Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 80
From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
They've been using Content Shell from Google... (Score:2, Informative)
for years. This is nothing new. Plus, PhantomJS is popular for attacking web sites.
Re:Unclick the checkbox. (Score:5, Informative)
Re: (Score:2)
The problem is it's a way to keep the people with the compromised machines from becoming aware that they have compromised machines.
Re: (Score:2)
The people who use the convenience of a fully-scripted browser to trick adservers into thinking humans clicked the ads, are probably not going to opt to forego that convenience.
To use an absurdly extreme example, you're saying, "bank robber, you could simply deposit money into the bank and then make normal withdrawals instead of robbing." You should expect most bank robbers to decline your suggestion, and I think the people who comm
Re: (Score:2)
I don't trust checkboxes, anyway. I hardly trust anything anymore -- open source or not.
Firefox has a checkbox for offline storage that reads, "Tell me when a website asks to store data for offline use". The problem is, the browser will only inform you if the data being saved is larger than a specific amount, and the browser allows data to be written in small chunks. As a result, if you enable this feature, the browser will happily save lots of offline data without ever informing you, let alone asking yo
Re: (Score:1)
If it's using up my clock cycles, memory, and bandwidth without my consent then it's malicious, no matter how minor the impact may be.
Re: (Score:1)
This attitude is why apps become more bloated over time. Why optimize when your users can be forced to upgrade?
That's off-topic, though. I don't care if it doesn't have much impact, if software is doing something without my consent, and for it's own benefit at my expense it's malware, no matter how small that expense. Sadly, though, by that definition most software is malware.
god bless OCD (Score:2)
Headless mode? (Score:1)
Re: (Score:1)
I try to avoid my problems, so I prefer all my daemons to be headless so we can't have any conversations.
OK, we know the downside... (Score:2)
Re: (Score:1)
Day-to-day computer user - i do not know. For developers, it allows for automated front-end testing.
Re: OK, we know the downside... (Score:2)
I'm of the mind that these browser vendors should ship two editions of the browsers:
- one for developers with all of the bells and whistles.
- a trimmed down 'end user' edition with all of the developer tools removed.
I know firefox has a version specific to developers, but the regular builds still include most of the developer tools.
Or better yet, ship the developer tools as an addon/plugin for those who want it.
Re: (Score:2, Insightful)
I don't think Mozilla are too interested in users, they're in some fantasy land where users don't matter. Several of their recent past actions support this fact and it's led to users not being too interested in Firefox IMO.
Re: (Score:3)
What value to they bring to the computer user?
Mozilla quite caring about users long ago. Google never cared about users in the first place.
Now, it's just a big circle jerk. Adding more and more useless, pointless features because . . . . . because fuck you, that's why.
Re: (Score:2)
Wait. That's not how it goes...
Re: (Score:3)
I have found it extremely useful for the automated generation of PDFs on a server. Design it in HTML, with a print-specific stylesheet, then run a Chrome instance to "print" it to a PDF file.
Granted, this is only a problem because the libraries PHP has for PDF generation are utter garbage, completely unusable for any large-scale project.
Re: (Score:2)
I'll keep that in mind. We've had good enough results with Chrome so far that I don't think immediately jumping ship is necessary, but I suspect we might hit performance issues as we scale up. Chrome is not exactly a lightweight even in headless mode.
Re: OK, we know the downside... (Score:2)
I use wkhtmltopdf [wkhtmltopdf.org].
It comes with two versions. One for pdf generation, and one for image generation. I use both quite extensively in a few projects.
The official packages from wkhtmltopdf to not require an X server. If you build from source, you'll need to apply a patch (provided in the sources).
Re:OK, we know the downside... (Score:4, Informative)
More reliable automated testing of web applications.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Typically used in combination with Selenium.
What for? (Score:3)
I'm not a web developer. Can someone explain to me how this "headless" feature is useful for developers?
Re:What for? (Score:4, Informative)
Re:What for? (Score:5, Interesting)
Fine. Why not just have a developer's only release for those who want to run that? Something that's more than a bit that can be flipped manually.
These people are already have to manage different codebases for the various branches and such. Why not play it safe and keep this headless thing separated from the mainstream user?
That will give other browsers some much needed... (Score:2)
...attention.
Because honestly, if not even the adblockers will be able to do something about that, then it's bye bye Firefox on my part - I've been a loyal "customer" for the longest time, but hey - this gives the other lesser known browsers on the market some much needed attention, are you listening "insert-unknown-up-and-coming-popular-browser-team"?
Is this my problem? (Score:4, Interesting)
The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud.
My first reaction to this is, I don't see why I should be concerned. Malware authors had the option of including a headless browser of their own to enable this, and now they can use the already-installed browser instead. So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.
Re: (Score:2)
So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.
Hey, why don't we just pre-install the malware in that case? That way it won't have to install any crap on your system -- it will already be there!
