5 votes

Relative installed shady browser extension

[Possibly solved, please look at comments]

Hey,

so recently a family member accidentally downloaded a shady browser extension called: "Easy Print" on Firefox. 30k downloads, no ratings, weird "official" website and installed accidentally trying to buy tickets. I assume it showed something along the lines of: "Buy ticket now" and they just clicked on it (being overall inexperienced with security). Only extension installed was uBlock until then.

I won't post a link just in case, but you can easily find it by googling: "Easy Print Firefox" or "Easy Print App" for their website.

What makes this weirder is that they change the default search engine to Yahoo, which for me was always a red flag for a hijacked browser.

I uninstalled it, but am concerned that they installed something like a keylogger along with it.

Can anyone help me understand what this is and, especially, how I can properly teach them the basics of internet safety? Not the first time their PC/browser was filled with unwanted stuff...

Thank you and best regards!

11 comments

  1. ku-fan

    You're correct to be concerned about unknown browser extensions, but I think you stopped a little short in your research on this one.

    The extension page for this literally says that it changes the search engine to Yahoo as well as adding a Recipe Search engine to the browser, and yes there is a website for it as well as a clearly stated privacy policy on their "official" website.

    https://addons.mozilla.org/en-US/firefox/addon/easy-print2/

    https://easyprintapp.net/app/privacy-policy.html

    IDK if the extension itself is safe or not, but just wanted to share there is more information about it than what you found.

    7 votes
    1. Rich3yy

      I found these things too, but didn't know if they were important to mention here, since I don't know if providing info on changing default search engines is important here or them having a privacy policy (which I assume doesn't matter)?

      Thanks though, I should've provided that info too. I just want to make sure if they have a compromised system or not, because they don't want to reset their system etc.

      1 vote
  2. creesch

    Assuming the extension @ku-fan is the correct extension, your relative doesn't need to be worried about it.

    I took a quick look and with the permissions this extension asks for it can't do anything nefarious directly outside changing the search engine. For example, it only has access to the domain easyprintapp.net.

    That doesn't mean it is entirely innocent either. Seems like the "privacy policy" popup does send some data towards that domain. If the user agrees, it sends the agent, install data and "yes". If the user disagrees it does send "no". Which means that this information is effectively always sent to them, as the date of the request will be the install date and the HTTP request also contains the user agent. Which is a bit sneaky of them, but mostly harmless.

    The way it implements the "Easy Print" mechanism is that they have the user input the URL. The URL then is sent to easyprintapp.net (just the URL, not the page itself) which they then parse server side and return. For which there is no good reason other than again data collection. The good news is that they can only collect the URLs the user puts in the popup for the extension.

    Basically, if I had to guess:

    • They get a referral commission for the search engine.
    • The collected URLs might be used for whatever other shady side business they have.

    tl;dr: Mostly harmless, certainly no keyloggers or other very private information that it likely has collected.

    For anyone curious how, I took a look. If you visit the Mozilla store with a different browser, there is a download file option for the extension. You then get an XPI which is basically just a zip.

    5 votes
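    An added example of the kind of check creesch describes above (it is not code from the thread or from the extension): unzip an XPI, read its manifest.json, and summarise which hosts and APIs it can reach and whether it overrides the default search engine. The sample manifest and the `example-print.invalid` / `search.example.invalid` hosts are constructed for the demo, not the real extension's values.

```python
import io
import json
import zipfile

# Permissions that let an extension read page content, cookies or traffic on
# every site; any of these in a small "print" helper deserves a closer look.
BROAD = {"<all_urls>", "*://*/*", "cookies", "webRequest", "webRequestBlocking",
         "tabs", "history", "clipboardRead", "nativeMessaging"}


def audit_xpi(xpi_bytes: bytes) -> dict:
    """Read manifest.json out of an XPI (a plain zip) and summarise its reach."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    perms = set(manifest.get("permissions", []))          # MV2 mixes hosts in here
    hosts = set(manifest.get("host_permissions", []))     # MV3 keeps them separate
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):        # injected scripts count too
        hosts |= set(cs.get("matches", []))
    api_perms = perms - hosts
    search = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    return {
        "api_permissions": sorted(api_perms),
        "host_access": sorted(hosts),
        "broad": sorted((api_perms | hosts) & BROAD),
        "overrides_search": bool(search),
        "search_url": search.get("search_url"),
    }


def build_xpi(manifest: dict) -> bytes:
    """Constructed helper: pack a manifest into an in-memory XPI for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


# Constructed sample shaped like the thread's description (one domain plus a
# search override); it is NOT the real extension's manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 2, "name": "Example Print Tool", "version": "1.0",
    "permissions": ["storage", "https://example-print.invalid/*"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "Example Search", "is_default": True,
        "search_url": "https://search.example.invalid/?q={searchTerms}"}},
}

if __name__ == "__main__":
    print(json.dumps(audit_xpi(build_xpi(SAMPLE_MANIFEST)), indent=2))
```

    Point `audit_xpi` at the bytes of a downloaded .xpi instead of `build_xpi(...)` to check a real extension; an empty `broad` list and a single host under `host_access` is the profile creesch describes.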
    1. Rich3yy

      The extension he found is the correct one.

      Nice of you to provide the method you used and the line of argument sounds coherent too, so I believe, based on your answer and the answers of others here, my question is solved for now.

      I also found the following from a user on Reddit called "babushiledet"

      If someone redirects your hijacked browser you can be sure they are getting a cut of the ad revenue yahoo generated from the hijacked search.
      So any impressions of ads and click through ads served from the yahoo search page will generate ad revenue to yahoo (from advertisers paying yahoo to promote them)

      It's also what I assumed to be possible, because why would they send you to Yahoo out of all places otherwise?

      Thanks. :)

      2 votes
  3. 0xSim

    Browser extensions are fairly well sandboxed, I doubt one would be able to install anything (like a keylogger) on the system. Though it's not impossible, but unlikely, that the extension itself was keylogging while installed.

    3 votes
    1. trim

      I'd be much more worried about one schlepping all my session cookies.

      Got hit with one some time back when "The Great Suspender" was a legit extension to cut down on CPU use for background tabs in chrome. At least, it was a legit extension right up until it wasn't.

      https://news.trendmicro.com/2021/05/06/what-is-the-great-suspender-and-how-to-remove-it-from-your-chrome/

      I'm much more circumspect about extensions now.

      2 votes
      1. Rich3yy

        I think that's also why 0xSim mentioned to not install stuff you don't ABSOLUTELY need. Maybe preventing auto-updates where you can could also help.

        It's much better advice than users would think.

        2 votes
        1. snake_case

          Preventing auto updates on my phone clued me in to Facebook’s shenanigans.

          Some time in 2015 when it was just starting to make headlines that Facebook is farming your data, I got an update message that said Facebook wanted access to my phone contacts. I uninstalled it then and haven’t used the mobile app since.

          1 vote
    2. Rich3yy

      That's calming to hear. :P

      For now I will just tell them to keep an eye on their accounts etc.

      Apart from explaining to people that "not clicking on links" includes flashy buttons, what should I tell them to do/not do to avoid situations like these? To be honest I wonder if there's anything I forget to mention or I'm just bad at helping them protect themselves. ^^'

      1. 0xSim

        The best thing to do is to correctly read and understand messages that ask you to confirm something, and to not be afraid to just click "No" or "Cancel". But even that is hard to do when everything asks you to confirm the most mundane thing, and fatigue sets in.

        That, and obviously to not download & install something that you don't need.

        I'm just bad at helping them protect themselves

        No, it's genuinely hard to navigate the internet while avoiding its many traps, if you're not tech-savvy. That said, a decent adblocker will already remove 90% of the risks.

        Edit: and keep your antivirus enabled. Just use Microsoft Defender that is bundled with Windows, never install a 3rd party antivirus. They're all crap.

        2 votes
        1. Rich3yy

          Thank you very much for your time. I believe the fatigue aspect to be important to bring into a discussion, so maybe that could help to make them more "aware".

          1 vote