Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google Chrome Extension Steals Login Details

kdawson posted about 4 years ago | from the hey-it-was-sitting-there-in-the-dom dept.

Google 155

An anonymous reader sends word of a proof-of-concept Google Chrome browser extension that steals users' login details. The developer, Andreas Grech, says that he is trying to raise awareness about security among end users, and therefore chose Chrome as a test-bed because of its reputation as the safest browser. Grech says he does not doubt that Chrome is a safe browser, but the point is that such an extension could be written for any of them. Grech says he has not uploaded his extension to the Google Chrome repository or anywhere else; but he has published enough details to allow others to reproduce the technique easily.

cancel ×

155 comments

Muslims are barbaric fucks (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#32861240)

These bitches hiding behind the Islamic so-called law are nothing more than cowards and assholes. I hope the good people of the world will band together to rid our society of this blight upon civilization.

Fuck Mohammad, Fuck Allah, Fuck Islam!!!

And if you're a Muslim? FUCK YOU!!!!!

Re:Muslims are barbaric fucks (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#32861258)

Yes, you're right, even if you forgot Christianity and others... but that's a wee bit of topic.

whoever wrote that was a barbaric fuck (0, Offtopic)

blai (1380673) | about 4 years ago | (#32861306)

and proved nothing else

Andreas Grech (2, Insightful)

sycodon (149926) | about 4 years ago | (#32861800)

Someone should illustrate his lack of body armor by shooting at him with a large caliber rifle.

Re:Muslims are barbaric fucks (0, Offtopic)

Anonymous Coward | about 4 years ago | (#32861496)

Clearly you are misinformed. Islam is the religion of peace. In order to protect that peace, detractors of Islam must be brutally murdered. So, if you are against the brutal murdering of detractors of Islam then clearly you are a warmonger; you, sir, disgust me.

How is this different (5, Insightful)

yoyhed (651244) | about 4 years ago | (#32861260)

How is this different than just downloading and installing a program? Chrome (and Firefox for that matter) give you a warning about trusting the source before installing an extension. Does it surprise anyone that allowing malicious code to run on their computer can expose their information?

Re:How is this different (0, Redundant)

Ziekheid (1427027) | about 4 years ago | (#32861274)

True. Nuff said.

Re:How is this different (2, Interesting)

binkzz (779594) | about 4 years ago | (#32861284)

You are correct, and this "news" article is hardly shocking or news. But I do agree that plugins have too many permissions.for all sites that you browse, and that security could be a lot tighter.

Re:How is this different (1)

Jurily (900488) | about 4 years ago | (#32861390)

Does a tight Noscript setup block the attempts of malicious plugins to communicate with malicious sites?

Re:How is this different (1, Interesting)

Anonymous Coward | about 4 years ago | (#32861456)

Definitely not. Noscript only prevents scripts running on web pages.

Re:How is this different (4, Informative)

n0-0p (325773) | about 4 years ago | (#32861672)

NoScript does nothing whatsoever to restrict extensions or plugins. Nor would it even possible for it to do so without a major redesign of Firefox's extension system including the introduction of a security model with trust levels.

Re:How is this different (2, Funny)

Anonymous Coward | about 4 years ago | (#32862346)

NoScript does nothing whatsoever to restrict extensions or plugins.

*gasp* HERETIC!!! This is SLASHDOT, unbeliever! The almighty NoScript and its blessed son FlashBlock are the infallible answers to every single problem you have ever had or will ever have. REPENT! REPEEEEEEENT!!!

Re:How is this different (1, Interesting)

Anonymous Coward | about 4 years ago | (#32861816)

Funny you should mention NoScript, since that's a plugin that's already been involved in its own scandal [hackademix.net] . Not as bad as stealing login information but still a breach of the users' trust.

Re:How is this different (1, Interesting)

Anonymous Coward | about 4 years ago | (#32861362)

Some check boxes showing which permissions the plugin wants, and which permissions you will give it, would be nice, easy, and effective at preventing something titled as a "bookmark enhancer" from stealing your passwords

Re:How is this different (4, Informative)

n0-0p (325773) | about 4 years ago | (#32861682)

Chrome already lists the permissions an extension requests at installation. The UI on that interaction is junk, so you need to be a fairly knowledgeable user to make heads or tails of it, but the information is definitely there.

Re:How is this different (4, Funny)

nacturation (646836) | about 4 years ago | (#32862540)

Maybe what the browsers need is some sort of vetted App Store for extensions, where all submissions are reviewed by a central authority and approved or rejected?

Re:How is this different (1, Insightful)

Anonymous Coward | about 4 years ago | (#32862832)

Like addons.mozilla.org?

Re:How is this different (4, Insightful)

Tom (822) | about 4 years ago | (#32861396)

Does it surprise anyone

Yes, anyone who is not a geek.

Look, to us tech people, these things are obvious. But everyone else out there doesn't have a clue. You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter, or if he does get that idea, that he can't do it. No matter how silly it sounds. This is why our society works, because we can safely use tools without having to be experts in them.

