Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Chrome Web Store. Show all posts

Brave Disabled a Chrome Extension Linked to Facebook Users

 

Last week, security analyst Zach Edwards stated how Brave had restricted the L.O.C. Chrome extension citing concerns it leaked the user's Facebook information to the third server without warning or authorization prompt. An access token used by L.O.C. was obtained easily from Facebook's Creator Studio online app. After retrieving this token — a text thread made up of 192 alphanumeric characters – from the apps, the chrome extensions can use it with Facebook's Graph API to get data about the signed-in user without being a Facebook-approved third-party app. 

The concern is whether this type of data access could be exploited. Without the user's knowledge, an extension using this token could, copy the user's file and transmit it to a remote server. It might also save the user's name and email address and use it to track them across websites. According to a Brave official, the business is working with the programmer to make certain changes — most likely an alert or permission prompt – to ensure the extension is appropriate in terms of privacy and security. 

In September 2018, Facebook announced a security breach impacting nearly 50 million profiles, it blamed criminals for stealing access tokens supplied by its "View As" function, allowing users to see how the profiles appear to others." They were able to steal Facebook access tokens, which subsequently used to take over people's accounts," said Guy Rosen, Meta's VP of Integrity.

Cambridge Analytica accessed people's Facebook profiles using a third-party quiz app which was linked to the social media platform. One would assume a quiz app won't disclose your Facebook profile information with others, and a Chrome extension won't do the same. Despite Facebook's assurances, some steps must be taken to prevent a repetition of the Cambridge Analytica scandal, the Creators Studio access tokens in the hands of a malicious and widely used Chrome extension might lead to a rerun of history. 

Part of the problem is Google's Chrome extensions seem easy to corrupt or exploit, and Meta, aside from reporting the matter to Google, has no immediate ability to block the deployment of extensions which abuse its Graph API. The Creator Studio token is detailed to the user's session, according to a Meta representative, meaning it will terminate if the extension user signs out of Facebook. And, if the token hasn't been transferred to the extension developer's server, as looks to be the situation with the L.O.C. extension, uninstalling it will also result in the token expiring. 

Meta has asked Google to delete the extension from the Chrome Web Store once more and is looking into alternative options.

Attention! Fake Extensions on the Chrome Web Store Again!


Reportedly, Google was in the news about having removed 49 Chrome extensions from its browser’s store for robbing crypto-wallet credentials. What’s more, after that, there surfaced an additional set of password-swiping “extensions” aka “add-ons”, which are up for download even now.

Per sources, the allegedly corrupt add-ons exist on the browser store disguised as authentic crypto-wallet extensions. These absolutely uncertified add-ons invite people to fill in their credentials so as to make siphoning off them easy and the digital money accessible.

Reports mention that the security researchers have affirmative information as to 8 of the 11 fake add-ons impersonating legitimate crypto-wallet software being removed including "Jaxx Ledger, KeyKeep, and MetaMask." A list of “extension identifiers” which was reported to Google was also provided.

Per researchers, there was a lack of vigilance by the Google Web Store because it apparently sanctions phisher-made extensions without giving the issue the attention it demands. Another thing that is disturbing for the researchers is that these extensions had premium ad space and are the first thing a user sees while searching.

According to sources, much like the Google Play Store with malicious apps, the Google Web Store had been facing difficulty in guarding itself against mal-actors. There also hadn’t been much of a response from their team about the issue.

One solution that was most talked about was that Google should at the least put into effect mechanisms in the Chrome Web Store that automatically impose trademark restrictions for the store and the ad platforms in it.

Per sources, Google’s Chrome Web Store “developer agreement” bars developers from violating intellectual property rights and also clearly mentions “Google is not obligated to monitor the products or their content”. Reports mention that as per the ad policy of Google, it could review trademarks complaints from trademarks holders only when it has received a complaint.

Google heeding all the hue and cry about the extensions did herald more restrictions with the motive of wiping away traces of any fake extensions and spammers creating bad quality extensions that were causing people trouble.

The alterations in the policy will block the spammers and developers from swarming the store with similar extensions and elements with questionable behavior. Word has it that because of hateful comments the Chrome Web Store was “locked down” in January.

But, as promising as it may be, allegedly Google has been making such promises about the Chrome Web Store security strengthening for more than half a decade. So no one can blame researchers for their skepticism.

Google Stops Displaying Security Warnings in Microsoft Edge, No Longer Recommends Switching to Chrome


Google has stopped advising Microsoft Edge users to switch to Chrome for a more secure experience as the browser extensions crafted for Google's Chrome web browser are also suitable for the new Microsoft's new Edge browser based on Chromium.

