There has been some recent online discussion about games from the Chrome Web Store requesting excessive permissions. These games are extensions for Google Chrome. To access various aspects of Chrome, certain permissions are required; for example, an extension needs permission to access the Bookmark manager in order to update bookmarks. The “Super Mario 2” app is offered by the developer “chromitude”, which is associated with Slice Factory, a company that develops services and browser extensions to remix Web data. The extension requests permissions which seem excessive for simply playing a game. These permissions are:
- Access to bookmarks
- Notification of new tabs being created
- Access to all URLs
To determine why these permissions are required for the game and what the extension actually does, Symantec analyzed the app. The extension consists of two parts. The first is the “Super Mario 2” game, which is a benign Flash-based game. It doesn’t use any of the Chrome features that the permissions give access to.
The second part of the extension, however, does require additional permissions. This part runs in the background and requests two pieces of JavaScript code. The requested code is located on slicefactory.com and extensionfactory.com (Figure 1). Extensionfactory.com is a service provided by Slice Factory.
Figure 1. Background JavaScript includes
As well as logging some basic information about the time the game was installed and its last run, the code also intercepts new tabs and checks the address each tab is opening. If the new tab being opened is going to the domain “www.lemonde.fr” then some additional JavaScript, sourced from extensionfactory.com, is inserted into that page.
This injected piece of JavaScript creates a fake toolbar, as shown in Figure 2.
Figure 2. Injected toolbar
The toolbar contains a link to install an extension. When installed, this extension provides a feed to Le Monde, displaying new news articles. The same extension is advertised on the slicefactory.com Web site, as shown in Figure 3.
Figure 3. SliceFactory advertising Le Monde extension
This additional behaviour is not disclosed when installing Super Mario 2 from the Chrome Web Store. Note that at present the JavaScript is only inserted when visiting www.lemonde.fr, but because this code is dynamic, it could change in the future.
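The combination described above, broad permissions plus a background page that pulls its scripts from a remote server, can be checked on an unpacked extension before it is trusted. The following is an added example, not code from the original analysis or from Slice Factory; the function names are hypothetical and the manifest and background page are constructed samples, not the actual Super Mario 2 files.

```javascript
// Added example: audit an unpacked extension for the pattern described above.
// Host patterns that give an extension access to every page.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Chrome API permissions worth a second look for a simple game.
const SENSITIVE_APIS = new Set(["bookmarks", "tabs", "history", "cookies"]);

// Split the manifest's permission list into sensitive APIs and broad host patterns.
function auditPermissions(manifest) {
  const perms = manifest.permissions || [];
  return {
    sensitiveApis: perms.filter((p) => SENSITIVE_APIS.has(p)),
    broadHosts: perms.filter((p) => BROAD_HOSTS.has(p)),
  };
}

// Return the hosts of every <script src> in the background page that is
// fetched over the network instead of from the extension package.
function remoteScriptHosts(backgroundHtml) {
  const hosts = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of backgroundHtml.matchAll(re)) {
    const remote = /^(?:https?:)?\/\/([^\/:?#]+)/i.exec(m[1]);
    if (remote) hosts.push(remote[1].toLowerCase());
  }
  return [...new Set(hosts)];
}

// Code loaded at run time plus access to every page means the behaviour can
// change after the extension was reviewed; flag that combination.
function auditExtension(manifest, backgroundHtml) {
  const { sensitiveApis, broadHosts } = auditPermissions(manifest);
  const remoteHosts = remoteScriptHosts(backgroundHtml);
  const flagged = remoteHosts.length > 0 && broadHosts.length > 0;
  return { sensitiveApis, broadHosts, remoteHosts, flagged };
}

// Constructed sample input (placeholder hosts, not taken from the real package).
const sampleManifest = {
  name: "Example Game",
  background_page: "background.html",
  permissions: ["bookmarks", "tabs", "http://*/*", "https://*/*"],
};
const sampleBackground = `
  <script src="local/stats.js"></script>
  <script src="http://cdn.example.com/a.js"></script>
  <script src='https://scripts.example.net/b.js'></script>`;

console.log(auditExtension(sampleManifest, sampleBackground));
```

A flagged result does not prove malicious intent; it identifies extensions whose behaviour depends on code that was not part of the reviewed package.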
The Super Mario 2 game has since been removed from the Chrome Web Store.
We contacted Slice Factory, who stated:
“This Mario web app should never have been published with this "Le Monde" invitation. It is an experimental feature we have been testing internally, which was put in a production package by mistake.” In addition, a representative from Slice Factory mentioned the other JavaScript code injected into the Mario app was necessary to send statistical data to the Extension Factory backoffice (similar to other stats scripts such as Google Analytics), but did not compromise any personal data.
Slice Factory has also published some additional games on the Chrome Web Store under the “chromitude” developer account, including:
- Tetris
- Zelda
- Platform Racing 2
- Othello
- Snake
We are currently analyzing these versions of the applications published by chromitude. These versions are not those specifically offered by the owners of the official game brands.
Uninstalling a Chrome web app can be done by opening a new tab, mousing over an app icon, clicking on the wrench icon, and selecting “Uninstall”. Uninstalling an extension can be done by selecting the Tools | Extensions menu in Chrome.
We recommend also reviewing Google's guidance regarding permissions and trusting unknown app developers.