Re:How is this different (1)

rumith (983060) | about 4 years ago | (#32861464)

Yes, but this crap is reported on Slashdot, which is advertised to deliver news for nerds, not plumbers! Hell, this guy didn't even try to upload his exploit to the official extension repository because, as he claims, he "didn't want to exploit the vulnerability and harm end users".
Remember when Google pulled a vulnerability exploit proof of concept app from the Android Market, and purged it from end-user phones? That was a security research project. And this is just an A-grade crap.

Re:How is this different (1)

yoyhed (651244) | about 4 years ago | (#32861466)

What I meant by "does it surprise anyone" is "this is sensationalist BS to the Slashdot crowd". You're correct, but you're also missing my point - that this is about the same as downloading and installing any program, as far as the actions a user has to take to do so.

Clueless people can go install LimeWire just as easily as they can install a bad extension for Chrome. Hell, look at how easy it is to download and install something from IE - try the installer at http://www.google.com/chrome [google.com] in IE8. It's a single click to get the installer running, and subsequently downloading and installing Chrome on its own. Chrome actually has as much security/warning for an extension as IE8 has for any software download coded like Google's installer!

Re:How is this different (0)

Anonymous Coward | about 4 years ago | (#32861556)

Hell, look at how easy it is to download and install something from IE - try the installer at http://www.google.com/chrome [google.com] [google.com] in IE8. It's a single click to get the installer running, and subsequently downloading and installing Chrome on its own.

Firefox and Safari both have methods to initiate installs for setup executables from websites. Chrome is the only browser that does not.

Chrome's inability to perform this (Chrome's developers are publicly against it) is a weakness to be counted against it, IMO. One of the main reasons for the advancement of web apps is the difficulty in getting users to manually download and install executables. It should be a one-click, highly-warned action that only works for signed programs. It should not be a dozen-click operation of hide-and-go-seek.

Re:How is this different (2, Interesting)

yoyhed (651244) | about 4 years ago | (#32861764)

I agree with your sentiments. However, note that in IE it does NOT warn you at all - that's not good. There should be one warning.

However, that's beside my point. I was just demonstrating that Chrome has plenty of warning for installing an extension, and that people should not get their panties in a bunch because *gasp* users ignoring a warning about downloading and installing software from third parties can lead to malicious code execution.

Re:How is this different (0)

Anonymous Coward | about 4 years ago | (#32861914)

I agree with your sentiments. However, note that in IE it does NOT warn you at all - that's not good. There should be one warning.

I think that Google's web installer is using the previously-installed Google Updater 'OneClick' plugin for IE. If it used ActiveX (which it did when GU was not installed) then there would be a very clear, visible warning with the name of the company ("Google, Inc.") at the top of the page.

Re:How is this different (1)

yoyhed (651244) | about 4 years ago | (#32861944)

I could have sworn that it behaves the same on a brand-new install of Windows 7 (and Chrome is usually the very first thing I install). However, I'm too lazy to test it on a VM so you may be right.

Re:How is this different (0)

Anonymous Coward | about 4 years ago | (#32862186)

The easy test is to disable the Google Update Plugin within IE. After visiting the Chrome installer site again, I received this new notice:

http://i32.tinypic.com/sggyo2.png [tinypic.com]

Re:How is this different (1)

yoyhed (651244) | about 4 years ago | (#32862564)

Good call. I should have thought of that. I suppose I remembered it as one click because I mindlessly click through stuff like that when I know what I'm doing.

My argument stands - Chrome gives you a warning for extension installation, so there's nothing to see here; unless it's suddenly news that installing third-party software and ignoring warnings about the possible consequences can lead to theft of information.

Re:How is this different (1)

hitmark (640295) | about 4 years ago | (#32861470)

sad thing is, most non-geeks will not read this unless it happens to land on some front page in scare-types.

and even then they will likely not see the simple solution (be smarter when you browse) and instead hit the government "protect me!" button over and over like a caffeinated squirrel.

Re:How is this different (1)

yeshuawatso (1774190) | about 4 years ago | (#32861484)

You have to design the car so that the user doesn't get the idea of looking into the fuel tank with a lighter

Or, you could educate the user that fire and gasoline don't mix. They don't need to know the chemical reaction side of it, but simply informing them that these two things don't mix shouldn't be too difficult. (I know you were being extreme to prove a point, so was I).

  I find it ridiculous to continually dumb down products. To me, this seems like it will cause a slippery slope to stupidity. What happens if we dumb down the products to the point where people don't know how to create them anymore, or the knowledge is only in the hands of the far and few? I resist the notion that learning should be back-seated for short-term profits. In the long run, people will become too stupid to buy those products and we're stuck with even dumber products.

Case in point, I know what a chainsaw is; I know what it does. I also know that a chainsaw is a dangerous tool. Because of the danger, the risk involved, and my lack of knowledge on proper use, I'm not going to buy a chainsaw, crank it up, and yell timber because the manufacture replaced the pull cord with a button. I will hire someone who knows HOW to use the tool, and to teach me HOW to use the tool before I venture on my own.

Dumbing down products isn't the answer, proper education is the answer, and there's a difference between making things easier, and making them idiot proof.

