
Google Sounds Chrome Browser Hijack Alarm

Chrome users also face subtle attacks, including Chrome extensions that inject unwanted advertisements.


Have you ever installed a free software bundle, only to discover that an included application has hijacked your browser settings to reset your default homepage and redirect all of your web traffic through an advertiser-controlled domain name system and search engine?

If so, you're not alone. "Settings hijacking remains our number one user complaint," said Linus Upson, Google's VP of engineering, in a blog post on Friday.

That's despite Chrome -- for both Windows and Mac OS X -- sporting a feature designed to liberate browsers from hijacked settings. "To help keep your browser settings under your control we added a 'reset browser settings' button to Chrome's settings page in October," said Upson. Many Chrome users, however, apparently aren't aware of the feature, which is accessible via the "show advanced settings" link on the browser's settings screen.

Accordingly, "Chrome will be prompting Windows users whose settings appear to have been changed if they'd like to restore their browser settings back to factory default," Upson said. To make that happen, the hijacking alert screen will include the reset button.

Resetting settings is the best starting point for recovering from any browser-hijacking software installation. "I've lost count of the number of times that friends and family have asked me to take a look at their PC 'because it's acting funny', only to discover that their browser has been meddled with by something like Babylon Toolbar, CoolWebSearch or Conduit Search," said security expert Graham Cluley in a blog post.

"Browser-hijacking software like these are often bundled with third-party applications, and can be installed at the same time if the user isn't careful, changing your browser's homepage, displaying irritating hard-to-remove pop-up adverts, or redirecting search queries and displaying sponsored links -- all with the intention of earning more revenue for the people behind them," said Cluley.

Resetting settings is a bit of a nuclear option: All search engines -- including saved ones -- will be reset, the homepage will disappear, all default startup tabs will be wiped, and cookies and site data deleted. All installed apps, extensions, and themes will also be disabled, although they can be set to start again at launch, by default, via the settings menu.


After a browser hijacking, however, even a settings reset might not be enough to nuke the underlying scamware. "Resetting your browser's settings does not necessarily mean that you have succeeded in removing the adware which messed with your settings in the first place -- these typically survive rebooting, and the hijack could occur again," Cluley said.

For anyone facing serial hijacking episodes -- even after attempting to reset their settings -- Google's Upson recommends that they visit the Chrome help forum for advice about how to completely excise the offending software.

While the campaign to roll back browser hijackings continues, Chrome users have also been facing an ongoing security threat in the form of scam browser extensions. Jason Ding, a research scientist at Barracuda Labs, warned in a blog post Monday that a group of malicious extension developers -- formerly registered with Google under the developer name of "www.playook.info," but now using the name "www.konplayer.com" -- in recent weeks sneaked 12 Chrome extensions onto the Chrome Web Store.

The extensions, which have been collectively installed by more than 180,000 Chrome users, inject advertisements for 44 different websites -- including chrome.plantsvszombies.com, bejeweled.popcap.com, and myhappygames -- into affected browsers. The group behind the extensions likely earns a referral commission for every user that visits one of the websites that it's advertising.

How did the Chrome security team miss the fact that these extensions are being used to spam whoever installs them with unwanted advertisements, and does Google plan to nuke the 12 extensions? A Google spokesman didn't immediately respond to an emailed request for comment. But Barracuda's Ding noted that the Konplayer group, rather than including the advertising-network-summoning JavaScript in their extensions, employed a measure of stealth by setting their extensions to download obfuscated JavaScript from www.chromeadserver.com. While that site includes the word "chrome" in its URL, it's likely controlled by the Konplayer group.

Security experts have long sounded security warnings about Chrome extensions.

Felix "FX" Lindner, head of Recurity Labs in Berlin, for example, has warned that because Chrome extensions can inject JavaScript directly into Chrome, which is written in JavaScript, they offer would-be attackers enormous malicious potential.

Accordingly, users should beware granting permissions to any Chrome extension. For example, Ding said that each of the 12 recently discovered spamming Chrome extensions requires users to grant them the "your data on all websites" permission before they can be installed "so that the ads can be injected to any websites the users browse."

"Chrome users have to learn to protect themselves," Ding said. "...be very careful if you intend to install Chrome extensions -- even if it is from the Google Chrome web store. Use some common sense to judge whether you need to grant permissions to any extensions. If any of the permissions seem beyond the fence of what it should do, do not install it."

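The permission check Ding describes can be run against an extension's manifest.json. The sketch below is an added example, not code from the article or from Barracuda Labs; it assumes the all-sites match patterns in `ALL_SITES` are what trigger the "your data on all websites" prompt, and the sample manifests are constructed.

```python
import json

# Match patterns that cover every site. Assumption: these are the grants
# behind Chrome's "your data on all websites" install prompt.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_grants(manifest):
    """Return 'where: pattern' strings for every all-sites grant in a manifest."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in ALL_SITES:
                findings.append(f"{key}: {entry}")
    # Content scripts are injected into every page their "matches" cover.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in ALL_SITES:
                findings.append(f"content_scripts[{i}].matches: {pattern}")
    return findings


def audit(manifests):
    """Map extension name -> findings, for manifests supplied as JSON text."""
    report = {}
    for name, text in manifests.items():
        try:
            found = broad_host_grants(json.loads(text))
        except json.JSONDecodeError:
            found = ["manifest.json is not valid JSON"]
        if found:
            report[name] = found
    return report


# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "game-launcher": '{"name": "Game Launcher", "manifest_version": 2,'
                     ' "permissions": ["tabs", "http://*/*", "https://*/*"],'
                     ' "content_scripts": [{"matches": ["<all_urls>"],'
                     ' "js": ["inject.js"]}]}',
    "unit-converter": '{"name": "Unit Converter", "manifest_version": 2,'
                      ' "permissions": ["storage", "https://api.example.com/*"]}',
}

if __name__ == "__main__":
    for ext, issues in audit(SAMPLES).items():
        print(ext, "->", issues)
```

An extension that appears in the report is not necessarily malicious; the output is a list of grants to weigh against what the extension claims to do.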

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Federal, User Rank: Apprentice
8/18/2014 | 6:03:22 PM
The latest version of this exploit blocks access to settings (so you can't reset)
The latest version of this exploit blocks access to settings (so you can't reset).  It's still an extension, though, so there's a workaround to fix it.  Power down the chromebook then power it back on.  The extensions take a second or so to load and the load doesn't take place until you log in.


Enter your password after the restart but have one finger on the ESC key before you hit enter to log in.  Keep hitting ESC for a few seconds after you click enter to log in.  You have to catch the browser before it loads its settings and extensions but it's pretty easy to do. Now you'll have stopped the browser from loading the extension that sets your session to "anonymous" blocking all access to settings. From here, it's easy to go to settings and either disable the offending extension or just reset the browser settings.
Howard Fried, User Rank: Apprentice
2/7/2014 | 9:40:02 PM
Ads do pay the bills, but use some tact
As David mentions, the reality is most of the internet is paid for with ads...so...the real question is, how can you make money with ads, and not be totally obnoxious, annoying and intrusive?

My team is hard at work on a product that intends to be graceful, mostly hidden, and always seek your consent to show ads and offers. Watch for a release later this year of a new kind of browser safety extension (free) from avira.com
Whoopty, User Rank: Ninja
2/5/2014 | 9:56:26 AM
Re: Ads and security
I miss the days of when using an "alternative" browser like Chrome or Firefox meant there was nothing to fear as nobody made viruses for anything but IE. I imagine Apple users feel the same way. 
David F. Carr, User Rank: Strategist
2/5/2014 | 9:12:30 AM
Re: Ads and security
Ads still pay the bills, unless you operate like NPR
Lorna Garey, User Rank: Ninja
2/4/2014 | 4:50:27 PM
Favorites?
Does resetting wipe out favorites along with cookies, tabs, etc?
Thomas Claburn, User Rank: Ninja
2/4/2014 | 4:05:47 PM
Ads and security
There's a fundamental problem here: Ads, as content injected from a third-party domain, represent a threat vector. Playing whac-a-mole with malicious extension providers is one approach. Blocking ads entirely is another.