The use of e-commerce bots to gain a competitive advantage can be traced all the way back to eBay in the late 1990s, when tech-savvy shoppers would use automated scripts to pick off underpriced listings in the final seconds. So-called “checkout bots” remain popular for automatically grabbing up limited-quantity items as they come available, but have also found a substantial new market during the coronavirus pandemic — grabbing up hard-to-get grocery delivery time slots. Though these bots are available through Chrome extensions and are relatively simple to run, they are still likely beyond the reach of certain vulnerable populations (such as the elderly) who may be struggling to schedule needed food deliveries.
Most media coverage has been focusing on the ethics of the use of these bots to jump the queue for an essential service ahead of people who may not be aware of or able to use them. However, there is a much more concrete concern that is not yet being brought up much outside of cybersecurity circles — the use of questionable Chrome extensions by previously unknown developers, which in some cases are trusted with access to store accounts and payment information.
Checkout bots and Chrome extensions adapt to the pandemic
As the pandemic stay-at-home measures are about to stretch into a third month in many areas, grocery delivery time slots are sometimes booked up for days or even weeks in advance. This has opened up an entirely new market for checkout bots, with a number of developers adapting them to automatically hunt for and snap up delivery slots as they come available.
While it may seem to be a clever way to deal with an unavoidable consequence of sudden social shutdown, these bots are raising some ethical questions. The main issue is that they give the tech-savvy — who skew young and financially comfortable — an unfair advantage in snapping up delivery time slots over those who do not understand how to navigate things like Chrome extensions. Unfortunately, that latter group skews toward the more vulnerable members of society; older people who do not know how to navigate computers, or may even not have the resources to own one.
These bots are not limited to internal grocery store delivery systems, such as the Amazon Fresh service tied to the company’s Whole Foods grocery chain. They also scan third-party services such as Instacart and Postmates, thus potentially eating up all of the available delivery time slots in an area for extended periods of time. Certain Chrome extensions go so far as to automatically complete the checkout process for those willing to store their login and payment information.
What price for delivery time slots?
That last bit has some in the cybersecurity community very concerned. According to Roger Grimes, data driven defense evangelist at KnowBe4: “Chrome extensions are HUGE security risks. Thousands of previous extensions have been found to contain privacy issues or vulnerabilities in the past … and I’d easily bet money that some of these extensions have problems. There are two main problems with any extension or browser add-on in general. First, there is the risk that the extension itself does something intentionally unauthorized. Thousands of previous extensions have been found to violate a user’s intentions by tracking where the user goes and what the user does … Second, most extensions contain unintentional vulnerabilities, and those vulnerabilities can be exploited by others to gain access to the user’s browser. High risk apps can even access your personal files stored outside the browser. Even low risk apps can access and manipulate your browsing history and access your copied and pasted data (often passwords).”
Users who are tech-savvy enough to use browser extensions and phone apps to snag delivery time slots, but not savvy enough to do things like checking a script to see what system resources it tries to access, are at the greatest immediate risk. However, if enough of these users adopt these Chrome extensions and checkout bots as a regular feature of their shopping it could put downward pressure on even less tech-savvy users to also install these things to keep up.
Chrome extensions are a particular security problem among the major web browsers. While any browser that incorporates third-party extensions could potentially be exploited by malicious code in them, Chrome extensions have a higher rate of security incidents due to Google’s security policies. Until 2015, Chrome extensions could be freely downloaded from any website with no security review process. Google has since routed them through the Chrome Web Store for security screening purposes. Unfortunately, the screening consists of an automated process during submission that is relatively easy to game. The general state of affairs led to all paid Chrome extensions being indefinitely suspended from the Web Store in early 2020. And unlike some other browsers, Chrome does not allow users to manually approve and preview the contents of browser extension updates right out of the box; it simply grabs them automatically in the background and there is no way to disable this feature.
Bad bots are not a new phenomenon
None of this is to say that the issue with delivery time slots is limited to Chrome extensions. As one might expect for something that often has access to logins and financial information, checkout bots have been abused by threat actors for years.
As Dark Reading points out, bots are particularly difficult to police as there are many “good” types that support all sorts of regular internet functions. However, these good bots also routinely manage to trip automated security features to the point that it is nearly impossible for security professionals to keep up with whitelisting and blacklisting them all. This gives bots some additional leeway to do things that a good cybersecurity system might otherwise catch.
Nevertheless, some may feel pressured to take their chances in securing delivery time slots to order groceries if it is difficult for them to physically get to a store. Security when using Chrome extensions or bots of this nature ultimately falls to the diligence of the end user. Ido Safruti, co-founder and chief technology officer at PerimeterX, offers the following tips to those who feel that these bots or scripts may be a necessity for delivery orders during the coronavirus pandemic:
When installing browser extensions:
Check their popularity, including number of users and reviews. Any extension with only a few hundred users and few or no reviews should be considered suspicious.
Pay close attention to the permissions an extension asks for. If it requires any privileged access, such as to read or change data, or access to a broad set of sites you visit, it might be best to pass.
If you are using Chrome, consider setting up a new “identity” for unsafe browsing, which can be found under the “People” setting. This identity will not have access to the personal information tied to your main Chrome identity. You can install untrusted extensions on this identity and then be very selective about the information you provide when browsing with it.
If you don’t understand the scripting language and cannot verify the author and how trustworthy the author is, do not run the script.
If you understand the scripting language, review the script carefully and verify that it does not access file system resources or make any unneeded network calls.