Re:How is this different (1)

snl2587 (1177409) | about 4 years ago | (#32861532)

I find it ridiculous to continually dumb down products. To me, this seems like it will cause a slippery slope to stupidity. What happens if we dumb down the products to the point where people don't know how to create them anymore, or the knowledge is only in the hands of the far and few? I resist the notion that learning should be back-seated for short-term profits. In the long run, people will become too stupid to buy those products and we're stuck with even dumber products.

Funny thing: how many people do you know in regular society that can put together a lightbulb? How about a microwave? What about the latest iPhone?

Re:How is this different (1)

yeshuawatso (1774190) | about 4 years ago | (#32862982)

Yeah, I should have been more clearer. I didn't mean that the society today can put together their tech and the future won't, but those putting the tech together will be forced to merge into the ignorance because we're making the tech easier for them to create/put together instead of teaching them the long way before the shortcut. Example: A JavaScript programmer gets so used to using jQuery or Prototype that they forget how to do the same task when they don't have access to those libraries. I've seen the same thing happen to high school students who are allowed to use calculators so much they forget how to do the math by hand and head. Realistically, this will probably never happen, but in the event that it does occur, our society might be in trouble if the brawns rid the brains.

Re:How is this different (0)

Anonymous Coward | about 4 years ago | (#32861614)

Or, you could educate the user that fire and gasoline don't mix. They don't need to know the chemical reaction side of it, but simply informing them that these two things don't mix shouldn't be too difficult. (I know you were being extreme to prove a point, so was I).

And when you tell them that simple repetition, they don't realize that fuel can be ignited by a random spark, or a nearby lighter, or even "harmless" static electricity. The problem is, even your approach is ultimately a dangerous simplification.

Re:How is this different (1)

Tom (822) | about 4 years ago | (#32861706)

Or, you could educate the user that fire and gasoline don't mix.

Yes, and to only walk on green, and to install antivirus, and to have safe sex, insurance, not go into certain parts of town, keep the car in working condition, verify their patch level is current, check all money for forgery is easy as well, and two million other things.

There is only so much that a human brain can actually act on. Storage is not the problem, recall is. Sometimes, the right decision is to educate people, but it is not a panacea. If it is easier to simply design in a safety than to educate everyone and keep them educated, then building in the safety is the proper thing to do.

Also, often these things go hand in hand. I still don't understand why current operating systems don't indicate the priviledge level an application is running at by, say, a coloured border. You'd still need to educate people on what it means, but a fairly simple safety gives them a lot more options than the stupid "well, you could open a console and run ps" geek solution.

What happens if we dumb down the products to the point where people don't know how to create them anymore, or the knowledge is only in the hands of the far and few?

That's a philosophy that has never worked in all of human history. Sorry to say that. We always start out with new technology that only a few understand, be it fire, mathematics, science, cars or computers. At first, you need to be an expert just to use it. But then the rest of humanity wants a piece of the cake, too. That's when we "dumb down" the technology. Actually, it is not dumb at all, it is making it useable. I've written Linux kernel modules, and still I enjoy a good user interface design, because it makes my work easier, and more often than not I use the computer to actually accomplish something, not to mess with its interiors.

I don't see a dictatorship anywhere just because we have put fire into light bulbs instead of torches, and give people lighters instead of teaching them how to use flintstone.

Really, if you want to tinker with something, why not flat out say that you enjoy the tinkering? Why try to make it political?

Re:How is this different (1)

yeshuawatso (1774190) | about 4 years ago | (#32862874)

I'm not trying to make this political, I'm just expressing my opinion (the only one I can give [yes, opinions are like...]).

But to answer some of your questions:

I still don't understand why current operating systems don't indicate the priviledge level an application is running at by, say, a coloured border. You'd still need to educate people on what it means, but a fairly simple safety gives them a lot more options than the stupid "well, you could open a console and run ps" geek solution.

This isn't dumbing the OS down, it's creating a different translations/interpretation. However, making all applications run at a root or guest level because informing the user about permissions is too difficult is dumbing down the software. This is one of the best features about Linux. If you're going into root, then you most likely know what you're doing. Otherwise, you stay at the user level and sudo your way down if needed. MS got this wrong until Windows 7. XP Home gave anyone admin run rights and Vista didn't give any.

I've written Linux kernel modules, and still I enjoy a good user interface design, because it makes my work easier, and more often than not I use the computer to actually accomplish something, not to mess with its interiors.

But this isn't dumbing the tech down, as you're probably still doing the same action, just in a different way. I can type up a business plan in VI all day long, or I can use a word processor with a more usable GUI to work faster. But I understand why I'm using the WP vs VI. The problem with our society today is we're dumbing our tech to match the ever lowering intellect. This isn't so much a problem in other parts of the world as it is here in the US.

I'm not talking about safety here, I'm talking about reducing our technology down to the point where the stupid are able to use it-- ONLY for the sake of profit. The motor vehicle is a marvelous technological breakthrough that reduced the time it took one to travel from one point to the other. However, it's also a moving death trap in the hands of the uneducated. Because it's so dangerous, every State in the US has a law that requires you to take an exam to ensure, to some degree, that you understand not only the rules of the road, but also how to operate the moving death box; only to reduce the chances of harming yourself and others. However, when we make the cars so that idiots receive less and less harm when in an accident, we have more and more wrecks. It's one of the reasons I admire roundabouts and traffic circles. Instead of providing traffic signals that people try to race with, ignoring the signs of a roundabout can be pretty unhealthy.

