Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Firefox Chrome Privacy The Internet IT

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 80

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
This discussion has been archived. No new comments can be posted.

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics

Comments Filter:
  • by Anonymous Coward

    for years. This is nothing new. Plus, PhantomJS is popular for attacking web sites.

  • I think we have that already - it's called a service or daemon
    • I try to avoid my problems, so I prefer all my daemons to be headless so we can't have any conversations.

  • There has to be an upside. So I'll ask, why are features such as this being added? What value to they bring to the computer user?
    • by Anonymous Coward

      Day-to-day computer user - i do not know. For developers, it allows for automated front-end testing.

      • I'm of the mind that these browser vendors should ship two editions of the browsers:
        - one for developers with all of the bells and whistles.
        - a trimmed down 'end user' edition with all of the developer tools removed.

        I know firefox has a version specific to developers, but the regular builds still include most of the developer tools.

        Or better yet, ship the developer tools as an addon/plugin for those who want it.

    • Re: (Score:2, Insightful)

      by MrL0G1C ( 867445 )

      I don't think Mozilla are too interested in users, they're in some fantasy land where users don't matter. Several of their recent past actions support this fact and it's led to users not being too interested in Firefox IMO.

    • What value to they bring to the computer user?

      Mozilla quite caring about users long ago. Google never cared about users in the first place.

      Now, it's just a big circle jerk. Adding more and more useless, pointless features because . . . . . because fuck you, that's why.

    • I have found it extremely useful for the automated generation of PDFs on a server. Design it in HTML, with a print-specific stylesheet, then run a Chrome instance to "print" it to a PDF file.

      Granted, this is only a problem because the libraries PHP has for PDF generation are utter garbage, completely unusable for any large-scale project.

      • I use wkhtmltopdf [wkhtmltopdf.org].

        It comes with two versions. One for pdf generation, and one for image generation. I use both quite extensively in a few projects.

        The official packages from wkhtmltopdf to not require an X server. If you build from source, you'll need to apply a patch (provided in the sources).

    • by dinfinity ( 2300094 ) on Thursday June 22, 2017 @03:40PM (#54670755)

      More reliable automated testing of web applications.
      https://en.wikipedia.org/wiki/... [wikipedia.org]

      Typically used in combination with Selenium.

  • by PopeRatzo ( 965947 ) on Thursday June 22, 2017 @02:48PM (#54670383) Journal

    While this feature sounds very useful for developers

    I'm not a web developer. Can someone explain to me how this "headless" feature is useful for developers?

    • Re:What for? (Score:4, Informative)

      by dtandersen ( 794543 ) on Thursday June 22, 2017 @02:57PM (#54670461)
      Imagine you're a developer and you want to see if your website works. You open your website in Chrome and run a few tests. As the website grows this starts to take a long time. So you automate the process by having software control the web browser. Headless mode is useful so you can run this automated process on a remote server with no monitor. Every time you check in code this automated test process runs and tests your website.
      • Re:What for? (Score:5, Interesting)

        by H3lldr0p ( 40304 ) on Thursday June 22, 2017 @03:27PM (#54670669) Homepage

        Fine. Why not just have a developer's only release for those who want to run that? Something that's more than a bit that can be flipped manually.

        These people are already have to manage different codebases for the various branches and such. Why not play it safe and keep this headless thing separated from the mainstream user?

  • ...attention.

    Because honestly, if not even the adblockers will be able to do something about that, then it's bye bye Firefox on my part - I've been a loyal "customer" for the longest time, but hey - this gives the other lesser known browsers on the market some much needed attention, are you listening "insert-unknown-up-and-coming-popular-browser-team"?

  • Is this my problem? (Score:4, Interesting)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Thursday June 22, 2017 @03:14PM (#54670613) Homepage

    The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud.

    My first reaction to this is, I don't see why I should be concerned. Malware authors had the option of including a headless browser of their own to enable this, and now they can use the already-installed browser instead. So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.

    • So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.

      Hey, why don't we just pre-install the malware in that case? That way it won't have to install any crap on your system -- it will already be there!

      Yaz

      • Well... because then you'd have malware. A big part of my point was that malware authors have already been able to include a headless browser if they wanted to, so it doesn't seem like this really changes their ability to have their malware perform click-fraud. It just means that, if you're unfortunate enough to get click-fraud malware, it won't also download their headless browser.

