Chromium suddenly starts downloading a binary blob
This article brought to you by LWN subscribers Subscribers to LWN.net made this article — and everything that surrounds it — possible. If you appreciate our content, please buy a subscription and make the next set of articles possible. |
A Debian bug that was filed at the end of May serves as a reminder that even open-source software is not immune to some of the problems of proprietary software. In this case, Chromium 43 was silently downloading a browser extension to enable the "OK Google" voice activation "feature" of the browser, which is somewhat reminiscent of the various sideloading schemes that plague downloads of "free" software, particularly on Windows. The download was a binary blob, of course, so its contents cannot be vetted in any real sense. As might be guessed, Debian developers were not amused, but it should also serve as a bit of a wakeup call to all of the free-software world.
The extension in question is called "Chrome Hotword" and the download is a native client (NaCl) shared module that includes executable content. Starting with version 43, Chromium could only be built with the extension, which would download the shared module at its first opportunity—all without user intervention or notification. Perhaps even weirder still, the extension did not show up in the usual chrome://extensions/ page. Its controls were available at chrome://voicesearch/, but users have to know it was installed and where to find that page.
To summarize, a popular open-source web browser does a surreptitious download of a program and hides the download and the existence of the program from the user. Even if the binary only does what it is purported to do, it can turn on the microphone and upload what it hears to a remote site to search for a key phrase. That description sounds a lot like one for the latest malware outbreak—or National Security Agency (NSA) eavesdropping program.
It is not (yet) clear how this came about—prosaic explanations seem most likely, in truth—but it did make its way into Debian unstable without being noticed. It was reported to the Chromium team on May 22 and fixed by adding a build option to disable the Hotword extension on June 9. The extension is still enabled by default, though, so builders who don't want that functionality need to turn it off before starting the build. By June 15, Debian had done just that and updated its version of Chromium.
There is plenty to be disturbed about here, but it seems pretty unlikely this was some deliberate scheme by Google (or the Chromium team). It would be hard to hide something like that in an open-source program like Chromium. But it is clear that the amount of independent review of the changes going into Chromium is less than what we might hope for. The value of open source is lessened if "many eyes" really turns out to be "zero eyes".
The contents of the executable should also be scrutinized, but there is no real way to do that. Even if Google is completely trustworthy with respect to what the program does (and there is no reason to believe it isn't) it is still a bit worrisome that your browser can simply execute whatever code its corporate master orders it to. Though, in some ways, that isn't terribly different from Flash or JavaScript. We are increasingly required to trust the various sites, companies, and organizations that we deal with on a daily basis on today's internet.
Given the way Chromium uses certificate pinning, a man in the middle would not have been able to deliver some other version of NaCl executable. It should be noted that locally stored root certificates for proxies and the like are not subject to pinning, though. It's a pretty far-fetched attack mechanism, since having access to install certificates locally would allow anything else to be installed at the same time. Being able to sign certificates for any site and have them accepted by all of the affected browsers would also seem to provide endless avenues of exploitation.
This incident is a little disheartening, overall. The web is a big, scary place these days; we depend on browsers that are working to protect their users. Undoubtedly Google doesn't see this executable download as a violation of that—rather it is probably seen as a nifty feature—but many outside the Googleplex quite reasonably disagree. As long as we have the source, and are vigilant about reviewing it, we can be reasonably assured of having browsers (and other programs) that do protect their users. That may, at some point, require a fork-and-rebrand effort for a browser or other open-source project if the organization developing it won't back down from some kind of anti-feature. Thankfully, that seems to be a problem for down the road—if ever.
Index entries for this article | |
---|---|
Security | Web browsers |
(Log in to post comments)
Posted Jun 18, 2015 8:18 UTC (Thu)
by ber (subscriber, #2142)
[Link] (4 responses)
Posted Jun 18, 2015 16:16 UTC (Thu)
by testsilicon (guest, #96703)
[Link] (3 responses)
Posted Jun 19, 2015 3:06 UTC (Fri)
by kokada (guest, #92849)
[Link] (1 responses)
"First and foremost, while we do download the hotword module on startup, we *do not* activate it unless you opt in to hotwording. If you go into "chrome://settings", you will see a checkbox "Enable "Ok Google" to start a voice search". This should be unchecked by default, and if you do not check it, the hotword module will not be started."
Speaking strictly from Android (using Google Now, that has a similar feature), the hotword detection is done locally. After the user does a query (that happens after the user says "Ok Google", signaling that the user wants to ask something), this data is send to Google. I think something similar happens in Chrome.
Posted Jun 19, 2015 14:18 UTC (Fri)
by jwarnica (subscriber, #27492)
[Link]
So the feature really only enables the microphone on the canned google search page, shown on (not quite) blank new tabs.
Posted Jun 19, 2015 18:05 UTC (Fri)
by ranmachan (guest, #21283)
[Link]
Posted Jun 18, 2015 13:58 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (1 responses)
This is an attitude that is starting to bug me, there is a cognitive dissonance between expectation and reality that I think should be explored, in what way is this change being discovered, investigated, fixed, deployed and commented upon by our Glorious Editor, "zero eyes" of review? Sure, this wasn't detected by some sort of code review before it was compiled but one of Debian Unstable's purposes is to build and deploy code so that it can be tested in the field and problems discovered, which this one was, if there is an expectation for something different that this issue has failed then I think it makes more sense to re-align expectations to reality than to take a negative attitude toward success.
