Button Stealer (opens in new tab)

(anatolyzenkov.com)

262 pointskickofline1y ago78 comments

78 comments

Issue with this “benign” extension is that it will be using

“host_permissions”: “<all_urls>”

In its manifest means it can basically do anything on any webpage you visit, scrape data etc.

As an extension developer, no thanks. “Fun” pointless extensions like this that have no real utility, but funnily enough require broad permissions, are dangerous

elaus1y ago

> [...] but funnily enough require broad permissions

I don't think there is a way to implement this without said permission. You can always check out the code from GitHub and install the extension locally to avoid any malicious changes in the future.

skybrian1y ago

And that’s why it shouldn’t be in the Chrome app store at all.

As a hobbyist developer, having that kind of access in other people’s browsers is not something I want, and I’m suspicious of developers who do seem to want it. It’s like “hey, I wrote a fun game that requires root access.”

At least limit it to people who know what Github is.

4 more replies

purple-leafy1y ago

There is a way:

1) Extension could use the “activeTab” permission (would require user to click the extension once when inside the current tab to activate the extension, then the extension will run for any url they visit

1 more reply

jimvdv1y ago

If chrome permissions made sense a user could choose to activate the extension when they visit a site.

Also the extension could have no network access and have read-only access to the DOM to name a few improvements.

m3kw91y ago

hard to know if github code is the code it is being installed unless you build it from github. 1/10000 people check+install like this

resonious1y ago

It seems crazy that extensions don't have a permission for making network requests. Getting permission to access the DOM on all pages I visit is fine if there's no way to exfiltrate!

robryk1y ago

You can always exfiltrate by inserting stuff into the page's DOM that will do the exfil from the page's context.

3 more replies

emadda1y ago

Or also a permission to disable automatic updates to reduce the issue of “popular extension sold to malware corp”.

ivanjermakov1y ago

1. Wait for an extension to become popular

2. Sell it to a company with malicious intentions

3. Get ad/spy/malware in your browser

geek_at1y ago

that happened to me. I installed a plugin that would parse all pages for email addresses and store them for later reference. A few months later i started to see strange ads on pages that shouldn't have ads.

65101y ago

The permissions need to be more specific some how.

I think the correct approach is to have the option to have a function isolated from the rest of the code. Then pay a trusted party to review the functionality of the function.

In this case said function may only 1) access the html on the website, 2) find the button and 3) return only that what makes the button.

Then the permission prompt, written by the trusted party, can be something accurate like: This extension wants to copy buttons from websites.

I'm calling it DEWISOTT computing: does exactly what it says on the tin

You can go wild update your extension 1000 times per day without touching the function.

dotancohen1y ago

  > written by the trusted party

This is the weak, and expensive, link.

1 more reply

rc_mob1y ago

How is OP supposed to build the extension without doing this?

d--b1y ago

Yes they sell for quite a bit, and the buyer may not have the same idea of “fun” than the original guy.

Refusing231y ago

just like 'Grammarly' which is basically just a keylogger

MrSS1y ago

Grammarly has to be able to connect back to their online service while the button addon could be implemented in a way that it can read every website but not send antyhing anywere (in theory, the addon could of course simulate a form and send data out through that or somehow).

But yeah i tested grammarly for 5 minutes and found it crazy.

there has to be a better way getting both worlds :|

2 more replies

dougseismic1y ago

As a fellow extension developer, you'll know that remote code is extremely sandboxed by the review process and you can jump into the code easily.

Hell if you're that paranoid, sniff any remote connections with mitmproxy and generally just... understand what an extension does before you leave it on your machine.

Some extensions are just fun; this extension is wicked for me as design inspiration but yeah, salty take and hackernews PB+J

vstollen1y ago

Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

I‘ve heard that Firefox will only run signed extensions. Would you trust this process?

zinekeller1y ago

> Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

Mozilla does not manually review most extensions (only extensions which Mozilla recommended are manually reviewed: https://support.mozilla.org/en-US/kb/add-on-badges).

