|Malicious Chrome Extension||jollymonsa||12/17/13 9:17 AM|
Chrome Version (type about:version into your omnibox): 31.0.1650.57 m
Operating System (Windows 7/8/Vista/XP, Mac, Linux, Android, iOS): Win 7
Extensions (type Chrome:extensions into your omnibox): Window Resizer
This extension: Window Resizer by ionut-botizan.net is inserting links into the search results. This is a window resizing extension but they are tracking all data and keystrokes. checked with wireshark.
In reviews it looks like developer has posted the following:
"I could have sold the extension to someone who would have gained access to all your passwords, emails, etc without you even knowing it. I haven't done that!"
Please address this google.
|Re: Malicious Chrome Extension||†Tommy G.†||12/17/13 9:26 AM|
Thanks for posting. I have escalated this info to Google.
|Re: Malicious Chrome Extension||Gouty - Top Contributor (Gmail & Chrome)||12/17/13 9:29 AM|
I saw some recent feedback are saying something different. However I will forward this to the team to check.
Edit : one of us will forward this. :D
|Re: Malicious Chrome Extension||SarahMM||12/17/13 9:48 AM|
Thanks for sharing here - we appreciate you alerting us. Can you please share the extension id with me?
|Re: Malicious Chrome Extension||Ionut Botizan||12/17/13 9:56 AM|
The extension's ID is kkelicaakdanhinjdeammmilcgefonfh.
|Re: Malicious Chrome Extension||jollymonsa||12/17/13 10:27 AM|
That is the extension ID.
|Re: Malicious Chrome Extension||jollymonsa||12/17/13 10:40 AM|
4.4.1 subsection 4
"Ads in Chrome Apps and Extensions"
This looks and feels like a native Google experience. It was only when I one day managed to click a link and see the URI had been click-jacked that I became suspicious of what was going on. Injecting your ad into Google's own search results certainly from my seat seems like interference.
|Re: Malicious Chrome Extension||Ionut Botizan||12/17/13 11:18 AM|
I believe you agreed when you installed this extension and and gave it the permission to "Access your data on all websites".
Also, although debatable, I believe it can be considered as a form of consent the fact that you didn't disabled this feature when notified about it in the update notes. What the extension does is mentioned both in the Details/Overview pages in the Webstore and the extension's settings, in the History page (which you are notified about whenever there is an update).
|Re: Malicious Chrome Extension||Mike Behnke||1/12/14 5:48 PM|
I don't think you realize the bad press you are creating by doing this, Ionut. I was an active evangelist for your plugin, telling developers at work and at conferences and meetups about it. Now I actively tell people they should uninstall it. Messing with search results is, IMO, a line you don't cross. You knew most people would not read the updates, and while it may have been 100% above board regarding Google policy (not sure on that), it was/is a bad move to make, particularly when your audience is a bunch of developers.
|(unknown)||1/12/14 6:25 PM||<This message has been deleted.>|
|Re: Malicious Chrome Extension||Daniel Eloff||1/12/14 6:44 PM|
No! That is not even close to being clear! Don't try to whitewash this. That's bundled malware plain and simple. It's no better that half the crap internet explorer extension malware I used to clean off computers back in the day. Shame on you as both a developer and a human being. I sincerely hope Google not only bans your extension but bans you as well! I certainly would never install any software with your name attached to it, ever.
|Re: Malicious Chrome Extension||InKarC||1/12/14 6:59 PM|
my my my malware! is protected by the TOS I'm sure!
|Re: Malicious Chrome Extension||Paul Irish||1/12/14 7:22 PM|
As a followup, the Window Resizer extension is no longer in the Chrome Web Store:
Related, here was the announcement of the link inclusion: http://blog.ecosia.org/private/68462872760/tumblr_mx16gzeb711surx8u
|Re: Malicious Chrome Extension||Artnez||1/12/14 7:29 PM|
On Sunday, January 12, 2014 7:22:42 PM UTC-8, Paul Irish wrote:
If the reason for taking it down was malicious intent, I would be very helpful if existing users were notified.