Now, don't equate that we need the government's blessing to use a browser and the internet, but I don't think we should shield the stupid who refuse to read the warning signs. I say keep doing what we're doing and at least keep a lot of /.'s with steady employment fixing Windows. Educate the ignorant, don't protect them.

Learn enough to know your limits. (1)

SanityInAnarchy (655584) | about 4 years ago | (#32863162)

It's not about memorizing facts, or about recalling something, it's about knowing what you know and what you don't know. I don't know how to use a chainsaw properly, but I know enough to know that I don't know, and that I would need to learn how or I'm going to get hurt.

If it is easier to simply design in a safety than to educate everyone and keep them educated, then building in the safety is the proper thing to do.

That's true, if the safety has no downsides whatsoever. Otherwise, it bears more discussion.

For example, the iPhone and the Great Firewall of China [wikipedia.org] , both of which claim to be making things more secure and stable for you by removing your choice. Even if the iPhone is more secure for the kind of user who would download BonziBuddy [wikipedia.org] , I don't think it's worth it, and this is exactly what is meant by dumbing down. Compare that to your idea:

I still don't understand why current operating systems don't indicate the priviledge level an application is running at by, say, a coloured border. You'd still need to educate people on what it means, but a fairly simple safety gives them a lot more options than the stupid "well, you could open a console and run ps" geek solution.

But for this to work, you need to educate people on a hell of a lot more than "Here's a colored border." You need to educate them on what privilege separation means, why they might trust or not trust a given program, why they should trust things as little as possible, etc.

It requires fundamental education, much like you'd get from driver's education, to be truly useful. Yes, we should include antilock brakes, but those cannot be a substitute for knowing something about hydroplaning and ice.

You don't need to know how to change your oil -- you can pay someone else to do that. You don't even need to know how often to pay someone else to change your oil. You just need to know that cars occasionally need maintenance, and that before buying a car, you should learn what you need to know to maintain it.

To bring it back to the original "fire" example: If there are no disadvantages, we should make it so no one wants to look into their gas tank with a lighter. But there's a limit to how much idiot-proofing you can do. If you don't teach people that fire and gasoline don't mix, or about flammability in general, stupidity will find a way. [youtube.com]

Re:How is this different (0)

Anonymous Coward | about 4 years ago | (#32861634)

Wrong analogy.

It's more closer to your average Joe picking up strangers when driving their cars.

Sometimes you get the chance to screw your pick-ups, while at times you risk yourself getting screwed.

Re:How is this different (1)

Spyware23 (1260322) | about 4 years ago | (#32861806)

Does it surprise anyone

Yes, anyone who is not a geek.

Look, to us tech people, these things are obvious.

Please, most people (>90%) posting on Slashdot are perfectly ignorant of how security works. Don't toot your/our horn too much.

Re:How is this different (0)

Anonymous Coward | about 4 years ago | (#32861902)

"This is how our society works, we have to make tools that can be safely used because we're not experts in them."

Fixed.

(Your own examples explain why it needed to be fixed.)

Re:How is this different (1)

Yvanhoe (564877) | about 4 years ago | (#32862394)

Because, obviously, the average user who apparently is not able to read a warning on his computer screen is likely to go look for information on security blogs...

Re:How is this different (0)

m0interactive (1250788) | about 4 years ago | (#32861444)

I laughed how a tech blog stated it as a "flaw" how could this be a flaw? It is a feature, extension developers can inject content scripts to any websites. And yes, that extension script can listen to keystrokes, and other events. That is part of the extension API. Unfortunetly many users don't understand the risk of installing third party app, but as Yoyhed stated, they give you a warning which is clear about that risk.

Re:How is this different (0)

Anonymous Coward | about 4 years ago | (#32861576)

How is this different than just downloading and installing a program?

It was different for ActiveX, wasn't it? Holy bias, Slashdot.

Re:How is this different (1)

yoyhed (651244) | about 4 years ago | (#32861846)

The problem with ActiveX was not the possibilities for malicious software, it was that it executed without warning until what, IE6 SP2? Even then there were ways around it if I remember correctly.

Chrome gives you a clear warning for installing extensions. Chrome also runs each process in its own sandbox, unlike the security nightmare that was IE back in the ActiveX glory days.

And of course I'm biased toward clearly better software (in this case, Chrome vs. IE).

Re:How is this different (1)

helix2301 (1105613) | about 4 years ago | (#32863288)

I agree this is not breaking news. We know malicious software can steal your information for any geek this is not anything new.

Re:How is this different (3, Informative)

scamper_22 (1073470) | about 4 years ago | (#32863440)

We, developers take it as a given that programs (and thus extensions) should be able to do anything. Arbitrary code if you will.
If you actually think about it, it's a little nuts. You download an application, and it could reformat your harddrive.

Truth be told, even we programmers simply rely on 'trust' that the various programs and extensions aren't doing anything evil.
I don't go through every line of source code. I trust the developers. I trust a popular program. But it really is just that... trust.

Now the OS does prevent somethings to enhance trust. There are file permissions for example.

