WTHOT: new thing: unexpected browser window pop-ups

[Dave Labrecque]

I'm thinking that a browser extension would have been installed on that particular browser (local to that particular machine). Whereas, Dave found that, on a completely different machine, his logon, on that same application, still had the same issue - whereas his mother's, on that same application, on that same 'different' machine, did not. So, to me, that seems to indicate that the issue is something particular to the account that he has logged into, rather than a browser extension - or even something on his machine.

As a result, Dave, I think the issue must be coming to you, each time, from whatever you have logged into - and probably is something you have (inadvertently) chosen that your mother has not. An examination of the differences between your setup and hers on that same remote application might tell you what it was.

Sounds right. Next time I'm back in Tucson...

Then there's the new wrinkle: I think I've seen in happen using Firefox on my machine, too. Somewhat confounding, no? Maybe I need to confirm that before we get too hopeless.

[cgrafx]

Sounds right. Next time I'm back in Tucson...

Then there's the new wrinkle: I think I've seen in happen using Firefox on my machine, too. Somewhat confounding, no? Maybe I need to confirm that before we get too hopeless.

Hi Dave,

You've described two different things

1. browser redirect in chrome on your home computer also happening on your moms computer when logged into your chrome account.

2. browser redirect in chrome and also in firefox on your home computer.

These are two different attack vectors.

1. would be some form of extension or hack of chromes cloud preferences. This should not affect firefox, or any other browser on your computer.

2. would be a change to your dns or proxy settings on your computer. This would affect all internet traffic on your computer, but should not affect your moms computer. (unless its a change in proxy settings in chrome itself)

[Dave Labrecque]

Right? Thus my disclaimer re: confirming the Firefox thing before I/we get too invested in that "vector," as you say.

The latest: it hasn't happened in a couple days. Have to wonder if my recent Malwarebytes scan, which found and quarantined a bunch of PUPs, killed it. That would seem surprising, since the last scan I ran a couple weeks back found/quarantined a bunch of PUPs, too, yet didn't cure the issue at that time.

It also occurs to me that I may have enabled some real-time browser protection options in Malwarebytes recently. So maybe that's the ticket.

[Ian Alexander]

I'm thinking that a browser extension would have been installed on that particular browser (local to that particular machine). Whereas, Dave found that, on a completely different machine, his logon, on that same application, still had the same issue - whereas his mother's, on that same application, on that same 'different' machine, did not. So, to me, that seems to indicate that the issue is something particular to the account that he has logged into, rather than a browser extension - or even something on his machine.

As a result, Dave, I think the issue must be coming to you, each time, from whatever you have logged into - and probably is something you have (inadvertently) chosen that your mother has not. An examination of the differences between your setup and hers on that same remote application might tell you what it was.

Good point, John. A browser extension doesn't fit all the evidence.

[John Ludlow]

Dave, I'm kind of disappointed that the problem went away (for my curiosity, not for you). I was going to suggest that you install the Brave browser, and then login and see whether that behavior changed. Ah, well...

One thing that came to mind (too late...) is that different ads would be coming to your Google profile than your mother's. If one of them contained a slow re-direct then it would happen to you, but not to her - even on the same machine. Maybe now that ad has finished its tenure. Brave might have helped sniff that out because it's probably the safest browser, privacy-wise, without having to do anything yourself, for things like that.

[Dave Labrecque]

Good point, John. A browser extension doesn't fit all the evidence.

I hasten to point out (in all its uselessness at this point) that when one operates Chrome sync'd to a given google account, that user's extensions load automatically. So, I contend that the extension theory still holds promise. Assuming I hallucinated the Firefox Event of '21.

It's pretty cool to be able to open simultaneous Chrome windows under different accounts, each having its own collection of extensions active.

[Dave Labrecque]

One thing that came to mind (too late...) is that different ads would be coming to your Google profile than your mother's.

This assumes that the trouble-making extension was referencing Google's database of my preferences. But it could just as easily (or easierly?) been using some other database, like the one its paying clients enjoy being a part of. I'm just throwin' stuff against the wall, here. The windows that popped up did seem to be for vendors selling stuff related to where I was actually trying to go.

I would hope Google would vet anybody paying for access to their data on me. But who knows, right?

[John Ludlow]

I hasten to point out (in all its uselessness at this point) that when one operates Chrome sync'd to a given google account, that user's extensions load automatically. So, I contend that the extension theory still holds promise. Assuming I hallucinated the Firefox Event of '21.

It's pretty cool to be able to open simultaneous Chrome windows under different accounts, each having its own collection of extensions active.

I guess I don't think of something temporary like that as an extension - since it doesn't become resident locally on the browser for longer than the one use. But, maybe in the meantime, they've inherited the extension concept and then modified it. Might have been easier to re-use that code and functionality. But it would certainly fill the bill for explaining why yours and your mother's account experience are different. From the way you describe it, it's essentially code that is downloaded every time you login that disappears when you close the browser. If they load code just for you, they can certainly load advertisements just for you.

And, I doubt that Google vets every ad. that appears in one of their applications. I don't think that actual human beings are involved in that process. I can imagine them programmatically watching every ad. in realtime for content though. I haven't ever taken out an ad. from Google. But, from what I have gleaned, it doesn't involve putting on a suit and talking to an agent. Whoever might have put one over on them temporarily. Or - it's also possible that the functionality you have chosen (which is downloaded) happens to be located somewhere else that requires a re-direct.

[Dave Labrecque]

From the way you describe it, it's essentially code that is downloaded every time you login that disappears when you close the browser. If they load code just for you, they can certainly load advertisements just for you.

FWIW, opening a Chrome browser window for any account is pretty instantaneous, so my guess is that the extensions are installed and kept on the local computer rather than downloaded each time. This article seems to confirm that. Or maybe I'm taking your statement too literally.

Or - it's also possible that the functionality you have chosen (which is downloaded) happens to be located somewhere else that requires a re-direct.

I'm pretty sure that's how it works. It usually takes several seconds for the pop-up window to populate with content, all the while the words, "Redirecting, Please Wait..." displaying at the top of the window. Way different than a typical Google-sanctioned experience, I think. Seems to have the tell-tale, clunky tells of an illegitimate actor. Not unlike the way we recognize email fraudsters because of their bad grammar or poorly implemented, stolen logo graphics.

[John Ludlow]

Yeah - I see. The extensions then sort of become a group of libraries that are available for the use of whoever is using the machine and needs it - but aren't necessarily used at all. So, your mom's machine now has a copy of whatever it is that got downloaded for you that she just doesn't use. More sophisticated than the usual extension (in which whatever extension has been installed becomes 'the way it' is for whoever uses that browser thereafter).