Thursday, April 9, 2015

Secret code spying on Swedes’ surfing habits – Daily News

Several large Swedish companies and over one million users have been affected by spying on their computers.

Hidden code in an add-on for Google's popular browser Chrome causes information about the user's surfing habits to leak.

The information is passed on to a server in the United States. The owner tells DN that he resells data on browsing behavior.

DN has in several recent articles revealed serious shortcomings in the IT security of businesses, governments and individuals. Often it is carelessness and ignorance that leave servers and modems completely open to intrusion.

Today we report on how hidden spy code has been actively inserted into a popular extension for Google's Chrome browser.

The extension is called Webpage Screenshot and can be downloaded from Google's Chrome Web Store. It is marketed as a "quick and easy solution" for saving screenshots of web pages. It has over 1.2 million users and a good average rating: 4.5 on a 5-point scale.

Extensions, or "plugins", can be likened to apps. They are installed in the browser but developed by external parties.

Hidden in the extension is spyware.

Every minute, information about users' browsing traffic is sent on to a server registered in the United States, according to Cristian Mariolini, an IT security expert at Sentor MSS, who made the discovery:

– We monitor our customers’ networks for signs of hacking. A few weeks ago we found a strange pattern in the traffic of several companies. After talking with them, we found this plugin that was installed on the computers that behaved strangely, says Cristian Mariolini.


DN has verified that the spyware is present by analyzing the Chrome extension's source code, i.e. the code that describes how the extension works under the hood. The browser is instructed to continuously send information about which websites have been visited to a server in the United States. The server's IP address, its "phone number" so to speak, is registered to a private individual who gives an address in Israel.

That the data is forwarded also becomes clear when DN analyzes network traffic from a test computer with the extension installed. Every minute, information about all the sites we have visited is sent on to the server. It is primarily the sites' addresses and titles.

Several large Swedish companies have been affected by information leaking through the extension, according to Sentor MSS. The security company has been in contact with the companies but, for security reasons, does not want to say which ones they are.

The spyware also sends data from sites visited over encrypted connections. No police report has been made. The reason given is that the police rarely have the ability to investigate such cases.

The contents of emails and of the visited sites are not sent. However, the spyware has the technical permissions to collect such information, if those behind it want to.

DN has been in contact with the owner of Webpage Screenshot, who confirms that he has added code that sends data about which sites users visit. The aim is to "produce statistics on surfing behavior" and sell them. He says that the information is commercially valuable, and adds that it is not users' individual visits that are of interest but surfing behavior across different sites taken together.

The information about the extension says that it uses "anonymous statistics collection", but this is not statistics collection about the use of the extension; it covers every visit a person makes.

But you collect data not just about the use of your extension, but from all sites. Why?

– I would like to put more effort into improving the extension, which is why I am looking for alternative funding sources, writes the developer in an email to DN.

It is also apparent that the creator of the extension has tried in various ways to hide that information is passed on.

The "spy code" is not in the extension's source code from the start but is downloaded from the internet. The address of the code is not written in plain text but is split into several parts so that it is hard to find, almost like a rebus. That is not normal practice in programming.

The spyware is activated only after a week, which means that no one suspects anything at first. That is probably why it has passed various security checks. In addition, all browsing data is encoded so that it is harder to read.

– It is amazing that such a popular extension has this type of functionality. And it is obvious that people have too much confidence that Google has vetted the extensions available in the Chrome Web Store. You have to treat what is in the Chrome Web Store the same way as everything else you download from the internet, with the utmost caution, says Cristian Mariolini.

How do you view the developer's comment about the collection?

– There is no logical reason for the plugin to collect this type of intrusive data. The data is in general not anonymous; on the contrary, he collects some of the best information there is for identifying people, namely the email username via page titles, says Cristian Mariolini.

It is unclear whether it is a crime to collect information in this way, but it is likely a violation of Google's rules, which state that spyware is not allowed.

DN wanted to put several questions to Google about the circumstances surrounding the spy code. After a number of reminders, however, the company chose to respond curtly, in writing: "We generally do not comment on individual cases, but to make sure that Chrome users get the best possible experience, we'll remove so-called extensions (add-ons) that contain malware (malicious software, DN's note) or that claim to do one thing and do another."

Christopher Orstadius
kristoffer.orstadius@dn.se

Comment. Google’s lax attitude is untenable

Google must put its foot down on the issue of malicious software that spreads via its services. The half-measure that is today’s policy is unsustainable, writes DN’s tech editor Linus Larsson.

The surveillance of surfing habits that DN reveals today is serious. Over a million people have their traffic monitored, logged and sent to a server in the United States. The author of the extension argues that only anonymous statistical information is stored. That may of course be so, but logging every site visit reveals more than you might think: parts of emails can leak through the subject line if you read email on the web, for example.

Moreover, the same approach could be used for more unpleasant purposes. Among the millions of monitored users there are evidently some senior people within large corporations, government agencies and government functions. By filtering the collected material, those behind a snooping extension could find them and engage in political or industrial espionage.

Facts. This is how the spyware works

An extension is installed
The extension Webpage Screenshot is marketed as a quick and easy solution for saving screenshots of web pages. It has over 1.2 million users worldwide.

After a week the spyware is enabled
The spyware is not in the extension from the start. It is activated only after a week, when it is retrieved from a URL on the web.

Your data traffic is stored on your computer
When you visit a website, information is stored about the site's address and what it says in the page title (at the top of your browser). In Gmail, for example, the email's subject is included in the title bar, as well as the current email address. This information is stored temporarily on your computer.

Every minute, information is sent
Every minute, the computer connects to a server whose IP address is registered in the United States and sends it all the data it has collected about you during the last minute. The traffic is encoded in various ways so that it is harder to detect and read.
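
The once-a-minute upload described above is the kind of regularity that network monitoring can pick out of proxy logs. The following is an added example, not code from DN, Sentor MSS or the extension: it flags client/host pairs whose uploads arrive at near-constant intervals. The log rows, IP addresses and host names are constructed, and the thresholds and the POST-only filter are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def constructed_log():
    """Constructed proxy rows: (timestamp, client IP, method, destination host)."""
    base = datetime(2015, 4, 9, 9, 0, 0)
    rows = []
    # Two workstations uploading to the same host about once a minute.
    for client, skew in (("10.0.0.15", 0), ("10.0.0.22", 17)):
        for i, wobble in enumerate((0, 1, -1, 2, 0, -2, 1, 0)):
            ts = base + timedelta(seconds=skew + 60 * i + wobble)
            rows.append((ts, client, "POST", "collector.example"))
    # Irregular, human-driven form submissions from a third workstation.
    for offset in (5, 40, 48, 300, 310, 900, 1500):
        ts = base + timedelta(seconds=offset)
        rows.append((ts, "10.0.0.31", "POST", "intranet.example"))
    return rows

def find_beacons(rows, min_events=6, max_jitter=0.10):
    """Return (client, host, mean gap in seconds, events) for near-periodic uploads.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between consecutive requests; both thresholds are assumed defaults.
    """
    seen = defaultdict(list)
    for ts, client, method, host in rows:
        if method == "POST":  # assumption: the uploads show up as POST requests
            seen[(client, host)].append(ts)
    hits = []
    for (client, host), times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg), len(times)))
    return sorted(hits)

def shared_destinations(hits):
    """Hosts that more than one client beacons to: the fleet-wide signal."""
    clients = defaultdict(set)
    for client, host, _gap, _count in hits:
        clients[host].add(client)
    return {h: sorted(c) for h, c in clients.items() if len(c) > 1}

if __name__ == "__main__":
    found = find_beacons(constructed_log())
    print(found, shared_destinations(found))
```

Because the test is on timing rather than content, it still applies when the payload is encoded, as the article says this traffic is.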