Other web technologies have other security. Silverlight for example can open local files... but the user has to manually select it via the windows file dialog. You can't program in a file location.
They were smart enough to not just take the Active X approach were 'just because you visit this website and run the application, it can do anything'. They build limitations into the environment.

So what safeguards does a browser provide?
Well, password information is crucial. Quite frankly, any application that even attempts to access a password field should be blocked... unless the user explicitly understand this. And I don't mean some generic warning message that applies to every extensions.

And so the point is... extension are no different than downloading and installing a regular program... but they bloody well should be!

OK... (4, Insightful)

The MAZZTer (911996) | about 4 years ago | (#32861266)

He's just doing basic stuff here with that extension. When you try to install any extension Chrome throws up a warning that the extension can access your personal data on whatever sites the extension author has requested access to in the manifest.json file. Ignore that warning at your own peril, especially if it doesn't match with what the extension description says it should do.

Lots of extensions inject content scripts. Lots of extensions do random AJAX calls to random sites that the user doesn't have open in a tab. That he put the two together to steal data is hardly revolutionary.

The only problem I see is that if the author specifies enough websites in their extension permissions, Chrome truncates them to "multiple sites" which is a bit ambiguous.

Standard abuse of trust. Is this /. worthy? (2, Insightful)

Anonymous Coward | about 4 years ago | (#32861286)

Guy learns to program, abuses trust of software users. Film at 11?

Evidence (0)

Z00L00K (682162) | about 4 years ago | (#32861292)

Evidence exists that browser plugins and extensions are providing a lot of leaks and possibilities for intrusions.

So avoid installation of unnecessary problems by not installing anything else than really necessary extensions for your browser activities. What browser manufacturers needs to consider is how to improve security related to extensions and plugins. One way is to make sure that the plugins and extensions run in isolated subprocesses with lowest necessary privileges.

Re:Evidence (1)

Khyber (864651) | about 4 years ago | (#32861900)

"Evidence exists that browser plugins and extensions are providing a lot of leaks and possibilities for intrusions."

*coughFLASHcoughJAVASCRIPTcoughACTIVEXcough*

UGH! When are you going to learn?? (-1, Troll)

countertrolling (1585477) | about 4 years ago | (#32861300)

Chrome is NOT safe. It is delusional to believe otherwise.. Can you say "keylogger"? Jeeze! Talk about a trap and you suckers are falling right into it, in fact you're jumping into it... Trusting Google to protect privacy is so very naive.. Just look at how they appease the Chinese government to make a buck. And everywhere else, all their spying is "inadvertent".. Uh huh... Riiiight

Re:UGH! When are you going to learn?? (0)

Anonymous Coward | about 4 years ago | (#32861366)

Just look at how they appease the Chinese government to make a buck.

You mean like how they refuse to censor their search results?

Re:UGH! When are you going to learn?? (2, Interesting)

countertrolling (1585477) | about 4 years ago | (#32861412)

They ARE censoring their search results. And they are doing that everywhere, not just China. What makes you think they aren't? Because they say so? Please... stop

Re:UGH! When are you going to learn?? (1)

insertwackynamehere (891357) | about 4 years ago | (#32861462)

[citation needed]

I really hate to do this but unless you can back that up, then please...stop

Re:UGH! When are you going to learn?? (1)

countertrolling (1585477) | about 4 years ago | (#32861476)

*sigh [google.com] *

We're #4! (1)

AnonymousClown (1788472) | about 4 years ago | (#32861524)

Take that Europe and your wimpy less than 10! Hah! We're so much better than you!

USA! USA! USA! USA!

Uh, wait a minute.

Re:We're #4! (1)

RoFLKOPTr (1294290) | about 4 years ago | (#32861548)

That's not less than 10 in all of Europe. That's less than 10 for every one of those European countries listed (and 59 for the UK, and 188 for Germany, and 57 for Italy, and 32 for Spain... totalling much more than 123 for the United States for a lot fewer citizens than the United States). How is this at all relevant, anyway?

Re:We're #4! (1)

countertrolling (1585477) | about 4 years ago | (#32861624)

Guess you didn't notice the red question mark over China. That's what we call censorship at their "request".. Relevant now? And it all goes back to my original premise that Google cannot be trusted with anybody's privacy, unless you happen to have the power of the state backing you up.

Re:We're #4! (1)

RoFLKOPTr (1294290) | about 4 years ago | (#32863136)

Relevant now?

Not really. Google isn't telling you what information they're distributing... only that they're distributing information. You know they're distributing information to China just like they're distributing information to every other country Google has operations in. Google knows that you know this, and Google knows that anybody with any sense in their head won't need the exact number to know that Google is doing this (and that's why they make the question mark red and noticeable... if they wanted to hide it, they'd probably use a fake number or something). Hiding the exact number of Chinese government requests is a fairly small price to pay for an incredibly large slice of the Chinese money pie.

And yes, Google is a corporation, and a corporation's primary objective is to make money. It would be incredibly foolish to do something that would make China kick Google out... especially if that thing is simply posting a little number that nobody actually cares about for the sake of making some nerds on Slashdot happy.

