According to technical analyses and posts on GitHub, two ad-blocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users’ social media accounts, thanks to malicious code introduced by their new owner a few weeks ago.
A few days ago, Hugo Xu, developer of the extensions Nano Adblocker and Nano Defender, said that he no longer had the time to maintain the project and had sold the rights to the versions available in Google’s Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender have approximately 300,000 installations, and that users often have both installed.
Four days ago, Raymond Hill, creator of uBlock Origin, the extension on which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code.
Hill first noticed that the updated extension checked whether the user had opened the developer console. When it was open, the extension sent a file named ‘report’ to a server at https://def.dev-nano.com/. “The extension remotely examines, in simple words, if you use the dev tools extension — as you would if you wish to find out about the extension,” he said.
The most evident change was that infected browsers automatically generated a large number of Instagram posts without any user input. Cyril Gorlla, an artificial intelligence and machine learning researcher at the University of California, San Diego, told me his browser had liked more than 200 images from an Instagram account that he did not follow.
Nano Adblocker and Nano Defender are not the only extensions reported to manipulate Instagram accounts. User Agent Switcher, an extension with more than 100,000 active users until Google removed it earlier this month, reportedly did the same.
Many Nano extension users in this forum reported that their browsers had also accessed user accounts that they had never opened on those browsers. This led to the suspicion that the updated extensions were accessing and uploading authentication cookies. Hill said he checked the added code and found that this data was indeed being uploaded.
“It means that sensitive information such as session cookies can be leaked because the added code has been able to collect request headers in real-time (by means of a WebSocket connection I suppose),” he wrote in a message. “I am not an expert in malware and I can’t come up with everything *at all* that is possible when accessing request headers in real-time, but I know that it’s really bad.”
Other users reported that sites besides Instagram were also accessed and manipulated, in some cases even when the user had not visited the site, but these claims could not be immediately verified.
Alexei, a senior staff technologist at the Electronic Frontier Foundation who works on the Privacy Badger extension, has been following the discussions and provided me with the following summary:
The gist is that the Nano extensions were updated to surreptitiously upload your browsing data in a remotely configurable way. Remotely configurable means that there was no need to update the extensions to modify the list of websites whose data would be stolen. In fact, the list of websites is unknown at this time as it was remotely configured. There are many reports of users’ Instagram accounts being affected, however.
The evidence collected so far shows that the extensions covertly upload user data and gain unauthorized access to at least one website, in breach of Google’s terms of service and possibly of applicable laws. Google has already removed the extensions from the Chrome Web Store and issued a warning that they are not safe. Anyone who has either of these extensions installed should remove it immediately.
Nano Adblocker and Nano Defender are also available in the extension stores hosted by Firefox and Microsoft Edge. Xu and others say that the versions available from those stores are not affected. One caveat is that Edge can also install extensions from the Chrome Web Store; any Edge user who installed the extensions from that source is infected and should remove them.
Because the extensions may have uploaded session cookies, anyone who was infected should at the very least log out of all sites completely. In most cases, that should invalidate the session cookies and prevent anyone from using them for unauthorized access. Truly paranoid users may also want to change their passwords, just to be safe.
The incident is the latest example of someone acquiring an established browser extension or Android app and using it to infect its large user base. It is difficult to offer practical advice for preventing this type of abuse. The Nano extensions were not a fly-by-night operation, and users had every reason to believe they were safe, until, of course, they no longer were. The best advice is to routinely check the extensions you have installed and delete anything that is no longer useful.
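One way to make that routine check concrete is to inventory the extensions in a browser profile and flag the ones whose permissions would let a hostile update do what the Nano update did: read request headers and cookies across every site. The script below is an added example, not code from the article or from the Nano or uBlock Origin projects. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json` (for example `~/.config/google-chrome/Default` on Linux) and, when run without a path, writes two constructed manifests with placeholder ids into a temporary directory so it runs offline. Note the caveat built into it: a legitimate content blocker needs `webRequest` plus broad host access to work at all, so the flag means "this extension's safety rests entirely on whoever maintains it; review it when ownership or behaviour changes", not "this is malware".

```python
import json
import sys
import tempfile
from pathlib import Path

# Permissions that let an extension read or modify traffic, cookies or page
# content. Content blockers such as uBlock Origin need several of these to
# work, so a hit means "review this one", not "this one is malicious".
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                         "tabs", "<all_urls>"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise one extension manifest (Manifest V2 or V3)."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # MV3 keeps hosts here
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    broad_host = bool(perms & BROAD_HOST_PATTERNS)
    return {
        "name": manifest.get("name", "?"),          # may be "__MSG_...__" (localised)
        "version": manifest.get("version", "?"),
        "update_url": manifest.get("update_url"),  # where updates are pulled from
        "sensitive_permissions": sensitive,
        "broad_host_access": broad_host,
        # Broad host access combined with request/cookie access is the
        # combination that let the Nano update collect headers site-wide.
        "review": broad_host and bool(sensitive),
    }


def audit_profile(profile_dir) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each."""
    ext_root = Path(profile_dir) / "Extensions"
    results = []
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        entry = audit_manifest(manifest)
        entry["id"] = manifest_path.parts[-3]  # the extension-id directory
        results.append(entry)
    return results


def build_sample_profile() -> str:
    """Write two constructed manifests into a temp profile so the script runs
    offline. The ids are placeholders, not real Chrome Web Store ids."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {   # constructed content blocker
            "manifest_version": 2, "name": "Sample Blocker", "version": "1.0.0",
            "update_url": "https://clients2.google.com/service/update2/crx",
            "permissions": ["webRequest", "webRequestBlocking", "storage", "<all_urls>"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {   # constructed note-taking tool
            "manifest_version": 3, "name": "Sample Notes", "version": "2.1",
            "update_url": "https://clients2.google.com/service/update2/crx",
            "permissions": ["storage"], "host_permissions": [],
        },
    }
    for ext_id, manifest in samples.items():
        d = Path(root) / "Extensions" / ext_id / manifest["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def main(argv) -> None:
    # Typical Chrome profile directory on Linux: ~/.config/google-chrome/Default
    profile = argv[1] if len(argv) > 1 else build_sample_profile()
    for e in audit_profile(profile):
        flag = "REVIEW" if e["review"] else "ok    "
        print(f"{flag} {e['id']} {e['name']} v{e['version']} "
              f"perms={e['sensitive_permissions']} update_url={e['update_url']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a profile path to audit a real installation; anything flagged REVIEW that you no longer use is a candidate for removal, and anything flagged that you do use is worth a glance at its store page for a recent change of maintainer.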