Yaz
Re: (Score:2)
Well... because then you'd have malware. A big part of my point was that malware authors have already been able to include a headless browser if they wanted to, so it doesn't seem like this really changes their ability to have their malware perform click-fraud. It just means that, if you're unfortunate enough to get click-fraud malware, it won't also download their headless browser.
But I don't even know if it'll have that effect. If you're writing malware and you want it to be effective, you probably do
Re: (Score:2)
Well... because then you'd have malware. A big part of my point was that malware authors have already been able to include a headless browser if they wanted to, so it doesn't seem like this really changes their ability to have their malware perform click-fraud. It just means that, if you're unfortunate enough to get click-fraud malware, it won't also download their headless browser.
Detection may be more difficult. If Chrome is your browser of choice, then having Chrome processes running on your computer won't be all that unusual. An automated process scanner and/or manually looking at a process list may not show anything out of the ordinary. So while seeing "phantomjs.exe" in your process list may set off some alarm bells, "chrome.exe" won't have the same effect.
As well, something like PhantomJS is rarely up-to-date with the latest web technologies. Even though it's based off WebK
Re: (Score:2)
and they'll be able to click more ads before you hit your mobile data cap, because the initial download was smaller.
I have an idea (Score:2)
Unless the app is an actual web browser, restrict it to communication with a single domain via TLS.
So great, Chrome is a browser. but when running as an embedded browser or headless, it should only be able to communicate with a single domain associated with the app it is running in.
If someone really wants to make a browser app, they can bundle it with a browser engine instead of embedded WebView, or at least make it a permission request to communicate with other domains.
And I just installed Firefox Focus (Score:2)
" When Focus is running in the background, we'll remind you through a notification and you can easily tap to erase your ..." https://blog.mozilla.org/blog/... [mozilla.org]
Fell for the hyper babble I guess, thread did get me noscripts(.net).
Thick Clients (Score:2)
This is inevitable with the current trend of having the web browser be a thick client.
The trend is to put as much code as possible, i.e. thick client, in Javascript. Now, suppose one wants to leverage that code as middleware? Taa daa! Headless mode. We've been down this road before with client/server, thick/thin clients.
What makes Javascript particularly impossible to reproduce is the fast moving, every changing set of libraries. This will put pressure on the business logic sitting in all the Javascript to
Even stupider (Score:2)
Even stupider is Firefox "policy" which now *refuses* to load Google's page because it claims the "domain certificate is misconfigured". You can't add an exception, period. In other words, there is NO WAY to browse Google with Firefox now.
Now I may be wrong, but I think those dudes at Google know a thing or two about web stuff, so I guess using Firefox for my day-to-day stuff is now a no-go. Brilliant, Firefox, just fucking brilliant.
Re: (Score:2)
You really should check if you are being MITM'ed.
That's not adware (Score:2)
Adware is something that shows ads to you, by adding them or by replacing other ads by them. This has something to do with ads, but that is not sufficient to make this adware. If we define malware as something you would not agree to have on your computer, this is plain old malware, and I'd argue not one of the worst sorts.
Part of me is actually happy that the ad industry is facing problems with fraudulent clicks, even if I would not want this on my own computers. (Having said that, I might want something th
Headless browsers have been around for 20 years! (Score:2)
Microsoft had a COM interface (IHtmlWebBrowser) nearly 20 years ago. When .NET came around, they offered the same headless functionality in the form of the WebBrowser object. The concept isn't new, the only thing that's new is that Chrome and Firefox are finally copying an old IE feature!
Useless bacgkround processes... (Score:1)
This is exactly what we need to have a more secure OS. Make a lot of useless crap running on the background while we are playing minesweeper. Did we just forget about SMBv1 running in the background by default even on standalone workstations?
Sounds scary but required malware could do worse! (Score:1)
Correct me if I’m wrong but if I have malware on my machine that’s capable of starting up my web browser in headless mode (a.k.a. arbitrary executable), well I probably have much more serious issues to address ASAP!
Re: (Score:1)
Correct me if I'm wrong
OK
You're wrong.
You're corrected.
All it takes is a 3rd-party banner-ad or something similar and usually innocuous on a normally-trustworthy website that's been hijacked to run a short piece of script to open a headless instance and have it happily continue to run and remain 'open' and 'clicking' ads long after you've closed the visible instance you were using.
Or maybe doing something else. Depends on what the attacker wants. Maybe subscribing you to a bunch of MLP/furry/yiff-porn E/snail-mail lists and 'hook
Why not? (Score:2)
Advertisers want clicks, I do not want to see their shit. So my headless firefox is allowed to click (with a separate profile because of tracking cookies and so on) and I can support the websites which cry because of my adblocker.
If anyone objects, he should stop crying. Either they want me to load their ad or they do not want me to.