[HN Gopher] Using Fake Reviews to Find Dangerous Extensions
Author : todsacerdoti
Score : 167 points
Date : 2021-05-29 16:25 UTC (6 hours ago)
Link : krebsonsecurity.com

| bozzcl wrote:
| Ah, this takes me back! On my first job, our CEO asked me to look at some fraud transaction data from an airline and use a graph database to gather some insights from it. His idea was to show that to some executives from the airline as a prototype to get some buy-in to build a fraud detection tool from them.
|
| The data source basically contained account IDs, billing addresses, credit card hashes and whether an account was identified as fraudulent or not.
|
| Using that data, I built a quick GraphDB prototype that showed clusters of fake/fraud accounts. It was simple stuff, but back then said execs were pretty impressed.
|
| I don't know what came of that because I left shortly after, but it was an interesting little experiment. I had fun building it!
| 8note wrote:
| Likely, it worked for a couple months until the bad actors found a cheap bypass to your detection method.
| bozzcl wrote:
| Such is the war against fraud.
| the_local_host wrote:
| I'm surprised anyone ever installs browser extensions, given how many malicious extensions exist, and how intrusive they are whether malicious or not.
| kodon wrote:
| I had this amazing extension for Google Play Music. It had cover art and some great hot keys. I noticed a bug with it pulling low-res cover art sometimes, so I tried to see if I could fix it in the source code. The GitHub repo was not public anymore, so I made the changes locally and it worked.
|
| I emailed the dev (his email was on the about section of the extension).
| He told me that the code was no longer public because he was selling it to someone else that wanted to take it over. I had all kinds of red flags from this, so I uninstalled it right away.
| bellyfullofbac wrote:
| But you could've probably taken the local copy and removed the update URL so it doesn't update itself anymore.
|
| Anyway, since you said "Google Play Music" it's no longer relevant, is it.
| Jverse wrote:
| Everyone's use case is different. There are definitely a lot of very useful extensions available.
| user-the-name wrote:
| Of course there are, but the point is, you cannot really trust any of them. Today they will be very useful, tomorrow they may be malware, and there is no way for you to know or protect yourself.
| deckard1 wrote:
| This is true of anything you find on GitHub as well.
|
| Open source works on the idea that "given enough eyeballs, all bugs are shallow." The thing people forget is the "enough eyeballs" part. As if people are sitting around auditing every sub-dependency of a sub-dependency of React.
|
| In addition, I don't know of any package repository that requires the authoritative source[1] from GitHub to match the compiled/minified/etc. package that is uploaded and published. And I suspect most repos are vulnerable to this.
|
| There are many popular but unloved packages out there.
|
| [1] I'd also point out how incredibly stupidly dangerous it is that the open source community has basically given Microsoft the keys to be _the_ authoritative source for all of open source. No one has learned a damn thing. And, somewhat ironically, Microsoft buying out an entire user base for their own nefarious purposes really fits the topic at hand.
| devwastaken wrote:
| uBlock Origin and HTTPS Everywhere improved security by removing deceptive advertisements masquerading as legitimate on search engines and freeware download sites. HTTPS Everywhere prevented some forms of HTTPS downgrade attacks.
| Also uBlock has an option to remove WebRTC IP leaking.
| leotaku wrote:
| I'm not sure what you mean by non-malicious extensions being intrusive. I use a number of extensions, mostly content-blocking and privacy-related, and they mostly just get out of my way. The Firefox Extension Store also has a recommended extensions feature that shows that the extension has been reviewed by Mozilla for privacy and security. Most extensions I use have this seal.
| the_local_host wrote:
| I should have said _potentially_ intrusive. Giving any extension permission to "Access your data for all websites" would give me pause.
| leotaku wrote:
| Yeah, I get that, but it seems to me like that's worse than the security model for any non-containerized application. If you don't trust the author there really isn't much there that will protect you.
| matheusmoreira wrote:
| Yeah. The only extensions people should install are uBlock Origin and EFF extensions like Privacy Badger. All others are potential malware.
|
| I get downvoted a lot every time I post this here.
| ant6n wrote:
| But the question is, how can I install uBlock Origin knowing I got the official version and not a malware-infested one?
| rand0mx1 wrote:
| You can follow the uBlock Origin subreddit.
| ant6n wrote:
| You'd think that download links would be prominently featured on the subreddit, but it's not the case: https://www.reddit.com/r/uBlockOrigin/
| gorhill wrote:
| The official "home" of uBlock Origin is the GitHub repo[1]; you will find all the correct information there.
|
| [1] https://github.com/gorhill/uBlock
| macNchz wrote:
| Five years ago I had a whole bunch of extensions, but that ended whenever it was that I first learned that there were bad actors buying legitimate extensions from their developers and filling them with malware. After that I dramatically reduced the number I had installed, down to basically a password manager and uBlock Origin.
| The brief install-time vetting I used to do would do nothing to prevent an auto-update from installing something malicious in the future. Nowadays malicious browser extensions are the most common thing I find on family and friends' computers when I'm helping them with an issue.
| xingyzt wrote:
| Can confirm. As a dev of an extension with 10k users I get 3-4 emails a month in my spam which ask me to monetize my extension by secretly changing its users' search engines. My extension is open-source and quite small, but if the change was sneaked in I think most of the users would not notice. I stick to using userscripts for the most part since you can easily check their downloaded source and disable updates.
|
| Example:
|
| Beth Anderson <beth@monetize-extensions.com> Mon 10:58 AM
| To: Mostly Spam <dev@x-ing.space>
|
| Hello
|
| I am Beth and I am offering monetization for browser extensions, with everything that is going on our team was extremely focused and productive in creating a way to earn revenue on extensions.
|
| We offer to change default search to Bing or Yahoo on your extension which can earn up to $800 a month per 5000 users. This is a premium product by invitation only and can easily be added to your chrome extensions.
|
| You are might curious to know if it is allowed? And I must say that this is completely allowed! Please reply to this email to discuss this further!
|
| Looking forward hearing from you!
|
| Beth Anderson
|
| Business Development Manager
| namrog84 wrote:
| Open source doesn't solve it completely. What you have in the repo and what is published doesn't have to be the same thing. Unless people are doing the extra effort to compare them, which is extremely rare unless it's quite popular. I've seen this happen a few times.
| BeFlatXIII wrote:
| It's because the web is unusable without them. Need the ad blocker and the vertical tree of tabs plus extensions to make Reddit usable, etc...
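The check that deckard1 and namrog84 say almost nobody performs (does the published package match the public source?) is mechanical once both trees are on disk. The script below is an added example, not code from the thread or from any extension project: it hashes every file in a checkout of the repo and in the unpacked published package, lists files that were added, removed or changed, and separately compares the manifest keys that widen what an extension may do (permissions, host_permissions, update_url and friends). The sample trees, the manifest contents and the update URL are all constructed for the demo.

```python
"""Compare an extension's source tree with the package that was actually published.

Added example (not from the thread or any project). Assumes you have unpacked
the published package into a directory next to a checkout of the repo at the
same version tag. Everything written in demo() is constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Manifest keys whose change deserves a human look: each one widens what the
# extension can reach or lets someone else push code to it later.
SENSITIVE_KEYS = ("permissions", "host_permissions", "update_url",
                  "content_security_policy", "background", "content_scripts")


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(repo_dir, published_dir):
    """Files only in the repo, only in the package, or present in both but different."""
    repo, pub = hash_tree(repo_dir), hash_tree(published_dir)
    return {
        "removed": sorted(set(repo) - set(pub)),
        "added": sorted(set(pub) - set(repo)),
        "modified": sorted(p for p in set(repo) & set(pub) if repo[p] != pub[p]),
    }


def manifest_diff(repo_manifest, published_manifest):
    """Sensitive manifest keys that differ, with both sides' values for review."""
    diffs = {}
    for key in SENSITIVE_KEYS:
        a, b = repo_manifest.get(key), published_manifest.get(key)
        if a != b:
            diffs[key] = {"repo": a, "published": b}
    return diffs


def write_tree(root, files):
    """Helper for the demo: write {relative_path: text} under root."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Constructed scenario: the published build gained <all_urls>, an update
    URL pointing at a third party, and a script that is not in the repo."""
    repo_manifest = {"manifest_version": 3, "name": "demo", "version": "1.2.0",
                     "permissions": ["storage"],
                     "host_permissions": ["https://example.com/*"]}
    pub_manifest = dict(repo_manifest, host_permissions=["<all_urls>"],
                        update_url="https://updates.example.invalid/crx")  # constructed
    with tempfile.TemporaryDirectory() as repo, tempfile.TemporaryDirectory() as pub:
        write_tree(repo, {"manifest.json": json.dumps(repo_manifest),
                          "background.js": "console.log('hi');"})
        write_tree(pub, {"manifest.json": json.dumps(pub_manifest),
                         "background.js": "console.log('hi');",
                         "analytics.js": "fetch('https://tracker.invalid/');"})  # constructed
        tree = compare_trees(repo, pub)
        mdiff = manifest_diff(json.loads(Path(repo, "manifest.json").read_text()),
                              json.loads(Path(pub, "manifest.json").read_text()))
    return tree, mdiff


if __name__ == "__main__":
    tree, mdiff = demo()
    print(json.dumps({"files": tree, "manifest": mdiff}, indent=2))
```

Minified builds will show every bundle as "modified" unless you build from the repo with the project's own toolchain first and compare that output; the file-level diff is still the cheap, repeatable part, and the manifest comparison catches the permission and update_url changes that an auto-update (the thing bellyfullofbac suggests disabling) would otherwise deliver silently.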
| voxl wrote:
| How does your reasoning not apply to applications on any device?
| user-the-name wrote:
| Normal applications distributed through app stores tend to have access to a lot less personal data than browser extensions do.
| dylan604 wrote:
| Not the person you are replying to, but for me, it applies the same. I only have uBlock Origin and a password manager for extensions, and my phone has very few apps. I don't trust other devs to not succumb to temptation, so I don't use their apps. It would not be difficult for me to give up the smartphone for a feature phone.
| squiggleblaz wrote:
| Linux users who install their apps via a package manager (other than, iiuc, AUR) have at least the vetting of a third party. And this is why a lot of work goes into reproducible builds and minimal bootstraps.
|
| Apps provided on any platform by major, trusted vendors are much more likely to be safe. Apple/Microsoft/Adobe might find themselves compelled to add a government backdoor, but they're probably not going to chuck in code to send your credit card number to the darkweb.
|
| As for installing random programs from unknown vendors on the Google Play Store, yeah, I'm a bit nervous about that. It would be nice if we could manage trust on such platforms in some way, but all we can do is hope to be on guard at all times. Google clearly doesn't care if you get hacked by a third party, as long as they don't do it directly.
| ocdtrekkie wrote:
| Web browsers do a lot of sandboxing to prevent outside tampering by other applications. Your secured content is encrypted by HTTPS between the server and your browser... but extensions sit inside the browser sandbox, often with full access to your decrypted web traffic.
|
| If most of your secure information is handled via web browsers, as is usually the case today, extensions are drastically more risky than arbitrary software, because of the privileged place in the stack they operate.
| hedora wrote:
| > _Additionally, Google's account recovery tools indicate many different developer email addresses tied to extensions reviewed here share the same recovery email_
|
| What?!? This work was done by an independent researcher. Why is Google providing account recovery emails to the general public (and therefore attackers)?!?
|
| Edit: fixed typo; replaced "recovery passwords" with "recovery emails"
| [deleted]
| dragonwriter wrote:
| > Why is google providing account recovery passwords to the general public
|
| It doesn't refer to passwords but email addresses.
|
| And Google doesn't even have to provide them the actual address for them to determine that they are identical; they just need to provide something that maps 1:1 with the email, without the mapping.
| hedora wrote:
| The actual email addresses are in screenshots in the article.
| skybrian wrote:
| It looks like the spreadsheet has the developer's public email, not their recovery email.
| dragonwriter wrote:
| Those are the developer emails, not the account recovery emails that it says are shared between _different_ developer emails.
|
| Developer emails for extensions are public normally, so those being revealed aren't an issue.
| skybrian wrote:
| Often, account recovery reveals something about where the email will be sent but with some characters in the email redacted. Maybe that's what's happening here?
| krebsonsecurity wrote:
| You are correct. Using the "forgot your password" function on Gmail often reveals snippets of the email account used for recovery and authentication of that account.
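Both the article's technique (extensions tied together by the reviewer accounts they share) and bozzcl's airline prototype (accounts tied together by shared billing addresses and card hashes) are the same graph problem: entities are linked when they share an attribute value, and connected components are the clusters. The code below is an added example, not the commenter's prototype or the article's data. It builds those components with a union-find, and, following dragonwriter's point that the matching side only needs something that maps 1:1 with the sensitive value, it links on keyed HMAC tokens of the values rather than the values themselves. The two record sets, the field names and the secret key are constructed.

```python
"""Cluster entities that share identifying attributes (added example, constructed data).

Records are dicts with an "id", an optional "fraud" flag, and attribute fields
whose values are strings or lists of strings. Two records land in the same
cluster when they share a token for any linking field.
"""
import hashlib
import hmac
from collections import defaultdict

LINK_KEY = b"constructed-demo-key"  # in practice a secret held by the matching service


def token(kind, value):
    """One-way keyed token: same (normalized) value -> same token, value not recoverable."""
    norm = " ".join(value.strip().lower().split())
    return kind + ":" + hmac.new(LINK_KEY, norm.encode(), hashlib.sha256).hexdigest()[:16]


def _values(v):
    return [v] if isinstance(v, str) else list(v)


class DisjointSet:
    """Union-find with path compression; keys are created on first use."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(records, link_fields):
    """Return the connected components (lists of ids, each sorted) over shared tokens."""
    ds = DisjointSet()
    owner = {}  # token -> id of the first record that carried it
    for rec in records:
        ds.find(rec["id"])
        for field in link_fields:
            for value in _values(rec.get(field, [])):
                t = token(field, value)
                if t in owner:
                    ds.union(owner[t], rec["id"])
                else:
                    owner[t] = rec["id"]
    groups = defaultdict(list)
    for rec in records:
        groups[ds.find(rec["id"])].append(rec["id"])
    return [sorted(g) for g in groups.values()]


def suspicious_clusters(records, link_fields, min_size=2, min_fraud_ratio=0.5):
    """Clusters of at least min_size whose share of already-known-bad members
    reaches min_fraud_ratio; returns (members, ratio) pairs for review."""
    known_bad = {r["id"] for r in records if r.get("fraud")}
    flagged = []
    for group in cluster(records, link_fields):
        if len(group) < min_size:
            continue
        ratio = sum(1 for g in group if g in known_bad) / len(group)
        if ratio >= min_fraud_ratio:
            flagged.append((group, ratio))
    return flagged


# Constructed: extensions linked by the reviewer accounts that rated them.
EXTENSIONS = [
    {"id": "ext-A", "reviewers": ["r1", "r2", "r3"], "fraud": True},
    {"id": "ext-B", "reviewers": ["r3", "r4"], "fraud": True},
    {"id": "ext-C", "reviewers": ["r4", "r5"]},
    {"id": "ext-D", "reviewers": ["r9"]},
    {"id": "ext-E", "reviewers": ["r10", "r11"], "fraud": False},
]

# Constructed: accounts linked by billing address (free text) and card hash.
ACCOUNTS = [
    {"id": "acct-1", "billing_address": "1 Main St", "card_hash": ["h1"], "fraud": True},
    {"id": "acct-2", "billing_address": "1  main st ", "card_hash": ["h2"]},
    {"id": "acct-3", "billing_address": "9 Elm Rd", "card_hash": ["h2"], "fraud": True},
    {"id": "acct-4", "billing_address": "5 Oak Ave", "card_hash": ["h7"]},
]

if __name__ == "__main__":
    print(suspicious_clusters(EXTENSIONS, ["reviewers"]))
    print(suspicious_clusters(ACCOUNTS, ["billing_address", "card_hash"]))
```

The ratio threshold is what keeps the method honest against the obvious evasion of sprinkling reviews onto legitimate extensions: a clean extension that shares one reviewer with a bad cluster joins the component, but it only raises a flag as part of a group that is already mostly known-bad, and the output is a list for a human to look at, not an automatic takedown.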
| nerdponx wrote:
| Coming soon: consulting firm uses this technique to build a training set of fraudulent reviews, builds review fraud detector that doesn't take metadata into account and discriminates against elderly people and non-Western reviewers.
|
| In all seriousness, this is a really interesting technique. Maybe there are analogues for other fake/bot behavior in other contexts.
| MattGaiser wrote:
| My team recently built a Chrome extension and expected to be grilled on permissions. We sailed through despite requesting access to all sorts of things. Their vetting seems strict from the outside, but does not seem like it after going through the process.
| gnicholas wrote:
| It's possible they are more focused on extensions with lots of users. My extensions with tens of thousands of users have been under increased scrutiny in the last year or two, and have had several false positive issues arise, which has been frustrating.
| remram wrote:
| It seems but it doesn't seem? Sorry, I can't figure out the typo.
| MattGaiser wrote:
| Clarified with an edit. What I mean is that they require you to write up all sorts of justifications for permissions and be very specific about use cases in the submission process, but they didn't have a single comment about any of it, despite our application requiring a lot of invasive permissions. They also approved it very rapidly.
|
| It is possible that we just did a really good job on the justifications, but I have never had a store submission come back with no required changes or clarifications outside of Google.
| joshtynjala wrote:
| I took his meaning as, the vetting seems strict before you submit, but it actually turns out to be much less strict after you submit.
| CamelCaseName wrote:
| Google's vetting seems strict from the outside. However, now that GP has gone through the process, GP no longer believes it is strict.
| thehours wrote:
| Were these reviewers _only_ leaving reviews on spoofed extensions? Seems like it'd be trivial to mix in positive reviews of legit extensions, making the trail harder to follow.
| 1cvmask wrote:
| Reviews are mathematical garbage even if there are real reviewers, because we all have different expectations and it varies completely across cultures and geographies.
| lanstin wrote:
| Maybe this signal (fake reviews => fraudulent products) is the most useful info reviews provide.
| 10000truths wrote:
| Reviews are subjective and qualitative data. Math deals with objective and quantitative data. It's no surprise that shoehorning the former into the latter is a highly non-trivial problem, that even the best minds in the tech industry struggle to solve for their use cases.
| kenniskrag wrote:
| I once watched a movie where the rating was "do you like the item on the left more than on the right". I'm not sure if it is mathematically possible to create a rank from it. I assume that new items appear and have fewer comparisons than others.
| kenniskrag wrote:
| That would remove the bias of what is 5 points of 10, I think.
| nerdponx wrote:
| This is a technique for "preference elicitation", and related to techniques like Elo scoring and social science fields such as psychometrics.
|
| And yes, I think it's much better than reviews that ask for an absolute scale with no context.
| throwawayboise wrote:
| I once helped develop a "survey" for a nonprofit org, which wanted to gain some insight on what they were doing well and what they could improve. One of the other people involved kept insisting on reducing the number of questions and complexity of the ratings. He said it all boiled down to one basic question, "would you use this service again", and while we didn't quite get that simple, in retrospect I think he was more right than wrong.
|
| Maybe a boolean "would you buy this product again" is the basic question for a review. It's still open to being gamed, but only in one way.
| remram wrote:
| That works when judging aesthetics, but how would that work for extensions though? You can only really judge extensions you have used, and even then how would you choose between your adblocker and your password manager? They do completely different things and I'm not willing to browse without either.
|
| edit: I guess the signal "I tried this extension but replaced it with that other one which I like better" would be very informative though
| facorreia wrote:
| I treat each and every Chrome extension as potentially malware, given that there are plenty of instances of legit extensions being sold and repurposed, and Chrome will silently install malware on my machine because of its auto-update-without-asking-or-verifying policy. I only trust a few, select extensions from large companies that hopefully won't sell them to a shady hacker.
| dataviz1000 wrote:
| I build my own personal Chrome extensions to be used only by myself and I treat them as potentially malware every single time I type `npm install`. If I built an extension to share, I would likely make it completely with vanilla JavaScript.
| trutannus wrote:
| One approach would be to intercept your own traffic with Fiddler as a proxy for a few hours after installing and look for any nefarious requests. This is a pretty effective way to run a basic security audit.
| kortilla wrote:
| Only effective against ones that don't have activation criteria.
| trutannus wrote:
| Yep, but it's a good start. Why I called it a "basic audit".
| londons_explore wrote:
| Usually the activation criteria will be "Contact this server and see what it tells me to do".
|
| An extension developer ought to know the exact purpose of every network request their extension makes, so inspecting network logs is indeed a good plan.
|
| Just remember there are ways to detect if the developer tools panel is open...
| ceejayoz wrote:
| > Usually the activation criteria will be "Contact this server and see what it tells me to do".
|
| Right, but it could be set up to only do that starting six months after installation or something.
| welder wrote:
| Yes, for open source extensions that don't update often I load them unpacked from my local filesystem.
| gnicholas wrote:
| This thread exposes the challenge of running a business based on a Chrome extension. On the one hand, most users are not savvy enough to install extensions or even understand what they are.
|
| On the other hand, someone who is very savvy knows that the permissions required by many/most browser extensions create an opportunity for massive privacy intrusions and security risks.
|
| It's hard to create a business aimed at people who are savvy enough to know what extensions are but not savvy enough to realize what a huge risk they represent.
|
| note: it's also possible to sell to super-unsavvy users, who do not know what extensions are but are willing to install them anyway.
| theiz wrote:
| I live in the Netherlands. We speak Dutch. This makes it quite handy to pick fake reviews since these are (almost) always bad translations. Why does no one look outside the main language areas and compare these? Most reviews are on global stuff anyway.
| sneak wrote:
| Any of Google's thousands of staff could have done this trivial research, too, but apparently it's no one's job over there: just like detecting the hijacked verified Twitter accounts that reply to almost all Elon tweets with cryptocurrency scam links that any non-Twitter person can find in 100 seconds, or the antivax hashtag spammers on Instagram, etc.
|
| These companies are very bad at being proactive in enforcing their published policies.
| throwawayboise wrote:
| That was my reaction as well.
| If an external independent researcher can do this, Amazon, Google, and other big platforms surely have enough resources, smarts, and full access to all the data to identify and eliminate bogus accounts, shill reviews, and scammy or counterfeit products. Yet they don't do it.
| quotemstr wrote:
| I would pay for a service that reviewed the source code of my extensions (and other installed software) and stamped each specific version as being OK. Then I'd configure my browser not to update an extension to a new version until the extension-verification service had read through the code of the update and okayed it.
|
| Granted, such a service wouldn't have the resources to review _all_ extensions, but it could probably handle vetting the most popular and updates to those popular extensions. I can even imagine some kind of market that would let a group of people get this service to begin vetting a new extension.
| gnicholas wrote:
| > _The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon_
|
| Does the Chrome store not require that the dev account associated with these extensions be on the official corporate domains? That would seem like an easy way to prevent spoofing of Fortune 100 companies.
| donmcronald wrote:
| The trust industry is awful and somehow Google and Apple came up with worse versions.
|
| Simple domain-validated publishing similar to Let's Encrypt would be way better for devs and users, but that would require Google and Apple to give up control and that doesn't happen in monopoly markets.
|
| Edit: And Microsoft. Between them those 3 companies are the gatekeepers of almost all (signed) app distribution.
| CharlesW wrote:
| > _The trust industry is awful and somehow Google and Apple came up with worse versions._
|
| You're putting them in the same bucket, but TFA calls out Google (and not Apple) for good reason.
|
| > _Between them those 3 companies are the gatekeepers of almost all (signed) app distribution._
|
| And? I'm assuming you're not saying "software should not be signed", in which case I'm missing your point.
| formerly_proven wrote:
| It's the opposite actually, the Chrome store forces the use of @gmail.com addresses, so e.g. Microsoft is publishing Chrome extensions from addresses like legitmicrosoftapps@gmail.com or microsoftofficextension@gmail.com
|
| See: https://news.ycombinator.com/item?id=27192997 (no one could actually tell which were legit and which were not)
| ChrisClark wrote:
| It's because of that thread that people mistakenly believe you need a gmail.com address. A bunch of people in that thread guessed you needed a gmail.com address. Others immediately said no, you don't need it and showed examples.
|
| But this is how misinformation spreads. Many people only read it and believe it without looking closer.
|
| We just trust that other people know what they are talking about. :)
|
| ... Also I could be wrong, I'm trusting the counter examples in that thread. :D
| gnicholas wrote:
| This isn't my experience. I created my dev account years ago with a non-gmail account. Admittedly, it is a corporate account that is managed by Google, but I don't think there was any step in the process that required this.
|
| It's possible that things have changed since I created my account nearly a decade ago, or that somehow I got a pass because Google manages my domain's email. But they definitely do not force @gmail.com addresses for all devs.
|
| EDIT: See this Microsoft extension [1] for example. It shows @microsoft.com, which is undoubtedly not managed by Google like my little old startup's email is!
|
| 1: https://chrome.google.com/webstore/detail/microsoft-editor-s...
| londons_explore wrote:
| It is possible to make a non-gmail and non-gsuite Google account... Just it isn't obvious how to do so.
|
| You need to go to any Google signin page, click "Create account" > "For myself" > "Use my current email instead".
|
| You can then use that to make Chrome extensions.
| formerly_proven wrote:
| > it is a corporate account that is managed by google
|
| All the counter-examples I could find in the linked thread are Google Mail (for Business), which is functionally the same as requiring a gmail account in that it requires Google to be your mail provider.
| throwawaaarrgh wrote:
| You can also create a Google Account using a non-Google e-mail address, without any special Google Business thing. I did. I keep a Google account tied to my work e-mail address, but there is no Gmail account associated with this Google account. I can use Google services, but all my mail is on our corporate servers.
|
| A lot of people in corporations set things up without necessarily understanding _what_ they're setting up. This includes apps. If you're thinking, "Wouldn't Microsoft know how to set things up correctly?" the answer is "Not necessarily". It's not "Microsoft" setting up some app account, it's a random guy on a random team somewhere in Microsoft, who might not have ever published an app before, much less gotten any training or done much investigation into it.
| extesy wrote:
| > In other words, there a great many developers who are likely to be open to someone else buying up their creation along with their user base.
|
| As a maintainer of a relatively popular extension (hoverzoom+, ~360K users) I get business offers all the time [1]. A few of them are pretty good, actually. I'm not surprised that some developers eventually give up and take one of those offers. But I am surprised that there aren't more of these "under new management" extensions, or maybe we just don't know about them.
|
| [1] https://github.com/extesy/hoverzoom/discussions/670
| eps wrote:
| Woah.
| That's really quite something O_O
| texasbigdata wrote:
| Woah indeed. Just doing the math it's about $1k per year for 10k-$15k users? Roughly?
|
| That could be very enticing for a lot of developers.
|
| Thanks for sharing this.
| extesy wrote:
| Yeah, knowing the financial incentives makes me very cautious about installing any new extensions. And even for the old extensions I check the recent comments from time to time to see if there's any suspicious new behavior.
| ehsankia wrote:
| I moved from old HoverZoom to Imagus, wasn't aware a reboot of HoverZoom was around, thanks for sharing. I'm curious how the sieves and also writing custom sieves compare, if anyone has experience with both.
| throwawaaarrgh wrote:
| Do you think reporting these requests to the store(s) in question might result in investigation, or at the least, a list of suspicious investors to use to vet extensions/apps?
| bozzcl wrote:
| I would love to see a public database of app buyers. I think some interesting insights could come out of it.
| extesy wrote:
| I don't think that would be useful, for two reasons:
|
| 1. What rules are being violated by these offers? It is what happens _after_ the sale that might break the rules, but I can't report someone for having bad intentions.
|
| 2. I do not believe Google would be interested in spending even a minute of their precious human time to do any real investigation. If they can't automate the solution then they ignore the problem.
| gnicholas wrote:
| Seems like the stores could investigate this on their own by creating fake extensions that appear to have lots of users.
| dmix wrote:
| Reminds me of Pirate Bay posting those DMCA emails or takedown notices. Of course not in the same league as random "Business Development" cold emails but it's interesting to public service.
|
| Especially for other extension devs to see who may share similar experiences, helping to expose a pattern of waste-of-time proposals (which I think at that point overvalues any assumed privacy; it was a cold email after all).
|
| Half of those were probably scammers anyway.

(page generated 2021-05-29 23:00 UTC)
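The audit trutannus describes (proxy your own traffic after installing an extension and look at what it contacts) and the two objections to it (kortilla and ceejayoz: an extension can stay quiet until some activation criterion, such as six months after install, and then "contact this server and see what it tells me to do") both come down to comparing observed requests with what the extension declared. The script below is an added example, not from the thread or from any tool the thread names. It assumes a plain-text request log with one line per request in the constructed form "<iso-time> ext=<id> <METHOD> <url>" (a real Fiddler or browser export will need its own parser), matches each URL against the extension's host_permissions with a simplified version of Chrome's match-pattern rules, and reports requests to undeclared hosts plus hosts that were first contacted long after install, which is the signature of the dormant case. The log lines, install time and manifest entry are constructed.

```python
"""Triage an extension's observed network requests against its declared hosts.

Added example (not from the thread). Log format, timestamps and manifest
entry are constructed; matches_pattern() implements a simplified form of
Chrome match patterns (scheme, host with optional '*.' prefix, path glob).
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from urllib.parse import urlparse

LOG = """\
2021-05-29T10:00:01Z ext=aaaa GET https://api.example.com/v1/items
2021-05-29T10:00:02Z ext=aaaa GET https://cdn.example.com/app.css
2021-05-29T10:05:00Z ext=aaaa POST https://api.example.com/v1/sync
2021-11-30T09:00:00Z ext=aaaa GET https://config.tracker.invalid/task?id=7
2021-11-30T09:00:05Z ext=aaaa POST https://config.tracker.invalid/report
"""  # constructed sample

INSTALLED = datetime(2021, 5, 29, 9, 0, 0)          # constructed install time
HOST_PERMISSIONS = ["https://*.example.com/*"]       # constructed manifest entry


def parse_log(text):
    """Parse '<iso-time> ext=<id> <METHOD> <url>' lines into dicts."""
    entries = []
    for line in text.splitlines():
        ts, ext, method, url = line.split(" ", 3)
        entries.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ext": ext.split("=", 1)[1],
            "method": method,
            "url": url,
        })
    return entries


def matches_pattern(pattern, url):
    """True if url is covered by a (simplified) Chrome match pattern.

    '<all_urls>' matches everything; a '*' scheme matches http and https;
    a host of '*.example.com' matches example.com and any subdomain;
    the path part is a shell-style glob where '*' spans '/'.
    """
    if pattern == "<all_urls>":
        return True
    p = urlparse(pattern.replace("*://", "any://", 1))
    u = urlparse(url)
    if p.scheme == "any":
        if u.scheme not in ("http", "https"):
            return False
    elif p.scheme != u.scheme:
        return False
    ph, uh = p.hostname or "", u.hostname or ""
    if ph.startswith("*."):
        host_ok = uh == ph[2:] or uh.endswith(ph[1:])
    else:
        host_ok = uh == ph
    return host_ok and fnmatchcase(u.path or "/", p.path or "/*")


def triage(entries, host_permissions, installed, dormant_days=30):
    """Requests to hosts outside host_permissions, and hosts whose first
    contact came more than dormant_days after install (delayed activation)."""
    undeclared = [e for e in entries
                  if not any(matches_pattern(p, e["url"]) for p in host_permissions)]
    first_seen = {}
    for e in entries:
        first_seen.setdefault(urlparse(e["url"]).hostname, e["time"])
    late = sorted(h for h, t in first_seen.items()
                  if t - installed > timedelta(days=dormant_days))
    return {"undeclared": undeclared, "late_hosts": late}


if __name__ == "__main__":
    result = triage(parse_log(LOG), HOST_PERMISSIONS, INSTALLED)
    for e in result["undeclared"]:
        print("undeclared:", e["time"].isoformat(), e["method"], e["url"])
    print("first contacted long after install:", result["late_hosts"])
```

The "late hosts" list is the practical answer to the activation-criteria objection: a few hours of proxying after install establishes the baseline, and re-running the comparison on later captures is what surfaces a host that appears months in. An extension with <all_urls> in its manifest defeats the first check entirely, which is exactly why the_local_host's "Access your data for all websites" permission deserves the pause it gets in this thread.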