fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Google Removes Privacy-Focused ClearURLs Chrome Extension

Google Removes Privacy-Focused ClearURLs Chrome Extension

Google has mysteriously removed the popular browser extension ClearURLs from the Chrome Web Store.

ClearURLs is a privacy-preserving browser add-on which automatically removes tracking elements from URLs. According to its developer, this can help protect your privacy when browsing the internet.

Extension removed from Chrome Web Store

ClearURLs is a web browser add-on available for both Google Chrome and Mozilla Firefox tasked with removing tracking bits from the URLs.

Many websites have superfluously long URLs with the extra parameters that have no functional value but are simply used for tracking purposes. This can especially apply to links present in newsletters, for example:https://example.com?utm_source=newsletter1&utm_medium=email&utm_campaign=sale&some_other_tracking_bits=…

Interestingly, Google search result URLs are no different.

When clicking on an image search result, for example, Google does not immediately send you to the original URL of its webpage, but rather an intermediary URL which redirects you.https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.bleepingcomputer.com%2F&psig=AXXXXXYAWa
&ust=1616XXXXXXX&source=images&cd=vfe&ved=0CXXXXe-p3XXX

The extra parameters in the URL above (vedcd, etc.) are simply tracking bits and referrers used for analytics.

Also Read: Compliance Course Singapore: Spotlight On The 3 Offerings

Google search results may incorporate tracknig elements too, like many websites across the web

ClearURLs is designed to filter out such tracking parameters from URLs and enhance the user’s privacy online.

Should all links be stripped of such extraneous tracking data, they would end up looking rather minimal in length, comprising only of the essential bits

However, in a mysterious move by Google last night, users saw ClearURLs disappearing from the Chrome Web Store with its page throwing a 404 (not found) error message.

ClearURLs Chrome extension removed

“Yes, ClearURLs were blocked by Google 7 hours ago.”

“The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google’s business model.”

“ClearURLs has made it to its mission to prevent tracking via URLs and that’s how Google makes money. I think that ClearURLs now has so many users that it is unwelcome for Google and they would like to see the addon disappear permanently,” said Kevin Roebert, the developer behind ClearURLs.

The developer appealed to Google against the blocking of the extension and heard from Google. 

In a copy of the email shared by the developer, Google claims that the description of the extension is “too detailed” and in violation of Chrome Web Store rules.

“The mention of all the people who helped to develop and translate ClearURLs is against Google’s rules because it could ‘confuse’ the user. Ridiculous,” continued Roebert.

Google also stated that the description of the extension did not mention it contained certain features, such as the settings import/export feature, logging functionality, and a donation button which was misleading.

Google also claimed in the email that the extension unnecessarily requires the clipboardWrite permission.

ClearURLs requires the clipboardWrite permission
Source: BleepingComputer

“But that’s not true, and I’ve had a description for each permission in the Chrome Web Store Developer Dashboard for well over a year now.”

Roebert had initially refuted Google’s claim stating that clipboardWrite had a legitimate need in the application for writing clean links via the context menu into the clipboard.

However, when asked for further clarification on the matter, Roebert shared some insights with BleepingComputer.

“As it turned out, this is actually not necessary anymore since a few versions, because I switched to another method of copying to the clipboard.”

“So the permission was still a relic from an earlier version of ClearURLs,” Roebert told BleepingComputer in an email interview.

But, the developer also expressed that some suggestions made by Google in their email response were contradictory.

“The description of ClearURLs is said to be misleading because it is too detailed and describes irrelevant things.”

“What exactly is irrelevant about the description was not communicated to me by Google. So it is hard for me to fix this.”

Interestingly, this suggestion by Google contradicts their another suggestion in the same email to the developer, which reads the description of the functions lacks detail. 

“Here Google says that the description of the functions of the addon is not detailed enough and therefore deceives the user.”

Roebert is referring to the aforementioned functions: ‘Donate, Badges, Logging, Export/Import’.

“This almost reads like a joke. No user seriously cares about during installation if there is a way to donate, a badged indicator, a log for debugging, or a function to save and restore settings.”

“The task of the addon is to clean URLs, I described these functions and not that there is also a donate button. But Google wants that these ‘important’ functions are also described because otherwise the users are ‘deceived.’ I have now added this to the description,” the developer further told BleepingComputer.

Also Read: Considering Enterprise Risk Management Certification Singapore? Here Are 7 Best Outcomes

Users cite concerns from RCE flaw to “antitrust”

This development quickly started making rounds on public forums, including Y Combinator’s HN.

Whereas some users criticized Google’s decision to remove the extension, citing “antitrust” concerns, others pointed out that ClearURLs extension had previously contained an arbitrary code execution flaw.

One of the users commented that it was rather hard to believe that a company like Google would be concerned enough by this “itty bitty extension” to have an impact on its business model or that these were the grounds to remove it from the web store, thereby scrutinizing what the extension’s developer has claimed.

But, other commentators stood by concerns that Google’s vast influence over Chrome development, its extensions or web standards could be problematic and indicative of the company monopolizing the space.

Users cite concerns including “antitrust” and security flaws
Source: Hacker News

Meanwhile, another commentator alleged that last they had checked, the ClearURLs extension had a security issue:

“I’d love to use ClearURLs, though last I checked it had a major flaw: it allows arbitrary code execution by the provider of the filter list.”

“Among other things, it can redirect script URLs to arbitrary sources, and the filter list is periodically updated from a GitLab page, which enables the filter list provider to perform a targeted attack by serving a malicious filter list to a specific device,” yet another user commented.

Multiple users also suggested that this move had reinforced their loyalty to using Mozilla Firefox as their choice of web browser.

BleepingComputer has reached out to Google before publishing this article and we are awaiting their response.

In the meantime, Chrome users can download and manually install the ClearURLs extension from the project’s GitHub releases page.

Microsoft Edge users can also download the extension from the Edge Add-ons store.

Roebert has also released a newer version 1.21.0 with the proposed updates expected to appear on both Mozilla and Edge stores, pending a review.

Update 24-Mar-21 9:30 AM ET: Added statement from ClearURLs developer, Kevin Roebert.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us