Adblockers Installed 300,000 Times Are Malicious and Should Be Removed Now (arstechnica.com) 33
An anonymous reader quotes a report from Ars Technica: Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users' social media accounts thanks to malware its new owner introduced a few weeks ago, according to technical analyses and posts on GitHub. Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google's Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which often are installed together, have about 300,000 installations total.
Four days ago, Raymond Hill, maker of the uBlock Origin extension upon which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code. The first thing Hill noticed the new extension doing was checking if the user had opened the developer console. If it was opened, the extension sent a file titled "report" to a server at https://def.dev-nano.com/. "In simple words, the extension remotely checks whether you are using the extension dev tools -- which is what you would do if you wanted to find out what the extension is doing," he wrote. The most obvious change end users noticed was that infected browsers were automatically issuing likes for large numbers of Instagram posts, with no input from users. Cyril Gorlla, an artificial intelligence and machine learning researcher at the University of California in San Diego, told me that his browser liked more than 200 images from an Instagram account that didn't follow anyone. The screenshot to the right shows some of the photos involved.
Doing it wrong (Score:3)
> If it was opened, the extension sent a file titled "report" to a server at https://def.dev-nano.com/ [dev-nano.com].
These guys suck at malware. When you know an analyst is watching the malware is supposed to ... do nothing. Don't intentionally do suspicious shit when you know the good guys are looking.
Re: (Score:2)
Re:Doing it wrong (Score:5, Insightful)
Re: (Score:2)
Besides that, spyware is a subset of malware.
Ironically ... (Score:2)
I can't browse that URL because it's blocked by uMatrix. :-)
[ I have both uMatrix and uBlock Origin installed in Firefox. ]
Re: (Score:2)
unlock origin continues ok? (Score:2)
If the 'new devs' were legit (Score:5, Insightful)
They could have forked the open source code. They wanted to buy the users.
Re: (Score:2)
I know, Slashdot isn't legit either. I mean Bizx could also have forked the code but instead bought the site from Dice.
No legitimate entity would ever pay money for established IP right?
Too good (Score:1)
In situations like this, I am immediately reminded of the sage response [youtube.com] by M. Laughington Baggus.
He is truly a voice of our times.
Extensions should not be allowed to send data (Score:2)
Re: (Score:2)
how is an ad blocker supposed to know what is and isn't an Ad, if it doesn't send a GET request to download filters?
Filters should be part of the extension. Less convenient as it relies on extension updates, but way safer.
Re: (Score:2)
Re:Extensions should not be allowed to send data (Score:5, Interesting)
That limits configurability dramatically. If I want to block malware, but not simple ads, now I need to fork the extension. If you want to block third-party tracking ads, but don't mind ad elements served as part of the page itself, from the same host, but someone else wants them all blocked, that's another fork. It gets crazy. uBlock Origin ships with 33 different "generic" block lists, plus another 34 lists specific to certain languages and locales, and you're allowed to customize the set however you like. And it lets you add custom additional sources on top of that. Even ignoring the region/language specific lists, if you had to have the filters baked into the extension, that would make custom list sources impossible, and require a few billion forks of the extension for every possible combination of filter list.
And of course, once you've done all that, you've still got an extension that, for legitimate reasons, needs to be able to arbitrarily modify the HTML of the page (assuming you want to allow it to remove ads on an element-by-element basis, not just block network connections from the page). For all practical purposes, this lets it communicate with whatever it likes by injecting a combination of frames and scripts. Locking it down to the level of safety you want would leave you with a crippled version of what the extension provides as is.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
*One* adblocker (Score:5, Informative)
*One* adblocker, which has been installed 300,000 times, is malicious. Not all adblockers that have been installed 300,000 times are necessarily malicious.
(Yes yes, I know, the editors here can't be expected to actually make a comprehensible title.)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Actually... "Adblockers Installed 300,000 Times Are Malicious and Should Be Removed Now" --> if your adblocker has been installed 299,999 times or 300,001 times, then you're safe! Don't worry! Also like me on instagram please :3
Re: (Score:2)
Damn, and there I thought we finally had an easy to check parameter to determine maliciousness!
Is uBlock Origin safe or not? (Score:1)
Re: (Score:1)
Re: (Score:2)
uBlock Origin is the original extension, and this one was a fork with some tweaks.
Re: (Score:1)
So... (Score:1)
What about discussing which adblockers are to be trusted, and then I mean both as in capable of disabling ads and the owner/developers are trustworthy?
Also: Facebook ads. Please have mercy, Lolth, for I have not deserved this! =,-(
Re: (Score:1)
Re: (Score:2)