Scott Hanselman

Can you trust your browser extensions? Exploring an ad-injecting chrome extension

October 3, '14 Comments [42] Posted in Musings

My perspective on JavaScript-based browser extensions has been far too naïve until this point. We were all burned by bad toolbars or evil ActiveX add-ons in the past, so when I run IE I run it with no add-ons enabled, or very few. However, with Google Chrome and its sync feature, as well as its rich extension store, it's easy to add a bunch of add-ons and get them synced to other machines.

I wanted to download a YouTube video recently so I installed a "U-Tube Downloader" extension. It is highly rated, seemed legit, so I added it. It puts a nice Download button next to any YouTube video. Like a Greasemonkey script, it was there when I needed it, and out of sight otherwise.

I installed it and forgot about it. So, put a pin in that and read on...

Today I was on my own site and this happened. A video slid onto my page from the right side and started playing. I was gobsmacked. I know this site, I know its code. I know my advertisers. WTH. Where is this coming from?

It's the surfing video there in the lower right corner.

First I knee-jerk emailed my advertiser asking if they were injecting this, then I pulled back and started to Inspect Element.

Looks like there's a supporting iframe, along with an injected div. That div includes JS from "vidible.tv" and the ads are picked from "panoramatech." But that's not all.

There's references to literally a half-dozen other ad-networks and then this, something called RevJet.

Search around and here's the first description of what RevJet is.

Whoa, ok, it's an extension. But which one? Grep for "Rev" in this folder C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Default\Extensions and I my U-Tube one.

I particularly like the comment "nicest ad ever."

This extension also injects ads from "Yllix" when I'm on YouTube, and RevJet when elsewhere. Apparently if I set revjetoptout in my local storage, I can get around this. Very NOT intuitive. I saw no options for this extension exposing this.

Worse yet, every once in a while, Kim Kardashian shows up in my New Tab page. Again, there's no way for a non-technical relative to figure this out. And it's pretty hard for technical me to figure it out. This is deceptive at best.

Ugh.

Yes, I realize someone put work into this extension, and yes, I realize it was free. However, it wasn't clear that it was going to randomly inject ads into any website without asking. It wasn't clear that the ads were injected by this extension. There was/is no clear way for anyone without the ability to debug this to make it stop. Charge me $1, but don't reach into webpages I visit and mess with my content without telling me.

I recommend you check out chrome://extensions/ and give each enabled one a good hard look. Consider disabling or uninstalling extensions you may have forgotten about or ones you don't explicitly trust. If you're a dev, consider reading the code within the extensions and make sure you're getting what you expect.
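An added example, not part of the original post: this Python script automates the "grep the Extensions folder and read the code" check described above. It reads each extension's manifest.json, reports host patterns that grant access to every site, and searches the extension's files for the ad-network names mentioned in this post. The marker list, the sample extension IDs and the sample file contents are assumptions constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Host patterns that let an extension read and change every page you visit.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Names mentioned in the post; an assumption, extend for your own hunt.
MARKERS = re.compile(r"revjet|yllix|vidible|panoramatech", re.IGNORECASE)


def audit_extension(version_dir):
    """Summarise one unpacked extension version directory."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    # Permissions can hold non-string entries; only string patterns matter here.
    patterns = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    hits = {}
    for path in version_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".js", ".json", ".html"}:
            text = path.read_text(encoding="utf-8", errors="ignore")
            found = sorted({m.lower() for m in MARKERS.findall(text)})
            if found:
                hits[path.relative_to(version_dir).as_posix()] = found
    return {
        "name": manifest.get("name", "?"),  # may be a __MSG_...__ placeholder
        "broad_access": sorted(patterns & BROAD),
        "marker_hits": hits,
    }


def audit_profile(extensions_dir):
    """Chrome stores extensions as <Extensions>/<extension id>/<version>/."""
    report = {}
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        report[manifest.parent.parent.name] = audit_extension(manifest.parent)
    return report


def build_sample_profile(root):
    """Constructed sample data: two made-up extensions, not real ones."""
    bad = {"name": "Sample Video Helper", "version": "1.0",
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
    ok = {"name": "Sample Notes", "version": "2.1",
          "permissions": ["storage", "https://notes.example/*"]}
    samples = [
        ("aaaaexampleid", bad, "inject.js", "if (!localStorage.revjetoptout) showAd('RevJet');"),
        ("bbbbexampleid", ok, "background.js", "console.log('notes ready');"),
    ]
    for ext_id, manifest, fname, body in samples:
        vdir = Path(root) / ext_id / f"{manifest['version']}_0"
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (vdir / fname).write_text(body, encoding="utf-8")
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, info in audit_profile(build_sample_profile(tmp)).items():
            print(ext_id, info)
```

To audit a real profile, pass the Extensions folder path to `audit_profile`. Treat a marker hit as a lead to read the file, not a verdict: a tracker-blocking extension's blocklist will match the same names.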

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Friday, 03 October 2014 18:13:58 UTC
So this extension is not only showing you ads but it is also reporting which websites you browse to the ad provider. So you browse with no privacy at all.
Dennis
Friday, 03 October 2014 18:15:02 UTC
A colleague of mine recently had ads on our internal helpdesk site. We all thought that was pretty hilarious.
Friday, 03 October 2014 18:21:25 UTC
If you haven't already, you should post a review for the extension explaining this (assuming it's not documented in the description).

I won't install any extension that's not from Google/Chromium that has access "to all data on all websites" for this reason; injecting ads is fairly tame compared to what they could've been doing when you log in to your bank :(
Friday, 03 October 2014 18:30:44 UTC
This also happened to me with our family PC. Someone had downloaded some software which also installed something called NextCoup. Not easy to remove as this adware installs itself with multiple different names (NextCouop, NexteCoup etc).

This extension was adding ads for "Russian Brides" to Google Chrome and IE.
Friday, 03 October 2014 18:39:25 UTC
Huh, IIRC, extensions that allow you to download youtube vidya are verboten in the chrome store. Did you sideload the extension? Naughty.
Will
Friday, 03 October 2014 18:45:09 UTC
IT life was simpler without the internet - take that statement all ways people!
Ian
Friday, 03 October 2014 18:46:13 UTC
Will - Nope, got it from the store.
Scott Hanselman
Friday, 03 October 2014 18:54:33 UTC
I'm the developer of a little Chrome extension and I recently got the following mail from the RevJet guys:

Hey Dhruv,

I'd love to talk about monetizing your Chrome extension with coupon ads. Currently, we yield our extension partners anywhere from $0.50 - $1.50 per month per daily active user through our 10,000+ merchants.

Your extension looks great so I'd like to discuss this opportunity with you further. Are you available to chat sometime this week?

Best,

<Redacted>
Senior Manager of Developer Relations
RevJet.io, a Sierra Labs, Inc. Company
3415 S Sepulveda Blvd #1250
Los Angeles, CA 90034
<redacted>@revjet.io
http://www.revjet.io/

This is how they do it.
Dhruv Vemula
Friday, 03 October 2014 19:11:21 UTC
Ironically, the "Foxish" RSS extension that I am (was) using to track this blog was the extension giving me Kim Kardashian.
Eric Nielsen
Friday, 03 October 2014 19:46:21 UTC
Wow, that's really underhanded.
Tom McKearney
Friday, 03 October 2014 19:55:55 UTC
This is how "free" software works ;) If it's not open source then free = ads (or other type of "monetization").
Friday, 03 October 2014 20:11:56 UTC
Nice job doing some digging on this Scott. It's understood that this is the sort of thing you get with free software, but this is impressively shady. Interfering with a user's experience on sites is the issue I have; most users will not understand, nor will they take the time to figure out, that that ad is not being displayed by the site they are on. Here is a slightly misleading quote from http://www.revjet.io/.


Zero disruption to user experience
Search ads and display ads are unnoticeable by your users.

Affiliate links (coupons) are delivered through a small, non-intrusive notification box on the top right corner of the browser window, which can be closed by the user anytime.
Friday, 03 October 2014 20:47:29 UTC
Patrick. I need to continue to dig. There are (it appears) SEVERAL ad libraries in this Extension, I wonder if he's rotating them.
Scott Hanselman
Friday, 03 October 2014 23:19:19 UTC
I highly recommend Ghostery to filter all privacy invasions on the browser, it might make the use of these kind of extensions tolerable again.
elhernan
Friday, 03 October 2014 23:34:48 UTC
Instead of using extensions for simply downloading videos, give savefornet a try: just add 'ss' to the start of the domain name, so ssyoutube.com/someamazingvideo. Saves you giving access to extensions with hidden agendas.
Saturday, 04 October 2014 00:45:24 UTC
Ugh. Pretty sleazy stuff. Scott, thanks for reporting this and raising awareness!
Saturday, 04 October 2014 10:00:11 UTC
I had a very similar experience with another extension called "Awesome Screenshot: Capture & Annotate". If you use it I advise you to remove it immediately. I wrote a review, reached out to the developer and reported them to Google (they are injecting ads on Google search results) but the extension is still there.

If you're interested I did a write up about it.
Gabriel Weyer
Saturday, 04 October 2014 10:06:38 UTC
1-2 weeks ago an online game site which I regularly visit suddenly started to display ads. The site is free so I thought that the owner wanted to make some money with it. But then a few days later I saw similar ads on other sites. When there were ads for other companies on amazon I knew that these have to come from somewhere else.
It turned out it was the addon "RSS Live Links". I used that addon for years and it never displayed ads before. But now I uninstalled it and use a similar addon. No more ads anymore.
Saturday, 04 October 2014 13:09:42 UTC
Why is it that I received the email of this post on feedblitz, but this blog entry is not yet updated on your home page ? Curious.
Santosh
Saturday, 04 October 2014 13:21:04 UTC
You can also review an extension and look at the source of the extension before installing it.
I use this extension for this purpose: https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin
burgua
Saturday, 04 October 2014 14:33:28 UTC
Ars Technica did some digging on this a while back, apparently Advertisers are outright buying extensions to swap in advertising code and push it out via autoupdate.


Also, they did a look at how other browsers handle their add-on ecosystem
It appears to be the classic trade between human and automated curation.
Chris Dewan
Saturday, 04 October 2014 15:15:02 UTC
Searched for "Rev" in my extension folder. Turned up a JSON file with hits on AdRevolution, RevenueMax, and a good dozen+ others. "Jackpot!" thinks I. Searched the extension ID on the store...

Oh. That's just Disconnect.me >.>
Grady
Saturday, 04 October 2014 15:36:58 UTC
I actually wrote a blog post about this issue recently myself - focusing on my personal experiences with Chrome extensions that have gone rogue. In other words, extensions that were perfectly legitimate when I installed them, but then at some later point automatically updated themselves and introduced malware. Not only introducing advertising (where the malware is quite noticeable), but some secretly send your browsing history to a third party, and you don't even know unless you are like me and notice weird traffic in Fiddler and start investigating. My blog post is here for those interested: http://chrisa.wordpress.com/2014/08/25/chrome-extensions-going-rogue/
Saturday, 04 October 2014 17:12:59 UTC
I love the tools that have been developed for Chrome, and I used to use it as my backup browser and developer tool. Recently I uninstalled it when I noticed that there were about half a dozen instances of Chrome running in the task manager and no Chrome browser windows open on my machine.

That was enough to cause me stress and I'm pretty tech savvy. I expect my browser vendor to protect me as a consumer at least as much as they help the developer community, to which I belong. Google Chrome exposes me to unnecessary risk and until they bring some security back, it won't run on my machines.
Saturday, 04 October 2014 17:23:54 UTC
Thanks for the pointer, I haven't run into this particular problem, but I have run into extension related issues, and I cleaned up a few extra ones just now.

A great way to test if a problem is caused by an extension is ctrl-shift-N to open incognito mode. By default, no extensions are allowed in incognito mode, so unless you've specifically allowed them, that will "clean off" all extensions.

You can continue to do the binary search thing by checking the box for half of them, opening incognito mode, rinse, repeat. It's quite a bit easier and less disruptive than restarting, especially if you have a bunch of existing tabs open you want to keep track of.

For me, I've hit a problem playing video more than once. Last time it was an issue with automatic HTTPS, filtering, and a CDN that couldn't deliver video (on TreeHouse). Incognito worked fine.

Just now, Amazon Prime won't stream normally, but it's fine when going incognito.

In my case, HTTPS Everywhere caused problems with both. It would be nice if websites allowed all their content as HTTPS.

-Colin
Colin Dabritz
Saturday, 04 October 2014 22:37:41 UTC
FYI: If you want to audit what your extensions are doing, check out the "Chrome Apps & Extensions Developer Tool" (by Google). It has a "behavior" link for each app/extension that lets you monitor what the app/extension is doing to websites.

https://chrome.google.com/webstore/detail/chrome-apps-extensions-de/ohmmkhmmmpcnpikjeljgnaoabkaalbgc?hl=en
felt
Sunday, 05 October 2014 12:07:56 UTC
There is a Software Removal Tool for Chrome (by Google, currently in beta and Windows only). It's supposed to detect unwanted components that "for example, showing you unusual start-up pages, toolbars or pop-up ads that you can’t get rid of". It didn't find anything on my pc, but it would be interesting to know if it would've found any of your malwares.
Sunday, 05 October 2014 20:58:44 UTC
I am completely fed up with Chrome on every platform. I stopped using it on iOS (unusable because they ignore iOS specific features like back-swipe etc.) Developer Tools are way behind the usability of Firefox and Safari and Google simply doesn't care about the "Too many tabs problem". Safari 8 (Yosemite) is the way to go.

There are dozens of "infected" Google extensions. Sometimes I feel like using IE6 on Windows XP. But on the other hand: Chrome without extensions isn't a good idea either. Plus there are only few extensions that survived more than a week.

If Google won't present something innovative soon, they will get into trouble. Even if I am not one of those highly paid Google UX-Experts, I could design a better UX in a few days.

Google's ignorance with Chrome's UX and the messy extensions is really frightening.

Me
Sunday, 05 October 2014 22:56:33 UTC
Google Play's security policies is big mark for on part. They don't really do any vetting before publishing their extensions and apps. It's like they gave up due to the massive amount of work they have to do.

Mozilla's extensions go through a much more rigorous vetting process. That's why it takes so long to publish and update addons to Mozilla sites. But I much prefer it.
John P
Monday, 06 October 2014 05:52:00 UTC
Just wondering - isn't it possible for a browser extension to capture keystrokes and report cookies to the advertiser's site, either accidentally or maliciously? I've been reluctant to install browser extensions because I don't understand the security model well enough to know if there are protections against this type of behavior.
Rich Moss
Monday, 06 October 2014 09:04:26 UTC
Some extensions track your usage and in some cases, send your tracking data unsecured:
Here's an example from the "Awesome screenshot" extension which I had to fix using my hosts file: https://gist.github.com/mvirkkunen/89f61a06819530e48b53

My hosts file currently includes the following:
127.0.0.1 ssl.google-analytics.com
127.0.0.1 cdn.extensionanalytics.com
127.0.0.1 pixel.getpaidfordata.com
127.0.0.1 tags.crwdcntrl.net
127.0.0.1 s.sitebeacon.com
127.0.0.1 collector.dataferb.com
127.0.0.1 lb.crdui.com
127.0.0.1 t.crdui.com
127.0.0.1 s821.crdui.com
127.0.0.1 s1821.crdui.com
Andrew Young
Monday, 06 October 2014 14:17:28 UTC
Adding to @Andrew Young's comment, I've discovered http://winhelp2002.mvps.org/hosts.htm which provides a replacement HOSTS file that blocks ads, banners, tracking, etc. from thousands of "bad" websites. So far, so good.

Best part is, it renders nefarious browser extensions pretty much useless - stops the monetization path for those extensions dead in its tracks.
Marty T
Monday, 06 October 2014 15:41:31 UTC
FVD Downloader (Also for downloading videos) doesn't show anything visible to the user but adds some js tracking code and cookies. The extension works great, but be aware if using it.
Max
Monday, 06 October 2014 18:06:54 UTC
We treat this like a nuisance and move on, but this really is immoral behavior. We, the software development community, need to speak more strongly about this. I applaud Mr. Vemula's post showing us the email from RevJet. Many software engineers are creative and entrepreneurial so we tend to think that advertising companies are legitimate businesses, and they weren't serving malware right? Yet we rightfully feel incensed when this happens. That should be a call to action, not apathy! It isn't acceptable to solicit developers to do this without notifying their customers, and it isn't acceptable to create an add-in then use it as a backdoor later on. If this was a physical store we would call the BBB about it and we would stop patronizing them. Yet here we have no real recourse here. The developers of that add-in will likely do it again, and again.

At least: let us not be silent and accepting about it. Discuss this, name names, and shame those who behave this way.
Monday, 06 October 2014 20:51:45 UTC
Google has a "Chrome Apps & Extensions Developer Tool" that you can use to audit extensions and see what they are up to. I used it to find and remove extensions doing bad things. Check it out:

http://blog.chromium.org/2014/06/see-what-your-apps-extensions-have-been.html
Monday, 06 October 2014 22:36:55 UTC
I like to keep my browser clean. Absolutely hate those annoying extensions / programs that play with the web content / search providers etc.

The only extension, apart from some authentic Google extensions like Google cast, Google docs, Google keep etc., I use is AdBlock Plus! It is a boon for mankind. God bless the developers!
Prabodh
Tuesday, 07 October 2014 01:09:08 UTC
Just wait till Verizon starts injecting ads like other ISPs will be doing...
Tuesday, 07 October 2014 01:13:32 UTC
First - good catch. I get nervous about every program added to any of my systems. What is nice about web browser extensions is that they are relatively easy for someone with tech knowledge to find out where something came from - but I feel even less secure about actual programs.

The one that infuriates me is secret changing of information. I installed Skype on my workstation and if you do not look closely Microsoft will change your default web settings to Microsoft's favorite choices. Skype really has nothing to do with the web, but because it is "free", the folks in Redmond need to sneak something in on the deal.

Same thing happens with Java, Acrobat Reader and just about every other "free" product. If you didn't pay for it then YOU are the product they are selling. If you cannot figure out how they are doing that then you should be concerned.

--Monty
Tuesday, 07 October 2014 05:13:23 UTC
In another example of "you are the product" trickery - the Windows 10 Preview is sending all of your keystrokes back to Microsoft to log what you are doing. There is no such thing as "free".

http://www.theregister.co.uk/2014/10/07/windows_10_data_collection/
Tuesday, 07 October 2014 08:08:05 UTC
"and I my U-Tube one" - amen :) That's a line you can throw into any conversation, ideally in a slow and mysterious voice.

Lovely article, I'll check my extensions right away.
Simon
Wednesday, 22 October 2014 08:18:59 UTC
It's probably worth pointing out that Chrome have been taking steps in the last 18 months to combat exactly this problem. First they made it very difficult to install extensions from outside the Chrome Web Store so they could vet extensions. Then they changed their T&Cs (http://blog.chromium.org/2013/12/keeping-chrome-extensions-simple.html) to not allow any extensions that do more than one thing specifically to allow them to remove extensions that claim to do one thing but also inject ads, which they started enforcing in July 2014.

The problem, I think, is that many extensions start off clean and then in a subsequent update add in the ad injecting code, and they have a mostly automated vetting process from what I can tell. That being said most of these extensions use third party code for the ad injecting so it should be relatively easy for the automated processes to detect these and remove them. You could probably report this extension and that should hopefully trigger a manual review and removal of the extension for breaching the T&Cs.

It's also worth pointing out that this isn't restricted to just chrome. Crossrider's (http://crossrider.com/developers) business model is based on this. They provide a cross browser extension building sdk which under the hood injects ad serving code into all extensions built with their sdk.
David
Monday, 27 October 2014 13:08:26 UTC
Thanks for this info! Found your page when searching Google for ads by revjet. Your description helped me to find the culprit among my Chrome extensions (Foxish RSS display).

Without reading your article, I would have continued to look for the problem on my server (I discovered the inserts while I was in the admin area on one of my sites where it totally messed up the display of items).

And thanks also to other visitors for the many useful comments.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.