It appeared like Google stoked the flames of browser wars when it subtly encouraged Edge users to shift to Chrome by displaying warnings of potential security threats. The alert displayed by Google read that it "recommends switching to Chrome to use extensions securely". A developer at Edge revealed that the new Microsoft Edge is designed to effectively safeguard its users from malicious extensions, that said, Edge already had Windows Defender Smart Screen and Unwanted Application protection built-in.

Whenever a user visited the Chrome Web Store via the new Microsoft Edge, Google displayed a message in yellow at the top of the webpage recommending users to switch to Chrome in order to use extensions with added safety. However, seemingly, as soon as Google realized that greeting users with a warning message which clearly implied that Microsoft Edge is less secure of a browser is not making them look good, the tech giant softened and decided to take the alert down. Not only that, Google went a step ahead and replaced the previously displayed warning with a fresh one that tells users that now they can add extensions to Microsoft Edge from the Chrome Web Store.

However, still, officially only a few extensions are supported by Microsoft Edge as the installation of all these extensions for the first will seem to be a bit complex. Users need to enable 'allow extensions' from other stores via the settings page. On attempting to do that, Microsoft warns that it doesn't verify extensions downloaded from third-party stores and cautions that doing the same may cause performance issues in Edge. Then it suggests users get verified extensions from Microsoft Edge add-ons site. As soon as the users allow extensions by clicking on 'Allow', they will be able to add extensions to Edge from Chrome Web Store.

Attention! The Ad-Blocker Installed In Your Browser May Actually Turn Out To Be a Malware


The co-founder of Ad-blocker Ad Guard as of late has reviewed various ad blockers on the Google Chrome Web Store. The purpose behind being that the Ad-Blocker that the users' may have installed in their browsers may in reality turn out to be a malware.

Posing like the world's most well-known advertisement blocking software, a false extension made it onto the Chrome Web Store and deceived countless of victims into installing what ended up being an exceptionally irritating bit of adware.

A large portion of these extensions are styled to look genuine yet they are really carrying malware in their code, says Andrey Meshkov, the co-founder of the advertisement blocker software Ad Guard, who got inquisitive about the expanding number of knock-off ad-blocking extensions accessible for Google's prominent browser Chrome quite recently.

"Basically I downloaded it and checked what requests the extension was making and some very strange requests caught my attention."

-Said Meshkov in a recent interview with Kaleigh Rogers, who writes for Motherboard.

He additionally found that the AdRemover extension for Chrome had a script loaded from the remote command server, giving the extension engineer the ability to change its functionality without restoring the current code.

In spite of the fact that Meshkov didn't forthwith notice what the extension was really gathering the information for, he said that having a connection to a remote server is perilous on the grounds that it could change the way your browser behaves in many ways, later including that the extension could modify the appearance of the website pages that a user visits.

What's more is that, this by itself is against Google's policy, and after Meshkov expounded on a couple of cases on Ad Guard’s blog, a large number of which had millions of downloads, Chrome removed the extensions from the store.

“For instance, the extension could probably man-in-the-middle all the requests coming from your browser, but it can’t, for instance, read your browser’s encrypted password database, because that is not a privilege that extensions can have,” explained  Yan Zhu, a software engineer who works for the privacy-conscious browser Brave, over a Twitter direct message.

Now while Google rushed to expel the extensions that Meshkov hailed, there is still no legitimate notice about whether the store is still brimming with these sorts of Chrome extensions or not , by and by the users are as yet encouraged to continue  but with caution.

Google Rejecting All Cryptocurrency Mining Extensions Submitted To The Chrome Web Store

Google is taking action against all Chrome extensions that incorporate a cryptographic money mining segment and is banning them from the Chrome Web Store. Up until now, Google had permitted cryptocurrency mining extensions till mining was the extension's just reason, and clients were appropriately informed about this conduct, Google's Extensions Platform Product Manager James Wagner noted in a blog post on Monday .

While the organization has no issue listing extensions with a solitary reason for straightforwardly mining digital coins in the background rather, Google has an issue with the developers uploading and posting Chrome extensions promoting one particular functionality, and furthermore furtively mining digital coins in the background without the client's assent.

In the course of recent months, there has been an ascent in virulent extensions that seem to provide useful functionality at first glance, acknowledged Wagner and this happens he further adds, while the embedded and concealed cryptographic money mining scripts keep running in the background without the user's assent.

 These mining scripts often consume significant CPU resources and can severely impact system performance and power consumption.

"Unfortunately, approximately 90 per cent of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with the company’s policy, of adequately informing users about the full behaviour of a listed extension and have been either rejected or removed from the store," Wagner adds.

Nonetheless Google is further planning to delist every current extension that mines cryptocurrency in "late June" however extensions with "block chain-related purposes other than mining" are still permitted. The ban has nothing to do with ads running mining scripts in the background, yet rather the plans and schemes related with the "unregulated or speculative financial products.”