Chrome Extensions Going Rogue

Google Chrome is a great browser, and it became my primary browser as soon as it introduced support for extensions. I’d previously been using Firefox, which had a tendency to crash and lose my open tabs at annoyingly regular intervals (it’s fair to say that I’ve always had a problem with having way too many tabs open at the same time, which didn’t help, and typically have to declare tab bankruptcy every six months or so).  I would have moved to Chrome sooner, but for me, browser extension support was a vital requirement so I could streamline my web browsing experience.

Unfortunately, extensions pose serious security and privacy risks, and my recent experiences have led to me having serious concerns about whether I should continue to use them.  I’ve now had two extensions go rogue on me in the last year, after updating themselves automatically and adding unwanted “features” in the process.  In addition, my girlfriend had one which started creating links in web page text and showing ads on mouse over (which was really hard to get rid of).  Here’s a rundown of the two extensions I personally had go rogue on me, and my tips for tracking them down.

Window Resizer

The first extension I had a problem with was Window Resizer, a really handy extension that resizes your browser to match different screen sizes, such as that of tablets and phones.  It’s a great tool for web developers who are developing responsive websites, like I do.  Unfortunately, after a while, the developer decided to cash in by having all Google search results be redirected through EcoSia, effectively tracking a huge proportion of my web activity without my permission.  I noticed this problem as my browser started randomly failing to successfully navigate to sites, getting stuck on the EcoSia redirect, and was able to track the problem down eventually to the Window Resizer extension thanks to other posts on the web about it.

I never agreed to this behaviour when I installed Window Resizer, and it didn’t do this when I first installed it.  Unfortunately, extension developers can introduce these “features” into new versions, which get installed automatically because, like Chrome itself, Chrome extensions update silently as new versions are released.  This is a big problem, as extensions can build up a big user base by providing a useful and expected service, and then suddenly go rogue without warning (occasionally after being bought by malware operators).  And it can be really hard to track down the culprit – that’s if you even realise that there’s a problem.

In the case of the Window Resizer extension, the developer decided to make money out of his extension by having the extension send all clicks on Google results via EcoSia.  He did make this behaviour optional (it could be turned off), but turned it on by default.  With this update being pushed out to all users automatically, suddenly the browsing activity of all users was getting tracked without their express permission, with most not even realising it.  Ultimately, the developer of Window Resizer faced a huge backlash, and after attempting to defend his decision by blaming the users for not reading the release notes, he ultimately apologised and backed down under a barrage of criticism.

Quick Note

Just last night I found another Chrome extension had gone rogue.  I was using Fiddler (a web debugging tool that logs all web requests/responses) to analyse an OAuth2 negotiation workflow.  However, I started to notice all these requests to a domain named each time I navigated to a URL, which started to concern me.  After Googling the domain and discovering it was a click tracking domain I realised another browser extension must have gone rogue, and went into investigative mode to track down the culprit.


The unexpected calls being to webovernet, which I’ve highlighted in red.

Note in the image above that the requests are sent over HTTPS, which makes them even harder to detect.  They only show in Fiddler if you are capturing HTTPS content (i.e. the Capture HTTPS CONNECTs and Decrypt HTTPS traffic options are enabled in Fiddler, both of which are turned off by default). So you wouldn’t even see these calls in regular use of the tool, making this behaviour hidden to even tech savvy users.

The process of tracking down the culprit was quite simple. I opened up the Google search page to use as my test.  Any page would do, but I chose this as it makes minimal additional server requests so it wouldn’t clog up the Fiddler logs.  Open Fiddler, make sure capturing HTTPS traffic is on, and start capturing your web traffic.  Each time I refreshed this page, corresponding requests would be sent to the webovernet domain, so I had a clear failing test case (for those of you into test driven development).  The task now was to disable various extensions and refresh the Google search page until I didn’t see any more requests to the webovernet domain. Disable an extension, refresh the page, check the traffic, and repeat.

Ultimately, I discovered it was an extension called Quick Note that was the offender.  This was an extension I must have installed a long time ago but never really used.  Looking at its details in the Chrome store, you can see that the developer updated their privacy policy to allow it to capture all my browsing history.  Of course, I was never made aware of this.  Bastards.
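The same hunt, as an added example that is not from the original post: Fiddler can export captured sessions as an HTTP Archive (HAR), so the first function lists the hosts a page load contacts that don’t belong to the page itself, which is the “failing test case” above in code. The second goes a step beyond the post’s disable-one-refresh-repeat loop by halving the set of enabled extensions each round; the HAR content, the host names (webovernet.example stands in for the tracking domain) and the extension names other than Quick Note are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample HAR of two refreshes of the Google search page.
# "webovernet.example" is a placeholder for the tracking domain in the post;
# the other hosts are ordinary page assets.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.google.com/"}},
    {"request": {"url": "https://www.google.com/images/logo.png"}},
    {"request": {"url": "https://www.gstatic.com/og/_/js/k.js"}},
    {"request": {"url": "https://webovernet.example/hit?u=google"}},
    {"request": {"url": "https://www.google.com/"}},
    {"request": {"url": "https://webovernet.example/hit?u=google"}},
]}})


def third_party_hosts(har_text, page_url, allow=()):
    """Count requests to hosts that are not the test page's own.

    A host counts as the page's own if it equals the page host or sits under
    the same last two labels (a rough stand-in for the registrable domain).
    Hosts in `allow` (a CDN you already expect to see) are skipped.
    """
    page_host = urlsplit(page_url).hostname.lower()
    base = ".".join(page_host.split(".")[-2:])
    counts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        if host == page_host or host.endswith("." + base) or host in allow:
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


def bisect_extensions(extensions, is_clean):
    """Find one offending extension by halving the enabled set each round.

    `is_clean(enabled)` is the oracle: True when refreshing the test page with
    only `enabled` turned on yields no unexpected hosts. In practice you toggle
    the extensions on chrome://extensions, capture again, and feed the HAR to
    third_party_hosts; this assumes a single deterministic culprit.
    """
    suspects = list(extensions)
    if is_clean(suspects):
        return None  # nothing in the enabled set causes the extra requests
    while len(suspects) > 1:
        half = suspects[: len(suspects) // 2]
        # if the first half alone still misbehaves, the culprit is in it
        suspects = half if not is_clean(half) else suspects[len(half):]
    return suspects[0]
```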


The big lesson from this is to disable or uninstall all extensions that you don’t use!

The Big Issue

The big issue I have with extensions is that developers can introduce this malware/adware/spyware without users being aware of it, and potentially never actually realising it.  It’s only because I spend a fair bit of time in the Chrome Debugging Tools and Fiddler that I notice these sorts of issues.  I’m in a position to be able to detect these problems, but these are just skills that the average punter doesn’t have.

We live a lot of our online lives in a web browser these days, including a lot of private activity such as shopping, banking, and so on.  Depending on the permissions you’ve granted them, browser extensions can have access to all of this.  We are making a lot of private information available to unknown entities, and putting them in a position of trust to not take advantage of it, which is ultimately being abused in the name of money.

To help solve problems like this, Google prevented Chrome extensions from being installed outside of the Chrome Web Store, in May this year.  Unfortunately, this doesn’t really do much, as you can see from my issue with the Quick Note extension.

You can’t trust extensions just because you once audited them, because they auto update.  Just because you verified the behaviour of all your extensions and haven’t installed any new extensions recently doesn’t mean that you’re OK, as any one of those installed extensions may auto update and go rogue.

The other big issue is the amount of access that extensions have to your browsing activity.  Unfortunately, most of the useful extensions need a very wide permission base, with almost all the extensions I have installed requiring access to my data on all websites, and access to my tabs and browsing activity.  This is particularly concerning, and while I’m not an expert in this since I haven’t written an extension myself, it seems much of it is because Chrome’s permission levels are quite coarse.  The Window Resizer extension developer wrote this about the permission levels it requires just to resize the browser window:

This extension doesn’t *need* access to your browsing history or data on any site, but it *needs* access to the tabs and window in order to manipulate the window size and read its properties. Unfortunately, these are all tied together and you can’t have one without the other. So, by receiving the right to access the window properties, the extension also receives access to the browsing history and all.

If this is true, it’s indicative of a big problem with Chrome’s extension security model.

The Lesson

After seeing three browser extensions go rogue in the past year, I sense that the Chrome Web Store has a big problem in the making.  In the meantime we just need to mitigate the problem by acting wisely.  There are a number of lessons to be learned, so here’s my advice:

  1. Treat all browser extensions as suspicious.  Check their requested permissions, and if they ask for too much for their required needs then don’t install them!
  2. Always read the reviews and details of extensions before installing them.  You’ll learn a lot.  If they have a privacy policy, read it!
  3. Disable all extensions that you aren’t currently using, or don’t really need.  Out of sight is not out of mind.  Stick with just high profile extensions.  That said, the more users extensions have, the more likely they are to be sought after by malware operators, who purchase them and abuse them.
  4. Just because you don’t see anything wrong, doesn’t mean there isn’t anything going on under the covers.
  5. The old saying of “If the product is free, then you are the product” I guess unfortunately extends to browser extensions.

Go and check your browser extensions now.


It’s worth noting that all our browsing habits are being tracked anyway by Google, which is disconcerting enough as it is.  Between my browsing history being synced back to their servers, all search links going via them, storing all my email, and so on, it’s fair to say that they know way too much about me.  However, at least I’m well aware of this situation and have made my own decision to keep using their products based upon reading and agreeing to their privacy policies, and the fact that I get a worthwhile enough benefit in exchange.  But I never agreed to allow these extensions to spy on me, and that really disgusts me.

September Meeting

For those of you wondering about this month’s meeting (which normally would be on tonight according to the normal schedule of the third Monday of the month), it’s been postponed for a week (to the 26th of September) so that we can get Jose back from BUILD to tell us all the exciting stuff he’s learnt, what XAML’s future is in Windows 8, and what other news has finally been unembargoed.
Of course, the release candidate of Silverlight 5 was also released recently, so I may talk a bit about that if we have time.
Note that we have a new room at the City Hotel starting this month, with it being held in the “Emperor Lounge”. We meet at 6pm, with a 6:30pm start.
Sorry for the late notice!  Hope to see you there…

Willoughby “Star Gazing Evening” This Saturday

Based in Sydney and not doing anything this Saturday evening?  Do you like looking up at the sky at night?  Do you want a closer look at the Moon, Jupiter, and various beautiful deep sky objects such as the Jewel Box, Omega Centauri, and various Messier objects?  Don’t have a clue what I’m talking about but would like to learn a bit about astronomy?  Then join the Northern Sydney Astronomical Society (which I’m a member of) and Willoughby Council for a “star party” this Saturday September 26.  Click here for details on the council website (though there’s not much there).

I’ll have my telescope there showing people Jupiter and its moons (the 4 that are visible from Earth), and there will be 9 other telescopes set up looking at various objects in the sky (fingers crossed for good weather and no dust storms).  There will also be talks, food, and information stalls, and I’m sure lots of fun to be had.

It’s free, so come along and join us between 6pm and 9pm this Saturday at Bicentennial Reserve, Small Street, Willoughby.

Building a Silverlight Line-Of-Business Application – Part 5

Part 5 of my series on building a line-of-business application with Silverlight is now available on the website here:

The focus of this article is building the data entry form for a product – it sounds simple but there were quite a few issues to workaround.

SWMUG Presentation

Tonight I did a short presentation at the Sydney Windows Mobile user group (SWMUG) about how to put your mobile application into a kiosk mode, disabling the Start menu and the hardware buttons, effectively stopping the user from getting to the underlying Windows Mobile shell and generally causing a maintenance nightmare.

You can download a demo application that implements a library I wrote for this demo to enable this functionality here:

While I demonstrated putting the Prize Draw application I had developed a few years ago and used regularly at SWMUG into kiosk mode, I’ve simplified the demo included here to a simple form in kiosk mode.  As you will see it only requires two lines of code (one per form event) to implement.

Just reiterating some points in my talk:

– Set your application to start up automatically when the device is restarted (by putting a shortcut in the StartUp folder or set the Run key in the registry).  Therefore the user can’t just restart the device to gain access to the shell.

– The device after being left idle for a period of time (normally 4 hours) may automatically switch to the Today screen, effectively nullifying the kiosk mode.  This is a setting in the control panel (Start, Control Panel, Today, go to the Items tab, and uncheck the check box).

– If you use the Open or Save dialog boxes, they can’t have the kiosk mode applied as we don’t know their window handle.  Therefore I recommend you roll your own versions of these dialog boxes (it’s not too hard, they’re fairly basic).

Hope you find it useful!

Back To Blogging

For months now I’ve been saying to myself that I’ll need to blog this or that and never getting around to it.  Well the list of blog topics has grown, so it’s time I started knocking a few off the list.  There will be the occasional rant but I promise to keep them to a minimum.  Most will be programming tips, so my apologies to those on my Facebook friends list if you’re not a developer and my posts keep popping up in your newsfeeds – I’m sure there’s a way to turn them off if you get sick of them!

So to start off, something that has absolutely nothing to do with programming (but I will get there)!  Tomorrow night (Monday) I noticed Channel 7 at 10:40pm is showing "The Most Hated Family In America", a documentary by Louis Theroux.  I haven’t seen this, but I’ve seen others he’s made from his previous Weird Weekends series after Boing Boing blogged about it, and they were fantastic.  The way he tried to understand his subjects and how they came to do what they do (even though he mostly didn’t agree) allowed a unique insight into these worlds that you very very rarely see via any other reporting style.  I’m sure this episode will be no exception and provide intimate insight into this family and their hate fuelled beliefs.

And while I’m talking about TV, the HBO series Flight Of The Conchords is finally being played on Channel 10 starting next Sunday.  I was introduced to "New Zealand’s fourth most popular folk parody duo" back in 2004 on the short lived ABC series Stand Up! (the show had the exclamation point in the name – that’s not bad or overexcited punctuation from me).  I became an instant fan and many of those songs they played over the course of that series (they were repeat guests) have been worked into this series.  I saw the first few episodes a couple of months ago and they were awesome.  I’m looking forward to seeing the rest of the series!

Amazon Selling Uranium

I saw today (thanks to Boing Boing) that Amazon is now selling low grade uranium ore:

The comments are pure gold.  However the correlation between uranium ore and the items people who had purchased it also purchased (some of which need not be delved into on this blog) is somewhat beyond me…

In other news, Nerds FC is up for The Sydney Morning Heralds’ Couch Potato Awards in the category for Best Observational Reality Show.  Help us win by voting here:

Asimo – The Humanoid Robot

I went to see Asimo the humanoid robot created by Honda yesterday down at Darling Harbour.  I have to say it’s really amazing technology and very impressive.  The show goes for half an hour, and is essentially (as you’d expect for a free show) an ad for Honda, but it’s still worth going to see I think anyway.  Next week it will be in Parramatta, so if you want to see it check it out there.  The details are on the associated website.  Note however that to get tickets you have to be really early.  I got there 45 minutes early but the tickets were all gone (you can only get tickets in the 2 hours before the show).  However I did hop in the reserve queue and managed to get in that way.  I think that although they have tickets, they still provide a lot of space for those without tickets – the reserve queue was quite long and a fair number of those behind me appeared to have been let in anyway.

Unfortunately as I guess the show’s just meant to be for entertainment for all levels (down to pre-schoolers), there’s not much said about how the robot works (it was more what it does than how).  You might be a bit underwhelmed if you don’t understand the complexities of what the robot has to deal with in order to function, and how far it has come over the last 20 years.  The Tech Guide on the website is well worth reading as it fills in a lot more details on how it operates.  I guess I’m just a nerd and like to know how things work.

At uni (I studied Computer Systems Engineering at UTS in Sydney) there were 2 related subjects (called Computer Systems Analysis and Computer Systems Design) which provided my only real experience with robots.  We had to analyse, design, and write the software for the robots in a “chocolate factory” – a massive project for a bunch of students to do in a semester (there were a lot of late nights), which has given me a lot of appreciation for dealing with robotics and the issues you have to deal with just to do something simple.

In the show Asimo walks, runs, dances, interacts with an audience member (shaking their hand, copying what they do), and picks up a tray of coffees and takes it to another location.  Asimo does walk a little bit as if he were constipated, but it is damn impressive.  Running (considering the definition of running is having both feet off the ground at the same time) and landing smoothly for the next takeoff is even more impressive.  “He” can do this at 6km an hour – not bad!  Also the recognition of the (I can only assume) unscripted movements of the chosen audience member (I also assume there is no human involvement in this recognition either) such that he can copy it is extremely impressive.

So fair to say I am very impressed by the technology.  Just if you do go to a show, expect a half hour ad for Honda, and don’t expect to be hit with many details on the technology.  But worth the effort anyway.