
Thread: Some shady script in Phoronix opening shady ad in new tab

  1. #11
    Join Date
    May 2013
    Posts
    573

    Browser extensions are cross-platform

    Quote Originally Posted by Mat2 View Post
    Do you have any ideas on what could have caused the breach?
    I had only the SQLite Manager installed and it looked legitimate (likely I have installed it after the breach).
    There was no other suspicious activity, no EXE and ELF files on my disk were modified.
    That's the thing: a browser extension that does not use native operating system executables at all and simply runs in the browser should be as OS-agnostic as a Flash game. If I had a machine stolen and didn't know what OS the thieves had installed but could push a program to it by a known IP address, that's exactly how I would do it. A browser extension that keylogs passphrases entered into websites, for instance, is a monetizable cross-platform attack that could target not only your online accounts but your bank accounts too if you ever bank online! Also, for that malicious login don't forget plain old phishing, man-in-the-middle attacks on wifi access points, even with WPS if a weak passphrase is used, all the usual stuff.

  2. #12
    Join Date
    Jan 2014
    Location
    Tallahassee, FL 32304
    Posts
    114


    My computer has not been stolen and hasn't been used by anyone except me. These are the extensions that I currently use in Google Chrome:

    • "Top Stories" Section Remover
    • Adblock for Youtube™
    • Adblock Plus
    • Better History
    • Chromebleed
    • chromeIPass
    • Flashcontrol
    • Google Apps Script
    • Google Docs
    • Google Drawings
    • Google Voice (by Google)
    • Google+ Notifications
    • High Contrast
    • Image Properties Context Menu
    • KnowURL: Expand tiny short links
    • NetBeans Connector
    • NotScripts (like NoScript for Firefox but in Google Chrome)
    • Password Peek
    • Personal Blocklist (by Google)
    • Plus Minus (For showing/hiding anyone/group in the main stream, but does not work with new Google+ and still worked on by developer)
    • Radium (EPUB reader for Chrome)
    • Responsive Web Design Tester (for testing to see if a website will fit well with a mobile device)
    • Scientific Calculator
    • Secure Shell
    • Take me to my Youtube™ Subscriptions (Automatically redirects you to Uploads only of your subscriptions.)
    • User-Agent Switcher for Chrome


    And that's about it. I don't think any of the extensions would trigger adcash.com to open up a malicious site, so I'm out of ideas now. Well, at least I did not see any tabs showing up with porn/malicious site today while surfing the Internet.

  3. #13
    Join Date
    May 2013
    Posts
    573

    Is anyone else seeing Adcash while using Phoronix?

    Quote Originally Posted by GraysonPeddie View Post
    My computer has not been stolen and hasn't been used by anyone except me. These are the extensions that I currently use in Google Chrome:

    • "Top Stories" Section Remover
    • Adblock for Youtube™
    • Adblock Plus
    • Better History
    • Chromebleed
    • chromeIPass
    • Flashcontrol
    • Google Apps Script
    • Google Docs
    • Google Drawings
    • Google Voice (by Google)
    • Google+ Notifications
    • High Contrast
    • Image Properties Context Menu
    • KnowURL: Expand tiny short links
    • NetBeans Connector
    • NotScripts (like NoScript for Firefox but in Google Chrome)
    • Password Peek
    • Personal Blocklist (by Google)
    • Plus Minus (For showing/hiding anyone/group in the main stream, but does not work with new Google+ and still worked on by developer)
    • Radium (EPUB reader for Chrome)
    • Responsive Web Design Tester (for testing to see if a website will fit well with a mobile device)
    • Scientific Calculator
    • Secure Shell
    • Take me to my Youtube™ Subscriptions (Automatically redirects you to Uploads only of your subscriptions.)
    • User-Agent Switcher for Chrome


    And that's about it. I don't think any of the extensions would trigger adcash.com to open up a malicious site, so I'm out of ideas now. Well, at least I did not see any tabs showing up with porn/malicious site today while surfing the Internet.
    If this shows up surfing Phoronix from a live disk, the problem is at Phoronix or at an adserver used by Phoronix. If this is so, a lot of users should see it, at least in a single geographic area using the same browser.

    If only one user sees this and it does not reappear when using a live disk, but DOES reappear on the main OS, then the problem is on that computer. If the problem does not reappear at all, diagnosis after the fact is quite beyond me.

    I cannot evaluate the listed extensions as I do not have Chrome installed due to distrust of Google. It's a lot of extensions overall; you might do a Startpage search checking each extension one at a time to see if any malicious updates have been reported. There have been several cases in Firefox where an originally safe extension was subsequently monetized by the addition of adware to it, waiting for users to update to the malicious versions. Also, is it possible in Chrome for the author of a malicious extension to hide it from being listed?

    If you don't want to use adblocking extensions or want to whitelist sites for other adservers, you might want to 127.0.0.1 out adcash.com in your /etc/hosts file to prevent ever connecting to them again.
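
As an added example (not part of the original posts), one way to narrow down a long extension list like the one above is to read each extension's manifest from disk and flag the ones that can open tabs or run on every site. It assumes Chrome on Linux keeps unpacked extensions under `~/.config/google-chrome/Default/Extensions/<id>/<version>/`; the function names, the sample manifests and the choice of permissions to flag are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read or modify every page you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions relevant to this thread: opening tabs, rewriting traffic.
RISKY_APIS = {"tabs", "webRequest", "webNavigation", "management", "proxy"}

def audit_extensions(ext_root):
    """Return one finding per installed extension version found on disk."""
    findings = []
    # Layout: <ext_root>/<extension id>/<version>/manifest.json
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append({"id": manifest.parts[-3], "name": "?",
                             "broad_hosts": [], "risky_apis": ["unreadable manifest"]})
            continue
        perms = [p for p in data.get("permissions", []) if isinstance(p, str)]
        hosts = set(perms) | set(data.get("host_permissions", []))
        for script in data.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        findings.append({
            "id": manifest.parts[-3],
            "name": data.get("name", "?"),  # may be a __MSG_...__ locale key
            "broad_hosts": sorted(hosts & BROAD_HOSTS),
            "risky_apis": sorted(set(perms) & RISKY_APIS),
        })
    return findings

def make_constructed_profile():
    """Build a throwaway Extensions directory with two constructed manifests."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaaexampleid": {"name": "Constructed Calculator", "permissions": ["storage"]},
        "bbbbexampleid": {"name": "Constructed Ad Helper",
                          "permissions": ["tabs", "http://*/*"],
                          "content_scripts": [{"matches": ["<all_urls>"], "js": ["x.js"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    for f in audit_extensions(make_constructed_profile()):
        flag = "REVIEW" if f["broad_hosts"] or f["risky_apis"] else "ok"
        print(flag, f["id"], f["name"], f["broad_hosts"], f["risky_apis"])
```

Pointing `audit_extensions` at the real Extensions directory also shows any extension that exists on disk, which can then be compared against what the browser's extension page lists.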

  4. #14
    Join Date
    Jan 2014
    Location
    Tallahassee, FL 32304
    Posts
    114


    Yeah, I'm going to 127.0.0.1 them out. Thanks.

  5. #15
    Join Date
    Nov 2010
    Posts
    94


    Quote Originally Posted by Luke View Post
    There have been several cases in Firefox where an originally safe extension was subsequently monetized by the addition of adware to it, waiting for users to update to the malicious versions.
    The problem of extension monetization was in Chrome, not in Firefox (it was some kind of an RSS reader AFAIR).

  6. #16
    Join Date
    May 2013
    Posts
    573

    I heard a report of different extensions being made malicious in Firefox

    Quote Originally Posted by Mat2 View Post
    The problem of extension monetization was in Chrome, not in Firefox (it was some kind of an RSS reader AFAIR).
    I heard a report somewhere of this shit turning up in Firefox extensions as well, but can't remember where. Anyway, if it can be done for one browser it can be done in another, as the basic concept is exactly the same. Whatever it was, I DO recall more than one extension was involved. The problem of updates that do things you don't want (mostly just bugs or function removal, though) is ugly enough that I keep known good .mozilla directory tarballs in case I have to roll back a bad update. I especially worry about Ghostery going bad in the future given who bought it and its importance. If I get a crapware version in the future I will simply roll back.
