Spyware on a Chromebook

Acer Chromebook
Credit: Acer

I think Chromebooks are great. They are cheap, fast laptops that can satisfy the computing needs of many users, if not for their primary computer, then as a secondary one. They are very secure and Chrome OS self-updates better than any other operating system. They start up and shut down quickly, are lightweight, have no viruses, are great for sharing, and, if you shop around, you can find one that runs Android apps.

Given all that, their best attribute may be that, because Chromebooks require no care and feeding, end users can't screw them up.

Or so I thought.

Recently, I ran across a Chromebook running what a reasonable person might consider spyware.

The Chromebook is owned by a non-technical person who asked me to look at it because the browser home page no longer showed their bookmarks. More technically, the Bookmarks bar was not being displayed. This happened after the Chromebook owner had to answer a bunch of questions from Chrome, questions they didn't understand and couldn't remember.

Malicious software often gets installed by tricking end users and, although I didn't see it for myself, I'm pretty sure that's what happened here.

I was about to look for the Chrome settings regarding the Bookmarks bar, when I noticed a couple other things were off.

The new tab page opened to a website that I had never heard of, rather than to a blank page. Also, there was a new extension icon, one that I didn't recognize. Hovering the mouse over the extension icon produced a pop-up about a speed test.

The Chromebook owner, a total non-techie, does not know what browser extensions are. Knowing this person, I am confident they did not install a speed test extension on purpose.

Fortunately, like any Chrome extension, it was easy to find and delete. Removing it restored everything to normal operation.

I didn't record the name of the extension at the time, but later looked for speed test extensions in the Chrome web store with a similar icon. As shown below, there are at least four of them.

Some speed test apps in the Chrome web store
Credit: Michael Horowitz

When installing, Chrome warns that each of the extensions above can "Read and change all your data on the websites you visit." Pretty much the very definition of spyware.

Chrome warnings, in Windows 7, when installing the "Your Speed Test Now" extension
Credit: Michael Horowitz

On top of this, they can also "Manage your apps, extensions and themes." What exactly does that mean? According to Google, it means the extension "can enable, disable, uninstall or launch themes, extensions, and apps you have installed."

Uninstall and disable other extensions? Are you kidding me? Why does Chrome even allow this? Web browsers do not allow a page on one website to interact with a page on another. Why does Chrome let an extension from Developer A disable or uninstall one from Developer B? 

Perhaps worse is that Chrome does not warn, at installation time, about the modification to the New Tab page. This is inexcusable.

And here's a sentence I never expected to write. When it comes to extensions modifying the New Tab page, Chrome on Windows is more secure than Chrome on Chrome OS.

The warning shown below, "Is this the new tab page you were expecting?" was displayed on Windows 7 and Windows 10, when I installed one of the four speed test extensions, but never displayed on Chrome OS (version 55, stable channel, with a build date of January 7, 2017). Sadly, you don't have to click on the "Keep changes" button. The default behavior, on Windows at least, is to keep the modified New Tab page. 

Chrome warning on Windows after installing an extension that changed the New Tab page
Credit: Michael Horowitz

While Chrome does not warn you when an extension changes the New Tab page, each of these speed test apps does clearly mention it.

Your Speed Test Now says "Your Speed Test Now changes your current new tab page and new tab search functionality ... The Your Speed Test Now™ extension offers convenient web search and quick links to performance tips from the Chrome New Tab page."

Get Speed Tester says "Get your speedtest instantly from your home and new tab page! With the Get Speed Tester™ New Tab extension, you can quickly test your Internet connection speed ... The Get Speed Tester™ extension offers convenient web search and quick links to performance tips from the Chrome New Tab page."

Easy Speed Test Access says "Get your speedtest instantly from your home and new tab page! With the Easy Speed Test Access by SaferBrowser New Tab extension, you can quickly test your Internet connection speed ... The Easy Speed Test Access extension offers convenient web search and quick links to performance tips from the Chrome New Tab page." 

And finally, Internet Speed Pilot says "Get your speedtest instantly from your home and new tab page! With the Internet Speed Pilot™ New Tab extension, you can quickly test your Internet connection speed ... The Internet Speed Pilot™ extension offers convenient web search and quick links to performance tips from the Chrome New Tab page." 

So, when the New Tab page opens at search.searchgst.com, you asked for it.

DEFENDING

There are some Defensive Computing steps to protect against potentially malicious Chrome extensions.

The best defense is only available on Chrome OS -- Guest Mode. When logged on to a Chromebook as a Guest user, there are no extensions and you can't install any either (the Flash plugin is available though). Guest mode on a Chromebook is great for online banking.

Another approach is Incognito mode. Google's documentation on this fails to mention that, by default, no extensions are allowed to run in Incognito mode. You have to allow each extension individually and when you do, the yellow warning shown below is displayed.

A Chrome extension that is allowed to run in Incognito mode
Credit: Michael Horowitz

Another option is to start Chrome with a parameter that tells it not to use extensions this time around. On Windows, you can copy the normal Chrome shortcut, rename it and then modify the Target by adding " --disable-extensions" at the end, without the quotes.

Then too, you can use another browser, even on a Chromebook. Those that are capable of running Android apps support Firefox.

YET AGAIN

Later that same day, I was looking at an instance of the Chrome browser running on a Windows 7 machine used by another non-techie. The list of installed extensions included one called Search Manager.

Confident this person too had been tricked into installing something, I removed the extension and haven't heard a complaint since from the user.

How invasive is Search Manager? I started to install it on a different machine and got the four warnings below. 

Like the speed test apps, it too can "Read and change all your data on the websites you visit" and "Manage your apps, extensions and themes." In addition, it wants to "Change your search settings to srch.bar" and "Read and change your bookmarks."

Change bookmarks? Are you kidding me? This would let a bookmark for bankofamerica.com be changed to a malicious site with a scam name such as bankofamericaonline.com. 

It feels like Internet Explorer and Windows XP all over again. Sad.

Search Manager also impinges on the New Tab page and is up-front about it saying "You can easily switch between Bing, Google and Yahoo search engines directly from the new tab page. Your search engine selection will let you search from both address bar and the new tab page, and allows you to quickly choose your preferred search engine ...."
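
The warnings quoted above all originate in an extension's manifest.json, so an installed extension can be checked for them directly. The following Python check is an added example, not part of the original article: it reports which of those warnings a manifest would trigger, plus the New Tab override. The sample manifest and the `search.example` host are constructed.

```python
import json
from urllib.parse import urlparse

# Manifest entries behind the install-time warnings quoted in the article.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALL_DATA = "Read and change all your data on the websites you visit"
API_WARNINGS = {
    "management": "Manage your apps, extensions and themes",
    "bookmarks": "Read and change your bookmarks",
}

def audit_manifest(manifest):
    """Return the findings for one parsed manifest.json."""
    findings = []
    # Host patterns may sit in permissions, host_permissions (manifest v3)
    # or in the match lists of content scripts.
    requested = list(manifest.get("permissions", []))
    requested += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    requested = {p for p in requested if isinstance(p, str)}
    if BROAD_HOSTS & requested:
        findings.append(ALL_DATA)
    for api, warning in API_WARNINGS.items():
        if api in requested:
            findings.append(warning)
    search = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if search:
        host = urlparse(search.get("search_url", "")).hostname or "?"
        findings.append("Change your search settings to " + host)
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        findings.append("Replaces the New Tab page")
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.loads("""
{
  "name": "Example Speed Test (constructed)",
  "manifest_version": 2,
  "permissions": ["management", "bookmarks", "http://*/*", "https://*/*"],
  "chrome_url_overrides": {"newtab": "newtab.html"},
  "chrome_settings_overrides": {"search_provider":
      {"name": "Example", "search_url": "https://search.example/?q={searchTerms}"}}
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print("-", finding)
```

To audit a real machine, load each installed extension's manifest.json from the Extensions folder of the Chrome profile and pass the parsed result to `audit_manifest`.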

BLAME

Who's the bad guy here?

To me, it's Google. The warnings about these extensions are clearly insufficient. They confuse non-techies and fail to emphasize the potential danger. Google employs nothing but techies, so it comes as no surprise that there is a language barrier when they try to communicate with people not familiar with the terminology, let alone some basic concepts.

The warning that an extension can "Read and change all your data on the websites you visit" should not be small and a faint gray. It needs to be big and bold and red. After all, that's what spyware does.

The same goes for the warnings about changing bookmarks and disabling other extensions. And, there needs to be a warning every time the New Tab page is modified by an extension. 

Extensions that request these permissions should be manually reviewed by someone at Google before they are allowed into the Play store.

I don't know that any of the extensions mentioned here are actually malicious or spying. I have neither looked at their source code nor examined the data they send home. The point, however, is that they could be malicious, yet they are playing within the rules Google created. And that's on Google. 

- - - -  

UPDATE Jan. 25, 2017. Two related blogs from Malwarebytes Labs: 

Forced into installing a Chrome extension by Pieter Arntz Nov. 29, 2016

Rogue Google Chrome Extension Spies On You by Jérôme Segura Jan. 26, 2016

- - - - 
Now that Computerworld, and all of parent company IDG's websites, have eliminated user comments, you can get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput
