[HN Gopher] Button Stealer
___________________________________________________________________
Button Stealer
Author : kickofline
Score : 228 points
Date : 2024-07-23 03:37 UTC (19 hours ago)
(HTM) web link (anatolyzenkov.com)
(TXT) w3m dump (anatolyzenkov.com)
| kickofline wrote:
| github: https://github.com/anatolyzenkov/button-stealer
| neontomo wrote:
| now add a leaderboard for most collected...
|
| btw i had a look at the code and it seems benign. no clue if
| there's a way to verify the same code is in the chrome
| extension store.
| stuffoverflow wrote:
| On windows the location of chrome's extensions is
| "AppData\Local\Google\Chrome\User Data\Default\Extensions".
| You can read the source code of all of your installed
| extensions there. This requires you to install the extension
| first. It is also possible to download the crx file of any
| extension from the chrome web store and just unzip it to
| inspect the source, though i'm not sure how to do it with the
| official chrome. Ungoogled chromium downloads the crx file if
| you press "add to chrome" and then cancel.
| whodev wrote:
| I diff'd the chrome extension against the github repo and
| they are _basically_ the same, outside of a few lines in the
| README.md missing and the manifest.json containing an update
| URL key to
| "https://clients2.google.com/service/update2/crx".
| sweca wrote:
| This sounds like a great way to find inspiration for UI UX
| designs
| elitepleb wrote:
| reminds me of https://adnauseam.io/ 's clicked ad view
| https://adnauseam.io/img/adnauseam_vault.png
| erremerre wrote:
| I love watching mine, and love watching the cost to
| advertisers. Modern problems require modern solutions!
| jer0me wrote:
| "It's fun, useless, and free!"
| koito17 wrote:
| Is there a particular reason this uses Chrome-specific APIs
| instead of the standard WebExtensions API? I have considered
| experimenting with web extensions, but wondering what the
| practical limitations of the standard API are compared to the
| browser-specific APIs.
| purple-leafy wrote:
| chrome doesn't support web extension API
| creesch wrote:
| Technically correct, but it is a bit more complex. The
| original web extension API is based on the chrome extension
| API. So most (there are some annoying exceptions at times) of
| the chrome extension API calls also work with very little
| adjustment on firefox. It becomes even easier when you use
| mozilla's polyfill library
| https://github.com/mozilla/webextension-polyfill
|
| Then you can just target the promise based webextension
| syntax and as long as you still stick to the calls also
| available in chrome your extension works with very little
| effort in both browsers.
|
| Safari is a different story which basically amounts to Apple
| being Apple and sort of supporting webextensions but in such
| a roundabout way that it is barely worth it for the majority
| of extension devs.
| sn0wleppard wrote:
| There's some difference but a lot of overlap in the basic
| functionality - Firefox is compatible with all the chrome.* API
| calls I use in my own extension
| impure wrote:
| I WANT MY 5EUR!
| Hamuko wrote:
| I'd be worried about installing these sorts of extensions in case
| someone decides to offer the developer a lucrative amount of
| money to buy it and then uses it for less-than-fun purposes. Not
| sure if they'd need additional permissions for it, but at least
| the current content script is run against "https://*/*" already.
| skybrian wrote:
| This is the app version of a phishing email. Give us access to
| everything on every website you visit, just for some eye candy.
| mavamaarten wrote:
| Bonzi buddy vibes
| purple-leafy wrote:
| Issue with this "benign" extension is that it will be using
|
| "host_permissions": "<all_urls>"
|
| In its manifest means it can basically do anything on any webpage
| you visit, scrape data etc.
|
| As an extension developer, no thanks. "Fun" pointless extensions
| like this that have no real utility, but funnily enough require
| broad permissions, are dangerous
| Refusing23 wrote:
| just like 'Grammarly' which is basically just a keylogger
| MrSS wrote:
| Grammarly has to be able to connect back to their online
| service while the button addon could be implemented in a way
| that it can read every website but not send anything anywhere
| (in theory, the addon could of course simulate a form and
| send data out through that or somehow).
|
| But yeah i tested grammarly for 5 minutes and found it crazy.
|
| there has to be a better way getting both worlds :|
| bargainbin wrote:
| Local software of course! But good luck getting funding for
| a product that doesn't phone home every 5 seconds and
| present an opportunity to plague the user with ads "that
| they want to see"
| vstollen wrote:
| I haven't used it myself, but the LanguageTool browser
| extension might allow users to use a self-hosted or
| locally running instance.
| dspillett wrote:
| In DayJob we've had to block (actually block, because
| people didn't listen to being asked not to use it and
| similar tools) Grammarly because it sending text that could
| potentially include client data off to their servers for
| checking would have given us a nasty fail should a client
| request or conduct an audit.
|
| As an alternative there is LanguageTool which you can
| install locally. We have it running on a small VM that
| people can configure their installs to talk to, and block
| the public service end-point (as sending to that would be a
| big no-no for us for the same reason as Grammarly). It
| doesn't have all the features of Grammarly so isn't a
| complete drop-in replacement, but the self-hosted version
| works as well as the free features of Grammarly.
| Suppafly wrote:
| >As an alternative there is LanguageTool which you can
| install locally. We have it running on a small VM that
| people can configure their installs to talk to, and block
| the public service end-point
|
| I'm surprised that Grammarly hasn't come up with a local
| service like that, I bet they have a ton of enterprise
| users that would appreciate it.
| elaus wrote:
| > [...] but funnily enough require broad permissions
|
| I don't think there is a way to implement this without said
| permission. You can always check out the code from GitHub and
| install the extension locally to avoid any malicious changes in
| the future.
| skybrian wrote:
| And that's why it shouldn't be in the Chrome app store at
| all.
|
| As a hobbyist developer, having that kind of access in other
| people's browsers is not something I want, and I'm suspicious
| of developers who do seem to want it. It's like "hey, I wrote
| a fun game that requires root access."
|
| At least limit it to people who know what Github is.
| firtoz wrote:
| > hey, I wrote a fun game that requires root access
|
| So... Just like AAA game studios, eh?
| MOARDONGZPLZ wrote:
| No. They are large and presumably have some sort of
| trust, and can lose the trust of people if they do
| particularly shady things. This may not bear itself out
| in practice of course. But a game studio has something to
| lose, whereas hobbyist developer 73683 asking for root
| permissions for no real gain to you has nothing to lose
| from any number of things like scraping sites you visit
| or using your browser as a tor exit node or any number of
| things.
| gryn wrote:
| yeah, I'm sure Genshin Impact's creators went out of
| business when their Kernel access anti-cheat was hacked
| by ransomware or more recently the hacks mid live
| broadcasted tournaments (don't remember which game, I
| think it was apex).
|
| I mean that's what kids, teenagers, and young adults and
| non technical people in general are known for: their
| prudence and good technical decision making.
|
| let's not talk about the other risk vector that Tencent, a
| Chinese company is the one buying most of these game
| studios that have Kernel access (not exclusively).
| MOARDONGZPLZ wrote:
| I don't know what that is.
| dspillett wrote:
| Which is the problem with games having kernel access for
| anti-cheat and <whatever-else-they-want-to-do-with-it>.
|
| You don't know what they are doing in there. You don't
| really know who they are. Even if you do, corporate
| machinations might mean who has access to the facility to
| <what-ever-they-want-to-do> on your PC could change at
| any moment without your knowledge.
|
| Most end-users are blissfully unaware of the potential
| consequences of this level of access (Games having
| kernel access, and browser extensions having all-
| sites/all-contexts access).
| techjamie wrote:
| Can you imagine if one of the big anti-cheats got hit
| with a supply chain attack? That would be _devastating_.
| dspillett wrote:
| It doesn't even need to be a hack, or a malicious new
| owner taking over a game or other software package that
| has such access.
|
| The original company could be malicious/stupid/both. See
| https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk... for the most famous example of "both".
| sandworm101 wrote:
| >> No. They are large and presumably have some sort of
| trust, and can lose the trust of people if they do
| particularly shady things.
|
| Sony? Microsoft? EA? Apple? Exactly which giant
| megacorporation is beyond shady things?
|
| https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
| oneeyedpigeon wrote:
| Right, but Google is surely the one at fault here. There
| should be absolutely no reason that this extension can
| "change all my data on all websites", whatever the hell
| that actually means.
| Retr0id wrote:
| I was under the vague impression that Manifest V3 was
| supposed to prevent this sort of thing. But looking at
| the extension, it _is_ using MV3. Maybe it really was
| just about weakening ad blockers.
| tetromino_ wrote:
| Not "change all my data on all websites" but "read the
| content of all websites I visit".
|
| Because an extension that finds all button elements on
| all websites you visit, must necessarily start by reading
| the content of all websites you visit.
| oneeyedpigeon wrote:
| Yes, I think that one's acceptable in this case. It's the
| "change all my data" that is problematic.
| skybrian wrote:
| I think both the developer and Google have some control
| over what appears in the Chrome store.
| beeboobaa3 wrote:
| What are you even talking about? Every piece of desktop
| software you have ever run has more permissions than a
| browser extension.
|
| Is your stance that hobbyist developers should not be
| allowed to develop desktop software or CLI tools? The
| entire software development ecosystem would collapse in an
| instant. Or are you just not familiar with Windows & Macs
| (lack of a) permission system?
| skybrian wrote:
| The lack of sandboxing in desktop applications is bad,
| but you aren't going to be writing code to read every web
| page a user visits by accident, and that's what some
| browser extensions do on purpose. They're inherently
| working with more sensitive data. So that's worse in
| certain ways. (And they are more sandboxed in other
| ways.)
| beeboobaa3 wrote:
| > but you aren't going to be writing code to read every
| web page a user visits by accident
|
| No, instead you're just reading all files on the
| filesystem, including the browser's cookie store or
| whatever. The data you are, or can be, handling is just
| as, if not more, sensitive since it's literally a
| superset of what the browser has access to.
|
| > The lack of sandboxing in desktop applications is bad
|
| Some sandboxing would be nice, but the Google/Apple
| approach of needing to beg the vendor for every little
| permission isn't the way to go, either. I'd rather have
| software that can actually do things as opposed to only
| having useless sandboxed "apps".
| skybrian wrote:
| My Mac sometimes prompts me to see if a Mac application
| should have access to certain directories, such as
| "Downloads," so I'm not sure that's entirely true
| anymore?
|
| But in any case I think this is missing a distinction
| between what software developers can install in
| "developer mode" versus stuff that's in the store for
| non-technical people to use. Apps in app stores see
| widespread use by people who barely know what a computer
| is, so I think there _should_ be hoops you need to jump
| through to get distribution to the masses, at least for
| certain types of apps.
|
| And those apps aren't useless, they do important but
| security-sensitive things like banking, things us
| developers need to do too sometimes.
|
| It's a different world than hacking around on your
| Raspberry Pi or an old phone, and I think it _should_ be
| different. Treating these situations the same muddies the
| issues.
| jimvdv wrote:
| If chrome permissions made sense a user could choose to
| activate the extension when they visit a site.
|
| Also the extension could have no network access and have
| read-only access to the DOM to name a few improvements.
| purple-leafy wrote:
| There is a way:
|
| 1) Extension could use the "activeTab" permission (would
| require user to click the extension once when inside the
| current tab to activate the extension), then the extension
| will run for any url they visit
| lofaszvanitt wrote:
| And that is so annoying no one would do it.
| m3kw9 wrote:
| hard to know if github code is the code that is being installed
| unless you build it from github. 1/10000 people check+install
| like this
| d--b wrote:
| Yes they sell for quite a bit, and the buyer may not have the
| same idea of "fun" as the original guy.
| vstollen wrote:
| Are (updates to) extensions from the Chrome and Firefox store
| usually vetted before publication?
|
| I've heard that Firefox will only run signed extensions. Would
| you trust this process?
| zinekeller wrote:
| > Are (updates to) extensions from the Chrome and Firefox
| store usually vetted before publication?
|
| Mozilla does not manually review most extensions (only
| extensions which Mozilla recommended are manually reviewed:
| https://support.mozilla.org/en-US/kb/add-on-badges).
|
| Chrome's policy is extensions are "reviewed periodically for
| compliance", but is unclear on how frequent this periodic
| review is (https://developer.chrome.com/docs/webstore/review-process).
| 6510 wrote:
| The permissions need to be more specific somehow.
|
| I think the correct approach is to have the option to have a
| function isolated from the rest of the code. Then pay a trusted
| party to review the functionality of the function.
|
| In this case said function may only 1) access the html on the
| website, 2) find the button and 3) return only that what makes
| the button.
|
| Then the permission prompt, written by the trusted party, can
| be something accurate like: _This extension wants to copy
| buttons from websites._
|
| I'm calling it DEWISOTT computing: _does exactly what it says
| on the tin_
|
| You can go wild and update your extension 1000 times per day
| without touching the function.
| dotancohen wrote:
| > written by the trusted party
|
| This is the weak, and expensive, link.
| 6510 wrote:
| The programming notary should be expensive per line.
|
| If a function gets certified and a decent description it
| can be published for other developers to further scrutinize
| and use the same.
|
| With user.script or greasemonkey scripts it is kinda
| expected to read the script before use. Short scripts are
| easier to check.
|
| Funny example
|
| https://userscripts-mirror.org/scripts/show/179526
|
| If the potentially dubious part can be isolated the notary,
| the publisher, the other developer and the user can easily
| review it. It seems much better than the current installing
| black boxes?
| resonious wrote:
| It seems crazy that extensions don't have a permission for
| making network requests. Getting permission to access the DOM
| on all pages I visit is fine if there's no way to exfiltrate!
| robryk wrote:
| You can always exfiltrate by inserting stuff into the page's
| DOM that will do the exfil from the page's context.
| aembleton wrote:
| Should have a separate permission to modify the DOM. This
| extension only needs to read the DOM.
| teruakohatu wrote:
| Yes, a network access and DOM write permission should be
| one and the same. I think the reason it isn't done is
| because there are so many ways to leak data over a
| network. If the extension can trigger a DNS lookup
| somehow, it can exfiltrate data.
|
| Android used to have a network permission but Google
| removed it.
| beeboobaa3 wrote:
| > Android used to have a network permission but Google
| removed it.
|
| That's because google is in the ads business and wants
| apps to always be able to exfiltrate data to google
| (google analytics, google ads, etc) & display ads without
| needing additional permissions.
|
| Having a network permission means there is an incentive
| for apps to _not_ have the network permission which means
| they can't load ads. And Google wants you to look at
| their ads.
| gtsteve wrote:
| I would hope that high value target sites such as banks
| would implement CSPs to prevent that or make it more
| difficult though.
| pigeonhole123 wrote:
| You can save the data and exfiltrate through a site
| without CSP
| pastage wrote:
| I block all external resources on my pages, but sure it
| works well in most places! It think the default policy
| should be block on most pages.
| emadda wrote:
| Or also a permission to disable automatic updates to reduce
| the issue of "popular extension sold to malware corp".
| ivanjermakov wrote:
| 1. Wait for an extension to become popular
|
| 2. Sell it to a company with malicious intentions
|
| 3. Get ad/spy/malware in your browser
| geek_at wrote:
| that happened to me. I installed a plugin that would parse
| all pages for email addresses and store them for later
| reference. A few months later i started to see strange ads on
| pages that shouldn't have ads.
| rc_mob wrote:
| How is OP supposed to build the extension without doing this?
| peanut_worm wrote:
| cute idea but im not installing this malware lol
| ape4 wrote:
| In addition to all the security concerns mentioned, you don't
| really need it. You can google or ask a chatBot to make you
| a custom button.
| graypegg wrote:
| I love the idea but the <all_urls> access is a bit scary.
|
| This could be recreated in a bookmarklet ideally, though it would
| require saving the button html snippets into a file that you'd
| have to make downloadable with some Blob weirdness.
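The bookmarklet approach this comment proposes, as an added example (editor's code, not from the thread or the Button Stealer project). Nothing is installed with standing access to every site: the code runs only on the page where the user clicks the bookmark, with that page's own privileges, and saves what it found as a downloaded file via a Blob. Function names are mine, and the stand-in `root` used in the test is constructed.

```javascript
// Added example (editor's; not from the thread or the Button Stealer project).
// A bookmarklet version of the button collector: no <all_urls> grant, no
// content script; it runs once, on the current page, when the user clicks it.

// Gather the outer HTML of every <button> (and element with role="button")
// under root. In the browser root is the document; tests pass a stand-in
// object that exposes querySelectorAll the same way.
function collectButtonMarkup(root) {
  const snippets = [];
  for (const el of root.querySelectorAll('button, [role="button"]')) {
    snippets.push(sanitizeMarkup(el.outerHTML));
  }
  return snippets;
}

// Drop inline on*= handlers and javascript: links so a collected button is an
// inert visual sample, not code that runs again when a gallery page renders
// it. The patterns are deliberately conservative (an attribute named e.g.
// "one=..." would be stripped too).
function sanitizeMarkup(html) {
  return html
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\s+href\s*=\s*("javascript:[^"]*"|'javascript:[^']*')/gi, '');
}

// Package the snippets with their origin and a timestamp as JSON text, so the
// gallery knows where each button came from.
function buildCollection(origin, snippets) {
  return JSON.stringify(
    { origin, collectedAt: new Date().toISOString(), buttons: snippets },
    null,
    2,
  );
}

// The "Blob weirdness": hand the text to the browser as a file download by
// clicking a temporary <a download> link. Browser-only.
function downloadText(doc, text, filename) {
  const url = URL.createObjectURL(new Blob([text], { type: 'application/json' }));
  const a = doc.createElement('a');
  a.href = url;
  a.download = filename;
  doc.body.appendChild(a);
  a.click();
  a.remove();
  URL.revokeObjectURL(url);
}

// In a browser (wrap the whole file as javascript:(function(){...})() in a
// bookmark) this collects and downloads; under Node there is no document, so
// only the functions above are defined.
if (typeof document !== 'undefined') {
  const collection = buildCollection(location.origin, collectButtonMarkup(document));
  downloadText(document, collection, `buttons-${location.hostname}.json`);
}
```

The trade-off against the extension is the one the thread is circling: the user clicks once per page and gets one file per site rather than an automatic gallery, but the browser never holds a standing grant that a future owner of the code could turn against every site visited.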
| odo1242 wrote:
| Is there a Firefox version?
| rgbrgb wrote:
| cool! i want this for safari please. is that an easy port?
| kmoser wrote:
| Does it store the HTML/CSS for creating the buttons so you can
| easily repurpose them (which would be quite useful), or are they
| stored as images (which would be fun but less useful)? If the
| latter, how difficult are they to extract from the page that
| shows them all?
| josefritzishere wrote:
| Why would you install this? Who wants a collection of buttons?
___________________________________________________________________
(page generated 2024-07-23 23:08 UTC)