Chrome's policy is extensions are "reviewed periodically for compliance", but is unclear on how frequent is this periodic review (https://developer.chrome.com/docs/webstore/review-process).

doctorpangloss1y ago

My dude. Google Chrome hoovers up all your browsing history. Google knows the content of pages you visit, because you make search queries to visit them, and most sites use Google Analytics or Webmaster tools, or the sites are in their index and can be looked up by URL reported by Chrome. Google has your Gmail, YouTube, Google Drive… if it wanted to, it could access your private stuff because it has access to your email. You are whinging about a silly joke project with a hypothetical concern, when you are already granting broad permissions to all of your data.

skybrian1y ago

This is the app version of a phishing email. Give us access to everything on every website you visit, just for some eye candy.

mavamaarten1y ago

Bonzi buddy vibes

Hamuko1y ago

I'd be worried about installing these sorts of extensions in case someone decides to offer the developer a lucrative amount of money to buy it and then uses it for less-than-fun purposes. Not sure if they'd need additional permissions for it, but at least the current content script is ran against "https://*/\*" already.

koito171y ago

Is there a particular reason this uses Chrome-specific APIs instead of the standard WebExtensions API? I have considered experimenting with web extensions, but wondering what the practical limitations of the standard API are compared to the browser-specific APIs.

sn0wleppard1y ago

There's some difference but a lot of overlap in the basic functionality - Firefox is compatible with all the chrome.* API calls I use in my own extension

purple-leafy1y ago

chrome doesn’t support web extension API

creesch1y ago

Technically correct, but it is a bit more complex. The original web extension API is based on the chrome extension API. So most (there are some annoying exceptions at times) of the chrome extension API calls also work with very little adjustment on firefox. It becomes even easier when you use mozilla's polyfill library https://github.com/mozilla/webextension-polyfill

Then you can just target the promise based webextension syntax and as long as you still stick to the calls also available in chrome your extension works with very little effort in both browsers.

Safari is a different story which basically amounts to Apple being Apple and sort of supporting webextensions but in such a roundabout way that it is barely worth it for the majority of extension devs.

kickoflineOP1y ago

github: https://github.com/anatolyzenkov/button-stealer

neontomo1y ago

now add a leaderboard for most collected...

btw i had a look at the code and it seems benign. no clue if there's a way to verify the same code is in the chrome extension store.

stuffoverflow1y ago

On windows the location of chrome's extensions is "AppData\Local\Google\Chrome\User Data\Default\Extensions". You can read the source code of all of your installed extensions there. This requires you to install the extension first. It is also possible to download the crx file of any extension from the chrome web store and just unzip it to inspect the source, though i'm not sure how to do it with the official chrome. Ungoogled chromium downloads the crx file if you press "add to chrome" and then cancel.

whodev1y ago

I diff'd the chrome extension against the github repo and they are basically the same, outside of a few lines in the README.md missing and the manifest.json containing an update URL key to "https://clients2.google.com/service/update2/crx".

elitepleb1y ago

reminds me of https://adnauseam.io/ 's clicked ad view https://adnauseam.io/img/adnauseam_vault.png

erremerre1y ago

I love watching mine, and love watching the cost to advertisers. Modern problems require modern solutions!

graypegg1y ago

I love the idea but the <all_urls> access is a bit scary.

This could be recreated in a bookmarklet ideally, though it would require saving the button html snippets into a file that you'd have to make downloadable with some Blob weirdness.

coalio1y ago

I worked on something similar before that serves the same purpose, except that it steals css/scss and it's not an extension but rather a CLI tool, you can find it in github as coalio/rfscss

kmoser1y ago

Does it store the HTML/CSS for creating the buttons so you can easily repurpose them (which would be quite useful), or are they stored as images (which would be fun but less useful)? If the latter, how difficult are they to extract from the page that shows them all?

sweca1y ago

This sounds like a great way to find inspiration for UI UX designs

josefritzishere1y ago

Why would you intall this? Who wants a collection of buttons?

odo12421y ago

Is there a Firefox version?

jer0me1y ago

“It's fun, useless, and free!”

impure1y ago

ICH WILL MEINE 5€!

rgbrgb1y ago

cool! i want this for safari please. is that an easy port?

peanut_worm1y ago

cute idea but im not installing this malware lol

ape41y ago

In addition to all the security concerns mentioned, you don't really need it. You can google or ask a chatBot to make you custom button.

j / k navigate · click thread line to collapse

78 comments

purple-leafy1y ago

Issue with this “benign” extension is that it will be using

“host_permissions”: “<all_urls>”

In its manifest means it can basically do anything on any webpage you visit, scrape data etc.

As an extension developer, no thanks. “Fun” pointless extensions like this that have no real utility, but funnily enough require broad permissions, are dangerous

elaus1y ago

> [...] but funnily enough require broad permissions

I don't think there is a way to implement this without said permission. You can always check out the code from GitHub and install the extension locally to avoid any malicious changes in the future.

skybrian1y ago

And that’s why it shouldn’t be in the Chrome app store at all.

At least limit it to people who know what Github is.

4 more replies

purple-leafy1y ago

There is a way:

1 more reply

jimvdv1y ago

If chrome permissions made sense a user could choose to activate the extension when they visit a site.