Re:We're #4! (1)

countertrolling (1585477) | about 4 years ago | (#32863274)

The question mark is there to show us they acceding to China's wish that they not reveal "state secrets". They have stated as much. I never said they're trying to hide it. All I'm saying is that they are untrustworthy for the user, and their software is suspicious. They filter (and possibly misdirect) what you're searching for, and they try to track your every move. It's easy to block, but they are making the effort. And the fanboi-ism is also as extreme as with Apple. I hope that somebody with the resources is performing an in depth investigation.

Re:UGH! When are you going to learn?? (0)

Anonymous Coward | about 4 years ago | (#32861726)

Google's USA removals are for copyright infringement, and, when issued by the courts, part of public record. The other USA removals are also for copyright infringement, as infringement is the only means [google.com] for non-government persons to submit a takedown request.

countertroll, more like megatroll.

Re:UGH! When are you going to learn?? (1)

countertrolling (1585477) | about 4 years ago | (#32861844)

The reasons make no difference. They are censoring.. Oh, and fuck copyright! Its sole reason for existence is censorship.

Re:UGH! When are you going to learn?? (0)

Anonymous Coward | about 4 years ago | (#32862098)

Yes, there is a difference. When censorship is used to control opinion and enable oppression, there is a vast difference. Limitations on freedom of information (note: I said "limitations" -- this is NOT censorship [wikipedia.org] ) are not the only restriction that applies here; consider the controversial hate speech laws, or even privacy laws, for example. Nothing is truly free, and not all government authority is inherently bad.

Re:UGH! When are you going to learn?? (1)

countertrolling (1585477) | about 4 years ago | (#32862144)

controversial hate speech laws = censorship

copyright = censorship

And in direct violation of the 1st Amendment

You are wrong.

...not all government authority is inherently bad.

In this case it is.

Re:UGH! When are you going to learn?? (0)

Anonymous Coward | about 4 years ago | (#32862418)

I said controversial because opinion of hate speech laws is not uniform within the USA, and, more importantly, laws differ significantly for hate speech within the EU. I'm not arrogant enough to believe that my laws (the USA's) are instrinsically superior -- I can see merits for both arguments.

In any case, I don't care to argue for opinion on infringement or government or freedom. I only wanted to make clear the difference between censorship and regulation, because your posts were an insult to those actively fighting for equal human rights recognition across the world.

Re:UGH! When are you going to learn?? (1)

countertrolling (1585477) | about 4 years ago | (#32862466)

You cannot acquire any rights through censorship. Any and all regulation of speech is censorship.

Re:UGH! When are you going to learn?? (1)

countertrolling (1585477) | about 4 years ago | (#32861644)

Troll??? HAHAHAHA!

Fanbois to the rescue [youtube.com] ...

tl;dr (0)

Anonymous Coward | about 4 years ago | (#32861302)

tl;dr: When Chrome says an extension has access to your data on all sites, it means that extension has access to your data on all sites.

In other news ... (4, Funny)

gdshaw (1015745) | about 4 years ago | (#32861310)

... a proof-of-concept Google Chrome browser extension that steal users' login details.

That's nothing. Wait till you see my research on what's possible when you get the user to install a malicious kernel module ...

Re:In other news ... (1)

Nemilar (173603) | about 4 years ago | (#32861386)

I get your point (that a kernel module, being low-level, gives you greater access), but I think a malicious browser extension is worse.

* It's a lot less likely that a user will install a malicious kernel module, as compared to a browser plugin.
* It's a lot easier for someone with bad intentions, a few hours, and a little coding experience to write a browser plugin, than it is for them to write a kernel module.
* It's much easier to distribute a plugin, and the install base is much greater.
* The signal/noise ratio of data you would want to steal is much more attractive for a browser plugin, than it would be inside the kernel.

Re:In other news ... (1)

hitmark (640295) | about 4 years ago | (#32861500)

and this is why i dont worry much about rootkits for home computers, as even access to just the users account will likely expose a whole lot of valuable data to whoever wants it. so if one want more security the valuable data should be accessed by way of an account that only do so, and have no real contact with the everyday user activity.

heck, was there not talk about a livecd specifically for banking?

Re:In other news ... (1)

gdshaw (1015745) | about 4 years ago | (#32861562)

You're reading too much into my subtle sarcasm: I was merely suggesting that this is a highly unsurprising result. All that has been discovered here is a special case of the rule that your security is at risk if you download and execute malicious code.

Re:In other news ... (0)

Anonymous Coward | about 4 years ago | (#32861946)

What's interesting is the perception even on first FA's site that this is a security hole that should be patched by Google. They don't get that it's a trusted source type issue, though the coder does.

This sort of thing on /. isn't News For Nerds in the sense of technical revelation, it's NFN about how the world outside is perceiving things. Kinda a useful "heads up" about the kind of questions you're going to be getting next week from friends and family.

Re:In other news ... (1)

hilather (1079603) | about 4 years ago | (#32861632)

... a proof-of-concept Google Chrome browser extension that steal users' login details.

That's nothing. Wait till you see my research on what's possible when you get the user to install a malicious kernel module ...

I can't wait to see how long the instructions for installing your kernel module will be. Remember you have to /trick/ a regular user.