        But I don't even know if it'll have that effect. If you're writing malware and you want it to be effective, you probably do

        • Well... because then you'd have malware. A big part of my point was that malware authors have already been able to include a headless browser if they wanted to, so it doesn't seem like this really changes their ability to have their malware perform click-fraud. It just means that, if you're unfortunate enough to get click-fraud malware, it won't also download their headless browser.

          Detection may be more difficult. If Chrome is your browser of choice, then having Chrome processes running on your computer won't be all that unusual. An automated process scanner and/or manually looking at a process list may not show anything out of the ordinary. So while seeing "phantomjs.exe" in your process list may set off some alarm bells, "chrome.exe" won't have the same effect.

          As well, something like PhantomJS is rarely up-to-date with the latest web technologies. Even though it's based off WebK

    • and they'll be able to click more ads before you hit your mobile data cap, because the initial download was smaller.

  • Unless the app is an actual web browser, restrict it to communication with a single domain via TLS.
    So great, Chrome is a browser. but when running as an embedded browser or headless, it should only be able to communicate with a single domain associated with the app it is running in.

    If someone really wants to make a browser app, they can bundle it with a browser engine instead of embedded WebView, or at least make it a permission request to communicate with other domains.

  • " When Focus is running in the background, we'll remind you through a notification and you can easily tap to erase your ..." https://blog.mozilla.org/blog/... [mozilla.org]

    Fell for the hyper babble I guess, thread did get me noscripts(.net).

  • This is inevitable with the current trend of having the web browser be a thick client.

    The trend is to put as much code as possible, i.e. thick client, in Javascript. Now, suppose one wants to leverage that code as middleware? Taa daa! Headless mode. We've been down this road before with client/server, thick/thin clients.

    What makes Javascript particularly impossible to reproduce is the fast moving, every changing set of libraries. This will put pressure on the business logic sitting in all the Javascript to

  • Even stupider is Firefox "policy" which now *refuses* to load Google's page because it claims the "domain certificate is misconfigured". You can't add an exception, period. In other words, there is NO WAY to browse Google with Firefox now.

    Now I may be wrong, but I think those dudes at Google know a thing or two about web stuff, so I guess using Firefox for my day-to-day stuff is now a no-go. Brilliant, Firefox, just fucking brilliant.

  • Adware is something that shows ads to you, by adding them or by replacing other ads by them. This has something to do with ads, but that is not sufficient to make this adware. If we define malware as something you would not agree to have on your computer, this is plain old malware, and I'd argue not one of the worst sorts.

    Part of me is actually happy that the ad industry is facing problems with fraudulent clicks, even if I would not want this on my own computers. (Having said that, I might want something th

  • Microsoft had a COM interface (IHtmlWebBrowser) nearly 20 years ago. When .NET came around, they offered the same headless functionality in the form of the WebBrowser object. The concept isn't new, the only thing that's new is that Chrome and Firefox are finally copying an old IE feature!

  • by Anonymous Coward

    This is exactly what we need to have a more secure OS. Make a lot of useless crap running on the background while we are playing minesweeper. Did we just forget about SMBv1 running in the background by default even on standalone workstations?

  • Correct me if I’m wrong but if I have malware on my machine that’s capable of starting up my web browser in headless mode (a.k.a. arbitrary executable), well I probably have much more serious issues to address ASAP!

    • by Anonymous Coward

      Correct me if I'm wrong

      OK

      You're wrong.

      You're corrected.

      All it takes is a 3rd-party banner-ad or something similar and usually innocuous on a normally-trustworthy website that's been hijacked to run a short piece of script to open a headless instance and have it happily continue to run and remain 'open' and 'clicking' ads long after you've closed the visible instance you were using.

      Or maybe doing something else. Depends on what the attacker wants. Maybe subscribing you to a bunch of MLP/furry/yiff-porn E/snail-mail lists and 'hook

  • Advertisers want clicks, I do not want to see their shit. So my headless firefox is allowed to click (with a separate profile because of tracking cookies and so on) and I can support the websites which cry because of my adblocker.
    If anyone objects, he should stop crying. Either they want me to load their ad or they do not want me to.

Whoever dies with the most toys wins.

Working...