Blog on chrispederick.com

November weather in California really sucks

Post from November 14th, 2017 at 3:44pm

Web Developer for Firefox 2.0 is now live. This is a complete rewrite of the extension as a WebExtension so that it is now compatible with the new Firefox Quantum release: addons.mozilla.org/en-US/…

Enjoying some supervised outdoor time

Link from September 15th, 2017 at 5:13pm

“Removing the white bars in Safari on iPhone X.” http://stephenradford.me/removing-the-white-bars-in-safari-on-iphone-x/

Post from September 11th, 2017 at 6:50pm

Things that BART workers tell you: “There’s a naked man and feces everywhere that way so you may want to go around.”

Post from August 31st, 2017 at 5:01pm

The best TV shows to “help ease the mental fatigue of 2017”. Detectorists tells you this is great: hollywoodreporter.com/…

Post from August 16th, 2017 at 7:10pm

An incredibly detailed breakdown of the Web Developer for Chrome compromise by Proofpoint: proofpoint.com/us/threat-insight/post/…

Post from August 3rd, 2017 at 4:33pm

Web Developer for Chrome Compromised: a blog post detailing what exactly happened yesterday. https://chrispederick.com/blog/2017/08/03/web-developer-for-chrome-compromised/

Web Developer for Chrome Compromised

 August 3rd, 2017  Chrome, Web Developer, Work

On Wednesday, August 2nd at 6:30 am PDT I discovered that Web Developer for Chrome had been compromised and a new version 0.4.9 had been uploaded to the Chrome store that contained malicious code. I immediately disabled the extension in the Chrome store and regained control of the developer account associated with the extension. At 8:40 am PDT I uploaded a new version 0.5 that removed the malicious code.

Please make sure that you update to version 0.5 of the extension as soon as possible. I am still looking into exactly what the malicious code was doing, but it is strongly advised that if you had Web Developer for Chrome installed that you change your password to any site that you logged into on Wednesday, August 2nd as a precaution, particularly Cloudflare which looks as though it may have been explicitly targeted. It has also been suggested that Cloudflare users revoke their API key if they visited the Cloudflare dashboard yesterday as this may have been compromised as well.

Note: The Firefox and Opera versions of the extension were entirely unaffected.

I sincerely apologize for this incident and the pain and frustration it has caused.

Timeline Of What Happened

Tuesday, August 1st

9:25 am PDT: I receive an email saying that Web Developer does not comply with Chrome store policies and needs to be updated. I could make excuses about how I am extremely busy at work or I seem to constantly be logged out of my Google account so having to log in is not unusual, but the reality is that I am a bloody idiot and blindly logged into my developer account after clicking on a link in the email. To add to my stupidity, the developer account did not have two-factor authentication turned on. At the time, I do not realize what I have just done and simply save the email to look into in more detail when I have more time.

Wednesday, August 2nd

6:30 am PDT: I wake up to a number of tweets and emails from users reporting unusual logging and adware coming from Web Developer. I realize that this is tied to the email from the day before and immediately change my developer account password. I log in to the developer dashboard and see that a version 0.4.9 has been uploaded by someone other than myself and immediately unpublish the extension from the Chrome store.

8:40 am PDT: I create a new version 0.5 from a code branch that I had been actively working on to fix bugs in the extension and upload that to the Chrome store.

9:15 am PDT: The new version 0.5 goes live in the Chrome store.

Fallout

With the compromised version of the extension now replaced in the store, I have been working on replying to everyone who tweeted or emailed me advising them to upgrade to version 0.5 ASAP. I have also informed Google of what happened, although there is not an obvious right way to report this and thus far I have not heard from them.

I changed the password for the developer account immediately upon discovering the issue, but I have also now enabled two-factor authentication on that account so that an attack of this nature is far harder in the future.

I am also continuing to look into the impact of the malicious code as are others with far more security knowledge than myself, which is incredibly appreciated.

Someone has created a Gist that shows the malicious code that was added to the extension and is decoding and discussing exactly what the code is trying to do.

I also received an email from a security officer of an ISP in the Netherlands who says that the malicious code looks to use a date-based domain to request URLs and they have graciously registered the domains for the next week of dates in an attempt to block the requests from happening.

My extension does not seem to be the only one that was targeted in this way and the developers of the Copyfish extension have written their own blog post detailing what happened to them which appears to be very similar to my experience.

I will continue to update this post with more information as I have it and once again I sincerely apologize for the disruption and distress that this has caused.

Update: Proofpoint has posted an incredibly detailed breakdown of the compromise.

Post from August 2nd, 2017 at 4:12pm

Version 0.5 of Web Developer for Chrome is now live which removes the compromised code. Please update immediately.

Sponsor

Donate

All the work on chrispederick.com is distributed for free, but your donation allows me to continue my development and any amount is greatly appreciated.

 Donate

© 2003–2018  Chris Pederick