A MILLION Chrome users' data was sent to ONE dodgy IP address

A team of security researchers have found malware in a popular Chrome extension which may have sent the browsing data of over 1.2m users to a single IP address. ScrapeSentry credits its researchers with uncovering "a sinister side-effect to a free app [...] which potentially leaks [users'] personal information back to a single …

  1. Anonymous Coward
    Big Brother

    "Users could opt out of sharing data"

    With the NSA... I doubt it...

    The data was sent to the USA so it WILL end up in their database...

    1. Anonymous Coward
      Anonymous Coward

      Re: "Users could opt out of sharing data"

      "A team of security researchers have found malware in a popular Chrome extension which may have sent the browsing data of over 1.2m users to a single IP address."

      Chrome includes this as native functionality. No need for an extension...

      1. g e

        Re: "Users could opt out of sharing data"

        But oh no, you can't have the power to revoke permissions to apps in (unrooted) Android, which is increasingly ludicrous as time goes by, especially given the popular demand for the feature.

        That remains one of Android's hugest fails and irritates the hell out of me whenever something like this pops up, which is hardly infrequent.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Users could opt out of sharing data"

          WTF does that tirade (which I agree with, as it happens) have to do with Chrome browser extensions?

        2. Anonymous Coward
          Anonymous Coward

          Re: "Users could opt out of sharing data"

          My (top of the range at the time) Samsung Note 12.2" tablet sits disconnected from the net and is pretty much unused due to Android's crap security model.

          Went back to using a laptop.

          1. Craigness
            Trollface

            Re: "Users could opt out of sharing data"

            "Went back to using a laptop."

            A Chromebook I hope!

  2. Anonymous Coward
    WTF?

    And how is this..

    ..much different to the thousands of other extensions and apps out there?

    1. Destroy All Monsters Silver badge
      Linux

      Re: And how is this..

      we just don't know

      what_are_birds.jpg

  3. This post has been deleted by its author

    1. DropBear
      Devil

      Since the only way to be sure you're not running any malicious code is to only run software written by yourself (and that includes the compiler itself in case you're wondering), it's quite clear any real-world use of computing will carry some amount of risk of running buggy and/or malicious code - so better get used to it. On the other hand, the idea that there is some magic code of "sensible behaviour" that will keep you out of trouble (as opposed to merely change the risks a little, depending on how much of an idiot you otherwise are) is ludicrous beyond belief and so is any outfit thinking they're dispensing "valuable advice" by spouting that sort of drivel. It's the IT equivalent of thinking that the advice to "drink lots of water" will keep you cancer-free...

      1. Destroy All Monsters Silver badge
        Pint

        "and that includes the compiler itself in case you're wondering"

        MITIGATED!

        1. DropBear
          Trollface

          "MITIGATED!"

          Only to a degree - that would still not get you demonstrably perfect security, as Schneier himself admits, only nudge the odds further into the implausible. And, of course - what if they *gasp* bugged your binary diff tool too?!? Those crafty bastards!!!

      2. Tom 38
        WTF?

        "Since the only way to be sure you're not running any malicious code is to only run software written by yourself (and that includes the compiler itself in case you're wondering), it's quite clear any real-world use of computing will carry some amount of risk of running buggy and/or malicious code - so better get used to it."

        Utter sophistry - not all software is as trusted as other software. The gpg signed and verified RPMs downloaded from CentOS - trusted. The random browser plugins downloaded from google - not trusted.

        Despite not trusting all sources of software, I can still do useful things with a computer without having to have written every line of it myself. This doesn't mean that I "just get used to it" and accept software from any source..

        1. Crazy Operations Guy

          "The gpg signed and verified RPMs downloaded from CentOS - trusted."

          I wouldn't go that far. Signing of the packages just means that the payload has arrived intact, whether that payload happens to include a backdoor, or some other form of malicious code, is another matter entirely. And since Red Hat / CentOS is built in the US while trying to get cozy with the government, I wouldn't be too surprised if the NSA slipped a little something extra in there in order for the software to be approved for use.

          My trust is hard earned, and if being paranoid keeps me safe, so be it.

      3. Anonymous Coward
        Unhappy

        you forgot to mention...

        That you have to design and build the CPU (and the rest of the device as well)

        1. Matt Bryant Silver badge
          Happy

          Re: theodore Re: you forgot to mention...

          "That you have to design and build the CPU (and the rest of the device as well)" Hmmm, that could be a problem, working with the PSU when he's wrapped up in all that conductive foil......

        2. Captain DaFt

          Re: you forgot to mention...

          "That you have to design and build the CPU (and the rest of the device as well)"

          And for those of you that want to get started on that:

          http://www.evilmadscientist.com/2013/paperclip/

          ;)

        3. Fink-Nottle

          Re: you forgot to mention...

          > That you have to design and build the CPU (and the rest of the device as well)

          Out of the malicious software frying pan, into the malicious patent troll fire ...

  4. Vimes

    "Users could opt out of sharing data, he said."

    Opting out of unnecessary sharing ought to be made illegal (it won't be of course).

    People should have to opt *in*.

  5. Vimes

    How are people expected to opt out? If this was obvious then the fact data was being collected would have also been obvious. That it isn't points to a process that is obfuscated from view and quite probably unnecessarily convoluted.

    Am I the only one to get a Hitchhiker's Guide-esque mental image of the instructions on how to opt out being kept in the bottom of a locked cabinet stored in an unused lavatory within an unlit cellar with the door carrying the sign 'beware of the leopard'?

    1. thomas k.

      suspicious

      That the part which sends the data to the company's address doesn't get added till a week after the initial download is suspicious in the extreme. If it's all perfectly innocent, why that delay?

  6. Anonymous Coward
    Anonymous Coward

    Urgh

    I actually use(d) this - it made sending complete page screenshots of sites in development for review really easy! I did notice a few things when it was enabled (e.g. some pages never finished loading) - what exactly do chrome extensions have access to? Do they have access to saved browser passwords?

    1. Destroy All Monsters Silver badge

      Re: Urgh

      AFAIK there is no sandboxing for extensions. Extensions like NoScript definitely could not run if there were. There should be though.

    2. Craigness

      Re: Urgh

      A Chrome extension with "No special permissions" can read the URL of the tab you're on and use AJAX to send it to a remote server. It can also inject code into the page, which makes it possible to grab a username. It can be run every time you load a page.

  7. the spectacularly refined chap

    This is the problem I have with auto-updates generally

    They always assume the provider is somehow in a privileged position.

    Rule 1 of computer security: everyone and everything is untrustworthy by default.

    Rule 1a: But you can trust us. Because we're xxxx and we'll never do you any harm. We'll never add an upgrade that soaks your Internet connectivity as if it was free and limitless (Microsoft), install payware that you neither need, want, or might interact badly with other software (Adobe/Oracle), repeatedly clobber the Kerberos setup that you entered into our own software expressly to improve security (Mozilla Foundation), or tell you to install Trusteer Rapport - presumed malware by default - "to improve security" without giving any real idea of what it actually does (any bank you care to mention).

    Yes, there comes a point where you do have to take things on trust but it should always be at the behest of the operator who is free to block anything they wish if they are not convinced it is beneficial. If you want to call that insecure go ahead: I'll simply point you to all those organisations with "secure" password policies that mean 80% of users have their password written on a piece of paper under their keyboard.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is the problem I have with auto-updates generally

      Exactly... Chrome/Android apps already have a reputation for abusing auto-updates to foist adware and malware.

      The Android (and Chrome?) permission system is a complete joke, too. Updates can grab additional permissions within a group - approx location -> precise location for example - without notice to the user.

  8. Cuddles

    Popular?

    "The extension apparently allowed users to capture screenshots and save them for later editing"

    Why would an extension that does nothing other than replicate the "print screen" key be popular? When it comes down to it, security is a numbers game. As mentioned by others above, unless you only use things you've written yourself, there's always some risk that you'll end up unknowingly running some malicious software. The more useless shit you install, the more likely that becomes. The moral of the story is not to read all the entirely accurate and well thought out user reviews before you install it, but simply not to install piles of functionless shit in the first place. This malware may have been removed now, but no doubt the people who used it still have browsers crammed full of toolbars and other crap and are no more secure than they were before.

    1. Destroy All Monsters Silver badge
      Thumb Up

      Re: Popular?

      This is signed "Cuddles", a "Happy Tree Friend" with lots of morality tales about dangerous behaviour.

    2. Test Man

      Re: Popular?

      It doesn't replicate the Print Screen feature. It took a picture of the whole web page, including the bits that aren't visible in the browser (that needs scrolling to see).

      1. Dan 55 Silver badge
        Facepalm

        Re: Popular?

        So it's print to PDF but the text goes pixelated if you zoom into the bitmap. I'll have to download that one right now, it sounds so useful.

        1. caffeine addict

          Re: Popular?

          Because a PDF is the perfect way to embed an image into a Word document or turn into a psd...

          1. Dan 55 Silver badge

            Re: Popular?

            If you must embed an image from a web page into something else you right click and copy to clipboard or save.

            If you want to turn a webpage into a PSD it's better to generate it from a PDF as you can adjust the document to any size you like without pixelating the text.

    3. Anonymous Coward
      Anonymous Coward

      Re: Popular?

      Same people who don't know the difference between Print Screen and Alt + Print Screen. ;) Or that Windows has a snippet tool (for those who can't manage key commands or who just want to copy a specific selection)

      As tech savvy as these newer generations are, there is a plethora of the populace (young and old) who still barely understand the actual technology.

      I don't use Chrome except on mobile (never did like the platform tbh), but I use a handful of extensions with other browsers. Mostly ad & cookie tracking blocking, but also Google translate, tinyURL, etc... I will rejoice when I can completely dump Adobe and Java, but I keep them on manual for now.

  9. Anonymous Coward
    Facepalm

    Took long enough

    This issue was well known in WordPress ... WordPress!!! ... forums a few months back. Of course, a bunch of those people stuck their heads in the sand. And they hold the keys to a bazillion websites.

    If the Chocolate Factory actually produced poisoned chocolate, billions would've died by now. But it's only privacy at stake...

    Sit back and enjoy the trainwreck :D

  10. Anonymous Coward
    WTF?

    What amazes me...

    ...is that you can ALREADY take a screen shot by pressing the 'print screen' key on your keyboard; you don't NEED a plug-in, add-on, or anything else, aside from some form of image editor to paste it into, in order to manipulate it, or do whatever it is you want to do to it.

    A million-plus users' data? Ouch.

    1. Test Man
      Thumb Down

      Re: What amazes me...

      Actually, it took a picture of the whole web page, including the bits that aren't visible in the browser (that needs scrolling to see).

      1. Anonymous Coward
        Anonymous Coward

        Re: What amazes me...

        And that's why you use an image editor to crop the image. Oh, I can see the attraction in a one-stop cure-all for screencaps, but wtf, use common sense, and don't use something for which there's already a solution present, even if it takes a little bit more time and effort!

        1. Tom 38

          Re: What amazes me...

          No, you still don't understand. Pressing "Print Screen" captures a subset of the contents of the screen. This tool captures the browser pane, some of which may be off screen - it doesn't capture the screen at all, it renders the browser pane.

        2. Anonymous Coward
          Anonymous Coward

          Re: What amazes me...

          > And that's why [blah, blah, blah, blah, blah, ...]

          Roger, for most people it is customary to stop digging when in a hole.

          You made assumptions, in the absence of actual knowledge, which turned out to be wrong--just admit that you said something stupid as we all do from time to time, make a mental note to be more careful next time, and move on. Instead of plowing onwards like that and looking pretty silly.

          1. Anonymous Coward
            Mushroom

            Re: What amazes me...

            Really? At the risk of feeding the trolls, you're dead wrong. On every windoze machine I've used, hitting print screen captures what's on the screen as a bitmap rendering to the clipboard. Using, for example, paint shop pro, in the past I have successfully produced a new image (ctrl+v) showing that very rendering. All I had to do then was crop the resulting bitmap image to my satisfaction, and presto, one screencap. I encourage you to try it for yourself.

            Your slice of humble pie is on the shelf by the door.

            1. Jamie Jones Silver badge
              Facepalm

              Re: What amazes me...

              Roger! You've already been advised to stop digging any further, yet full steam ahead, you continue regardless!

              Reread the comments you are replying to. They explain it clearly (Hint: off screen)

              "Really? At the risk of feeding the trolls, you're dead wrong. On every windoze machine I've used, hitting print screen captures what's on the screen as a bitmap rendering to the clipboard. Using, for example, paint shop pro, in the past I have successfully produced a new image (ctrl+v) showing that very rendering. All I had to do then was crop the resulting bitmap image to my satisfaction, and presto, one screencap. I encourage you to try it for yourself."

              This thing grabs the webpage, not the screen. This doesn't just save cropping - it means that if a webpage is so big as to require scrolling, you don't need to take screenshot, scroll down, take next screenshot, scroll down, take next screenshot etc.etc. and then finally crop and merge the whole collection of images.

              "Your slice of humble pie is on the shelf by the door."

              *cough*

              1. Anonymous Coward
                Anonymous Coward

                Re: What amazes me...

                Jamie, clearly you haven't even tried. This is one of the reasons I got out of IT support - people not actually doing what they were recommended to do. It just got too repetitive.

                Enough already.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: What amazes me...

                  No offence meant but...

                  > This is one of the reasons I got out of IT support

                  ...one other reason presumably being that you were thicker than the users you were meant to support?

                2. Tom 38
                  FAIL

                  Re: What amazes me...

                  "This is one of the reasons I got out of IT support - people not actually doing what they were recommended to do. It just got too repetitive."

                  Jesus wept, the reason you "got out of IT support" is that you don't seem to understand IT, English or logic. Keep digging.

                  If you take a render of the webpage, you get the entire content of the page. When you "print screen", you get the contents of the screen, which contains (at most) the browser's viewport, a sub-set of the webpage.

                3. Jamie Jones Silver badge
                  Happy

                  Re: What amazes me...

                  Roger, ..........seriously?

                  Glad you left tech support - nothing more infuriating than calling when a server is down, and being told the solution is to reboot my computer, but it sounds like you'd have been at home in that environment!

      2. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: What amazes me...

          > An alternative way to do this on UNIX like systems, which doesn't require a browser plug-in, is to run a dummy X server

          Nah, if you're going to be awkward might as well use a framebuffer.

  11. pauly

    I'd been using that for ages, though iirc it came back and wanted more permissions, like it wanted access to everything. Looked really sus so I removed it and found something else. Not sure it wasn't too late though as it must have been fairly dodgy from the start.
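
Added example, not part of any commenter's post: Craigness's comment above on what an extension can read and inject, and the comment above about an update asking for more access, both come down to what the extension's manifest grants. The sketch below compares two versions of a manifest and reports added API permissions, added host patterns, and whether the update newly gains access to every site; both manifests are constructed samples and the function names are hypothetical.

```javascript
// Match patterns that give an extension access to (nearly) every site.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host match patterns contain a scheme separator; API permission names do not.
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Collect everything a manifest grants: API permissions, host patterns,
// and the pages its content scripts are injected into.
function grantedAccess(manifest) {
  const api = new Set();
  const hosts = new Set();
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 lists them under "host_permissions".
  for (const list of [manifest.permissions, manifest.host_permissions]) {
    for (const p of list || []) (isHostPattern(p) ? hosts : api).add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { api, hosts };
}

// Host patterns in this manifest that cover every site.
function broadHosts(manifest) {
  return [...grantedAccess(manifest).hosts].filter((h) => BROAD_PATTERNS.has(h)).sort();
}

// What an update adds relative to the previously installed version.
function diffAccess(oldManifest, newManifest) {
  const before = grantedAccess(oldManifest);
  const after = grantedAccess(newManifest);
  const added = (x, y) => [...y].filter((v) => !x.has(v)).sort();
  return {
    addedApi: added(before.api, after.api),
    addedHosts: added(before.hosts, after.hosts),
    newlyBroad: broadHosts(oldManifest).length === 0 && broadHosts(newManifest).length > 0,
  };
}

// Constructed sample: version 1 only acts on the tab the user clicks it in.
const sampleV1 = {
  manifest_version: 2,
  name: "Sample screenshot tool (constructed)",
  version: "1.0",
  permissions: ["activeTab"],
};

// Constructed sample: a later update asks for all sites and injects a script everywhere.
const sampleV2 = {
  manifest_version: 2,
  name: "Sample screenshot tool (constructed)",
  version: "1.1",
  permissions: ["activeTab", "tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

function runSample() {
  return diffAccess(sampleV1, sampleV2);
}
```

Run against the manifests of two successive versions of an installed extension, a `newlyBroad` result of `true` is the "wanted access to everything" change described in the comment.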

  12. Stevie

    Bah!

    Title says it all.

  13. adnim
    Unhappy

    Unfortunately

    most people are not going to run their internet connection through Wireshark or Snort and log/parse the resulting data. I expect everything I run to want to send data to the software provider and yet I don't do this. I would also have to be an accomplished cryptographer to be sure I understood what was being sent much of the time.

    There was a time when I had a Honeywall between my LAN and the Internet, the logs made interesting reading, not so much the outgoing but the incoming connections. I expect the outgoing logs would be far more interesting now.

    A web browser has to access the Internet, a local application doesn't; therefore I have a software firewall that detects egress and I just block every application that seeks to connect to the Internet.

    With a web browser it cannot determine a plugin from the parent application, although it does list the IP addresses an allowed application connects to.

    It is tedious doing lookups on these addresses though. It might be time to look at Honeywall Roo again and build on what is already there. Would the average consumer care though if presented with a warning telling them that their privates are being exposed? They might just think the benefit of the free application is worth the cost.

    Commercial entities are legion for they are many. If you can't read the source code it cannot be trusted to connect to the Internet. It really is that simple.

  14. Crazy Operations Guy

    "who the extension's users were and where they were located to help drive development of the code."

    That doesn't parse... Everyone gets the same internet, so why do they need to know that stuff? And if there is anything that needs to be changed to support specific users / locations, well, that is what feedback systems are for. At most, I could see them wanting the language code so that they know what translations to focus on.

    But what would make sense is that they are out of cash and are selling this information to advertisers without the users' permission.

  15. streaky

    Discovered

    This extension's don't-give-a-shit attitude to privacy and malware has been known about for well over a year. Interesting they claimed they'd discovered it :p

  16. JCitizen
    Alert

    Like WOW! man!...

    Hasn't everybody got tired of Google Chrome's spy shit??!! I certainly have, and don't use it anymore!!!! Doh!! I block Chrome cookies religiously on all my browsers - I'm sure a competitor will exceed their wayward ways, but then, I'm sure I can find an alternative by then too!