Re:In other news ... (1)

gdshaw (1015745) | about 4 years ago | (#32861906)

OK, let me explain. The kernel module was what's known as a 'rhetorical device' intended to illustrate a point. The point was that writing a program do commit a dastardly deed, then executing it in a context where it has permission to commit that dastardly deed, is (a) not news, and (b) not even a security violation.

Super secret security advice... (1)

christoofar (451967) | about 4 years ago | (#32861314)

Is this different than someone deciding to run a bash script that wipes their hard drive, as root?

So you can install an extension that's bad. Like you can open an e-mail attachment that's bad. Like you can open a programmable document that has a bad macro.

Seriously, where's the security concern? Don't install crap extensions and you won't have your passwords stolen through crap extensions. Easy enough?

Sandbox? (1)

drolli (522659) | about 4 years ago | (#32861322)

how about a sandbox? How about stealing some Ideas from java? I think one can introduce a "Wants to read password" exception" or a "wants to transfer data outside" exception. And at least firefox points out to me that installing extensions requires thrusting the author

Re:Sandbox? (4, Funny)

christoofar (451967) | about 4 years ago | (#32861352)

I think you might also risk catching something if you're *thrusting* the author.

Re:Sandbox? (1)

symes (835608) | about 4 years ago | (#32861384)

For your average user, sometimes it is enough for a piece of software to come with a note saying that installing this app is absolutely essential. So the question is, do we harden the browser or do we harden the user? The latter is impossible, and thinking otherwise is potentially negligent. Seriously, people have tried suing burger chains because they got fat on burgers and chips. People have tried suing bar owners because they drank too much and crashed their car. The depths of stupidity know no limits. So the only realistic solution is some kind of sandbox. That or some sort of virtual eugenics programme where you have to pass tests in order to get online.

Re:Sandbox? (1)

selven (1556643) | about 4 years ago | (#32861440)

The Chrome extensions system has the concept of permissions, where an extension must list the special permissions it needs in its manifest.json file. If the extension requires special permissions, the user is warned. If the extension tries to do something requiring permissions without asking for them, it fails. One comment in TFA says that the proof of concept extension given does require permissions. If that's true, then this is a nonstory, since it would be just as hard to get in by convincing the user to download an extension as it is to get in by convincing the user to download a program.

Re:Sandbox? (1)

icepick72 (834363) | about 4 years ago | (#32861508)

Whooaaa buddy! ... you can imagine thrusting the author in a sandbox all you want but let's keep this discussion clean.

Re:Sandbox? (1)

n0-0p (325773) | about 4 years ago | (#32861736)

It's just sad that you find it perfectly acceptable to comment like this on an application you obviously know absolutely nothing about. Chrome actually does run extensions in a sandbox. It also warns on installation of an extension, and explains what permissions that extension requires. If an extensions attempts something require a privilege that wasn't in its installation manifest the operation fails. As I said in another comment, the UI has issues and could certainly be improved, but the fact is that Chrome currently does everything you just implied it fails at.

Any plugin or extension is a privacy & sec ris (0)

Anonymous Coward | about 4 years ago | (#32861326)

Any and every plugin for a browser is a security or the very least a privacy risk. You don't have to just look at Acrobat for so many security risks and flash for the enoumourous privacy risk. Atleast on my browser, I can't delete flash cookies using the GUI.

Atleast plugins/extensions can be disabled, but what about javascript? What about privacy leaks from JS?

Re:Any plugin or extension is a privacy & sec (1)

icebraining (1313345) | about 4 years ago | (#32862084)

I don't know of any browser that can't disable JS. With NoScript you can even do it on a per domain basis.

"For now.,," (4, Insightful)

John Hasler (414242) | about 4 years ago | (#32861388)

> For now, only install plugins from people you know and trust...

Um, "for now"?

Re:"For now.,," (0)

Anonymous Coward | about 4 years ago | (#32861432)

Well, "for now" there is not much possibilities aside from that. But in a "hopefully" near future, we'll get some easy to use and easy to set-up security for thingslike extensions and plugins, so we'll be able to ignore the "people you know and trust" part. Except for, you know, unexpected flaws in said security.

Re:"For now.,," (1)

AnonymousClown (1788472) | about 4 years ago | (#32861540)

Well, "for now" there is not much possibilities aside from that. But in a "hopefully" near future, we'll get some easy to use and easy to set-up security for thingslike extensions and plugins, so we'll be able to ignore the "people you know and trust" part. Except for, you know, unexpected flaws in said security.

How? If you're going to use, let's say, a password and userid manager, you pretty much have to accept that the plugin is going to be storing and accessing that shit. Unless Google develops an API that acts as a secure black box - developer uses an API for passwords and UIDs and any other private type of information so that he has no access, a user will have to accept some loss of security for convenience. Then there's the issue of auditing the plugins for compliance.

Erm, news? (3, Insightful)

thePowerOfGrayskull (905905) | about 4 years ago | (#32861426)

So, he created a plugin that let him do what the plugin architecture is designed to allow him to do? I'm not sure how this is newsworthy...

You mean my computer is a general purpose machine? (1)

calmofthestorm (1344385) | about 4 years ago | (#32861486)

capable of running whatever code I instruct it to? Waah, I want big government/big business to protect me!