As it stands, people are discovering that they're being clickjacked when the clickjacking software fails to work (thereby exposing its existence).
|Re: Malicious Chrome Extension||John Lomma||1/12/14 9:50 PM|
so uh, did yall just destroy the rain forest?
|Re: Malicious Chrome Extension||Ionut Botizan||1/12/14 11:08 PM|
The reason was it did not comply with the following:
"Ads must be presented in context with your app or clearly state which app they are bundled with. Ads must also be easily removable by either adjusting the settings or uninstalling the app(s) altogether. Ads may not simulate or impersonate system notifications or warnings."
|Re: Malicious Chrome Extension||Ionut Botizan||1/12/14 11:29 PM|
No, that's bundled adware. If I wanted to give you malware, I would have added a keylogger which you wouldn't have ever discovered (ask around; it's technically possible).
So stop whining already, uninstall the extension and move on with your life!
|Re: Malicious Chrome Extension||Ionut Botizan||1/12/14 11:48 PM|
I'm sorry to disappoint you, but you're not completely right. I was receiving emails after every update from people that read the notes, so I assumed most do the same and, honestly, I do not care much about those that were not interested in what's new (I had people asking for features that were already implemented so why would I care or lose any more time on those ignorants?).
Also, I don't see this as "messing with the search results" since those weren't altered. I haven't added, removed nor switched any of the results. The only thing that changed (and shouldn't have affected your browsing experience) was that the links were proxied through Ecosia's rather than Google's analytics servers.
And the last thing you were wrong was that I (unintentionally) broke Google's ToS and got suspended. The exact article they said I broke was:
P.S.: There is no such thing as bad publicity! :)
|Re: Malicious Chrome Extension||Thomas.H||1/13/14 12:02 AM|
Ecosia is also blocking your IP if you make to many searches/requests.
|Re: Malicious Chrome Extension||Ionut Botizan||1/13/14 12:11 AM|
That's weird! I'll ask them about that.
|Re: Malicious Chrome Extension||ajimix||1/13/14 12:18 AM|
That's how I noticed something was going wrong, Ecosia blocked my IP and I wasn't able to use Google at all. That's when I noticed that something was weird, I had to use my mobile phone with 3G to check google and search wtf was that ecosia think and then I uninstalled your extension asap.
So I assume a lot of people will be now unable to use Google for some time thanks to this ecolink shit.
|Re: Malicious Chrome Extension||Ionut Botizan||1/13/14 12:29 AM|
Are you sure they blocked your IP and it wasn't just a server downtime?
Also, did you try to access Google using another browser on your PC/Mac?
|Re: Malicious Chrome Extension||Michael Zaporozhets||1/13/14 12:31 AM|
hahaha wow. That's pretty nasty stuff.
Just serves as a reminder that just because someone is a competent developer doesn't mean they will abide by every social ethic you would expect ;).
|Re: Malicious Chrome Extension||ajimix||1/13/14 12:33 AM|
They blocked the IP, because I was getting a message saying that there were too many petitions from my IP so it was blocked.
|Re: Malicious Chrome Extension||Paweł Komarnicki||1/13/14 12:54 AM|
I think it's time Google introduces stronger reviews or option to disable auto-update of extensions :(
|Re: Malicious Chrome Extension||Costin Raducanu||1/13/14 2:25 AM|
Ca romanu', sa nu scrie el o aplicatie corecta, destinata comunitatii. Sa bage o reclama, o ciordales, ceva ...
|(unknown)||1/13/14 3:12 AM||<This message has been deleted.>|
|Re: Malicious Chrome Extension||Privacywouldbenice||1/13/14 3:18 AM|
>There is no such thing as bad publicity!
We'll see about that, scumbag.
|Re: Malicious Chrome Extension||Horia Dragomir||1/13/14 3:26 AM|
Dude - you done messed up. :-(
|Re: Malicious Chrome Extension||karnei||1/13/14 4:17 AM|
Does disabling the setting stop from proxying searches?
|Re: Malicious Chrome Extension||Ionut Botizan||1/13/14 4:25 AM|
Yes, it completely disables everything Ecosia related and it has done so right from the beginning.
|Re: Malicious Chrome Extension||karnei||1/13/14 4:27 AM|
Im asking this question because it seems to me that thats the only question that matters,. you're obviously not trying to hide this "feature' and if everything works I get to use your app for free and I get to plant a tree??? I wouldnt call this malware,. adWare maybe., sneaky proxy,.. yeah ok
|Re: Malicious Chrome Extension||karnei||1/13/14 4:31 AM|
pales in comparison to what double click does
|Re: Malicious Chrome Extension||karnei||1/13/14 4:34 AM|
I should add, In my humble opinion
|Re: Malicious Chrome Extension||Ionut Botizan||1/13/14 4:36 AM|
That's what I tried to explain, but people are quick to judge!
|Re: Malicious Chrome Extension||Scott Blevins||1/13/14 10:59 AM|
>"I could have sold the extension to someone who would have gained access to all your passwords, emails, etc without you even knowing it. I haven't done that!"