Also the extension could have no network access and have read-only access to the DOM to name a few improvements.

m3kw91y ago

hard to know if github code is the code it is being installed unless you build it from github. 1/10000 people check+install like this

resonious1y ago

It seems crazy that extensions don't have a permission for making network requests. Getting permission to access the DOM on all pages I visit is fine if there's no way to exfiltrate!

robryk1y ago

You can always exfiltrate by inserting stuff into the page's DOM that will do the exfil from the page's context.

3 more replies

emadda1y ago

Or also a permission to disable automatic updates to reduce the issue of “popular extension sold to malware corp”.

ivanjermakov1y ago

1. Wait for an extension to become popular

2. Sell it to a company with malicious intentions

3. Get ad/spy/malware in your browser

geek_at1y ago

65101y ago

The permissions need to be more specific some how.

I think the correct approach is to have the option to have a function isolated from the rest of the code. Then pay a trusted party to review the functionality of the function.

In this case said function may only 1) access the html on the website, 2) find the button and 3) return only that what makes the button.

Then the permission prompt, written by the trusted party, can be something accurate like: This extension wants to copy buttons from websites.

I'm calling it DEWISOTT computing: does exactly what it says on the tin

You can go wild update your extension 1000 times per day without touching the function.

dotancohen1y ago

  > written by the trusted party

This is the weak, and expensive, link.

1 more reply

rc_mob1y ago

How is OP supposed to build the extension without doing this?

d--b1y ago

Yes they sell for quite a bit, and the buyer may not have the same idea of “fun” than the original guy.

Refusing231y ago

just like 'Grammarly' which is basically just a keylogger

MrSS1y ago

But yeah i tested grammarly for 5 minutes and found it crazy.

there has to be a better way getting both worlds :|

2 more replies

dougseismic1y ago

As a fellow extension developer, you'll know that remote code is extremely sandboxed by the review process and you can jump into the code easily.

Hell if you're that paranoid, sniff any remote connections with mitmproxy and generally just... understand what an extension does before you leave it on your machine.

Some extensions are just fun; this extension is wicked for me as design inspiration but yeah, salty take and hackernews PB+J

vstollen1y ago

Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

I‘ve heard that Firefox will only run signed extensions. Would you trust this process?

zinekeller1y ago

> Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

Mozilla does not manually review most extensions (only extensions which Mozilla recommended are manually reviewed: https://support.mozilla.org/en-US/kb/add-on-badges).

Chrome's policy is extensions are "reviewed periodically for compliance", but is unclear on how frequent is this periodic review (https://developer.chrome.com/docs/webstore/review-process).

doctorpangloss1y ago

skybrian1y ago

This is the app version of a phishing email. Give us access to everything on every website you visit, just for some eye candy.

mavamaarten1y ago

Bonzi buddy vibes

Hamuko1y ago

koito171y ago

sn0wleppard1y ago

There's some difference but a lot of overlap in the basic functionality - Firefox is compatible with all the chrome.* API calls I use in my own extension

purple-leafy1y ago

chrome doesn’t support web extension API

creesch1y ago

Then you can just target the promise based webextension syntax and as long as you still stick to the calls also available in chrome your extension works with very little effort in both browsers.

kickoflineOP1y ago

github: https://github.com/anatolyzenkov/button-stealer

neontomo1y ago

now add a leaderboard for most collected...

btw i had a look at the code and it seems benign. no clue if there's a way to verify the same code is in the chrome extension store.

stuffoverflow1y ago

whodev1y ago

elitepleb1y ago

reminds me of https://adnauseam.io/ 's clicked ad view https://adnauseam.io/img/adnauseam_vault.png

erremerre1y ago

I love watching mine, and love watching the cost to advertisers. Modern problems require modern solutions!

graypegg1y ago

I love the idea but the <all_urls> access is a bit scary.

This could be recreated in a bookmarklet ideally, though it would require saving the button html snippets into a file that you'd have to make downloadable with some Blob weirdness.

coalio1y ago

I worked on something similar before that serves the same purpose, except that it steals css/scss and it's not an extension but rather a CLI tool, you can find it in github as coalio/rfscss

kmoser1y ago

sweca1y ago

This sounds like a great way to find inspiration for UI UX designs

josefritzishere1y ago

Why would you intall this? Who wants a collection of buttons?

odo12421y ago

Is there a Firefox version?

jer0me1y ago

“It's fun, useless, and free!”

impure1y ago

ICH WILL MEINE 5€!

rgbrgb1y ago

cool! i want this for safari please. is that an easy port?

peanut_worm1y ago

cute idea but im not installing this malware lol

ape41y ago

In addition to all the security concerns mentioned, you don't really need it. You can google or ask a chatBot to make you custom button.

j / k navigate · click thread line to collapse