Spy warning on the Chrome extension "webpage screenshot"

[SweX 871]

Swedish newspaper DN had this story about the Chrome extension "webpage screenshot" today, so I made a rough translation of the important bits from the article.....

 

According to the article it will send data each minute about what websites you have visited to a server in the U.S., even from secure connections. It does not collect content from visited websites or content from emails, but it has capabilities to do that if the "dev" want to. The "dev" says to DN that the purpose with collecting all this is to build up statistics on browsing behaviours and sell it because it has a high commercial value, and he point out that it's not data from individuals that is interesting but browsing behaviours as a whole.

 

The code that makes the spying possible is not present in the extension's source code at first, but gets downloaded from the Internet some time after install, and the spying begins around 1 week after install. Which could be one reason to why the extension passed the security checks.

 

Original: hxxp://www.dn.se/nyheter/sverige/hemlig-kod-spionerar-pa-svenskars-surfvanor/

 

Translated: https://translate.google.com/translate?sl=sv&tl=en&js=y&prev=_t&hl=sv&ie=UTF-8&u=http%3A%2F%2Fwww.dn.se%2Fnyheter%2Fsverige%2Fhemlig-kod-spionerar-pa-svenskars-surfvanor%2F&edit-text=&act=url

 

The extension at the google store (don't install it):

https://chrome.google.com/webstore/detail/webpage-screenshot/ckibcdccnfeookdmbahgiakhnjcddpki?hl=sv

 

[privacy]

The notice you see about having access to your history and website data is automatically generated because Webpage Screenshot uses chrome extensions api. Be sure that it doesn't look at your private data!
A researchers from UC Berkeley tested and review the source code of this extension.

 

For your own privacy, Webpage Screenshot Capture will not send anything to any server.

 

hxxp://mac.softpedia.com/get/Internet-Utilities/Webpage-screenshot-for-Chrome.shtml

 

Edit: The above link doesn't work anymore, but I remember that the Developer name at Softpedia was "Amina" which is beginning of the first name Aminadav Glickshein.

Edited April 10, 2015 by SweX

[rugk 397]

Now it seems as it was deleted...

A few minutes ago I could access it in the Chrome store, now it only displays an error. ("Item not found. This item may have been removed by its author.")

Edited April 8, 2015 by rugk

[SweX 871]

 

Now it seems as it was deleted...

A few minutes ago I could access the Chrome store, now it only displays an error. ("Item not found. This item may have been removed by its author.")

Yeah very good...

Edited April 10, 2015 by SweX

[SweX 871]

Popular Chrome extension turns out to be Spyware!

 

If an extension is listed for Chrome and has a decent rating, it is surely safe to install, right? Maybe not. In today’s world spying has become a common activity. That does not mean though that it is any more acceptable. A Chrome extension known as Webpage screenshot collects private information about its users and shamelessly sells it to a third party. What is astonishing is that the extension has an excellent rating of 4.5 stars and has been downloaded by 1.2 million users worldwide. This highlights the lack of awareness among customers as to what such programs actually do behind the scenes.

 

According to the founder of the CSIS Security Group, Peter Kruse:

“To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.”

 

Google’s security check usually filters out malicious extensions from the chrome library, which is probably why the original software does not act like spyware at all. After a week however, it downloads additional components/code and commences the spying program. This way, the spyware part of code evades the scanners. Once activated, the spyware component collects sensitive information about the user and transmits it to the ip address: 64.34.175.88, located in New York, USA.

 

 

hxxp://blog.emsisoft.com/2015/04/10/popular-chrome-extension-turns-out-to-be-spyware/

Edited April 10, 2015 by SweX

[SweX 871]

 

Where is this extension coming from?

The extension homepage is located at this address webpagescreenshot[.]info, with the following registrant information:

Registrant Name:Danny Gembom

Registrant Organization:

Registrant Street: Rehovot POB 80

Registrant City:Rehovot

Registrant State/Province:

Registrant Postal Code:38819

Registrant Country:IL

Registrant Phone:+972.542290258

 

It also features an email address, which makes use of the domain bubbles.co.il.

This domain gives us more detailed information:

person: Aminadav Glickshein

address: Nof Ayalon P.O.B 6

address: D.N. Shimshon

address: 99785

address: Israel

phone: +972 8 9790049

e-mail: AminadavG AT gmail.com

 

 

How does Webpage Screenshot behave?

We will present shortly the main events that occur when this extension is installed:

1. The user installs the extension from Google Chrome Web Store.

2. A week later the spyware capabilities are activated, by downloading additional code from the web . This smart behavior allows the extension to evade any security check from Google, which cannot analyze the entire code and detect its spyware features.

3. Once the extension has activated its private data collecting ability, the sensitive information that can be used to identity an individual is transmitted in the United States at the following IP address: 64.34.175.88 (Serverbeach, New York, USA).

4. The analyzed IP address gives us a number of subdomains related to this service:

 

webpagescreenshot[.]info

c.webpagescreenshot[.]info

ch.webpagescreenshot[.]info

s1.webpagescreenshot[.]info

ww.webpagescreenshot[.]info

che.webpagescreenshot[.]info

ftp.webpagescreenshot[.]info

www.webpagescreenshot[.]info

cheg.webpagescreenshot[.]info

youtube.cwww.webpagescreenshot[.]info

ywww.webpagescreenshot[.]info

youtube.cowww.webpagescreenshot[.]info

yowww.webpagescreenshot[.]info

youtube.comwww.webpagescreenshot[.]info

youwww.webpagescreenshot[.]info

youtwww.webpagescreenshot[.]info

youtuwww.webpagescreenshot[.]info

youtubwww.webpagescreenshot[.]info

 

 

https://heimdalsecurity.com/blog/webpage-screenshot-leaks-private-data-million-users/

[rugk 397]

 

A Chrome extension designed for the taking and annotation of screenshots has been found to be leaking sensitive data from its 1.2 million users, reports SC Magazine.

The extension, named Web Screenshot, had been given a 4.5 rating from users, unaware that it contained code that was scraping personal data and sending it back to a central US server.

Google pulls Chrome screenshot extension, after it leaks personal data - WeLiveSecurity.com

Edited April 11, 2015 by rugk