This is a truly reprehensible statement and it shows a complete and utter disregard for privacy and decency. That's akin to someone saying, "I could have beat up an old man and taken his wallet from him but I didn't- all I did was trick him into sending all his personal information to me and trick him into endorsing me without his knowledge."
Just because you could have done something worse, doesn't mean you get a pass for the horrible thing you did do. The fact that you use that type of defense means you don't understand, or don't care, why people are upset- and that's what makes this so bad.
You should be ashamed.
|(unknown)||1/14/14 12:37 AM||<This message has been deleted.>|
|Re: Malicious Chrome Extension||Ben O'Hear||1/14/14 12:44 AM|
The bit which is of bigger concern is the suspected keylogger:
I'm getting the feeling that this was a misunderstanding, but could you please confirm that the extension was not logging all keystrokes (bank passwords, cc numbers etc).
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 12:45 AM|
Dude, last time I checked, I owned Window Resizer. It was mine. Also, last time I checked, I was living in a free world, where I can sell my property to whoever I want to.
I never said I would collect your data and sell it, I just said I could sell my property to one of those that showed interest in buying it. What the buyer does with it shouldn't be my concern.
And what's that about comparing something legal like selling my own property and ads supported software with crimes like beating people and committing fraud? Is your moral compass really that messed up?
Oh, I understand perfectly why some people are so upset, but I don't care anymore. People too lazy to think for themselves are none of my concerns.
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 12:50 AM|
NO, of course it wasn't! The original post is complete BS.
That isn't even the reason the extension got suspended; it was because it failed to make it clear in the context of the ads which was the extension that enabled them.
Anyone who still has the extension installed can view the source code by looking in their /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh
The only thing it was doing was proxying clicks on search results through Ecosia's analytics servers instead of Google's.
|Re: Malicious Chrome Extension||jollymonsa||1/14/14 1:56 AM|
As the person that recognized this and started this thread...wow. You are every bit of what I had hoped wouldn't be developing an extension. Your comment about selling others information and it being of no consequence. What planet is this your on? Oh and BTW its called hijacking. Straight up guy, you act like a jerk here also. I'm glad Google banned your app, it was a clear violation and huge security risk as you yourself admitted "why would I care what someone else does with your information"...its called stream of commerce and you better HOPE TO GOD they don't do anything malicious with it.
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 2:20 AM|
Dude, what you're doing can be easily classified as perjury and/or calumny!
I never said I would sell someone else's information, I said I could sell my extension! After someone buys the extension and I transfer the ownership to them, it is not my problem what they do with it, be it collecting your private info or anything else.
|Re: Malicious Chrome Extension||Jim Collinson||1/14/14 4:08 AM|
Is this the court of Google? What planet are you on?
You are doing a fine job of doing that to yourself — you really don't need anyone to help.
|(unknown)||1/14/14 4:12 AM||<This message has been deleted.>|
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 5:06 AM|
I live on a planet where, supposedly, people tell the truth and don't falsify affirmations in order to affect other people's image.
As far as I'm concerned, I have always spoken the truth, whereas jollymonsa has knowingly lied about the facts and deliberately altered my comments when quoting me in order to make it sound bad.
|Re: Malicious Chrome Extension||jollymonsa||1/14/14 7:46 AM|
You said exactly...I could sell my property to one of those that showed interest in buying it. What the buyer does with it shouldn't be my concern... It was a few threads back in case you forgot.
Your app passed uri information to an unknown source. Your app inserted ad links. You got caught and now your pissed. Don't jack ppls privacy without letting them know and this wouldn't have happened. I've seen many extension toss a new window open when they auto update with all that's changed. That wouldn't have been so bad now would it have?
|Re: Malicious Chrome Extension||SarahMM||1/14/14 10:16 AM|
This thread is getting a bit heated - please remember this is a support forum where folk come to learn and troubleshoot. It may be better for you to agree to disagree.
|Re: Malicious Chrome Extension||gorhill||1/14/14 10:56 AM|
> they are tracking all data and keystrokes. checked with wireshark
Could you please be more specific re. "keystrokes". I looked at the code and for the version of the code I checked, nowhere in there do I see "keystrokes" being "tracked". Maybe I am missing something -- it's not like I know all about extensions: so *exactly* where in the code did you see that "keystrokes" are "tracked"?
