
Can you trust your browser extensions? Exploring an ad-injecting Chrome extension

My perspective on JavaScript-based browser extensions has been far too naïve until this point. We were all burned by bad toolbars or evil ActiveX add-ons in the past, so when I run IE I run it with no add-ons enabled, or very few. However, with Google Chrome and its sync feature, as well as its rich extension store, it's easy to add a bunch of add-ons and get them synced to other machines.

I wanted to download a YouTube video recently, so I installed a "U-Tube Downloader" extension. It is highly rated and seemed legit, so I added it. It puts a nice Download button next to any YouTube video. Like a Greasemonkey script, it was there when I needed it, and out of sight otherwise.

I installed it and forgot about it. So, put a pin in that and read on...


Today I was on my own site and this happened. A video slid onto my page from the right side and started playing. I was gobsmacked. I know this site, I know its code. I know my advertisers. WTH. Where is this coming from?

It"s the surfing video there in the lower right corner.


First I knee-jerk emailed my advertiser asking if they were injecting this, then I pulled back and started to Inspect Element.

Looks like there"s a supporting iframe, along with an injected div. That div includes JS from "vidible.tv" and the ads are picked from "panoramatech." But that"s not all.


There"s references to literally a half-dozen other ad-networks and then this, something called RevJet.


Searching around, here's the first description of what RevJet is.


Whoa, ok, it's an extension. But which one? Grep for "Rev" in this folder C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Default\Extensions and I find my U-Tube one.

Nicest Ad Ever

I particularly like the comment "nicest ad ever."


This extension also injects ads from "Yllix" when I'm on YouTube, and from RevJet when I'm elsewhere. Apparently if I set revjetoptout in my local storage, I can get around this. Very NOT intuitive. I saw no option in this extension exposing this.


Worse yet, every once in a while, Kim Kardashian shows up in my New Tab page. Again, there's no way for a non-technical relative to figure this out. And it's pretty hard for technical me to figure it out. This is deceptive at best.


Ugh.

Yes, I realize someone put work into this extension, and yes, I realize it was free. However, it wasn't clear that it was going to randomly inject ads into any website without asking. It wasn't clear that the ads were injected by this extension. There was/is no clear way for anyone without the ability to debug this to make it stop. Charge me $1, but don't reach into webpages I visit and mess with my content without telling me.

I recommend you check out chrome://extensions/ and give each enabled one a good hard look. Consider disabling or uninstalling extensions you may have forgotten about or ones you don't explicitly trust. If you're a dev, consider reading the code within the extensions and make sure you're getting what you expect.


SOURCE: http://www.hanselman.com/blog/CanYouTrustYourBrowserExtensionsExploringAnAdinjectingChromeExtension.aspx
