Account got hi-jacked

[quote] Your item notifier

https://chrome.google.com/webstore/detail/roblox-news/mcbmbnhkgdmmpolgihlblaglpefaicbp [/quote]

Why don’t I trust that last one that only got released 2 weeks ago…

The last one I don’t trust, because there’s no visible source.

[
    {
        "description": "treehash per file",
        "signed_content": {
            "payload": "eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJpY29uLnBuZyIsInJvb3RfaGFzaCI6IkdqWnVraW1uZy1JVEhRRTlNQm5FYVRpNmxUMUVFM3dzeGptc0hiV0NVMncifSx7InBhdGgiOiJsb2dvLnBuZyIsInJvb3RfaGFzaCI6ImNyZjBvNi04OXZWTEF6TmNEbEdHakpOUldmTTFKZG9WNDRqcmJOYnVlTDQifSx7ImNhbm9uaWNhbF9qc29uX3Jvb3RfaGFzaCI6IjljY3o3eUR2TURKamV6ZHF6d2I4bWdMS2ZiaVRqZFdMelQzTXJjLUFmN2ciLCJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6IjB3QS1jV0piY2VaaDlPN09MSGlHd29RcWw5N0tEUWpaNUM1aTNGUk5aUUEifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJtY2JtYm5oa2dkbW1wb2xnaWhsYmxhZ2xwZWZhaWNicCIsIml0ZW1fdmVyc2lvbiI6IjAuNSIsInByb3RvY29sX3ZlcnNpb24iOjF9",
            "signatures": [
                {
                    "header": {
                        "kid": "webstore"
                    },
                    "protected": "eyJhbGciOiJSUzI1NiJ9",
                    "signature": "jndB3wiGjbk_SbfdyfTjZrDqw7s8QalpUZB4txA2GBkgO66RXvKvxx4QTTGGCxqStiroe3LstqBDN3n2GXLPTqDIH7xzDn2z-dRHDfp3YUpfvvXjNeZTe0e1PoGyUWVRUqTkCuA_wo93K71EqMb2e0ZvnQ1KHKuf4JO0kGzDH-DaGXc9Xe6xq63e5m118VpIxYbfpT7iPhPhmCsHPjAYtgWP_Pc_g9Vdgop6PQFU4faUrqJhdwk3Am8Hm792835RrE5fOnys-a3UQe9R5lT4png4KhCnDAfsqA6WMz9vYzxrtdv7srlSIWSMgWINeAHZmXPMFkQewtE_cQPmVJYsPw"
                },
                {
                    "header": {
                        "kid": "publisher"
                    },
                    "protected": "eyJhbGciOiJSUzI1NiJ9",
                    "signature": "gDMzba_ukP4_iqyWoqObZm-Gdbt90n46YuF0Y6obW74EFZ46iwJHHzpvaVML4g0y29Wk_Fm_9kAGG-braFGAf4x368DzGLv5e6EO1Smx8zdSdoNMlYzohOCNVGRtnWCXFrpv3I3Ty68iTGBp7GarGB2A5Ol3Kn-uh2tEbidOnxU"
                }
            ]
        }
    }
]

[quote] The last one I don’t trust, because there’s no visible source. [/quote]

And we’re 100% sure it communicates with a webserver to “download news”

I’m still surprised by the number of people using these “notifier” plugins that can, and this is even clearly labeled on installing these extensions, “Read and modify your data on www.roblox.com” and sometimes even “Read and modify your data on all websites”. Did common sense, or at least checking the source, become a thing of the past?

You should really check an extension’s source code to see if there isn’t anything suspicious.

I don’t know why you guys are talking about the news plugin being an issue?

External Media

“You can’t view the source, the only file is the data/verified_contents.json file! [size=1]and an icon, logo, and manifest[/size]”
There are a few issues with that argument.

First and foremost, let’s compare the contents of that specific extension with Socrative’s:

External Media

For those that don’t know, Socrative is marketed as a teaching tool. I don’t have a better way to explain it, but I felt I’d mention that just to make the point it is expected by tons to be trustworthy.

Upon analyzing the differences between the extension that was being criticized earlier and Socrative’s, there are very few differences between them. Both have a “cryptic” verified_contents.json file, some images, and a manifest.json. Let’s take a look at the manifest (which is what describes the extension and what the extension should be allowed to do).

// "Roblox News"
{
    "update_url": "https://clients2.google.com/service/update2/crx",
    "name": "Roblox News",
    "version": "0.5",
    "manifest_version": 2,
    "description": "Roblox news, guides and tips",
    "app": {
        "urls": [
            "http://www.baconminer.com/"
        ],
        "launch": {
            "web_url": "http://arbirator-robloxnews.blogspot.com/"
        }
    },
    "icons": {
        "128": "logo.png"
    }
}

// "Socrative Student"
{
    "update_url": "https://clients2.google.com/service/update2/crx",
    "name": "Socrative Student",
    "short_name": "Socrative",
    "author": "MasteryConnect, Inc.",
    "description": "Socrative Student Chrome App",
    "version": "2.0",
    "manifest_version": 2,
    "app": {
        "urls": [
            "http://b.socrative.com/student/",
            "http://b.socrative.com/login/student/"
        ],
        "launch": {
            "web_url": "http://b.socrative.com/login/student/",
            "container": "tab"
        }
    },
    "icons": {
        "16": "student-16.png",
        "128": "student-128.png"
    }
}

If you take a look at them, they’re also similar in their manifests. One point I’d like to specifically show off is that they both have “app” fields which both contain “launch” fields that lead to a web url. You know what that means? Both of the extensions open a webpage upon being clicked on.

While I’m at it, the aforementioned verified_contents.json file is just a file Chrome uses (probably inserted automatically by the Chrome Web Store) to make sure that no malicious application on your computer messes with the extension’s contents.

So, all in all, the “Roblox News” extension isn’t harmful in its current state. All it does is open a web page when you click on a button. The “verified_contents.json” file is just a security measure Google has put forth to verify nothing has messed with the contents of the extension on your computer (be it a malicious program or otherwise).

Edit: Also, the roblox news plugin’s manifest doesn’t tell chrome it needs to access roblox.com, therefore it can’t (not to mention there’s nothing in the extension to do so). I felt I’d clear that up in this tl;dr also.

[size=1]also i’d like to note there’s no official documentation i can find on the verified contents file, just some superuser/stackoverflow questions talking about issues with it. if i’m wrong (about anything, for that matter) please don’t hesitate to yell at me[/size]

1 Like
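The manifest comparison in the last post can be scripted. This is an added example, not code from the thread: it reports whether a manifest only launches a web page or also requests host permissions and script injection, and lists the files a verified_contents.json payload covers. `NOTIFIER` and the placeholder hashes are constructed, and the payload layout is assumed from the fields visible when the posted payload is base64url-decoded.

```python
import base64
import json

# Manifest V2 keys that mean the package ships code that can run in the browser.
CODE_KEYS = ("background", "content_scripts", "browser_action", "page_action")

def audit_manifest(manifest):
    """Summarise what a Chrome manifest asks the browser to allow."""
    app = manifest.get("app", {})
    launch_url = app.get("launch", {}).get("web_url")
    urls = app.get("urls", []) + ([launch_url] if launch_url else [])
    return {
        "hosted_app": launch_url is not None,
        "permissions": manifest.get("permissions", []),
        "code_keys": [k for k in CODE_KEYS if k in manifest],
        "cleartext_urls": sorted({u for u in urls if u.startswith("http://")}),
    }

def covered_files(verified_contents):
    """Decode each base64url payload and list the file paths it hashes."""
    paths = []
    for entry in verified_contents:
        payload = entry["signed_content"]["payload"]
        padded = payload + "=" * (-len(payload) % 4)  # base64url omits padding
        for group in json.loads(base64.urlsafe_b64decode(padded))["content_hashes"]:
            paths += [f["path"] for f in group["files"]]
    return sorted(paths)

def b64url(obj):
    """Helper used only to build the constructed sample below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Fields copied from the "Roblox News" manifest quoted in the post.
ROBLOX_NEWS = {"name": "Roblox News", "version": "0.5", "manifest_version": 2,
               "app": {"urls": ["http://www.baconminer.com/"],
                       "launch": {"web_url": "http://arbirator-robloxnews.blogspot.com/"}},
               "icons": {"128": "logo.png"}}
# Constructed contrast case: an extension that injects a script into roblox.com.
NOTIFIER = {"name": "Example Notifier", "version": "1.0", "manifest_version": 2,
            "permissions": ["*://*.roblox.com/*"],
            "content_scripts": [{"matches": ["*://*.roblox.com/*"], "js": ["inject.js"]}]}
# Constructed verified_contents.json with placeholder hashes, same layout as the post's.
VERIFIED = [{"description": "treehash per file", "signed_content": {"payload": b64url(
    {"content_hashes": [{"format": "treehash", "files": [
        {"path": p, "root_hash": "PLACEHOLDER"} for p in ("icon.png", "logo.png", "manifest.json")]}]})}}]

if __name__ == "__main__":
    print(audit_manifest(ROBLOX_NEWS))
    print(audit_manifest(NOTIFIER))
    print(covered_files(VERIFIED))
```

A clean result describes the installed package only. The pages behind the launch URLs are served remotely over plain HTTP and can change without a store update.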