I mean if this had fallen through the cracks and been discovered by an end user in Debian Stable 8 maybe that would indicate a review failure but something being wrong in a test system seems appropriate to me, we can never not make mistakes but we can detect, fix and learn from them after the fact.
Posted Jun 23, 2015 2:27 UTC (Tue)
by jebba (guest, #4439)
[Link]
./chromium/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_/hotword-x86-64.nexe
Posted Jun 18, 2015 14:24 UTC (Thu)
by fuhchee (guest, #40059)
[Link]
The latter follows partly from the former.
Posted Jun 18, 2015 15:45 UTC (Thu)
by cry_regarder (subscriber, #50545)
[Link]
If the code is so obfuscated that that isn't tractable, then I would take it as a strong signal that something nefarious is present.
Posted Jun 18, 2015 22:14 UTC (Thu)
by josh (subscriber, #17465)
[Link] (1 responses)
Unlike Flash and other plugins, Native Client is sandboxed. Barring a sandbox-escape bug in NaCl (which would be a critical security bug in Chrome), the extension in question could not run arbitrary code on the system.
Posted Jun 23, 2015 11:03 UTC (Tue)
by nix (subscriber, #2304)
[Link]
Posted Jun 18, 2015 22:18 UTC (Thu)
by JohnLenz (guest, #42089)
[Link]
https://projects.archlinux.org/svntogit/packages.git/comm...
Posted Jun 18, 2015 22:49 UTC (Thu)
by gilbert (guest, #81446)
[Link] (1 responses)
In addition as one of the chromium developers mentions, concerning other distributions with chromium+nacl, all nacl executables are sandboxed, so this is much like navigating to any nacl webpage (except that hotword automatically gets microphone permission which is not really so great itself):
The aspect of this "incident" that I find disheartening is LWN jumping onto the security overhype bandwagon so quickly without fully rationalizing the problem.
p.s. I am the maintainer of the Debian chromium package.
Posted Jun 23, 2015 11:06 UTC (Tue)
by nix (subscriber, #2304)
[Link]
Posted Jun 19, 2015 14:40 UTC (Fri)
by flussence (subscriber, #85566)
[Link] (4 responses)
NetSurf looks mighty appealing right now...
Posted Jun 25, 2015 7:03 UTC (Thu)
by oldtomas (guest, #72579)
[Link] (3 responses)
The problem is not the bad intentions of the makers. I assume the best intentions from the Mozilla and the Google folks involved. Still, their vision is skewed by the POV of their "companies", and by the shiny and the technically interesting (which I sympatize tooroughly with).
I think this needs some counterweight to stay viable and socially useful (IOW to "keep them honest), that's all.
Posted Jun 25, 2015 22:03 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (2 responses)
"Out of the frying pan, into the fire" is the English version of the saying.
Cheers,
Posted Jun 27, 2015 2:42 UTC (Sat)
by dashesy (guest, #74652)
[Link] (1 responses)
Posted Jun 29, 2015 8:41 UTC (Mon)
by jezuch (subscriber, #52988)
[Link]
> "Getting out of a ditch only to fall into a pit" is the Persian version.
In Poland it's "Out from the rain to under the downspout".
Posted Jun 24, 2015 14:04 UTC (Wed)
by ber (subscriber, #2142)
[Link]
It would be interesting to research this issue further, e.g. how many groups are there
that do some review of Chromiums code base. Wikipedia provides a list of chromium derivatives. A newcomer from Germany is Iridium Browser which claims a focus on privacy and security.
Posted Jun 25, 2015 23:39 UTC (Thu)
by scientes (guest, #83068)
[Link]
Posted Nov 18, 2016 2:31 UTC (Fri)
by anarcat (subscriber, #66354)
[Link]
Google's explanation says that the "hotword" module in question was not enabled by default. Their points and reaction seem to be reasonable, so we should still thank Google for providing a good Free Software webbrowser alternative. If this was a slip by Google (which is quite likely), it shows that that peer review enabled by Free Software is important. A good example of how the Debian folks being thorough are contributing to the IT world.
Enabled by default or not?
Enabled by default or not?
Enabled by default or not?
Enabled by default or not?
Enabled by default or not?
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
https://code.google.com/p/chromium/issues/detail?id=50092...
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Wol
Chromium suddenly starts downloading a binary blob
Chromium suddenly starts downloading a binary blob
Given what I know today, it is a good example of Free Software review by the Debian people and it explains why this is important for IT-security.
Good example of FS enabled Review and Iridium Browser
Correction
It is interesting to note that this mostly harmless issue (disabled by default in Debian) was fixed quickly while the more serious phone home bug still hasn't seen any progress after over a year of exposure...
I have resolved to adding the following to my that is not all
/etc/hosts
, probably a good practice anyways:
127.0.1.1 www-google-analytics.l.google.com stats.l.doubleclick.net clients1.google.com
It is fascinating to see that I *still* have to have doubleclick.net in my hosts file...