All about Google Chrome & Google Chrome OS

29 Dec 12 Google to scan Chrome extensions, bans auto-install

Google has taken two steps to prevent its Chrome browser becoming an attack vector for malware that runs as extensions to the browser.

Like many other browsers, Chrome allows users to install “extensions”, apps that add functionality. Google even runs the “Chrome Web Store” to promote extensions.

Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders that trick users with offers to do things like change the colour of Facebook and then suck out all their data.

Google has responded in two ways, one of which is a new service “To help keep you safe on the web” that will see the company “analyzing every extension that is uploaded to the Web Store and take down those we recognize to be malicious.”

Changes are also coming in the forthcoming version 25 of the browser, which will no longer allow extensions to install without users’ knowledge. That’s currently possible because Chrome, when running on Windows, is designed to allow unseen installs “to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application.”

“Unfortunately,” Google now says in a blog post, “this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users.”

Chrome 25 will therefore remove the auto-install feature, replacing it with a new system that presents the Windows Vista-esque screen below when extensions try to ingratiate themselves with the browser.

A new dialogue box in Chrome 25 will ask users if they want to install extensions

Hi! I’m the ghost of Windows Vista! Would you like to install this extension?

As ever, Google’s blog posts and support notice on the changes position them as responsible enhancements that show, yet again, Google is doing the world a favour.

A more critical analysis could consider the announcements in light of malware found in Google Play and take Google’s decision to more aggressively curate the Chrome Web Store as an admission it needs to devote more attention to this stuff, lest Chrome and other Google products become malware-ridden quagmires that users don’t trust. ®


28 Dec 12 Chrome 25 blocks sneaky add-ons

Computerworld - Google on Friday said Chrome 25, now in development, automatically blocks browser add-ons installed on the sly by other software.

The measure mimics what rival Mozilla did for Firefox over a year ago.

Auto-blocking has already appeared in Chrome 25 for Windows on the “dev” channel — Google’s least-polished public version — which debuted last month. By the browser’s semi-regular release schedule, Chrome 25 will reach the final “stable” channel, and thus the bulk of users, in the second half of February 2013.

According to Peter Ludwig, a Chrome product manager, Chrome 25 will automatically disable any browser extensions silently installed by other software. Extensions previously installed by third-party software will also be barred from running.

Chrome users can switch on such extensions manually, or remove them from the browser and their PC.

Although Ludwig never used the word “security” in his Dec. 21 blog post, the change’s provenance was clear.

“[Silent installation] was originally intended to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application,” Ludwig explained. “Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgment from users.”

Google was more than a year behind rival Mozilla in banning extensions installed behind users’ backs. In Aug. 2011, Mozilla said Firefox 8 would automatically block browser add-ons installed by other software. Firefox 8 shipped three months later.

Add-ons bundled with third-party software had been a problem for Firefox users, who complained loudly when they found mysterious extensions on their computers.

A toolbar installed in Firefox alongside Skype, for example, caused so many crashes in Jan. 2011 — 40,000 in only one week — that Mozilla blocked the add-on after calling the Internet phone company a “repeat offender.” In 2009, Microsoft silently slipped an add-on into Firefox that left browser users open to attack.

Google has also made other moves this year to lock down extensions. As of Chrome 21, which launched last July, the browser will not accept add-ons installed directly from websites, but only from the Chrome Web Store. Previously, any website could prompt a Chrome user to install an extension.

“Online hackers may create websites that automatically trigger the installation of malicious extensions,” Google noted in a Chrome Help page that explained the new rules. “Their extensions are often designed to secretly track the information you enter on the web, which the hackers can then reuse for other ill-intended purposes.”

That security measure has not been foolproof, however, as a Facebook-theme scam detailed by Webroot last week illustrated: The rogue add-on was placed on the Chrome Web Store, even though Google had said on the same Help page that, “We have started analyzing every extension that is uploaded to the Web Store and take down those we recognize to be malicious.”

Chrome 25’s dev version for Windows can be downloaded from Google’s website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.


27 Dec 12 Google Acts Against Malicious Chrome Extensions


Google’s latest steps will make it harder for malicious developers trying to exploit Chrome users via browser extensions.

Extensions are plugins for Google Chrome and allow developers to add extra functionality to the Web browser. Many Chrome extensions are supremely useful, such as Ghostery, which quickly and easily detects and blocks Web trackers tagging your movements across the Web, the URL shortener, and ViewThru, which displays the full URL when mouse-overing a shortened link. Others, like the “Change Your Facebook Color” extension pointed out by Webroot, are privacy-violating scams peeping at the browsing history and data from other Web sites. Spam-spewing extensions also exist.

While many of the extensions are accidentally installed by users who were tricked into downloading them, many were installed without the user’s knowledge by other dodgy applications using Chrome’s auto-install feature. To address that problem, Google has removed auto-installs in the latest version of Chrome.

No More Auto-Installs
Google originally included the auto-install feature to allow applications to install an additional Chrome extension during its own installation process. This was intended to simplify the installation process so that users didn’t have to add the extension manually afterwards. 

“Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users,” Peter Ludwig, a product manager at Google, wrote on the Chromium blog.

Chrome (version 25 for those counting) will now block an application trying to auto-install an extension and display an alert informing the user about the new extension and listing some of the things it can do (such as “Access your data on all Websites” and “Read and modify your bookmarks”).

Chrome 25 also automatically disables any extensions that were previously installed using the auto-install feature. If the user wants to re-enable the extension, the browser will display a one-time prompt explaining what each extension wants to do before allowing them to be turned back on. 
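The two prompt strings quoted above correspond to what an extension requests in its manifest.json: broad host match patterns and the bookmarks permission. As an added example (not code from the article or from Google), this Python script triages manifests for those capabilities; the additional permission names with their descriptions, the constructed sample manifests and all function names are assumptions of this example.

```python
"""Triage Chrome extension manifests by the capabilities they request."""
import json

# Prompt strings quoted in the article, keyed by the capability they describe.
PROMPT_TEXT = {
    "all_sites": "Access your data on all Websites",
    "bookmarks": "Read and modify your bookmarks",
}

# Further API permissions worth a reviewer's attention. The descriptions are
# this example's own wording, not Chrome's prompt text.
REVIEW_NOTES = {
    "tabs": "can see the URLs and titles of open tabs",
    "history": "can read browsing history",
    "cookies": "can read cookies for hosts it has access to",
    "webRequest": "can observe network requests",
    "management": "can enable or disable other extensions",
}

# Constructed sample manifests (not taken from any real extension).
SAMPLE_COLOUR_CHANGER = """{
  "name": "Colour changer (constructed sample)",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": ["tabs", "cookies", "bookmarks", "http://*/*", "https://*/*"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}"""
SAMPLE_NARROW = """{
  "name": "Single-site helper (constructed sample)",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": ["storage", "https://example.com/*"]
}"""


def is_all_sites(pattern):
    """True when a host match pattern covers every http(s) site."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0]
    return scheme in ("*", "http", "https") and host == "*"


def requested(manifest):
    """Split a manifest's requests into (api_permissions, host_patterns)."""
    apis, hosts = set(), set()
    perms = manifest.get("permissions")
    for entry in perms if isinstance(perms, list) else []:
        if isinstance(entry, dict):      # object form, e.g. {"socket": [...]}
            apis.update(entry)
        elif isinstance(entry, str):
            if "://" in entry or entry == "<all_urls>":
                hosts.add(entry)
            else:
                apis.add(entry)
    # Content scripts are injected into pages matching these patterns, so
    # they count as host access even when "permissions" lists no hosts.
    scripts = manifest.get("content_scripts")
    for script in scripts if isinstance(scripts, list) else []:
        if isinstance(script, dict):
            hosts.update(m for m in script.get("matches", [])
                         if isinstance(m, str))
    return apis, hosts


def audit_manifest(manifest):
    """Return a list of (capability, description) findings for one manifest."""
    apis, hosts = requested(manifest)
    findings = []
    if any(is_all_sites(h) for h in hosts):
        findings.append(("all_sites", PROMPT_TEXT["all_sites"]))
    if "bookmarks" in apis:
        findings.append(("bookmarks", PROMPT_TEXT["bookmarks"]))
    for name in sorted(apis & REVIEW_NOTES.keys()):
        findings.append((name, REVIEW_NOTES[name]))
    return findings


def audit_manifest_text(text):
    """Audit raw manifest.json text; a broken file is itself a finding."""
    try:
        manifest = json.loads(text)
    except ValueError:
        return [("unparseable", "manifest.json is not valid JSON")]
    if not isinstance(manifest, dict):
        return [("unparseable", "manifest.json is not a JSON object")]
    return audit_manifest(manifest)


if __name__ == "__main__":
    for label, text in (("colour changer", SAMPLE_COLOUR_CHANGER),
                        ("narrow helper", SAMPLE_NARROW)):
        print(label)
        for capability, description in audit_manifest_text(text) or [("-", "nothing flagged")]:
            print(f"  {capability}: {description}")
```
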

Stopping Malicious Extensions
Google also appears to have a new service which analyzes “every extension that is uploaded to the Web Store and take down those we recognize to be malicious,” according to the support pages for the Chrome Web Store. There isn’t a lot of information about the service at this time, so it’s not known whether Google is using an automated scanner similar to Google Bouncer, which checks apps in Google Play (or if Bouncer itself is handling both markets).

Google has recently cracked down on extensions. Back in July, Google changed Chrome so that users could only install extensions found in the Chrome Web Store, and not from third-party sites. 


22 Dec 12 Google disables silent extension installs to Chrome

Updated 22 Dec, 2012, 5:33 pm IST

16 Jun 12 Chrome Web Store Launches In Six More Countries With Offline …

The Chrome Web Store has just received several updates. These are not major changes, and upon first glance you might not see the difference, but these are changes worth knowing about, especially if you’re a developer, you like offline apps, or you live in Turkey, Ukraine, Egypt, Saudi Arabia, Morocco or the United Arab Emirates. If you live in one of these six countries, the Chrome Web Store is now available in your country, which means you can enjoy all the extensions and apps it has to offer. This also adds a substantial audience to existing apps in the store.

If you work with offline apps, or have developed one, you’ll be happy to know the Chrome Web Store now has a new section dedicated entirely to offline apps. Offline apps are apps that work regardless of your Internet connection, and the addition of this category means it’s now easier to find these apps among the huge available selection.

The last change in the Chrome Store has to do with usage stats, and is aimed at developers who would like to have better insight into their apps’ performance. Developers can now view a graph which can help them get a better understanding of how well their app is doing, for example how many times it’s been viewed, installed, etc. The data can be easily exported and downloaded as a CSV file. According to the Chrome development team, this is only the beginning for this feature, and we’ll see more capabilities added to it in the future.

Do these updates change your Web Store experience?

Source: Chromium Blog


16 Jun 12 50 essential Chrome tips

Behind its no-frills, stripped-down exterior, the Google Chrome browser hides a wealth of useful features and functions.

Read on to discover some tips and tricks you can make use of to unlock the power of Chrome. Oh, and chip in with your own in the comments at the bottom.

1. Pin tabs

Pinned tabs shuffle along to the left-hand side of the screen, take up less room and in some cases (e.g. Twitter), they glow if there’s an update to the page. They also keep their places whenever you start up Chrome in the future. Right-click on a tab title to access the pin tab option.


2. Log out with incognito mode

Like most browsers, Chrome has an incognito mode that disables history logging. Open up an incognito window whenever you want to quickly check how a site — such as your Facebook page or Google+ profile — looks to someone who isn’t signed in as you. If you’re using Windows, Control+Shift+N opens a new incognito window.

3. Browse files

Chrome offers a rudimentary file explorer — try typing ‘C:’ into the omnibox and hitting Enter to look around.

4. Search by site

All the usual Google operators apply in the Chrome omnibox. Type ‘site:’ followed by your keywords to restrict a search to a particular website, for example.

5. View background tasks

Chrome is powerful enough to have its own task manager. Hit Shift+Esc to see what’s running in the background (typically extensions and offline caching tools), alongside your open tabs, and how much CPU time and memory space each one is taking up.

6. Hide extensions

If you want to clean up the toolbar but don’t want to uninstall all your extensions, you can hide them instead (right-click, Hide button). This can come in very handy for extensions that work mainly in the background.

7. Change version

As well as the stable version, Chrome is available in three more versions, which get increasingly more cutting edge and less stable — Beta, Dev and Canary. Visit the Chrome Release Channels page to switch between them.

8. Use the keyboard

There’s a wealth of keyboard shortcuts that make Chrome easier and faster to use, but here we’ll just mention two of the most useful — Ctrl+click to open up a link in its own tab and Ctrl+W to close the current tab.

9. Add desktop shortcuts

Right-click on a web app on the New Tab page and choose ‘Create shortcut’ to add a link to it from the Start menu, desktop or taskbar.

10. Check memory usage

Enter ‘chrome://memory’ into the address bar to see where all of your RAM is going. Try ‘chrome://chrome-urls’ to see the other diagnostic shortcuts that are available.

11. Drag links

If you find clicking on links somewhat old hat, try dragging them to the omnibox or the tab bar.

12. Visualise bookmarks

Add bookmarks to the bookmarks bar, then remove their names in the Bookmarks Manager to be left with a row of compact favicon shortcuts.


13. Edit most visited sites

If there’s a thumbnail on the ‘Most visited sites’ page you no longer want to see, click the cross in the top right-hand corner of the image to replace it with the next most visited site in Chrome’s list.

14. Rearrange apps

Click and drag an app on the Apps page to change its position — drag to the far right to create a new page of apps.

15. Go full screen

See more of the web in full-screen mode — F11 toggles it on and off.

16. Change History

Head to chrome://chrome/history and you can remove specific pages from your browsing record via the check boxes and the ‘Remove selected items’ button.

17. Enlarge text

If your eyesight is poor or you’re using a huge monitor, you can increase the default text size via Settings > Web content > Font size.

18. Forget everything

Clear everything in Chrome’s memory by hitting Ctrl+Shift+Del, ticking all of the boxes (from history to cookies), selecting ‘the beginning of time’ as the timespan and clicking ‘Clear browsing data’.

19. Change the theme

Like Gmail, Chrome comes with a range of official and unofficial themes — click ‘Get themes’ on the Settings page to browse the selection.

20. Go further back

Click and hold on the back button to see a list of recently visited pages for the current tab.

21. Jump tabs

Hit Ctrl+ followed by a number to jump to that tab in Chrome — Ctrl+2, for example, will open the second tab from the left.

22. Go offline

Keep emailing even when your online connection is down with Offline Gmail from the Chrome Web Store. Google promises more offline apps are on the way.


23. Analyse pages

Right-click on a web page and choose ‘Inspect element’ to see the HTML, CSS, JavaScript and other resources it’s made up from.

24. Import data

Chrome can import bookmarks, browsing history and more from Internet Explorer and Firefox via the Import bookmarks and settings option on the Bookmarks menu.

25. Remote desktop

There’s a beta Chrome Remote Desktop app in the Chrome Web Store that lets you access your other machines that have Chrome running. Follow the on-screen instructions to set it up.

26. Pick up where you left off

Rather than opening a set URL or the New Tab screen when you start Chrome, you can opt to relaunch the same tabs that were open when you shut it down — visit the Settings page under ‘On start-up’.

27. Send to phone

The Chrome to Phone extension available in the Chrome Web Store is developed by Google and can send links and other information straight to your Android device. You’ll need to install the mobile app too.

28. Stay in sync

Sync some, all or none of the following by signing into Chrome with your Google account: apps, bookmarks, extensions, auto-fill data, passwords, open tabs, omnibox history, themes and settings.

29. Do your sums

Type a calculation into the omnibox to see the result in the suggestions without even hitting Enter.

30. Search elsewhere

On the Settings page under Search, you can set the omnibox search to query sites such as Facebook or Wikipedia by default.

31. Make more room

Drag out the edges of any text input box to give yourself more room to express yourself.

32. Save to Google Drive

Chrome doesn’t have this option yet — in the meantime, set the default download location to a folder being synced by the Google Drive desktop client.


33. Zoom

Use the Ctrl button in conjunction with your mouse’s scroll wheel to zoom in and out.

34. See more suggestions

Increase the number of suggestions offered below the omnibox with a command line switch. Create a shortcut to chrome.exe with the ‘-omnibox-popup-count=’ start-up switch afterwards.

35. Find in page

Hit Ctrl+F and type your text to find keywords in a page — matches are highlighted in yellow on the right-hand scrollbar.

36. Highlight to search

Highlight a word or phrase and on the right-click menu you’ll find an option to use the selection as a query for a Google search in a new tab.

37. Reopen a tab

If you’ve just closed a tab you didn’t mean to, right-click on the tab bar and choose Reopen closed tab to bring it back.

38. Switch between Google accounts

Use the ‘Add new user’ button on the Settings page to sign in using another Google Account. You can then quickly switch between them by clicking on the user icon in the top-left corner.

39. Experiment

Enter ‘about:flags’ in the omnibox to see some experimental Chrome features you can try out, covering everything from geolocation APIs to gamepad support.

40. Paste and go

With a link on the clipboard, right-click on the omnibox and choose ‘Paste and go’ to visit it. If a link isn’t detected, the option becomes Paste and search.

41. Find recent bookmarks

The Bookmark Manager creates an automatic list of recently bookmarked links if you can’t remember which folder you saved your new favourite YouTube video to.

42. Get nostalgic

Click the globe icon (or padlock icon) on the far left of the omnibox to check when you first visited the current site. A cache clear-out or browser reinstall will reset this data.


43. Disable spellcheck

If you don’t like Chrome correcting you on your spelling, you can disable the feature under the Languages heading on the advanced settings screen.

44. Print from anywhere

Activate Google Cloud Print on your current PC with Chrome installed and you can access that computer’s printers from every other Chrome browser you sign into.

45. Pan around

Click the mouse scroll wheel on a blank part of a web page to then pan around the site by moving the mouse.

46. Send feedback

You can let the Google Chrome team know about a bug via the ‘Report an issue’ link on the Tools menu. A screenshot can be included automatically.

47. Manage handlers

Visit Content settings (under Privacy on the Settings page), then click ‘Manage handlers’ to change the applications used to handle email and calendar links inside Chrome.

48. Speak to type

On any text box marked with a microphone icon, click the icon to speak to type, assuming you have a working microphone attached.

49. Use the jump list

If you’re running Chrome on Windows 7, right-click on the taskbar icon to access its jump-list — from here you can open recently closed tabs and most visited sites.

50. Enjoy your music

Right-click on an MP3 file in Windows and choose Open With Google Chrome if you want to quickly hear a tune without the hassle of opening up iTunes or Windows Media Player.


13 Jun 12 Chrome Web Store Gets New Developer Features

The Chrome Web Store is one of the nicer things about Google’s browser that really gives it an edge over the competition. Mozilla will be launching its own Firefox app store soon and Windows 8 has the Metro app store. Google is going to have to kick it up a notch to stay ahead.

In the spirit of staying ahead, Google has announced three new features hitting the Chrome Web Store today. The new features should benefit both the consumer and the developer in creating and delivering content across the Web.

The Chrome Web Store is now available in six additional countries – Turkey, Ukraine, Egypt, Saudi Arabia, Morocco and the United Arab Emirates. Consumers in these countries can now start to download apps. The bigger benefit, however, comes in the form of developers from these countries being able to sell apps on the Chrome Web Store to a global audience.

One of the nice things about the Chrome Web Store is that some developers allow their apps to work offline. A major problem arose in the form of not knowing which apps worked offline though. To combat this, Google has added a special collection called “Offline Apps.” Developers can easily add their apps to this collection by adding the offline_enabled flag to their app’s manifest file.

The final feature is for developers only and it’s a good one at that. The developer dashboard now features a graph that shows you how many times an app has been viewed versus the number of installations. In typical Good Guy Google fashion, developers can already view up to 90 days of history via the graph. That history will probably be increased in the future according to Google.


Like I said, these features benefit both the consumer and the developer. While Mozilla and Microsoft still have some work to do on their respective app marketplaces, Google has the head start. That puts them into the enviable position of being able to immediately respond to any potential innovations implemented by the competition.


09 Jun 12 Chrome OS offline: Can you really use a Chromebook without the cloud?

Google’s Chrome OS Chromebooks are great for cloud-based computing — but what happens when you have a Chromebook with no cloud? Can Chromebooks actually work offline, or do they turn into pretty paperweights when the Internet goes off?

These are important questions to consider. Chrome OS, after all, is a platform built around the Web. But whether it’s on a plane or while visiting Uncle Jed’s country cottage, we all encounter times when Internet access isn’t available.

I haven’t seen Uncle Jed lately, but as part of my two-week Chrome OS experiment, I wanted to see how Google’s newly refreshed cloud platform really performed offline. So I took a deep breath, hyperventilated a little, and shut off the Wi-Fi and 3G on my Chromebook for a few hours.

Here’s what I found.

Chrome OS offline: The Google app situation

The first thing that struck me in testing Chrome OS offline is just how far Google has come. When I started exploring Chrome OS a year and a half ago — using Google’s prerelease Cr-48 test notebook — offline functionality was practically nonexistent. Even with the launch of the first commercial Chromebook last summer, the picture was pretty bleak.

These days, using Chrome OS offline is almost a good experience. And most of the remaining gaps are set to be filled soon.

Right now, for example, you can get full offline access to Gmail; all you have to do is install the free Offline Google Mail app onto your Chromebook and complete a simple one-time setup. Then, anytime you’re offline, you just open the Offline Google Mail app and you’re good to go.

The offline Gmail interface looks a lot like the tablet Gmail interface. It allows you to read and search through your email, archive messages, and compose new messages or responses. Anything you do is synced to the cloud the next time you connect; the process is automatic and transparent.

Google Docs isn’t quite as good of a situation, but it’s getting there. Right now, Docs has partial offline access: You can view all of your saved documents and spreadsheets, but you can’t edit anything or create anything new. That’s obviously a problem, but it won’t be for long: Google says full offline Docs support for Chrome will be launched within the “next several weeks.”

Odds are, we’ll see full offline Docs support by the end of the month; remember, Google’s annual developers’ conference takes place June 27 through 29. That’d be a logical time for something like this to be unveiled. In the meantime, I’ve been using offline Gmail or the offline-ready Scratchpad note-taking app to fill the void (Scratchpad comes preinstalled on Chromebooks, and it even syncs to Docs when you’re online).

One minor annoyance I discovered is that Docs’ offline mode works only with files saved in the Google Docs format. I happen to have a lot of Microsoft Word and Excel files stored in my Docs account; while the regular online version of Docs allows me to view them, the offline version does not. Google Docs does make it easy to convert files into the Docs format when you’re online, at least — so if you’re planning to use Docs offline and have a lot of Word files floating around, that’s something worth thinking about in advance. (It’s also worth noting that offline Docs access requires a one-time initial setup; you can find the option in the gear dropdown menu at the top-right corner of the Docs app.)

Like Docs, Google Calendar currently has partial offline support. With Calendar, you can browse and view any calendars connected to your account and RSVP to existing invitations. (Like with Docs, too, you have to complete a one-time initial setup to enable offline access.) At the moment, however, you can’t create new events or invitations while working offline. A Google spokesperson tells me full offline Calendar support is in the works, but unfortunately, there’s no firm timeframe for that launch just yet.

Chrome OS offline: The other offline options

Beyond those Google-service basics, there are hundreds of third-party Chrome apps that work perfectly fine offline. Google has even created a section of its Chrome Web Store dedicated to apps with offline capabilities; I counted nearly 900 items in it this morning. (You can always tell if an app is offline-friendly by looking for the gray lightning bolt symbol anywhere in the Chrome Web Store.)

The offline apps include everything from games (Angry Birds, Solitaire, Pac-Man) to news and sports (NYTimes, 365Scores) and general utilities (a Gmail-synced to-do list, scientific calculator, audio transcription tool). You can even read e-books offline with Google’s own Play Books app.

Chrome OS offline: The real deal

At this point, the notion of a Chromebook becoming a paperweight when offline is simply misconstrued. Once full offline Docs support arrives (which, again, is set to happen in a matter of weeks), the number of significant holes remaining will become very slim. Full calendar-editing functionality is still pending, and that’s a bummer — but it hardly constitutes paperweight status.

Chrome OS may be a cloud-based platform, but these days, Google’s Chromebooks remain perfectly capable when they’re away from the cloud.


03 Jun 12 Google Chrome Tabs Let Malware Sneak Into Businesses


Google Chrome users: Watch your sync habits. The browser’s ability to synchronize tabs across different computers could be used by a malicious attacker to eavesdrop on personal or corporate communications.

The tab-synchronization capability appeared last month in the latest version of the Google Chrome browser, and allows users to synchronize their open browser tabs across devices. As a result, users can log into any version of the Google Chrome browser–on home PCs, work PCs, or mobile devices–and access their saved tabs.

Unfortunately, the same would go for malware. “Consider the following scenario: The user is signed in to Chrome on both work and home computer. … The home computer gets infected by a malware. Now all of the work synced data (such as work-related passwords) is owned by the malware,” said Rob Rachwald, director of security strategy at Imperva, in a blog post.

“We name this kind of threats BYOB for ‘Bring Your Own Browser,’” he said. “While BYOD creates challenges of mixing work data and personal end points, BYOB does exactly the same–but it’s more elusive as there’s no physical device involved.”

Furthermore, IT departments could have difficulty successfully spotting and blocking malware that infiltrates the enterprise in this manner, especially given the number of attacks that could be launched from an infected home PC. “Even if the malware gets disinfected on work computer, the malware is able to infect over and over again–as the root cause of the infection–the home computer–is outside of the reach of the IT department,” Rachwald said.

Two Ways In

Google didn’t immediately respond to a request for comment about the feasibility of this attack, or steps that users could take to mitigate this type of threat. To be sure, this is a theoretical attack; no such Chrome-targeting malware campaign has been seen in the wild. But malware could potentially piggyback into a corporate environment, using Chrome tabs, in two ways.

The first exploit technique would be if “the malware changes the homepage or some bookmark to point to a malware-infection site on the home computer,” said Rachwald. “Settings are synced to your work environment. When you open your browser at work, you get infected with some zero-day drive-by download.” In this scenario, attackers could instruct the malware to keep attacking the corporate network, and even vary the attack being used, in an attempt to evade defenses. This would be difficult for a business to stop with complete reliability.

“Even if the malware gets disinfected on work computer, the malware is able to infect over and over again, as the root cause of the infection–the home computer–is outside of the reach of the IT department,” he said.

Another potential attack vector would be if the malware installed a rogue Chrome extension, and such extensions have appeared on the official Chrome Web Store in the past. As Google notes, “anyone can upload items to the Chrome Web Store, so you should only install items created by people you trust,” and by reviewing the ratings and reviews for an extension to help deduce whether it’s reliable. Google quickly removes any malicious Chrome extensions, once they’re spotted. But until that happens, any malicious extension is able to operate with impunity.

“Chrome extensions are evil,” noted Felix “FX” Lindner, head of Recurity Labs in Berlin. That comment came during a talk he delivered at Black Hat Europe earlier this year, in which he highlighted how Chrome extensions can be used by an attacker to inject JavaScript directly into the browser. What’s more, any users who sign into Chrome on a different workstation will have their extensions automatically installed on the current PC. As a result, a malicious extension installed at home could easily appear on a workplace PC, creating a vulnerability similar to the one that Rachwald highlighted.

Why are malicious Chrome extensions so dangerous? “If you have an extension installed, it has … pretty much omnipotent control over your Chrome browser,” said Lindner, speaking by phone. “Google tries to prevent the extension from accessing your extension manager, but we’ve found ways to do it. Google fixed them, but I’m pretty confident that there are other ways.”

Preventing users from installing Chrome extensions is nearly impossible. For starters, while the IT department can issue its own Chrome build, and set it to block extensions, you can install and run your own installation of the browser on any PC for which you have permission to write to the home directory–no administrator rights required.

Security defenses also won’t spot malicious extensions. “This all being JavaScript and HTML, the corporate antivirus is not going to catch it–on top of the fact that you’re downloading the extension via SSL from Google’s Web store,” said Lindner. “Unless corporate [IT] breaks SSL for you, they’re not going to see it anyway.”

Since the browser’s preferences are handled with JavaScript, a malicious extension could automatically–and without a user being aware–install and run arbitrary code in the browser. For example, the extension might unleash a Trojan application that recorded everything the user did, or open a malicious website in the browser. Furthermore, if this extension was first installed at home, it would automatically get pushed to work when the user logged in there.
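A defender-side check for the synced-extension risk described above, as an added example that is not from the original article or from Google: it walks a Chrome profile's Extensions folder and reports every extension that is off an approved list or that requests access to all sites. The `Extensions/<id>/<version>/manifest.json` layout, the allowlist and the function names are assumptions, and the two sample extensions are constructed data.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read and modify every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_hosts(manifest):
    """Collect broad host patterns from permissions and content-script matches."""
    patterns = list(manifest.get("permissions", []))
    patterns += list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return sorted({p for p in patterns if isinstance(p, str) and p in BROAD_HOSTS})

def audit_profile(profile_dir, allowlist):
    """Report extensions that are off the allowlist or can touch every page."""
    findings = []
    # Assumed on-disk layout: <profile>/Extensions/<id>/<version>/manifest.json
    for path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = None  # unreadable manifests are reported, not skipped
        parsed = isinstance(manifest, dict)
        broad = broad_hosts(manifest) if parsed else []
        allowed = ext_id in allowlist
        if not parsed or not allowed or broad:
            findings.append({"id": ext_id, "allowed": allowed,
                             "broad_hosts": broad, "parsed": parsed})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extension IDs, not real extensions."""
    samples = {
        "a" * 32: {"name": "Sample notes", "permissions": ["storage"]},
        "b" * 32: {"name": "Sample recolour", "permissions": ["tabs"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / "Extensions" / ext_id / "1.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        print(audit_profile(tmp, {"a" * 32}))
```

Run against each user profile on a workstation, this surfaces extensions that arrived through sync rather than through IT, including those in a browser copy installed under the user's home directory.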

Attackers aren’t the only concern for Chrome users, as the Google tab synchronization feature could also be used during digital forensic investigations. “Imagine there’s a case against you at work, and they do forensics, and they get all of your accounts at home,” said Lindner.

But the bigger picture, he said, is that users should consider the security implications of synchronizing information between Chrome tabs or even between Google services. “I’m really not sure who would want to: a) give all this information to Google, and then, b) actually sync it onto every single machine they’re using,” Lindner said. “So much for defense. But maybe I’m the wrong person to ask–I don’t even have a Google account. Wrong religion.”


21 May 12 PIXELS: Localised Chrome Web Store

GOOGLE has launched a localised version of its Chrome Web Store, which offers apps made by local developers. Best accessed via Google’s own speedy Internet browser Chrome, the store is located at the link

A Google staff showing off the localised Chrome Web Store apps

(2) Attendees of the DiGi CyberSAFE Programme launch in Terengganu

(3) MOL Global PR and Communications manager Shyla Sangaran with the new look Friendster

(4) Creative Advances’ CEO Rohizam Md Yusoff (second from left) and chief marketing officer Joanna Liao (third from left) at the launch

The Chrome Web Store apps are classified under Business Tools, Education, Entertainment, Games, News & Weather as well as Social & Communication, among others. Some of the local apps available are from AirAsia and Maybank, as well as popular Malay tech portal

According to Sajith Sivanandan, country manager of Google Malaysia, the Chrome Web Store has expanded into more than 30 countries and more than 200 million people around the world are using the Chrome browser.

“A check with GS Statcounter indicates that Chrome is used by 44 per cent of desktop Internet users in the country. With the launch of a localised Web Store here, we hope to see tens of thousands of local apps on the Chrome Web Store for Malaysians in the future,” says Sivanandan.

He adds that Google also has plans to heighten the awareness of Chrome Web Store among local developers here.

Chrome Web Store also offers extensions and themes for customising a user’s web browsing experience. One of the extensions is PrayOnTime, which displays the Islamic prayer times for the user based on his location. Themes, on the other hand, offer changing backgrounds on the Chrome browser for a personal touch.


2. Online safety awareness

DIGI Telecommunications held a series of workshops at its Community Broadband Centres located around Terengganu recently to raise awareness on online child safety.

The workshops are part of the DiGi CyberSAFE Programme.

Jennifer Neal, DiGi’s head of Eastern Region, said that as a leading enabler of Internet in the country, with over five million active mobile Internet subscribers, the company feels responsible for educating communities around the country to ensure that they have a safe, family-friendly Internet experience.

“While we encourage local children and communities to explore the wonders of the Internet, we also need to equip them with practical knowledge on how to stay safe online. DiGi will continue to work closely with the Ministry of Education, CyberSecurity and Childline to raise awareness of this important issue.”

This Terengganu leg of the programme marks its first outreach to communities on the east coast of Peninsular Malaysia. The programme, which kicked off in the Klang Valley in November 2011, has since reached 2,300 students, teachers and parents from 117 schools in the Klang Valley, Putrajaya, Selangor, Negri Sembilan, Johor and Malacca.

Through DiGi CyberSAFE Programme’s partnership with Childline Malaysia, children are also provided with access to the 15999 Childline, a 24-hour telephone helpline for children to call should they encounter online threats.

For more information on the DiGi CyberSAFE Programme, visit


3. Redesigned Friendster targets hip gamers

MOL Global has unveiled a new-look Friendster, with new features and a strong focus on games.

Ganesh Kumar Bangah, MOL’s group chief executive officer, says the new Friendster is positioned as a social discovery and gaming platform that also offers rewards to users.

“We currently have four million unique active visitors every month and we are targeting to increase this number to 10 million a month by year end,” Ganesh says.

Friendster offers high quality social games with a library of 56 titles along with tools for connecting, chatting, playing and competing with other players. It also leverages on MOL Global’s strength in online payment services to offer Friendster Coins payment system for users to buy items within a game and pay for other content, as well as allow developers to monetise their apps.

“I do not agree with the opinion that Asian gamers and app users do not like to pay for their contents. At MOL where Asia is our strongest market, we even have ‘whales’ who spend over RM1,000 a month for their games, and on average we earn between RM150 and RM200 per month per user,” Ganesh says.

At the launch, Ganesh also highlighted two spin-off media products that are based on the Friendster brand: the Friendster iCafe and the Friendster hotspot.

The Friendster iCafe is a cybercafe management system which integrates cybercafe computers, customers, accountings and billing needs into one, while the Friendster hotspots allow retailers to add free WiFi infrastructure to enhance customer experience.

In Malaysia, Friendster hotspots have helped outlets such as Starbucks, Old Town White Coffee, Kenny Rogers Roasters and Papa John’s offer WiFi connectivity to their customers.

Through the Friendster local developer programme, developers can make use of Friendster’s comprehensive application programming interface to build, test and deploy games to Friendster’s players.

“I hope to see more local developers develop games for the 4.5 million active Friendster users,” expresses Ganesh.


4. SOTA gets new brand identity

CREATIVE Advances Technology has announced a new brand identity for its online travel portal in line with its objective of making travel packages worldwide more accessible to everyone online.

SOTA is now known as Smart Online Travel Assistant. There’s not only a change in the logo but a new look and feel.

The new look is aimed at presenting SOTA as a more consumer-focused online travel portal, moving from the initial focus of providing an online platform for the sellers in the travel industry to one that focuses on reaching the buyers in the travel market.

The revamped travel portal comes with improved navigation and a seamless user experience for travel buyers. The portal also incorporates other value-added features such as tips for travellers, recommendations on travel bargains as well as weather forecasts and calendars for smarter planning.

The rebranding exercise includes a media blitz between May and October via print and online media channels.

A mid-year school holiday promotional travel campaign was also launched during the announcement of the new brand. The campaign runs from May 17 to 31 and features attractive travel packages to destinations such as Bali, Phuket, Osaka and Australia.
