylogger there: https://news.ycombinator.com/item?id=7048156#up_7056031
Another false accusation is that I bragged about how "I could sell your personal data and it wouldn't matter to me".
What I actually said is that "I could sell MY EXTENSION (as in transfer all rights and ownership to someone else) and it shouldn't matter to me (from a legal standpoint) what the buyer would do with it, be it collecting your private data or whatever". That claim was made just to point out that in fact I do care about the users' privacy and I chose not to sell the extension, even though I received plenty of offers. Some people asked "how could I even think of that"? Well, the extension is my property and receiving all those offers put me in the position where I had to think about it, whether I liked it or not.
In conclusion, yes, I admit the opt-out pattern is not the friendliest one and the whole thing could have been handled in some other way, but the reality is far from all these claims that I sneakily added malware to the extension, logged your keys and private data and sold all that to third parties or whatever.
The reality is I took your Google search results and converted them to sponsored links, plain and simple. All data that was transmitted when you clicked a search result was about the same that is sent whenever you click on any other ad or banner, which can not, in any circumstances, be used to identify you personally.
I am the developer and this is my answer; no excuses, just stating the facts. Learn what you want from it.
> All the "keylogger" stuff is just rumors started by people who are either incapable of reading a sentence from start to end or are knowingly lying about it
I went ahead and looked at the code after downloading the zipped extension you linked to, and I effectively cannot see anything re. key logger. Where was that first reported? I would like to ask the original reporter on what piece of code he based his conclusion that there was a key logger in there.
Edit: Never mind, I see this apparently comes from original poster on google groups, so I asked him exactly how he came to this conclusion.
Ok, that guy just explained what he meant by keylogging. Leaving aside the fact that he's wrong about how it all works (the results are provided by Google; nothing about the search was changed by the extension) and he never ever looked at the source code and what it is doing (probably because he's too dumb to understand any of it), what he means by keylogging is adding the search terms to the URL query string when clicking on a link.
(Ex: www.ecosia.org/url?url=http%3A%2F%2Fmicrosoftstore.com&v=microsoft store <- this italic text right here is the result of the keylogger in his opinion)
http://www.reddit.com/r/YouShouldKnow/comments/1snyyl/ysk_th...
Also, alternative as discussed on SO:
http://stackoverflow.com/questions/20775775/alternative-to-c...
See it in action:
http://chrisbalt.com/blog/2013/12/20/link-hijacking-through-...
Edit: Related:
http://superuser.com/questions/694825/why-my-google-search-r...
http://windowresizer.userecho.com/topic/353032-did-you-pull-...