
Browser extensions turn nearly 1 million browsers into website-scraping bots


Extensions installed on almost 1 million devices have been overriding key security protections to turn browsers into engines that scrape websites on behalf of a paid service, a researcher said.

The 245 extensions, available for Chrome, Firefox, and Edge, have racked up nearly 909,000 downloads, John Tuckner of SecurityAnnex reported. The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers. The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions.

Intentional weakening of browsing protections

Tuckner and critics say the monetization works by using the browser extensions to scrape websites on behalf of paying customers, which include advertisers. Tuckner reached this conclusion after uncovering close ties between MellowTel and Olostep, a company that bills itself as "the world's most reliable and cost-effective Web scraping API." Olostep says its service "avoids all bot detection and can parallelize up to 100K requests in minutes." Paying customers submit the browser locations from which they want specific webpages accessed. Olostep then uses its installed base of extension users to fulfill the request.

“This seems very similar to the scraping instructions we saw while watching the MellowTel library in action,” Tuckner wrote after analyzing the MellowTel code. “I believe we have good reason to think that scraping requests from Olostep are distributed to any of the active extensions which are running the MellowTel library.”

MellowTel’s founder, for his part, has said the purpose of the library is “sharing [users’] bandwidth (without stuffing affiliate links, unrelated ads, or having to collect personal data).” He went on to say that the “primary reason why companies are paying for the traffic is to access publicly available data from websites in a reliable and cost-effective way.” The founder said extension developers receive 55 percent of the revenue, and MellowTel pockets the rest.

Despite the assurances, Tuckner said the extensions that incorporate MellowTel pose a risk to users who install them. One reason for this is that MellowTel causes extensions to activate a websocket that connects to an AWS server that collects the location, available bandwidth, heartbeats, and status of extension users. Besides the privacy erosions, the websocket also injects a hidden iframe into the page the user is currently viewing that connects to a list of websites specified by the Amazon Web Services server. There’s no way ordinary end users can determine what sites are being opened in the invisible iframe.

Tuckner wrote:

Shouldn't there be some protections to stop this from happening? How can you so easily load unintended content inside of any website?

Well, normally there are protections to prevent this. Common web server security headers like Content-Security-Policy and X-Frame-Options should stop this from happening. However, remember that the library requested declarativeNetRequest and access be added to the manifest if it isn't already? Those permissions allow for modification of web requests and responses as they are being made. The library dynamically modifies rules that will remove security headers from web server responses and then claims to add them back after the web page has loaded.

“This weakening of all web browsing can open users up to attacks like cross-site scripting that would generally be prevented under normal conditions,” Tuckner went on to write. “Not only are your users unintentionally becoming bots, but their actual web browsing is more vulnerable as well.”

MellowTel is also problematic because the sites it opens are unknown to end users. That means they must trust MellowTel to vet the security and trustworthiness of each site being accessed. And, of course, that security and trustworthiness can change with a single compromise of a site. MellowTel also poses a risk to enterprise networks that closely restrict the types of code users are permitted to run and the sites they visit.
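To make the header-stripping pattern concrete, here is an added example (not code from the article, MellowTel, or Olostep) that audits an unpacked extension's manifest and static declarativeNetRequest rulesets for the combination the article describes: declarativeNetRequest permission, broad host access, and modifyHeaders rules that remove Content-Security-Policy and X-Frame-Options. The manifest and rules it scans are constructed samples using the real MV3 schema.

```javascript
// Added example (not code from the article, MellowTel or Olostep): a static
// audit of an unpacked extension for the declarativeNetRequest pattern the
// article describes, i.e. modifyHeaders rules that strip CSP and
// X-Frame-Options so arbitrary sites can be loaded in a hidden iframe.
// Inputs are constructed samples; load manifest.json and its rule files instead.

const FRAMING_HEADERS = new Set([
  "content-security-policy",
  "x-frame-options",
]);
const DNR_PERMISSIONS = new Set([
  "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess",
]);

// Constructed MV3 manifest (real manifest keys, sample values).
const sampleManifest = {
  manifest_version: 3,
  name: "Clipboard Helper (constructed sample)",
  permissions: ["storage", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  declarative_net_request: {
    rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }],
  },
};

// Constructed static ruleset in the real DNR rule schema: rule 1 is the
// header-stripping pattern, rule 2 is an ordinary blocking rule.
const sampleRules = [
  {
    id: 1, priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [
        { header: "Content-Security-Policy", operation: "remove" },
        { header: "X-Frame-Options", operation: "remove" },
      ],
    },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
  },
  {
    id: 2, priority: 1,
    action: { type: "block" },
    condition: { urlFilter: "||tracker.example", resourceTypes: ["script"] },
  },
];

// Return the rules in a ruleset that remove framing or CSP response headers.
function findHeaderStrippingRules(rules) {
  return rules.filter((rule) => {
    if (!rule.action || rule.action.type !== "modifyHeaders") return false;
    return (rule.action.responseHeaders || []).some(
      (h) => h.operation === "remove" && FRAMING_HEADERS.has(String(h.header).toLowerCase())
    );
  });
}

// Audit a manifest plus its static rulesets ({ path: parsedRuleArray }).
function auditExtension(manifest, rulesets) {
  const findings = [];
  const hasDnr = (manifest.permissions || []).some((p) => DNR_PERMISSIONS.has(p));
  const broadHosts = (manifest.host_permissions || []).some(
    (h) => h === "<all_urls>" || h === "*://*/*"
  );
  if (hasDnr && broadHosts) {
    findings.push("declarativeNetRequest plus <all_urls>: can rewrite headers on every site");
  }
  const resources = (manifest.declarative_net_request || {}).rule_resources || [];
  for (const res of resources) {
    for (const r of findHeaderStrippingRules(rulesets[res.path] || [])) {
      findings.push(`static rule ${r.id} in ${res.path} removes CSP/X-Frame-Options for urlFilter "${r.condition.urlFilter}"`);
    }
  }
  if (hasDnr) {
    // The article says the library adds its rules dynamically; those never appear
    // in static files. Check chrome.declarativeNetRequest.getDynamicRules() in a
    // running profile and grep the bundle for updateDynamicRules/updateSessionRules.
    findings.push("uses declarativeNetRequest: review dynamic and session rules at runtime");
  }
  return findings;
}

console.log(auditExtension(sampleManifest, { "rules.json": sampleRules }).join("\n"));
```

A clean static scan is not a clean bill of health: the runtime-rule finding is the one that matters for a library that, as described above, rewrites its rules on the fly.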

Attempts to reach MellowTel representatives were unsuccessful.

Tuckner’s discovery is reminiscent of a 2019 analysis that found browser extensions installed on 4 million browsers collected users’ every movement on the web and shared them with customers of Nacho Analytics, which went defunct shortly after Ars exposed the operation.

Some of the data swept up in the collection free-for-all included surveillance videos hosted on Nest, tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive and Intuit.com, vehicle identification numbers of recently bought automobiles along with the names and addresses of the buyers, patient names and the doctors they saw, travel itineraries hosted on Priceline, Booking.com, and airline websites, Facebook Messenger attachments and Facebook photos, even when the photos were set to be private. The dragnet also collected proprietary information belonging to Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, and dozens of other companies.

Tuckner said in an email Wednesday that the most recent status of the affected extensions is:

  • Of 45 known Chrome extensions, 12 are now inactive.
  • Of 129 Edge extensions incorporating the library, eight are now inactive.
  • Of 71 affected Firefox extensions, two are now inactive.

Some of the inactive extensions were removed for malware explicitly. Others have removed the library in more recent updates. A complete list of extensions found by Tuckner is here.


“Things we’ll never know” science fair highlights US’s canceled research


Washington, DC—From a distance, the gathering looked like a standard poster session at an academic conference, with researchers standing next to large displays of the work they were doing. Except in this case, it was taking place in the Rayburn House Office Building on Capitol Hill, and the researchers were describing work that they weren’t doing. Called "The things we’ll never know," the event was meant to highlight the work of researchers whose grants had been canceled by the Trump administration.

A lot of court cases have been dealing with these cancellations as a group, highlighting the lack of scientific—or seemingly rational—input into the decisions to cut funding for entire categories of research. Here, there was a much tighter focus on the individual pieces of research that had become casualties in that larger fight.

Seeing even a small sampling of the individual grants that have been terminated provides a much better perspective on the sort of damage that is being done to the US public by these cuts and the utter mindlessness of the process that's causing that damage.

“It’s no way to do science," one of the researchers told us.

Targeting diversity and more

While many of the scientists were perfectly willing to identify themselves at the event, more than one asked us not to name them in any coverage. Another noted that, while she wasn't concerned about retaliation from the federal government, she was at a state university in a state with a Republican governor and so could still face problems. As a result, we're not identifying any of the scientists we talked to in this article.

With a few exceptions, most of these scientists could only surmise why their research was cut. A couple of them were funded by programs that were meant to increase minority participation in the sciences and so were targeted as DEI. Another was at Harvard and saw his materials science research into new refrigerants canceled, ostensibly because Harvard hadn't cracked down hard enough on campus antisemitism ("ostensibly" because the government has also issued a series of demands that have nothing to do with antisemitism).

In their rush to terminate grants, each agency settled on a single form letter that told researchers that their work was being defunded because it no longer reflected agency priorities. A number of said researchers surmised that they lost their support because, at the time the grant was initially funded, many federal agencies required attempts to, as the National Science Foundation termed it, "broaden participation." This left them at risk of falling afoul of the new administration's anti-DEI efforts.

A few of them planned to eliminate the language they suspect offended DOGE and send in a new grant request. But, given the lack of details in the termination letters, all of them would have to guess as to the problem. And at least one said that the entire program that had funded her grant had since been eliminated, so this wasn't even an option.

Many of the grants were focused on STEM education, and it's extremely difficult to imagine that people will be better off without the work happening. One involved figuring out how to better incorporate instruction in quantum mechanics into high school and college education, rather than limiting this increasingly important topic to a handful of physics specialists. Another was focused on trying to help engineers communicate better with the communities that would ultimately use the things they were designing (she cited Google Glass and the Segway as examples of the problems that result when this doesn't happen).

A large multi-university collaboration had put together a program to help deaf students navigate careers in science, providing support at the undergraduate, graduate, and post-doctoral levels. The effort received multiple grants from different sources, but a number were part of a diversifying science effort, and all of those have been cut.

For a couple of the researchers present, the damage being done to the educational pipeline was personal: they had received prestigious grants that are intended to ease the transition between post-doctoral training and starting a faculty job. This funding helps them stay in a post-doctoral position long enough to develop a solid research program, then partially funds the process of starting up a lab to pursue that program. But for these researchers, the rug had been pulled out from under them partway through the process—funding that was cut even though (in one case) they were simply studying the regeneration of the retina in an experimental organism.

Pandemics, misinformation, and confusion

The damage is far from limited to education and diversity issues. Despite having been in power during a pandemic that ultimately killed well over a million Americans, the administration has decided that any pandemic-related work is not a priority. So, an entire pandemic preparedness program was scrapped. A pair of researchers was there to talk about the Antiviral Drug Discovery program (AViDD), which had been funded to develop drugs that target various emerging viral threats, such as coronaviruses and the families that include Ebola, Zika, and measles. The idea behind AViDD is to have treatments ready that could limit the spread of any new, threatening version of these viruses in order to give us time to develop vaccines.

AViDD had been funded to the tune of $1.2 billion, included nine dedicated research centers, and involved researchers at 90 institutions. In total, it had spent about half that money in developing 35 treatment candidates that targeted seven different viral families. And then the funding for the entire program was eliminated before any of those candidates could be pursued any further—the researchers likened it to building half a bridge.

Another area that has been targeted is misinformation research. One small team included an academic who's also a Reddit moderator; they trained an AI model to flag posts that might require moderator intervention, potentially cutting down on the workload of human moderators, who are often volunteers. The project had gotten to the point where they were looking for a company willing to test the system on some user-generated discussions it hosted; now it's on indefinite hold.

In other instances, it was hard to tell what had triggered the elimination of funding. One team was developing baseline data to allow us to track the presence of antibiotic resistance genes in municipal wastewater, which could be useful for various public health measures. It's not entirely clear why that funding was canceled—possibly it was considered pandemic-related? The same uncertainty applies to a group of researchers who were trying to develop methods to identify which Arctic infrastructure projects would benefit the most people in Alaska. The researchers involved suspect their efforts to engage native communities probably triggered DOGE's DEI filters, but they received the same form letter as everyone else.

Even when it was obvious why a given bit of research was cut, it didn't feel any less stupid. One grant that was targeted funded research on prostate cancer in African Americans, which undoubtedly set off diversity alarms. But the researcher who had received it highlighted that, because of a complicated mix of genetics, environmental exposures, and occupational risks, prostate cancer is diagnosed at a 76 percent higher rate in African Americans, and they die because of it at twice the rate of whites. By stopping this sort of research, we're committing to perpetuating these disparities, despite the administration's rhetoric of eliminating racial preferences.

No way to do science

Although the likely loss of a large amount of interesting science is obviously a major problem, in many ways the uncertainty is worse. A number of the people there had seen funding restored due to temporary restraining orders issued in response to a number of lawsuits. But they couldn't be confident that the money wouldn't go away again due to a different ruling during the appeals process. And, even if they were to prevail in the courts on the initial cancellation, there were already fears that the government would think of some other justification to try to take the money away a second time.

The uncertainty makes it impossible to plan any significant distance ahead or hire anyone to do the work for longer-term projects. Many researchers are starting to write grants targeting non-federal funding sources, increasing the competition for that money and making it less likely that the effort will have any payoff.

Looming over all of this are the huge research cuts in the recently passed budget, which will cripple many of the agencies involved here starting in the next fiscal year. This raises questions about how much of this money might ever come back, even if the grants were reformulated to get past whatever issue got them cut.

Is there anything to be done? The event was being put on by the Democrats on the House Science Committee, and one of their members tried to offer some hope for the long-term situation. "Many of us on this committee are going to fight to claw back some of these cuts," said Representative April McClain Delaney of Maryland. But that would require some cooperation with Republicans in the House and Senate, who hold a decisive number of votes and have so far seemed comfortable with the cuts to science funding. And they'd need to find a bill to attach it to that Trump would feel compelled to sign.

But that's the future. For now, nobody offered much hope for the grants that are currently being targeted—after all, Congress had already given the federal government the money and, in many cases, directed it to spend it on these issues. At this point, the most scientists can hope for is that the US legal system ultimately acknowledges that the decision to cut their funding runs afoul of these congressional directives. And that may take years to be resolved.


RFK Jr. barred registered Democrats from being vaccine advisors, lawsuit says


After US health secretary and hardline anti-vaccine activist Robert F. Kennedy Jr. fired all 17 highly respected vaccine experts from the federal Advisory Committee on Immunization Practices (ACIP) last month, he vetted their replacements not by medical and scientific expertise, but by their political leanings, according to a lawsuit filed by medical organizations Monday.

Under Kennedy, to qualify to be on the Centers for Disease Control and Prevention's nationally influential and historically apolitical ACIP, candidates had to be registered as a Republican or independent and could not have any history of publicly criticizing President Trump or Kennedy, the lawsuit claims.

Just two days after dismissing all 17 ACIP members—who had all gone through an extensive vetting process that lasted up to two years—Kennedy announced eight new members. One later dropped out during last-minute financial vetting the day before an ACIP meeting. Of the remaining seven, only one has the scientific and medical qualifications described under ACIP's charter.

As Ars has previously reported, the six other members have little to no relevant background for ACIP and several have expressed anti-vaccine and/or contrarian public health opinions that align with Kennedy's anti-vaccine views.

When Ars reached out to the US Department of Health and Human Services about the alleged political vetting, spokesperson Andrew Nixon did not explicitly confirm or deny the vetting, saying only that "the Secretary stands by his CDC reforms."

New dimension

That new ACIP members were required to be friendly to Trump and Kennedy, and could not be aligned with Democrats is unlikely to be surprising—even though Kennedy previously ran as a Democratic presidential candidate. Ars has also previously reported on the Trump administration requiring new federal employees to praise Trump's agenda and demonstrate loyalty.

However, the political vetting of ACIP members adds a new dimension to the perceived biases and illegitimacy of Kennedy's newly installed panel—one largely seen as a tool to help Kennedy dismantle the country's vaccine policy and further erode public confidence and uptake of lifesaving vaccines.

In the lawsuit filed Monday, leading medical organizations allege that since Kennedy's February confirmation, he has "demonstrated a clear pattern of hostility toward established scientific processes, a disregard for expert guidance, an affinity for placing persons who align with his anti-vaccination views in positions of authority at HHS, and a reliance on bias and pretext to further his apparent agenda: to undermine trust in vaccines and reduce the rate of vaccinations in this country."

The lawsuit was filed by the American Academy of Pediatrics (AAP), the American College of Physicians (ACP), the Infectious Diseases Society of America (IDSA), the Massachusetts Public Health Alliance, the Society for Maternal-Fetal Medicine, and a Jane Doe, who is a pregnant physician.

The group's lawsuit aims to overturn Kennedy's unilateral decision to drop the CDC's recommendations that healthy children and pregnant people get COVID-19 vaccines. The medical groups argue that Kennedy's decision—announced in a video on social media on May 27—violates the Administrative Procedure Act for being arbitrary and capricious.

Specifically, Kennedy made the decision unilaterally, without consulting the CDC or anyone on ACIP, entirely bypassing the decades-long evidence-based process ACIP uses for developing vaccine recommendations that set standards and legal requirements around the country. Further, the changes are not supported by scientific evidence; in fact, the data is quite clear that pregnancy puts people at high risk of severe COVID-19, and vaccination protects against dire outcomes for pregnant people and newborns. Kennedy has not explained what prompted the decision and has not pointed to any new information or recommendations to support the move.

“Existential threat”

The medical groups say the decision has caused harms. Pregnant patients are being denied COVID-19 vaccines. Patients are confused about the changes, requiring clinicians to spend more time explaining the prior evidence-based recommendation. The conflict between Kennedy's decision and the scientific evidence is damaging trust between some patients and doctors. It's also making it difficult for doctors to stock and administer the vaccines, and creating uncertainty among patients about how much they may have to pay for them.

In making the claims, the medical groups offer a sweeping review of all of the damaging decisions Kennedy has made since taking office—from canceling a flu shot awareness campaign, spreading misinformation about measles vaccines amid a record-breaking outbreak, to clawing back $11 billion in critical public health funds, and wreaking havoc on ACIP.

The lead lawyer representing the groups, Richard Hughes IV, a partner at Epstein Becker Green, did not immediately respond to Ars' request for comment.

But in a statement Monday, Hughes said that "this administration is an existential threat to vaccination in America, and those in charge are only just getting started. If left unchecked, Secretary Kennedy will accomplish his goal of ridding the United States of vaccines, which would unleash a wave of preventable harm on our nation’s children."


Weedkiller Ingredient Widely Used In US Can Damage Organs and Gut Bacteria, Research Shows

An anonymous reader quotes a report from The Guardian: The herbicide ingredient used to replace glyphosate in Roundup and other weedkiller products can kill gut bacteria and damage organs in multiple ways, new research shows. The ingredient, diquat, is widely employed in the US as a weedkiller in vineyards and orchards, and is increasingly sprayed elsewhere as the use of controversial herbicide substances such as glyphosate and paraquat drops in the US. But the new piece of data suggests diquat is more toxic than glyphosate, and the substance is banned over its risks in the UK, EU, China and many other countries. Still, the EPA has resisted calls for a ban, and Roundup formulas with the ingredient hit the shelves last year.

[...] Diquat is also thought to be a neurotoxin, carcinogen and linked to Parkinson's disease. An October analysis of EPA data by the Friends of the Earth non-profit found it is about 200 times more toxic than glyphosate in terms of chronic exposure.

[...] The new review of scientific literature in part focuses on the multiple ways in which diquat damages organs and gut bacteria, including by reducing the level of proteins that are key pieces of the gut lining. The weakening can allow toxins and pathogens to move from the stomach into the bloodstream, and trigger inflammation in the intestines and throughout the body. Meanwhile, diquat can inhibit the production of beneficial bacteria that maintain the gut lining. Damage to the lining also inhibits the absorption of nutrients and energy metabolism, the authors said.

The research further scrutinizes how the substance harms the kidneys, lungs and liver. Diquat "causes irreversible structural and functional damage to the kidneys" because it can destroy kidney cells' membranes and interfere with cell signals. The effects on the liver are similar, and the ingredient causes the production of proteins that inflame the organ. Meanwhile, it seems to attack the lungs by triggering inflammation that damages the organ's tissue. More broadly, the inflammation caused by diquat may cause multiple organ dysfunction syndrome, a scenario in which organ systems begin to fail. The authors note that many of the studies are on rodents and more research on low, long-term exposure is needed.

The report notes that the EPA is not reviewing the chemical, "and even non-profits that push for tighter pesticide regulations have largely focused their attention elsewhere." "[T]hat was in part because U.S. pesticide regulations are so weak that advocates are tied up with battles over ingredients like glyphosate, paraquat and chlorpyrifos -- substances that are banned elsewhere but still widely used here. Diquat is 'overshadowed' by those ingredients."

Read more of this story at Slashdot.


The Open-Source Software Saving the Internet From AI Bot Scrapers


An anonymous reader quotes a report from 404 Media: For someone who says she is fighting AI bot scrapers just in her free time, Xe Iaso seems to be putting up an impressive fight. Since she launched it in January, Anubis, a "program [that] is designed to help protect the small internet from the endless storm of requests that flood in from AI companies," has been downloaded nearly 200,000 times, and is being used by notable organizations including GNOME, the popular open-source desktop environment for Linux, FFmpeg, the open-source software project for handling video and other media, and UNESCO, the United Nations organization for education, science, and culture.

[...] "Anubis is an uncaptcha," Iaso explains on her site. "It uses features of your browser to automate a lot of the work that a CAPTCHA would, and right now the main implementation is by having it run a bunch of cryptographic math with JavaScript to prove that you can run JavaScript in a way that can be validated on the server."

Essentially, Anubis verifies that any visitor to a site is a human using a browser as opposed to a bot. One of the ways it does this is by making the browser do a type of cryptographic math with JavaScript or other subtle checks that browsers do by default but bots have to be explicitly programmed to do. This check is invisible to the user, and most browsers since 2022 are able to complete this test. In theory, bot scrapers could pretend to be users with browsers as well, but the additional computational cost of doing so on the scale of scraping the entire internet would be huge. This way, Anubis creates a computational cost that is prohibitively expensive for AI scrapers that are hitting millions and millions of sites, but marginal for an individual user who is just using the internet like a human. Anubis is free, open source, lightweight, can be self-hosted, and can be implemented almost anywhere.

It also appears to be a pretty good solution for what we've repeatedly reported is a widespread problem across the internet, which helps explain its popularity. But Iaso is still putting a lot of work into improving it and adding features. She told me she's working on a non-cryptographic challenge so it taxes users' CPUs less, and is also thinking about a version that doesn't require JavaScript, which some privacy-minded users disable in their browsers. The biggest challenge in developing Anubis, Iaso said, is finding the balance. "The balance between figuring out how to block things without people being blocked, without affecting too many people with false positives," she said. "And also making sure that the people running the bots can't figure out what pattern they're hitting, while also letting people that are caught in the web be able to figure out what pattern they're hitting, so that they can contact the organization and get help. So that's like, you know, the standard, impossible scenario."

Read more of this story at Slashdot.
