One thing I wish I had called out more clearly in my post ("See it in action") was the fact that the "feature" would re-enable itself after every update of the extension, which seemed to be quite frequently.
It's a shame; it really was a feature-packed, helpful extension.
What is more interesting is the reaction from the developer himself. He seems to be completely unimpressed by the criticism, noting that one permits Chrome extensions to do stuff, and they would have seen this permission the extension required when they updated or installed it.
Furthermore, he is quoted as joking about how he could have sold the extension to someone to get your passwords and whatnot (but assures us that he hasn't done so).
Since Chrome auto-updates extensions, users are likely not aware of this change.
I've been using the extension for several months until I noticed the transparent redirection. In fact, the only reason I noticed the redirect is when it failed. I clicked on a Google search result and got stuck on a blank page like this:
Google made a big mistake by not including a GUI option to manage auto-updates. I write an extension that interacts with data on a financial website, and this policy of forcing automatic updates on all extensions is dangerous. It means I cannot guarantee my users my extension is 100% safe, even if they audit its JavaScript files, because if I were a bad guy, I would still have the power to update the code in the dead of night. It's not very attractive to tell users they can only protect themselves if they both understand JavaScript, and also dig through files to manually disable auto-updates.
Whoa, wait. One guy in this thread is claiming that Window Resizer was sending all your keystrokes back to a central server based on what he saw in Wireshark. Can anyone else verify this? I've had this extension installed for...a year, at least. Do I need to now go change every single password on every site because chances are it's been keylogged? This is insane.
I wrote an extension (HTTP Switchboard) which can log and filter behind-the-scene requests, which also comprise net requests made by extensions. I suppose this could be used to validate that an extension connects to a remote server. In any case, it can be set to selectively block/allow net traffic of extensions.
Even without this extension, it is possible to open the dev console of a specific extension and look at the detailed net traffic of a specific extension in the network tab. Somewhat simpler than running wireshark, so more within reach of the average user.
I googled the problem and opted out ecoasia from the extension settings when I noticed my URLs getting redirected every time. But I had no idea that the extensions can 'Access all data on all the websites'. Now I notice most of my extensions like web developer, page ruler, web font previewer have this permission. Need further clarification from the Chrome team as to what this exactly is. Passwords? Credit card numbers? Can also be accessed by the extensions?
This is true, but existing Chrome users aren't notified when an extension is removed from the store. I had no idea of this malware until it surfaced when the redirect failed.
Smooth Gestures (lfkgmnnajiljnolcgolmmgnecgldgeld) has done the same thing for well over a year now. I (and many others) reported the addon to Google, but it still remains.
What does it take to get something like this removed?
I run a local user group that educates developers on Google's technologies that while proudly independent from Google, has a great working relationship with their developer relations teams.
Back in March of 2012 (that's almost two years ago) I first brought to the attention of the Chrome developer relations team an extension called Bookmark Sentry that essentially contained a trojan that hijacks links to serve up spam ads. You can read more about it here: http://stopmalvertising.com/malvertisements/beware-of-the-go...
What I found troubling was the response back. I received an official response that it was within compliance of Chrome App Store policies. Specifically I was told:
"Ad injections are not in violation of the Chrome Web Store program policies. The policy requires that ads must be presented in the context of the extension or, when present within another page, ads must be outside the page's normal flow and clearly state which extension they are bundled with. We believe that ads are a legitimate way to monetize, but that they should be a known cost to the extension user."
I certainly hope since then they've changed their policy on this issue and are actively policing and enforcing against spyware and malware.
Chrome App extensions can access extremely sensitive data such as webforms with credit card, contact details, passwords and more and in the wrong hands can do untold damage.
I noticed this about a month back. I was browsing the web one Saturday morning and spotted an "Eco link" next to the search results. Most of them were big sites, like Amazon and eBay etc.
I immediately emailed one of our SEO guys with a snippet of the page and said, "we need to know how to do this in Google, it must be a new feature". I stupidly assumed it was a new feature Google had rolled out. When he replied that he can't see it I started googling the problem, most of the results pertained to Malware and I was shocked, I'm a very careful browser in general.
When I started digging around it was only then I started switching off my plugins 1 by 1 and the eco link went when I switched off the browser resizer, I was honestly shocked. I knew the developer wasn't supporting the plugin any more due to funding but I didn't think it would go in that direction, I expected it to just fade away.
No, I didn't read the updates on the product. I don't have time to read updates on products, especially plugins. After reading his comments on there, there is no remorse for his actions. He is nothing more than a simple malware spreader, he should apply for a job at SourceForge.
It just occurred to me: installing malware on an extension targeted towards developers - the kind of people who just might notice hijacked links - seems like the dumbest idea in the world. Leads me to wonder what sort of nastiness is hidden in those other extensions.
(I zipped the '3rd-party' directory and removed references to those scripts in the manifest file. So it's there if you wanna inspect it, but ecolinks won't run. I don't have time to restructure the options page though :-)
I would argue that if you installed any extension that requested full access to your data without understanding the implications, you're not as careful a browser as you believe you are.
This isn't to say what the developer did is in any way ok (I don't think it is), nor is it my intent to insult you. Rather - it's to highlight a deeper problem with this kind of click-through security model that chrome web store, play store, et al are fostering.
If somebody who has a reasonable understanding of computers and works with them for a living still clicks through this kind of agreement, what hope has the other 99% of the connected-device-using population?
I ran into this. I only found out because ecolink went down for a while. So when I clicked on google search results, it would error out while trying to redirect.
Valuable lesson learned. I never thought a chrome developer would be quite so stupid to pull something like this. Now I'll keep my eye on every extension.
And yes, you should never install Window Resizer, or anything else Ionut Botizan (the developer) releases again.
I love that the developer's defense is that he could have sold our passwords to someone but (supposedly) didn't. That really instills confidence in his morals, doesn't it?
My claim was not that I could have sold your passwords, it was that I could have sold the extension! Last time I checked, the extension itself was my property and I could sell it to whoever I want. What the buyer does with it shouldn't be any of my concerns. I was just pointing out that, if I would have sold it, the buyer might have been the kind of person that would do those terrible things.
At least Firefox extensions on Mozilla's add-ons site get more thoroughly reviewed on every update.
The add-ons installed from outside of the add-ons site can be very dangerous, but Mozilla tries to block these too: List of blocked add-ons with reasons: https://addons.mozilla.org/en-US/firefox/blocked/
Is it correct to class this as malware? I get that the portmanteau is "malicious software" and hijacking your Google search results isn't the friendliest thing to do but I think this is closer to "adware" than "malware".
Although the author seems like a bit of a di- ...fficult person, maybe we should coin the term "dickware" to cover this sort of software.
EDIT: I missed the keylogging bit, thanks to everybody that pointed it out. Adware + Spyware = Malware.
It's inserting fake search results and running a keystroke monitor. To me this isn't even a close call; of course it's malware. I would also say that any developer who would do this simply can't be trusted; if he will do this, he might do just about anything else. He doesn't seem to have any regard for others.
The term malware came about as an umbrella to cover viruses, trojans, worms, spyware, and adware. It made it much easier to explain to users what was going on, while still using words that make sense.
Hover Zoom had a similar problem recently, but still exists on the Chrome store. Up until a certain version, their data collection did nothing much (perhaps save non-existing domain hits).
Then they partnered with someone and started sending certain form data (!!) to a third party -- claiming they wanted to collect anonymous demographic information. It didn't help that the script injection on all pages (which I discovered when debugging with the web tools) used some shady domains with no web presence.
They claim they did not send e.g. any password data -- but they perfectly could have. I tried reporting the extension on the store as did many others, but that had no effect. The developer seems to have reverted that bit of the code -- for now.
Someone should (and I just might) write an extension that updates a list of evil extensions and authors and warns the user when they have a bad extension or try to install a new extension on that list. Powered by a blocklist type of listing and community moderated.
Really what this boils down to, imho, is a need to educate users on the meaning of the permissions that are granted (with approval) to these extensions. Certainly the vast majority of users confirm the security permissions without comprehending the weight of access they've just provided the extension author.
With JavaScript, it's nearly impossible for Chrome to reasonably explain, with any level of granularity, what exactly an extension will do with its access - hence the "access your data on all websites" warning.
A proof of concept to demonstrate how you can take advantage of this access for nefarious reasons, even after getting approval into the Chrome Web Store, would be quite simple.
Long/short of it is: make sure you trust the author of any extension you install!
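An added example, not part of the thread and not code from any extension discussed in it: since the concern above is broad access arriving through a silent update, this compares two versions of an extension's `manifest.json` and reports the all-site host grants and all-site content scripts the newer version introduced. The function names and both manifests are constructed for illustration.

```javascript
// Match patterns that cover every site; these trigger the
// "access your data on all websites" install warning.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Summarise what a manifest can reach on arbitrary pages.
function exposure(manifest) {
  // Manifest V2 lists host patterns in "permissions";
  // Manifest V3 moves them to "host_permissions".
  const hosts = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter((p) => typeof p === 'string' && BROAD.has(p));

  // Content scripts run inside every page their "matches" cover.
  const scripts = [];
  for (const entry of manifest.content_scripts || []) {
    if ((entry.matches || []).some((m) => BROAD.has(m))) {
      scripts.push(...(entry.js || []));
    }
  }
  return { hosts, scripts };
}

// Report broad grants and all-site scripts that an update introduced.
function addedByUpdate(before, after) {
  const prev = exposure(before);
  const next = exposure(after);
  return {
    hosts: next.hosts.filter((h) => !prev.hosts.includes(h)),
    scripts: next.scripts.filter((s) => !prev.scripts.includes(s)),
  };
}

// Constructed manifests for two versions of a hypothetical extension.
const v1 = {
  manifest_version: 2,
  name: 'Example Resizer (constructed)',
  version: '1.0',
  permissions: ['tabs'],
};
const v2 = {
  manifest_version: 2,
  name: 'Example Resizer (constructed)',
  version: '1.1',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
  content_scripts: [
    { matches: ['<all_urls>'], js: ['3rd-party/example.js'] },
    { matches: ['https://example.com/*'], js: ['site.js'] },
  ],
};

console.log(JSON.stringify(addedByUpdate(v1, v2), null, 2));
```

Any script file it lists is one to read before trusting the new version, because it runs inside every page the browser loads.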
Wow, I had noticed the clickjacking of my Google result links (to ecolink) but had no idea who/what was doing it. Very glad this mystery is finally solved! Thanks for posting this.
[+] [-] 8ig8|12 years ago|reply
http://www.reddit.com/r/YouShouldKnow/comments/1snyyl/ysk_th...
Also, alternative as discussed on SO:
http://stackoverflow.com/questions/20775775/alternative-to-c...
See it in action:
http://chrisbalt.com/blog/2013/12/20/link-hijacking-through-...
Edit: Related:
http://superuser.com/questions/694825/why-my-google-search-r...
http://windowresizer.userecho.com/topic/353032-did-you-pull-...
[+] [-] chrisbalt|12 years ago|reply
[+] [-] Svip|12 years ago|reply
[+] [-] shurcooL|12 years ago|reply
It could be criticism of the existing system. Or he could have other goals/intentions.
[+] [-] iamartnez|12 years ago|reply
[+] [-] Encosia|12 years ago|reply
[+] [-] charlesism|12 years ago|reply
[+] [-] wfunction|12 years ago|reply
How do you disable this?
[+] [-] jelled|12 years ago|reply
[+] [-] silverlight|12 years ago|reply
[+] [-] Svip|12 years ago|reply
[+] [-] gorhill|12 years ago|reply
[+] [-] gokulk|12 years ago|reply
[+] [-] timmclean|12 years ago|reply
[+] [-] miles|12 years ago|reply
https://chrome.google.com/webstore/detail/window-resizer/kke...
[+] [-] iamartnez|12 years ago|reply
[+] [-] hendersoon|12 years ago|reply
[+] [-] sergiotapia|12 years ago|reply
I don't feel safe using their services anymore.
[+] [-] AJ007|12 years ago|reply
After hearing from other Android devs and what they were getting away with I decided to stick to Apple for a while.
[+] [-] teknover|12 years ago|reply
[+] [-] chrislomax|12 years ago|reply
[+] [-] yen223|12 years ago|reply
[+] [-] chrome-resizer|12 years ago|reply
[+] [-] GrinningFool|12 years ago|reply
[+] [-] nestlequ1k|12 years ago|reply
[+] [-] morgante|12 years ago|reply
[+] [-] csmattryder|12 years ago|reply
Would avoid this developer 100% from now on, Chrome or otherwise.
[+] [-] prafuitu|12 years ago|reply
Read more carefully next time, ok?!
[+] [-] tmikaeld|12 years ago|reply
So I tried it, and sure - I was even able to replace password logins in the DOM with fake ones.
Firefox extensions do the same thing really, so now I only use a few "safe" extensions.
I'm surprised that this hasn't gotten more attention.
[+] [-] spyder|12 years ago|reply
[+] [-] daveid|12 years ago|reply
[+] [-] tracker1|12 years ago|reply
[+] [-] taspeotis|12 years ago|reply
[+] [-] Bud|12 years ago|reply
[+] [-] mparlane|12 years ago|reply
[+] [-] Svip|12 years ago|reply
[+] [-] dec0dedab0de|12 years ago|reply
[+] [-] Erwin|12 years ago|reply
[+] [-] Xdes|12 years ago|reply
[+] [-] chippy|12 years ago|reply
[+] [-] chrisbalt|12 years ago|reply
[+] [-] Chirael|12 years ago|reply
[+] [-] callesgg|12 years ago|reply
[+] [-] siliconviking|12 years ago|reply
"There is no such thing as bad publicity" by Ionut Botizan
(Source: http://productforums.google.com/d/msg/chrome/mlAD1ygc0v0/1MP...)
[+] [-] susi22|12 years ago|reply
https://chrome.google.com/webstore/detail/read-later-fast/de...