If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality. Request access to the narrowest permissions necessary to implement your Product’s features or services. There is also a Chrome Web Store policy on extension permissions: What they do is make it harder for people to find proper products that solve their problem. Well, 13 almost identical video downloaders, 9 almost identical volume boosters, 9 almost identical translation extensions, 5 almost identical screen recorders are definitely not providing value. Extensions should provide value to users through the creation of unique content or services. We don’t allow any developer, related developer accounts, or their affiliates to submit multiple extensions that provide duplicate experiences or functionality on the Chrome Web Store. Typically, these extensions violate at least two Chrome Web Store policies. These extensions are accumulating users with the purpose of monetizing them, likely via similarly dubious means. What are the other extensions up to? Four outright malicious extensions leave 105 extensions without obvious malicious functionality. Yet the extension is still available in the Chrome Web Store. For example, this two-year-old review names the problem quite explicitly: But one doesn’t have to go that far, the reviews for The Great Suspender in the Chrome Web Store are full of user complaints. For example, this Reddit thread identified The Great Suspender as the culprit two years ago.
There is also some special code for that will replace the aid parameter with a random affiliate out of a given list. All the redirects happen via the domains prj11com, prj12com, prj13com, prj14com, prj15com. If a match is found (and a number of other conditions met), you will be redirected to where is the digit in the pr key and the second value in the array stored under the r key. So p is what this code looks for in a website address. Let’s replace it by the strings it refers to: Looks fine? Well, the next download after a few hours will produce the real result: Difficult to read? That’s probably because the p key of these objects is actually a position referring to a long encoded string. Its entire ad blocking functionality essentially consists of 33 hardcoded rules and a tiny YouTube content script. But wait, there is some functionality to update the rules! Except: why would someone put rule updates into a tabs.onUpdated listener? This is the code running whenever a tab finishes loading (simplified): When I opened it up, this turned out to be the laziest ad blocker I’ve ever seen. There might be more, but I didn’t have time to thoroughly review more than a hundred browser extensions. The companies developing these extensions. Altogether, I found malicious functionality in four browser extensions. The webRequest/declarativeNetRequest permission. The Great Suspender and Flash Video Downloader. If you aren’t interested in the technical details, you should probably go straight to the list of affected extensions. All of these extensions are clearly meant for dubious monetization. The names are often confusingly similar to established products. While most of these extensions didn’t seem to contain malicious code (yet?), almost all of them requested excessive privileges under false pretenses. I kept finding similar extensions until I had a list of 109 extensions, installed by more than 62 million users in total.
In reality, it turned out to be obfuscated malicious logic meant to perform affiliate fraud. Supposedly, it was buggy locale processing. When I looked into this extension, I immediately discovered a strange code block. That, and the permissions: why does a translator extension need webRequest and webRequestBlocking permissions? When looking for more PCVARK extensions, I stumbled upon an inconspicuous extension called “Translator - Select to Translate.” The only unusual thing about it was its reviews: lots of raving positive reviews mixed with usability complaints. We’ve also seen PCVARK’s malicious ad blockers. We’ve already seen Chrome extensions containing obfuscated malicious code.