Firefox and Chrome extensions that block add-on management
A new breed of malicious browser extensions uses techniques to make the removal of these extensions more difficult to users and administrators.
Malwarebytes revealed in a blog post how these extensions block user access to the add-on management page of the browser and therefore removal from within the browser.
The Chrome extension Tiempo en colombia en vivo was available on the official Chrome Web Store but was distributed mostly on third-party websites.
The browser extension monitors open tabs while it runs. If the user opens chrome://extensions/, it will redirect the request to chrome://apps/?r=extensions automatically. This is done so that the user cannot remove the extension as it is not listed on the apps page.
The Firefox add-on FF Helper Protection shows similar traits. It monitors open tabs for the string about:addons to close the tab automatically if it is found.
Both extensions have in common that they prevent users from accessing the add-on management interface of the browser.
Removing the extensions
Chrome users have no option to remove the extension while Google Chrome is running. While it is possible to run Chrome with the --disable-extensions startup parameter, you won't get access to the extensions then in Chrome. You can open chrome://extensions, but no extensions are listed.
This leaves you with removing the extension from the profile folder instead. The location of the profile folder depends on the operating system. Here are the default locations:
- Windows 7, 8.1, and 10: C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Extensions
- Mac OS X: Users/NAME/Library/Application Support/Google/Chrome/Default/Extensions
- Linux: /home/NAME/.config/google-chrome/default/Extensions
Extensions are listed with IDs. You may be able to identify the offending extension based on the modification date. If that is not possible, open each folder and load the manifest.json file in a text editor.
If you are still unsure, use trial and error instead. Move all Chrome extensions to another folder and test each individually by moving them back to the Extensions folder and running Chrome.
Firefox users have it a bit easier. You can start the browser in Safe Mode to launch it with all extensions disabled. You still get access to these extensions so that you may remove them from about:addons.
The easiest way to start Safe Mode is to hold down the Shift-key while starting Firefox.
Select "Start in Safe Mode" and go to about:addons afterward. Locate the malicious extensions and click on the remove button next to it to uninstall it from the browser.
Related articles
- Another Chrome extension horror story: coinhive and domain registration
- Chrome has a massive copycat extensions problem
- Malwarebytes for Firefox extension
- Mozilla changes review process for FirefoxÂ
Funny how we don’t have that problem with legacy add-ons in Waterfox and Basilisk. Mozilla did its job and cleared them (signed them) as not being malicious and they bothered to do a good job of it.
With the advent of Firefox 57+, it seems that Mozilla is losing its grip on reality. I won’t say anything about Chrome since I don’t like it from the ground up.
Isn’t it possible to use Chrome’s built-in task manager to end the process for the malicious extension (and thus regain access to the chrome://extensions/ page)?
I can’t believe its that hard to get rid of an unwanted Chrome Extension. So this article caused me to write a little utility to make it easier.
https://github.com/glcjr/ChromeExtensionRemover
download the deploy.zip file.
Note that I worked on it this afternoon for about an hour and tested it by downloading a few extensions and deleting them with it. So there could be bugs.
“The easiest way to start Safe Mode is to hold down the Shift-key while starting Firefox” does not work with my Linux distro.
This does work:
1. Close all Firefox instances.
2. Open a terminal and run “firefox -safe-mode” (without “).
That brings up the dialogue shown in the article.
I always hated that Mozilla removed the individual window for addons manager, and they changed it to open in-content.
And it’s shame that none of the addon developers have created any properly working addon that opens the addon manager in an individual window. Add-ons Manager Dialog Returns was abandoned and broken years ago. Classicish Add-on Manager is also abandoned and buggy.
You might want to consider switching to one of the available forks vosie. Either Basilisk which I’m using, or Waterfox are viable propositions and neither of them phone home with telemetry data to Mozilla on startup.
Martin has an article on Basilisk here: https://www.ghacks.net/2017/11/17/pale-moon-team-releases-first-version-of-basilisk-browser/ (it’s been updated several times since then).
Here’s Martin’s Waterfox review: https://www.ghacks.net/2018/01/07/waterfox-56-0-2-security-update-released/ (Waterfox in now on version 56.0.3).
One thing I’ve noticed myself with Waterfox though is that if you checkmark the option to clear the cache on shutdown, sites take a long time to load when you restart it again. By “long time”, I mean 20 minutes or more even if the site is local.
But both create their own directories and work independently of Firefox so worth a try at least.
UPDATE on my previous post re: Waterfox.
The problem with sites loading too slowly appears to be due to an incompatibility between certain addons and multiprocess in Waterfox.
It was suggested to me on the Github forum to install Mozilla’s Compatibility Reporter to check which addons are compatible with multiprocess (a.k.a. e10s) and which aren’t. Anyone using either Basilisk or Waterfox can install it from here: https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/
In Waterfox which is based on Firefox 56, users can disable multiprocess in the prefs/general menu. Legacy extensions will subsequently function properly.
If however multiprocess has been enabled, then expect crashes, slow site loading etc., with addons which aren’t compatible. The Compatibility Reporter lists these via a button on the toolbar.
Hope this info is useful to someone.
Let me guess, you are on Windows 7.