Jun 26, 2023

Troubleshooting a Browser Extension Problem

This blog describes a troubleshooting case where a user complained a new browser add-in broke their mouse. The blog outlines the steps taken to resolve the issue.

COMPUTERS TECHNOLOGY

📺Out Of Context SwiftOnSecurity📺😵‍💫

computer security person at a place. former helpdesk. they/them/tay. Microsoft MVP, Client Security @SwiftOnSecurity@infosec.exchange

Member of Infosec & Cybersecurity

Troubleshooting walkthrough:

Tonight I need to write a narrative of a case where a user complained a new browser add-in broke their mouse. This got escalated to me as the final tier.

I'm going to lay it out here first, because saying I'm working while laying in bed sounds cool.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
User calls Helpdesk. They can't cut and paste anymore. They notice a new browser extension, deployed via corporate policy as expected in a new push.

Helpdesk can't disable the extension. Worse, using the options in the extension doesn't help! Well work is done, escalate case!
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
Next level of support gets case. Sees user cannot copy and paste. It's due to a browser plug-in that can't be disabled.
Escalate case!
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
Next level of client engineering gets case.
Sees user cannot copy and paste due to a browser extension security asked them to deploy.
Escalate case! To me in Security.

Of course, I want to see what's happening. I call the user. They repeat story on browser extension I deployed.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
Okay, share screen in Teams. Show me.

They open a browser tab, mentioning how old the app is. Copy string. Go to second tab. Go to other old system. Also story about how ancient it is. Tries to paste. Doesn't work.

Worse, some window about clipboard pops up. That's weird. Hm. pic.twitter.com/NTFVU1jJEz
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
I go ahead and disable the adblocking extension on both websites and have the user re-attempt. Still no luck.

I go into browser private mode, which completely unloads the extensions period.

User says it still doesn't work. Well damn. My job is done. It's not my fault.

But.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
I ask them to show me more of their job workflow. They tell me how they haven't been able to do these steps for days.

They show how they can't copy and paste in Word either. Hey wait, a pure Chromium extension cannot touch outside its sandbox. This is something else. What???
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
I try the same exact thing as the user via remote control to their PC. The broken one.

IT WORKS.

What does this tell me? Somewhere in the human interface device stack, inputs are not being either sent or received as expected. My key injection via Teams is seemingly unimpaired.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
So I start asking user. Tell me EXACTLY what you're doing to copy and paste. When I do it, it works.

They mention their "rollermouse."

Now, this is where my background in Helpdesk is infinity useful.

I know what a rollermouse is.

And I probably know what the problem is.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
I helped a user with one in my first years in IT.

For people with disabilities but partial hand use, a RollerMouse allows traversing the mouse by fingertip up and down left and right. There are also programmable hot keys.

Defaulting to copy and paste.https://t.co/Bh5rK4Zc10 pic.twitter.com/AXhJQ18ZQW
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
This menu is not a Chrome extension. It is the Windows 10 clipboard history interface.

And it only appears when you hit Windows Key + V.

For some reason, the device was no longer injecting Ctrl+V. It was sending Win+V. To paste.

Holy shit. Now how do I fix it. pic.twitter.com/GSlOlvt3Mj
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
This device was provided by IT. I do not blame this user remotely in any way. They probably told previous IT people!. They were speaking in plain correct language. A 30-year vet to the company, a huge resource.

Let me tell you more. I am great at automation and remote support.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
I architected IT in a call center where I never left my desk except to press a few keys to start a computer reimage that would automatically clone all their data after login 40 minutes later.

And I still found excuses to just go _sit_ with people. When I really didn't need to.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
Sitting with people and their compatriots in the unguarded casual exercise of their jobs is an immense resource.

The bottleneck in support is bandwidth of information. And remote means you have ONLY what they think is important, unless you know exactly what to press for.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
So I won. I know for a fact this isn't my fault. My sin is I tried to change the environment for the better, people laid into that for an explanation of anomaly.

But the real win is going to be to fix it.

I ask, user says there's no software. IT gave it, they plugged it in. Hm.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
I don't really _know_ why behavior of the device changed. This can be super important. But I judged a single user anomaly with a pathway to full resolution not worth that depth.

I install the driver. It includes hotkey customization.

I put in Ctrl+V.

The user blesses my skill.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
If you are someone who takes this depth of issue ownership for people, please know you are no lesser than anybody that drops "F500."

I work with people. In systems of people. Just people. They're fine.

But if you care, if you dive into this stuff, you are exceptional. Truly.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 26, 2023
And the larger a system of people, the more negative incentives accumulate, and the narrowing of responsibility proliferates.

I am in the final tier. I have unlimited altitude and resources. I will sit there and talk until it's done.

My documenting this is to extend that grace.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 27, 2023
Now I got to go write this in SharePoint. Fuck.
— 📺Out Of Context SwiftOnSecurity📺😵‍💫 (@SwiftOnSecurity) June 27, 2023