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 11:17 AM|
Yes, I said I could sell "my property", by which I meant the extension, not your private data, like you implied. (You said it 4 threads above: "Your comment about selling others information and it being of no consequence")
Yes, my app inserted ad links and I am not pissed at all, because that is not something I tried to hide. I am pissed, as I said before, by you trying to misrepresent the reality just because you don't like the fact that I used ads to support the extension.
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 11:23 AM|
Can you or someone else post an official response to the initial post of this thread? I think people need to know which of those claims are true and the real reason behind the suspension of my extension.
|Re: Malicious Chrome Extension||jollymonsa||1/14/14 1:10 PM|
How is this not tracking user submitted data?
- I log into google or not, either way I type a search string into the search box.
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 2:10 PM|
FYI, the search results are coming from Google, without any interference from anyone; the only thing that's changed is what happens after you click on one.
But, yes, you are right! The search terms are forwarded as a URL parameter when you do click on a link. If that means keylogging to you, then you are absolutely right! You got me now and I'm so embarrassed!... :))
...And there I was, wondering how hundreds of people started thinking I was logging all their keystrokes, including passwords, credit card numbers, etc.
P.S.2: "I am not willy-nilly about who knows what about me." Rest assured, no one knows anything about you. You're just an anonymous nobody whose "two girls, one cup" search on Google got logged on some tree-planting program's servers.
|Re: Malicious Chrome Extension||gorhill||1/14/14 2:36 PM|
I understand there was no key logger as many people worried given the content of the original post.
However, your were more than just inserting ads, as jollymonsa said, and as I just verified, you were redirecting the search query of the user to http://www.ecosia.org when the user *clicked* on a link in the result page.
For example, I entered the term "anticonstitutionellement", and this request was sent out when I clicked the top link:
This is a request generated when I clicked a link in the result page, *after* the ads have been inserted in the result page. This is more than just "inserting ads", it resembles more snooping on the user.
I can see why the extension was removed from the Chrome store.
|Re: Malicious Chrome Extension||jollymonsa||1/14/14 3:03 PM|
1. I had actually stated this very closely on the 17th of December.
2. Yup I do read the TOS because G presented me with a window that told me to do so as I was agreeing by using their services. Honestly had you done the same I think I might have disabled the links or contributed money to a "paid" version (had that been an option). I spend a lot of money on software. I need to know the ramifications of things I am agreeing to.
3. I'm not important. Not trying to be. I would however prefer to understand who sees what of mine. I don't think I am that different from many ppl in that regard.
@SarahMM is right, you just prefer to attack me personally here so whatever. BTW it was a good extension.
|Re: Malicious Chrome Extension||gorhill||1/14/14 3:20 PM|
> that is not something I tried to hide
I just want to add a technical note to what I posted above.
The redirection to http://www.ecosia.org/ when a user clicked on a link in the result page was no doubt deliberately obfuscated: the URL of the link was changed *only* once the user had clicked on the link, not before, in which case this would have allowed the user to see that we was being redirected to http://www.ecosia.org/ prior to click on the link (by hovering the mouse cursor over the link).
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 10:38 PM|
This is the exact same thing Google does. Perform a search then click a link, but don't release the mouse button. Instead, drag the mouse to some empty space and then release. You'll see the link has changed. This is so that the users can see the URL where they end up when they hover over a link.
|Re: Malicious Chrome Extension||Ionut Botizan||1/14/14 10:55 PM|
That is "the ad". If you'd read the whole story, you'd know what it is all about. The extension does not insert ads, it converts the search results to affiliate links. I've been saying this from the beginning, but no one seem to care. So yeah, when you click on a link you are taken to an Ecosia server and then redirected to the destination.
I said this in a previous post both here and on HN: the extension is proxying the links through Ecosia's analytics servers instead of Google's.
You are welcomed to feel outraged now!
|Re: Malicious Chrome Extension||Ionut Botizan||1/15/14 3:17 AM|
Ok, you guys won and I and the other 230.000 users that still have no problem using the extension are wrong! :)
I have removed the so called malicious EcoLinks and sent it back for review. Have fun _safely_ resizing stuff!
|Re: Malicious Chrome Extension||gorhill||1/15/14 5:31 AM|
It's just amazing how you refuse to see the problem.
