[HN Gopher] Using Fake Reviews to Find Dangerous Extensions
___________________________________________________________________
Using Fake Reviews to Find Dangerous Extensions
Author : todsacerdoti
Score : 167 points
Date : 2021-05-29 16:25 UTC (6 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| bozzcl wrote:
| Ah, this takes me back! On my first job, our CEO asked me to look
| at some fraud transaction data from an airline and use a graph
| database to gather some insights from it. His idea was to show
| that to some executives from the airline as a prototype to get
| some buy-in to build a fraud detection tool from them.
|
| The data source basically contained account IDs, billing
| addresses, credit card hashes and whether an account was
| identified as fraudulent or not.
|
| Using that data, I built a quick GraphDB prototype that showed
| clusters of fake/fraud accounts. It was simple stuff, but back
| then said execs were pretty impressed.
|
| I don't know what came of that because I left shortly after, but
| it was an interesting little experiment. I had fun building it!
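The clustering bozzcl describes (accounts linked because they share a billing address or card hash) is the same shape of signal the article uses, where extensions are linked because the same accounts review them. As an added example that is not bozzcl's prototype and uses no real data, here is a small union-find implementation that groups entities by any shared attribute, transitively, and reports the clusters touching a known-bad member; the account records, reviewer ids and extension names are constructed.

```python
# Added example (not bozzcl's prototype): link entities that share an
# attribute, transitively, using union-find, then report clusters that
# contain a known-bad member. All sample data below is constructed.
from collections import defaultdict


class UnionFind:
    """Minimal disjoint-set with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_by_shared_attributes(records):
    """records: iterable of (entity_id, [(attr_kind, attr_value), ...]).

    Two entities land in the same cluster if they share any (kind, value)
    pair, directly or through a chain of other entities. Returns a list of
    frozensets of entity ids (singletons included)."""
    uf = UnionFind()
    first_seen = {}  # (kind, value) -> first entity that carried it
    for entity, attrs in records:
        uf.find(entity)  # register singletons too
        for key in attrs:
            if key in first_seen:
                uf.union(entity, first_seen[key])
            else:
                first_seen[key] = entity
    groups = defaultdict(set)
    for entity, _ in records:
        groups[uf.find(entity)].add(entity)
    return [frozenset(g) for g in groups.values()]


def suspicious_clusters(records, known_bad, min_size=2):
    """Clusters of at least min_size members that contain a known-bad
    entity, sorted for stable output."""
    hits = [c for c in cluster_by_shared_attributes(records)
            if len(c) >= min_size and c & known_bad]
    return sorted(hits, key=sorted)


# Constructed fraud-style records: account id -> billing address, card hash.
ACCOUNTS = [
    ("a1", [("addr", "12 Elm St"), ("card", "h-aaa")]),
    ("a2", [("addr", "12 Elm St"), ("card", "h-bbb")]),
    ("a3", [("addr", "9 Oak Ave"), ("card", "h-bbb")]),
    ("a4", [("addr", "77 Pine Rd"), ("card", "h-ccc")]),
    ("a5", [("addr", "5 Birch Ln"), ("card", "h-ddd")]),
    ("a6", [("addr", "5 Birch Ln"), ("card", "h-eee")]),
]
KNOWN_FRAUD = {"a1", "a5"}

# The same function applies to the article's signal: treat each extension
# as the entity and each reviewer account as an attribute ("reviewer", id).
# Extension and reviewer ids here are constructed placeholders.
EXTENSIONS = [
    ("ext-A", [("reviewer", "r1"), ("reviewer", "r2")]),
    ("ext-B", [("reviewer", "r2"), ("reviewer", "r3")]),
    ("ext-C", [("reviewer", "r9")]),
]

if __name__ == "__main__":
    for c in suspicious_clusters(ACCOUNTS, KNOWN_FRAUD):
        print("linked accounts with a known-fraud member:", sorted(c))
    for c in cluster_by_shared_attributes(EXTENSIONS):
        print("extensions sharing reviewer accounts:", sorted(c))
```

On the constructed data, a1 and a2 share an address and a2 and a3 share a card hash, so a1, a2 and a3 form one cluster even though a1 and a3 share nothing directly; that transitive linking is what a graph view gives you over a plain lookup.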
| 8note wrote:
| Likely, it worked for a couple months until the bad actors
| found a cheap bypass to your detection method.
| bozzcl wrote:
| Such is the war against fraud.
| the_local_host wrote:
| I'm surprised anyone ever installs browser extensions, given how
| many malicious extensions exist, and how intrusive they are
| whether malicious or not.
| kodon wrote:
| I had this amazing extension for Google Play Music. It had
| cover art and some great hot keys. I noticed a bug with it
| pulling low-res cover art sometimes so I tried to see if I
| could fix it in the source code. The GitHub repo was not public
| anymore, so I made the changes locally and it worked.
|
| I emailed the dev (his email was on the about section of the
| extension). He told me that the code was no longer public
| because he was selling it to someone else that wanted to take
| it over. I had all kinds of red flags from this, so I
| uninstalled it right away.
| bellyfullofbac wrote:
| But you could've probably taken the local copy and removed
| the update URL so it doesn't update itself anymore.
|
| Anyway, since you said "Google Play Music" it's no longer
| relevant is it.
| Jverse wrote:
| Everyone's use case is different. There are definitely a lot of
| very useful extensions available.
| user-the-name wrote:
| Of course there are, but the point is, you can not really
| trust any of them. Today they will be very useful, tomorrow
| they may be malware, and there is no way for you to know or
| protect yourself.
| deckard1 wrote:
| This is true of anything you find on github as well.
|
| Open source works on the idea that "given enough eyeballs,
| all bugs are shallow." The thing people forget is the
| "enough eyeballs" part. As if people are sitting around
| auditing every sub-dependency of a sub-dependency of React.
|
| In addition, I don't know of any package repository that
| requires the authoritative source[1] from github to match
| the compiled/minified/etc. package that is uploaded and
| published. And I suspect most repos are vulnerable to this.
|
| There are many popular but unloved packages out there.
|
| [1] I'd also point out how incredibly stupidly dangerous it
| is that the open source community has basically given
| Microsoft the keys to be _the_ authoritative source for all
| of open source. No one has learned a damn thing. And,
| somewhat ironically, Microsoft buying out an entire user
| base for their own nefarious purposes really fits the topic
| at hand.
| devwastaken wrote:
| Ublock origin and https everywhere improved security by
| removing deceptive advertisements masquerading as legitimate on
| search engines and freeware download sites. https everywhere
| prevented some forms of https downgrade attacks. Also ublock
| has an option to remove webrtc IP leaking.
| leotaku wrote:
| I'm not sure what you mean by non-malicious extensions being
| intrusive. I use a number of extensions, mostly content-
| blocking and privacy-related and they mostly just get out of my
| way. The Firefox Extension Store also has a recommended
| extensions feature that shows that the extension has been
| reviewed by Mozilla for privacy and security. Most extensions I
| use have this seal.
| the_local_host wrote:
| I should have said _potentially_ intrusive. Giving any
| extension permission to "Access your data for all websites"
| would give me pause.
| leotaku wrote:
| Yeah, I get that, but it seems to me like that's worse than
| the security model for any non-containerized application.
| If you don't trust the author there really isn't much there
| that will protect you.
| matheusmoreira wrote:
| Yeah. The only extensions people should install are uBlock
| Origin and EFF extensions like Privacy Badger. All others are
| potential malware.
|
| I get downvoted a lot every time I post this here.
| ant6n wrote:
| But the question is, how can I install uBlock Origin knowing
| I got the official version and not a malware infested one.
| rand0mx1 wrote:
| You can follow ublock origin subreddit
| ant6n wrote:
| You'd think that download links would be prominently
| featured on the subreddit, but it's not the case:
| https://www.reddit.com/r/uBlockOrigin/
| gorhill wrote:
| The official "home" of uBlock Origin is the GitHub
| repo[1], you will find all the correct information there.
|
| [1] https://github.com/gorhill/uBlock
| macNchz wrote:
| Five years ago I had a whole bunch of extensions, but that
| ended whenever it was that I first learned that there were bad
| actors buying legitimate extensions from their developers and
| filling them with malware. After that I dramatically reduced
| the number I had installed, down to basically a password
| manager and ublock origin. The brief install-time vetting I
| used to do would do nothing to prevent an auto update
| from installing something malicious in the future. Nowadays
| malicious browser extensions are the most common thing I find
| on family and friends' computers when I'm helping them with an
| issue.
| xingyzt wrote:
| Can confirm. As a dev of an extension with 10k users I get
| 3-4 emails a month in my spam which ask me to monetize my
| extension by secretly changing its users' search engines. My
| extension is open-source and quite small, but if the change
| was sneaked in I think most of the users would not notice. I
| stick to using userscripts for the most part since you can
| easily check their downloaded source and disable updates.
|
| Example:
|
| Beth Anderson <beth@monetize-extensions.com> Mon 10:58 AM To:
| Mostly Spam <dev@x-ing.space>
|
| Hello
|
| I am Beth and I am offering monetization for browser
| extensions, with everything that is going on our team was
| extremely focused and productive in creating a way to earn
| revenue on extensions.
|
| We offer to change default search to Bing or Yahoo on your
| extension which can earn up to $800 a month per 5000 users.
| This is a premium product by invitation only and can easily
| be added to your chrome extensions.
|
| You are might curious to know if it is allowed? And I must
| say that this is completely allowed! Please reply to this
| email to discuss this further!
|
| Looking forward hearing from you!
|
| Beth Anderson
|
| Business Development Manager
| namrog84 wrote:
| Open source doesn't solve it completely. What you have in
| repo and what is published doesn't have to be the same
| thing. Unless people are doing the extra effort to compare
| them, which is extremely rare unless it's quite popular.
| I've seen this happen a few times.
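The comparison namrog84 has in mind, checking that what the store serves matches what you build from the repository, is mechanical once both trees are on disk. As an added example that is not from any project in the thread, this script hashes every file in a locally built tree and in an unpacked published copy and reports files that are missing, extra, or modified; the directory contents are constructed in a temporary folder so it runs offline.

```python
# Added example: compare a locally built extension tree against the
# unpacked published package by file hash. Sample trees are constructed.
import hashlib
import os
import tempfile


def tree_digests(root):
    """Map each file's path relative to root (forward slashes) to its
    SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(built_dir, published_dir):
    """Return which files exist only in the build, only in the published
    package, or exist in both with different contents."""
    built, published = tree_digests(built_dir), tree_digests(published_dir)
    common = built.keys() & published.keys()
    return {
        "only_in_build": sorted(built.keys() - published.keys()),
        "only_in_published": sorted(published.keys() - built.keys()),
        "modified": sorted(k for k in common if built[k] != published[k]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build two constructed trees: the published copy carries one altered
    file and one file the repository never had."""
    with tempfile.TemporaryDirectory() as tmp:
        built = os.path.join(tmp, "built")
        published = os.path.join(tmp, "published")
        manifest = b'{"name": "demo", "version": "1.0"}'
        _write(os.path.join(built, "manifest.json"), manifest)
        _write(os.path.join(published, "manifest.json"), manifest)
        _write(os.path.join(built, "js", "main.js"), b"console.log('hi');")
        _write(os.path.join(published, "js", "main.js"),
               b"console.log('hi'); /* added after build */")
        _write(os.path.join(published, "js", "extra.js"), b"// not in repo")
        return compare_trees(built, published)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the build must be reproducible (pinned toolchain, no timestamps in the bundle) for a hash comparison to be meaningful; any file listed under "modified" or "only_in_published" is then something to read by hand.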
| BeFlatXIII wrote:
| It's because the web is unusable without them. Need the ad
| blocker and the vertical tree of tabs plus extensions to make
| Reddit usable, etc...
| voxl wrote:
| How does your reasoning not apply to applications on any
| device?
| user-the-name wrote:
| Normal applications distributed through app stores tend to
| have access to a lot less personal data than browser
| extensions do.
| dylan604 wrote:
| Not the person you are replying to, but for me, it applies
| the same. I only have uBlock Origin and password manager for
| extensions, and my phone has very few apps. I don't trust
| other devs to not succumb to temptation, so I don't use their
| apps. It would not be difficult for me to give up the smart
| phone for a feature phone.
| squiggleblaz wrote:
| Linux users who install their apps via a package manager
| (other than, iiuc, AUR) have at least the vetting of a third
| party. And this is why a lot of work goes into reproducible
| builds and minimal bootstraps.
|
| Apps provided on any platform by major, trusted vendors are
| much more likely to be safe. Apple/Microsoft/Adobe might find
| themselves compelled to add a government backdoor, but
| they're probably not going to chuck in code to send your
| credit card number to the darkweb.
|
| As for installing random programs from unknown vendors on the
| Google Play Store, yeah, I'm a bit nervous about that. It
| would be nice if we could manage trust on such platforms in
| some way, but all we can do is hope to be on guard at all
| times. Google clearly doesn't care if you get hacked by a
| third party, as long as they don't do it directly.
| ocdtrekkie wrote:
| Web browsers do a lot of sandboxing to prevent outside
| tampering by other applications. Your secured content is
| encrypted by HTTPS between the server and your browser... but
| extensions sit inside the browser sandbox, often with full
| access to your decrypted web traffic.
|
| If most of your secure information is handled via web
| browsers, as is usually the case today, extensions are
| drastically more risky than arbitrary software, because of
| the privileged place in the stack they operate.
| hedora wrote:
| > _Additionally, Google's account recovery tools indicate many
| different developer email addresses tied to extensions reviewed
| here share the same recovery email_
|
| What?!? This work was done by an independent researcher. Why is
| google providing account recovery emails to the general public
| (and therefore attackers)?!?
|
| Edit: fixed typo; replaced "recovery passwords" with "recovery
| emails"
| [deleted]
| dragonwriter wrote:
| > Why is google providing account recovery passwords to the
| general public
|
| It doesn't refer to passwords but email addresses.
|
| And Google doesn't have to provide them even the actual address
| for them to determine that they are identical, they just need
| to provide something that maps 1:1 with the email, without the
| mapping.
| hedora wrote:
| The actual email addresses are in screenshots in the article.
| skybrian wrote:
| It looks like the spreadsheet has the developer's public email,
| not their recovery email.
| dragonwriter wrote:
| Those are the developer emails, not the account recovery
| emails that it says are shared between _different_
| developer emails.
|
| Developer emails for extensions are public normally, so
| those being revealed aren't an issue.
| skybrian wrote:
| Often, account recovery reveals something about where the email
| will be sent but with some characters in the email redacted.
| Maybe that's what's happening here?
| krebsonsecurity wrote:
| You are correct. Using the "forgot your password" function on
| Gmail often reveals snippets of the email account used for
| recovery and authentication of that account.
| nerdponx wrote:
| Coming soon: consulting firm uses this technique to build a
| training set of fraudulent reviews, builds review fraud detector
| that doesn't take metadata into account and discriminates against
| elderly people and non-Western reviewers.
|
| In all seriousness, this is a really interesting technique. Maybe
| there are analogues for other fake/bot behavior in other
| contexts.
| MattGaiser wrote:
| My team recently built a Chrome extension and expected to be
| grilled on permissions. We sailed through despite requesting
| access to all sorts of things. Their vetting seems strict from
| the outside, but does not seem like it after going through the
| process.
| gnicholas wrote:
| It's possible they are more focused on extensions with lots of
| users. My extensions with tens of thousands of users have been
| under increased scrutiny in the last year or two, and have had
| several false positive issues arise, which has been
| frustrating.
| remram wrote:
| It seems but it doesn't seem? Sorry I can't figure out the typo
| MattGaiser wrote:
| Clarified with an edit. What I mean is that they require you
| to write up all sorts of justifications for permissions and
| be very specific about use cases in the submission process,
| but they didn't have a single comment about any of it,
| despite our application requiring a lot of invasive
| permissions. They also approved it very rapidly.
|
| It is possible that we just did a really good job on the
| justifications, but I have never had a store submission come
| back with no required changes or clarifications outside of
| Google.
| joshtynjala wrote:
| I took his meaning as, the vetting seems strict before you
| submit, but it actually turns out to be much less strict
| after you submit.
| CamelCaseName wrote:
| Google's vetting seems strict from the outside. However, now
| that GP has gone through the process, GP no longer believes
| it is strict.
| thehours wrote:
| Were these reviewers _only_ leaving reviews on spoofed
| extensions? Seems like it'd be trivial to mix in positive reviews
| of legit extensions, making the trail harder to follow.
| 1cvmask wrote:
| Reviews are mathematical garbage even if there are real reviewers
| because we all have different expectations and it varies
| completely across cultures and geographies.
| lanstin wrote:
| Maybe this signal (fake reviews => fraudulent products) is the
| most useful info reviews provide.
| 10000truths wrote:
| Reviews are subjective and qualitative data. Math deals with
| objective and quantitative data. It's no surprise that
| shoehorning the former into the latter is a highly non-trivial
| problem, that even the best minds in the tech industry struggle
| to solve for their use cases.
| kenniskrag wrote:
| I once watched a movie where the rating was "do you like the
| item on the left more than on the right". I'm not sure if it is
| mathematically possible to create a rank from it. I assume,
| that new items appear and have less comparisons than others.
| kenniskrag wrote:
| That would remove the bias of what is 5 points out of 10, I think.
| nerdponx wrote:
| This is a technique for "preference elicitation", and related
| to techniques like Elo scoring and social science fields such
| as psychometrics.
|
| And yes, I think it's much better than reviews that ask for
| an absolute scale with no context.
| throwawayboise wrote:
| I once helped develop a "survey" for a nonprofit org, which
| wanted to gain some insight on what they were doing well and
| what they could improve. One of the other people involved
| kept insisting on reducing the number of questions and
| complexity of the ratings. He said it all boiled down to one
| basic question, "would you use this service again" and while
| we didn't quite get that simple, in retrospect I think he was
| more right than wrong.
|
| Maybe a boolean "would you buy this product again" is the
| basic question for a review. It's still open to being gamed,
| but only in one way.
| remram wrote:
| That works when judging aesthetics, but how would that work
| for extensions though? You can only really judge extensions
| you have used, and even then how would you choose between
| your adblocker and your password manager? They do completely
| different things and I'm not willing to browse without
| either.
|
| edit: I guess the signal "I tried this extension but replaced
| it with that other one which I like better" would be very
| informative though
| facorreia wrote:
| I treat each and every Chrome extension as potentially malware,
| given that there are plenty of instances of legit extensions
| being sold and repurposed, and Chrome will silently install
| malware on my machine because of its auto-update-without-asking-
| or-verifying policy. I only trust a few, select extensions from
| large companies that hopefully won't sell them to a shady hacker.
| dataviz1000 wrote:
| I build my own personal Chrome extensions to be used only by
| myself and I treat them as potentially malware every single
| time I type `npm install`. If I built an extension to share, I
| would likely make it completely with vanilla JavaScript.
| trutannus wrote:
| One approach would be to intercept your own traffic with
| Fiddler as a proxy for a few hours after installing and look
| for any nefarious requests. This is a pretty effective way to
| run a basic security audit.
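Proxying your own traffic after an install produces a request log; the useful part of the audit is deciding which entries deserve a look. As an added example that is not trutannus's procedure and does not use Fiddler's actual export format, here is a small checker over a constructed JSON-lines capture: it flags requests to hosts outside the set the extension is expected to talk to, cleartext requests, and large POST bodies. The host names and the expected-host set are hypothetical.

```python
# Added example: triage a captured request log from an extension audit.
# CAPTURE is a constructed stand-in, not a real proxy export.
import json
from urllib.parse import urlparse

CAPTURE = """\
{"method": "GET", "url": "https://api.example-ext.test/v1/config", "body_bytes": 0}
{"method": "POST", "url": "https://api.example-ext.test/v1/telemetry", "body_bytes": 210}
{"method": "GET", "url": "https://cdn.example-ext.test/icons/16.png", "body_bytes": 0}
{"method": "POST", "url": "https://collect.unknown-tracker.test/beacon", "body_bytes": 4096}
{"method": "GET", "url": "http://plain.unknown-host.test/update.js", "body_bytes": 0}
"""

# Hosts the (hypothetical) extension is documented to contact.
EXPECTED_HOSTS = {"api.example-ext.test", "cdn.example-ext.test"}


def parse_capture(text):
    """One JSON object per line -> list of dicts; blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_allowed(host, allowed):
    """Exact match or subdomain of an allowed host."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit(entries, allowed_hosts, big_upload=1024):
    """Return [(url, [reasons])] for every request worth a second look."""
    findings = []
    for entry in entries:
        parts = urlparse(entry["url"])
        reasons = []
        if not host_allowed(parts.hostname or "", allowed_hosts):
            reasons.append("unexpected host")
        if parts.scheme != "https":
            reasons.append("cleartext")
        if entry["method"] == "POST" and entry["body_bytes"] >= big_upload:
            reasons.append("large upload")
        if reasons:
            findings.append((entry["url"], reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in audit(parse_capture(CAPTURE), EXPECTED_HOSTS):
        print(f"{url}: {', '.join(reasons)}")
```

As kortilla's reply notes, a quiet first few hours prove little if the extension only misbehaves on a later instruction from its server; the same check is therefore worth re-running after each update, with the expected-host list taken from the extension's own documentation or manifest.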
| kortilla wrote:
| Only effective against ones that don't have activation
| criteria.
| trutannus wrote:
| Yep, but it's a good start. That's why I called it a "basic
| audit".
| londons_explore wrote:
| Usually the activation criteria will be "Contact this
| server and see what it tells me to do".
|
| An extension developer ought to know the exact purpose of
| every network request their extension makes, so
| inspecting network logs is indeed a good plan.
|
| Just remember there are ways to detect if the developer
| tools panel is open...
| ceejayoz wrote:
| > Usually the activation criteria will be "Contact this
| server and see what it tells me to do".
|
| Right, but it could be set up to only do that starting
| six months after installation or something.
| welder wrote:
| Yes, for open source extensions that don't update often I
| load them unpacked from my local filesystem.
| gnicholas wrote:
| This thread exposes the challenge of running a business based on
| a Chrome extension. On the one hand, most users are not savvy
| enough to install extensions or even understand what they are.
|
| On the other hand, someone who is very savvy knows that the
| permissions required by many/most browser extensions create an
| opportunity for massive privacy intrusions and security risks.
|
| It's hard to create a business aimed at people who are savvy
| enough to know what extensions are but not savvy enough to
| realize what a huge risk they represent.
|
| note: it's also possible to sell to super-unsavvy users, who do
| not know what extensions are but are willing to install them
| anyway.
| theiz wrote:
| I live in the Netherlands. We speak Dutch. This makes it quite
| handy to pick fake reviews since these are (almost) always bad
| translations. Why does no one look outside the main language
| areas and compare these? Most reviews are on global stuff anyway.
| sneak wrote:
| Any of Google's thousands of staff could have done this trivial
| research, too, but apparently it's no one's job over there: just
| like detecting the hijacked verified Twitter accounts that reply
| to almost all Elon tweets with cryptocurrency scam links that any
| non-Twitter person can find in 100 seconds, or the antivax
| hashtag spammers on Instagram, etc.
|
| These companies are very bad at being proactive in enforcing
| their published policies.
| throwawayboise wrote:
| That was my reaction as well. If an external independent
| researcher can do this, Amazon, Google, and other big platforms
| surely have enough resources, smarts, and full access to all
| the data to identify and eliminate bogus accounts, shill
| reviews, and scammy or counterfeit products. Yet they don't do
| it.
| quotemstr wrote:
| I would pay for a service that reviewed the source code of my
| extensions (and other installed software) and stamped each
| specific version as being OK. Then I'd configure my browser not
| to update an extension to a new version until the extension-
| verification service had read through the code of the update and
| okayed it.
|
| Granted, such a service wouldn't have the resources to review
| _all_ extensions, but it could probably handle vetting the most
| popular and updates to those popular extensions. I can even
| imagine some kind of market that would let a group of people get
| this service to begin vetting a new extension.
| gnicholas wrote:
| > _The extensions spoofed a range of consumer brands, including
| Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon_
|
| Does the Chrome store not require that the dev account associated
| with these extensions be on the official corporate domains? That
| would seem like an easy way to prevent spoofing of Fortune 100
| companies.
| donmcronald wrote:
| The trust industry is awful and somehow Google and Apple came
| up with worse versions.
|
| Simple domain validated publishing similar to Let's Encrypt
| would be way better for devs and users, but that would require
| Google and Apple to give up control and that doesn't happen in
| monopoly markets.
|
| Edit: And Microsoft. Between them those 3 companies are the
| gatekeepers of almost all (signed) app distribution.
| CharlesW wrote:
| > _The trust industry is awful and somehow Google and Apple
| came up with worse versions._
|
| You're putting them in the same bucket, but TFA calls out
| Google (and not Apple) for good reason.
|
| > _Between them those 3 companies are the gatekeepers of
| almost all (signed) app distribution._
|
| And? I'm assuming you're not saying "software should not be
| signed", in which case I'm missing your point.
| formerly_proven wrote:
| It's the opposite actually, the Chrome store forces the use of
| @gmail.com addresses, so e.g. Microsoft is publishing Chrome
| extensions from addresses like legitmicrosoftapps@gmail.com or
| microsoftofficextension@gmail.com
|
| See: https://news.ycombinator.com/item?id=27192997 (no one
| could actually tell which were legit and which were not)
| ChrisClark wrote:
| It's because of that thread that people mistakenly believe
| you need a gmail.com address. A bunch of people in that
| thread guessed you needed a gmail.com address. Others
| immediately said no, you don't need it and showed examples.
|
| But this is how misinformation spreads. Many people only read
| it and believe it without looking closer.
|
| We just trust that other people know what they are talking
| about. :)
|
| ... Also I could be wrong, I'm trusting the counter examples
| in that thread. :D
| gnicholas wrote:
| This isn't my experience. I created my dev account years ago
| with a non-gmail account. Admittedly, it is a corporate
| account that is managed by google, but I don't think there
| was any step in the process that required this.
|
| It's possible that things have changed since I created my
| account nearly a decade ago, or that somehow I got a pass
| because google manages my domain's email. But they definitely
| do not force @gmail.com addresses for all devs.
|
| EDIT: See this Microsoft extension [1] for example. It shows
| @microsoft.com, which is undoubtedly not managed by google
| like my little old startup's email is!
|
| 1: https://chrome.google.com/webstore/detail/microsoft-
| editor-s...
| londons_explore wrote:
| It is possible to make a non-gmail and non-gsuite google
| account... Just it isn't obvious how to do so.
|
| You need to go to any google signin page, click "Create
| account" > "For myself" > "Use my current email instead".
|
| You can then use that to make chrome extensions.
| formerly_proven wrote:
| > it is a corporate account that is managed by google
|
| All the counter-examples I could find in the linked thread
| are Google Mail (for Business), which is functionally the
| same as requiring a gmail account in that it requires
| Google to be your mail-provider.
| throwawaaarrgh wrote:
| You can also create a Google Account using a non-Google
| e-mail address, without any special Google Business
| thing. I did. I keep a Google account tied to my work
| e-mail address, but there is no Gmail account associated
| with this Google account. I can use Google services, but
| all my mail is on our corporate servers.
|
| A lot of people in corporations set things up without
| necessarily understanding _what_ they're setting up.
| This includes apps. If you're thinking, "Wouldn't
| Microsoft know how to set things up correctly?" the
| answer is "Not necessarily". It's not "Microsoft" setting
| up some app account, it's a random guy on a random team
| somewhere in Microsoft, who might not have ever published
| an app before, much less gotten any training or done much
| investigation into it.
| extesy wrote:
| > In other words, there a great many developers who are likely to
| be open to someone else buying up their creation along with their
| user base.
|
| As a maintainer of a relatively popular extension (hoverzoom+,
| ~360K users) I get business offers all the time [1]. A few of
| them are pretty good, actually. I'm not surprised that some
| developers eventually give up and take one of those offers. But I
| am surprised that there aren't more of these "under new
| management" extensions, or maybe we just don't know about them.
|
| [1] https://github.com/extesy/hoverzoom/discussions/670
| eps wrote:
| Woah. That's really quite something O_O
| texasbigdata wrote:
| Woah indeed. Just doing the math it's about $1k per year for
| 10k-$15k users? Roughly?
|
| That could be very enticing for a lot of developers.
|
| Thanks for sharing this.
| extesy wrote:
| Yeah, knowing the financial incentives makes me very cautious
| about installing any new extensions. And even for the old
| extensions I check the recent comments from time to time to
| see if there's any suspicious new behavior.
| ehsankia wrote:
| I moved from old HoverZoom to Imagus, wasn't aware a reboot of
| HoverZoom was around, thanks for sharing. I'm curious how the
| sieves and also writing custom sieves compare, if anyone has
| experience with both.
| throwawaaarrgh wrote:
| Do you think reporting these requests to the store(s) in
| question might result in investigation, or at the least, a list
| of suspicious investors to use to vet extensions/apps?
| bozzcl wrote:
| I would love to see a public database of app buyers. I think
| some interesting insights could come out of it.
| extesy wrote:
| I don't think that would be useful, for two reasons:
|
| 1. What rules are being violated by these offers? It is what
| happens _after_ the sale that might break the rules, but I can't
| report someone for having bad intentions.
|
| 2. I do not believe Google would be interested in spending
| even a minute of their precious human time to do any real
| investigation. If they can't automate the solution then they
| ignore the problem.
| gnicholas wrote:
| Seems like the stores could investigate this on their own by
| creating fake extensions that appear to have lots of users.
| dmix wrote:
| Reminds me of Pirate Bay posting those DMCA emails or takedown
| notices. Of course not in the same league as random "Business
| Development" cold emails but it's interesting to public
| service.
|
| Especially for other extension devs to see who may share
| similar experiences, and helping expose a pattern of waste-of-
| time proposals (which I think at that point outweighs any
| assumed privacy; it was a cold email after all).
|
| Half of those were probably scammers anyway.
___________________________________________________________________
(page generated 2021-05-29 23:00 UTC)