from Hacker News

We busted a fake Chrome extension that was trying to steal data

by cws on 12/7/18, 2:29 AM with 32 comments

  • by tyingq on 12/7/18, 12:23 PM

    "It's also not clear how any other tool would have detected the long-lived, persistent outbound connection with relatively low bandwidth"

    Perhaps, but this extension could have been stealthier. It was using a plaintext web socket on port 6332. If the extension author had instead gotten a Google Analytics account, and exfiltrated data via encrypted HTTPS GETs to Google servers, it might have never been spotted. That kind of traffic likely happens 24/7 in a typical corporate environment.
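
The heuristic quoted in the comment above, flagging long-lived, low-bandwidth outbound connections, as an added Python example that is not part of this thread or the linked post. The flow records, thresholds and port allow-list are constructed assumptions, not values from the incident.

```python
import ipaddress

# Assumptions made for this example (tune per network):
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_PORTS = {80, 443}      # ports expected for browser egress
MIN_DURATION_S = 4 * 3600     # "long-lived": open for more than 4 hours
MAX_RATE_BPS = 100.0          # "low bandwidth": under 100 bytes/second on average

# Constructed flow records: duration in seconds, byte counts per direction.
SAMPLE_FLOWS = [
    {"src": "10.0.4.17", "dst": "203.0.113.50", "dport": 6332,
     "duration": 41000, "bytes_out": 180000, "bytes_in": 52000},
    {"src": "10.0.4.17", "dst": "198.51.100.7", "dport": 443,
     "duration": 12, "bytes_out": 2400, "bytes_in": 910000},
    {"src": "10.0.4.22", "dst": "198.51.100.9", "dport": 443,
     "duration": 30000, "bytes_out": 90000, "bytes_in": 40000},
    {"src": "10.0.4.30", "dst": "10.0.9.5", "dport": 5432,
     "duration": 86000, "bytes_out": 700000, "bytes_in": 900000},
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def flag_flow(flow):
    """Return the reasons a flow looks like a persistent low-rate channel."""
    # Internal destinations and short connections are out of scope.
    if is_internal(flow["dst"]) or flow["duration"] < MIN_DURATION_S:
        return []
    rate = (flow["bytes_out"] + flow["bytes_in"]) / flow["duration"]
    if rate > MAX_RATE_BPS:
        return []
    reasons = [f"long-lived ({flow['duration']}s) at {rate:.1f} B/s"]
    # The port is supporting evidence only; it never triggers a hit by itself.
    if flow["dport"] not in COMMON_PORTS:
        reasons.append(f"uncommon port {flow['dport']}")
    return reasons

def find_persistent_channels(flows):
    hits = []
    for flow in flows:
        reasons = flag_flow(flow)
        if reasons:
            hits.append((flow["src"], flow["dst"], flow["dport"], reasons))
    return hits

if __name__ == "__main__":
    for src, dst, dport, reasons in find_persistent_channels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}: " + "; ".join(reasons))
```

The constructed flow to port 443 is flagged on duration and rate alone, so the check does not depend on the destination port being unusual.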

  • by kungfufrog on 12/7/18, 4:06 AM

    The blog post was moderately informative/useful and interesting; the marketing brochure website behind it is next to useless, and I can't find anything meaningful about what they actually sell or do. Frustrating follow-up experience for me that reminds me of most enterprise ISVs.

  • by codedokode on 12/7/18, 11:24 AM

    This is a serious issue with Chrome Store. Google doesn't properly warn users that the store is not premoderated and can contain malware. Instead, they have made a colourful positively looking site without necessary warnings.

  • by porlune on 12/7/18, 7:47 AM

    It should be noted that, at one time, Postman was a Chrome extension. They recently deprecated that extension.

    http://blog.getpostman.com/2017/11/01/goodbye-postman-chrome...

  • by empyrical on 12/7/18, 4:47 PM

    Because the visibility of the Arc Welder extension (the one that lets you use Android apps on desktop Chrome) is set to hidden, which hides it from both Web Store and Google searches, there are malicious extensions that take advantage of this and will become the top search result for Arc Welder. And if you don't know where to look, it can be very hard to find the real link for Arc Welder. So as a result, these malicious Arc Welders often get many thousands of installs before being taken down. Very frustrating because even if you report them immediately after they are added, it takes a few days to take them down.

  • by ocdtrekkie on 12/7/18, 4:25 AM

    As of this writing, the malicious "Postman" extension is still available in the Google Chrome extension store and has been downloaded over 27,000 times.

    This is pretty much par for the course, unfortunately.

  • by cws on 12/7/18, 5:32 AM

    Here’s a ZDNet article about the same extension: https://www.zdnet.com/article/industrial-espionage-fears-ari...

  • by kalehrishi on 12/7/18, 3:56 AM

    Black theme of tool makes me chuckle. Wondering how it became the de facto color theme of hacking tools! Only thing missing is neon green.

  • by AznHisoka on 12/7/18, 2:42 PM

    .. and this is what SimilarWeb browser extensions have been doing for 5+ years. Yet Google doesn't seem to care.

  • by m_developer on 12/7/18, 11:00 AM

    Well, that was a fun way to find out you have a malicious app installed in your browser.

    It would be nice to have an overview of what exactly was exported to know the impact of this breach (without having to use reveal(x) myself).

  • by xte on 12/7/18, 7:25 AM

    Generally speaking, anyone can create malicious software disguised in various ways, FOSS projects included.

    However, instead of creating a classic "antivirus" vs "virus" scenario, which we all know doesn't work, my line is: all must be open (hw, sw) and developed in a FOSS way from the start.

    For instance, are you a hw OEM who wants to produce a new GNU/Linux phone? OK, start work on it in a public repo. If your project interests others, many with valuable skills will come to help, perhaps including some bad ones. But the community will protect you: because you publish from the start, the rate of benevolent and interested individuals who follow your project from the start will likely detect any bad guys, far better than any software, heuristic and even "AI" in general terms. After that, you know that the community gives credit, so if the project is successful people will buy your product, paying you back for your part of the work and the physical production. Others, of course, may use your schematics and software for free, but if they add competitive features you get them back for free because of FOSS licensing; if they do not respect the licenses you'll be backed by the FSF etc., which have firepower and advertising capability normally superior to any new company/startup. Otherwise, if there is only price competition, many will go for the cheap option; many, not all. And if you and the community keep innovating on the project you keep making money, no different from the pharmaceutical industry that does research vs. the pharmaceutical "generic" industry.

    Long story short: I can't trust closed source extensions any more or less than closed source security software, and I can't trust one company more than another (only reputation can lead to small percentage variations). So I do my best to avoid inoculating my systems with software that I can't trust... Good assessments are still needed, but they are IMO not really very valuable without openness at the base: the need for trust is a weakness, so we need to be able to trust each other with the power to verify trust at the core, not only at the skin.

  • by berbec on 12/7/18, 3:26 AM

    Nice ad.

  • by cws on 12/7/18, 5:24 PM

    As of this writing, the fake Postman extension appears to have been removed from the Chrome extension store. Huzzah!