Seriously though, this isn't news. Extensions are intended to be general purpose, and in order to be powerful enough to do what you want, some risks are taken. I suppose you could take a partial sandboxing approach such as BitFrost or that taken in Android to warn users of what permissions are being requested (and mitigate the effect of expoits), but there's a tradeoff between functionality and safety.

What is this browser safety you speak of? (2, Insightful)

nickdwaters (1452675) | about 4 years ago | (#32861554)

Security is only as effective as the experience and intelligence and of the user. You can't fix stupid. - Ron White

Please point me to similar vulnerability on iPhone (0, Flamebait)

Brannon (221550) | about 4 years ago | (#32861652)

Oh. I guess your point is that iPhone users are smarter than everyone else. My mistake.

Re:Please point me to similar vulnerability on iPh (1)

nickdwaters (1452675) | about 4 years ago | (#32861738)

I was under the impression we were talking about Google Chrome and how an add-on has the capability of capturing user data / ids and passwords!

yep, and... (1)

Brannon (221550) | about 4 years ago | (#32861780)

your original post claimed that these types of security holes were inevitable, the only way to combat them is with informed and careful users.

I countered that another way to counter them (even with uninformed and un-careful users) is to place all your users in a padded room which locks from the outside.

Re:Please point me to similar vulnerability on iPh (0)

Anonymous Coward | about 4 years ago | (#32861850)

You're joking right? Apple just patched the iPhone against almost 70 publicly reported security vulnerabilities [itproportal.com] that were up to a year old. The list included a huge range of code execution, origin bypass, and privacy disclosure bugs in Safari alone. And any moron watching the WebKit commit logs in the last year had a PoC and exploit roadmap for those particular vulnerabilities. Why do you think the iPhone got hacked at pwn2own [zdnet.com] this year, and why do you think so many large corporations refuse to support the iPhone in their enterprise?

So, I'm not getting your smug superiority here when we're talking about intentionally installing a malicious extension in Chrome versus getting owned just for using an iPhone.

Still waiting for a link... (1)

Brannon (221550) | about 4 years ago | (#32862708)

to some malicious extension or application available for the iPhone. My whole point is that it is possible to protect against clueless users installing a malicious app if you have a closed centrally managed app store. The GP post claimed that the only protection was user education.

Oh, and Chrome is built on top of WebKit also, genius.

Re:Still waiting for a link... (0)

Anonymous Coward | about 4 years ago | (#32862782)

My whole point is that it is possible to protect against clueless users installing a malicious app if you have a closed centrally managed app store.

Seriously, you think that Apple can protect you against an intentionally malicious third-party app, when they can't even address basic vulnerabilities in their core platform? I find your faith severely misguided.

Oh, and Chrome is built on top of WebKit also, genius.

Wow, that point just flew right by you. Chrome runs WebKit in a sandbox and still pushes out security updates every few weeks. Meanwhile Apple runs WebKit without any restrictions and they take up to a year to patch the same vulnerabilities. To me it's pretty clear which platform is safer.

FF before version 2 (1)

roman_mir (125474) | about 4 years ago | (#32861612)

I wrote an extension to FF long ago that was reading any form field at all, including password fields and was able to send this information to any address on the web via an http call. Starting from FF version 2 the method I used to read the form field (basically enumerating the form input fields with javascript) could no longer read the password field from a form.

In other news ... (3, Insightful)

GNUALMAFUERTE (697061) | about 4 years ago | (#32861714)

Executing arbitrary code downloaded from the internet might lead to arbitrary code execution. Not news.

The real question here is... (1)

avatar139 (918375) | about 4 years ago | (#32862142)

...WHY Google allows so much potential access of personal data to installed Extensions?!

I mean every time I tried to install an extension on Chrome I got the warning that it could potentially access my user data and or browser history, and I still don't see any reason that extensions should (even potentially) be allowed access to that information!

Responsible Disclosure (0)

Anonymous Coward | about 4 years ago | (#32862544)

Maybe Tavis should responsibly disclose this vulnerablity. We can then expect the fix in less than 5 days

this is excellent (0)

Anonymous Coward | about 4 years ago | (#32862768)

It will make my job so much easier.

Not only stupid, but detrimental (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#32863146)

This angers me, because I'm working on a Google Chrome extension right now, and people reading this article will be pointlessly paranoid of giving my extension a chance. The author of this article not only lacks common sense, but knows enough about technology that he's actually detrimental to those who don't.

Untrue that this could be written for any browser (1)

gig (78408) | about 4 years ago | (#32863552)

Safari on iOS (iPad, iPhone, iPod) doesn't have extensions. On iOS, instead of an extension, the developer just creates a whole other browser, and that has to be audited to be deployed. Although you may be able to write this for Safari on Mac/Windows, those extensions have to be signed to run, and signatures can be revoked immediately, so even if you got this deployed, at the first sign of trouble it stops running on 100% of systems. There is very little point in tagging a wall that can repaint itself instantly.

One problem with modern communication is the tendency to paint with too broad a brush. You found an attack vector in Chrome, that is real work, a scientific result. Don't fuck that up those hours of work by spending 1 second trumpeting an assumption that it works everywhere else. Either do the work to create the same extension on all other browsers or don't even fucking mention any other browser.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...