The ads were supposed to be tagged as "Ecolink". The links I am talking about were *not* marked "Ecolink".
|Re: Malicious Chrome Extension||gorhill||1/15/14 5:36 AM|
Being redirected to encrypted google from encrypted google is not the same as being redirected to a web site I had no idea existed along with the user's unencrypted query and whatever else was encoded in that URL. I'm sure you understand very well the issue, you just don't want to admit this was wrong.
|Re: Malicious Chrome Extension||Ionut Botizan||1/15/14 6:01 AM|
I don't refuse to see that problem. I already admitted that the reason for the suspension was not making it clear that those links were also modified by my extension (read my previous posts).
However, you fail to understand that *all* the links in the results were converted to *ads* and there was no difference between how they worked, except the fact that some had an icon added to them because those were links to Ecosia's partners sites.
As for the clicked links, it's the same mechanism as Google uses except Google sends just a query ID because they already know the query. Search the same thing with the extension disabled and you'll see that it will take you to
Anyway, think about it this way: if I'd really wanted to track users' data without they knowing it, don't you think I could have made an AJAX request in the background with that, so they wouldn't ever find out? (cross site XHR are allowed within Chrome extensions) And if I wanted to be really sneaky about it, don't you think I could have left the links untouched and just intercepted the request headers before they were sent to the final destination URL to spoof the referer?
And finally, that is not "what jollymonsa said", because he claimed that the query was never sent to Google but to Ecosia, who returned results which were ads based on his search query, which is completely false.
|Re: Malicious Chrome Extension||Ionut Botizan||1/15/14 6:05 AM|
You should have known it existed and disabled that behavior if you'd be paying just a little attention at what happens on your screen. When the extension was updated to include those links, there was an update message saying "Added EcoLinks to Google pages" with a link on "EcoLinks" taking you to the settings page where you could learn more about it and disable it if you chose to do so. (And yes, I already admitted that the opt-out thing was not the best choice, so don't start with that)
|Re: Malicious Chrome Extension||gorhill||1/15/14 8:28 AM|
> you fail to understand that *all* the links in the results were converted to *ads* and there was no difference between how they worked
This conversation is going nowhere. Sigh. This is *exactly* what I reported above and what others have reported before me... To be clear, I never installed the extension from the store, I just downloaded it from your server to make my own conclusions from investigating the code after I read about all this elsewhere. My conclusions: key logger = no; deception and privacy violation = yes. This is it, I've nothing else to add.
|Re: Malicious Chrome Extension||Eric Wallin||1/16/14 7:14 AM|
What I think the "outrage" is all about is that people feel like you violated the users' trust. They stated purpose of your product has nothing to do with proxying users' traffic or redirecting anything, yet that appears to have been happening.
That being said, including Ecosia is a thoughtful gesture, however automatically opting-in users is the violation of trust I'm talking about. If, during the install, you asked the user "Can I help out a great cause by redirecting your search traffic through Ecosia?" and allow them to opt-in, that would completely change the dialog with your users. Instead, users feel like you pimped out their private searches in order for you to support your own personal cause.
If the Google terms allow it, I suggest re-adding the Ecosia stuff, and simmply ask the user if they will let you redirect their traffic to support that cause, then move on.
Personally, I did not appreciate experiencing the Google problems that I did, and was a bit irate when I discovered that your extension was the cause of it. YES, I could have read the notes / terms of service / whatever, but seriously, nobody has time to do that for every single thing they install or use.
I did go into the settings and removed the Ecosia setting, however I think Google has uninstalled the extension after it was removed. I no longer have it listed in my installed extensions and I do not recall uninstalling it.
Aside from the Ecosia problems, it has been quite useful to me. I hope you keep updating it.
|Re: Malicious Chrome Extension||Ionut Botizan||1/21/14 8:12 AM|
I have completely removed the offending code from the extension and re-published it a week ago, but its status is still "Pending Review".
Can you give an estimate on how long it usually takes for an extension to be reviewed and re-published after being taken down?
|(unknown)||2/6/14 2:13 PM||<This message has been deleted.>|
|Re: Malicious Chrome Extension||SarahMM||2/7/14 7:57 AM|
Sorry for my delayed response. Does it still say pending? Unfortunately the webstore is out of scope for the forum, so best to check in the developer FAQ here for how to best contact them.