Security: Extension keeps auto-installing even after manually removing and reporting abuse
Reported by
sankar.c...@gmail.com,
Apr 15 2018
Issue description

VULNERABILITY DETAILS
The extension at https://chrome.google.com/webstore/detail/bubble-shooter/omenbmgpkbkmloombbdefdpfcclpcjdk keeps reinstalling itself, even after I have uninstalled it and reported abuse more than two dozen times. I am not even alone in this; many other users are facing this. See the reviews of the extension. It has more than 50k users and I am sure that most of them are innocent users who do not know that this is installed on their machines. This rogue extension may be keylogging all the sensitive data that we use in websites. If I uninstall the extension and quit & restart the browser, it appears magically once again. I have uninstalled all the apps and extensions in my browser to ensure that no other rogue extension is installing this via a backdoor.

VERSION
Version 65.0.3325.181 (Official Build) (64-bit)
Operating System: Mac OS High Sierra 10.13.4
Apr 15 2018
If an extension is able to "reinstall itself", this typically means that the underlying operating system has already been infected with malware. What antivirus or security software do you have installed on your Mac? The current version of that extension, as distributed by the WebStore, does not do anything at all other than open the URL "http://www.onlinetopgame.com/game/aqua-bubble.html" when you click on the button in the toolbar.
Apr 15 2018
I am using Sophos Home as the Anti-virus/malware software. It is not reporting any issues. I have some developer tools installed (spectacle, realm browser etc.) but nothing unusual. Most of these tools are Open source software.
I tried debugging what Chrome is doing on startup, but I am not able to find a way to launch Chrome with dtruss (sudo vs Google Chrome). When I launched Chrome from the terminal, I did not see anything useful apart from what I have pasted below. Is there any way to see what steps Chrome is taking on launch and what software / files make it install this extension? Maybe if I could trace that, we could find the root of the issue.
Command output:
➜ ~ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
[87667:34563:0415/183914.023415:ERROR:in_progress_cache_impl.cc(93)] Could not read download entries from file because there was a read failure.
2018-04-15 18:39:14.206 Google Chrome[87667:4319978] *** Owner supplied to -[NSTrackingArea initWithRect:options:owner:userInfo:] referenced a deallocating object. Tracking area behavior is undefined. Break on NSTrackingAreaDeallocatingOwnerError to debug.
2018-04-15 18:39:14.664 Google Chrome[87667:4319978] Errors logged by ksadmin: KSKeyedPersistentStore store directory does not exist. [com.google.UpdateEngine.CommonErrorDomain:501 - '/Library/Google/GoogleSoftwareUpdate/TicketStore' - 'KSKeyedPersistentStore.m:368']
KSPersistentTicketStore failed to load tickets. (productID: com.google.Chrome) [com.google.UpdateEngine.CoreErrorDomain:1051 - '/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore'] (KSKeyedPersistentStore store directory does not exist. - '/Library/Google/GoogleSoftwareUpdate/TicketStore' [com.google.UpdateEngine.CommonErrorDomain:501])
ksadmin cannot access the ticket store:<KSUpdateError:0x100502310
domain="com.google.UpdateEngine.CoreErrorDomain"
code=1051
userInfo={
function = "-[KSProductKeyedStore(ProtectedMethods) errorForStoreError:productID:message:timeoutMessage:]";
date = 2018-04-15 13:09:14 +0000;
productids = {(
"com.google.Chrome"
)};
filename = "KSProductKeyedStore.m";
line = 102;
NSFilePath = "/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore";
NSUnderlyingError = <KSError:0x1005002e0
domain="com.google.UpdateEngine.CommonErrorDomain"
code=501
userInfo={
NSLocalizedDescription = "KSKeyedPersistentStore store directory does not exist.";
line = 368;
filename = "KSKeyedPersistentStore.m";
function = "-[KSKeyedPersistentStore(PrivateMethods) validateStorePath]";
NSFilePath = "/Library/Google/GoogleSoftwareUpdate/TicketStore";
date = 2018-04-15 13:09:14 +0000;
}
>;
NSLocalizedDescription = "KSPersistentTicketStore failed to load tickets.";
}
>
Apr 16 2018
Curious: Do you have Chrome installed on multiple devices? If so, have you enabled sync of extensions? (If you visit chrome://sync-internals, what number do you see next to "Extensions" in the green column at the right)?
Apr 16 2018
If I go to chrome://extensions, then I see only one extension (which I know I installed myself, google-input-tools from Google). However, when I go to chrome://sync-internals, then I see "2" as the value for "Extensions" in the green column at the right. Is this the culprit? For some reason, uninstalling the extension does not get saved? I have installed Chrome on multiple devices (dev laptop, office laptop, etc.) in the past. But I believe that I am not signed in on any of those devices now, except the one Mac OS X laptop that I am using now (and where I am seeing the issue).
Apr 18 2018
Thanks for the report. I looked at the source of that extension and there's nothing remotely interesting there. I am willing to bet that this is happening because of a program installed on your computer that force installs the extension even after you remove it. There's nothing in Chrome itself that can be fixed here but I am going to bring this up with the Chrome Web Store team so that they can investigate it. nparker@ -- do you know who can take a look at it? Thanks.
Apr 20 2018
This has been addressed.
Jul 26
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sankar.c...@gmail.com
, Apr 15 2018