Adblocking extensions with more than 300,000 active users are collecting user browsing data and hacking users’ social media accounts thanks to malware that the new owner revealed a few weeks ago, according to analysis technology and posts on Github.
Cyril Gorla
Hugo Xu, developer of Nano Adblocker and Nano Defender extensions, said 17 days ago that he does not have time to maintain the project and has sold the rights to the features in Google’s Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which are often installed together, have a total of 300,000 installs.
Four days ago, Raymond Hill, the creator of the uBlock Origin extension on which Nano Adblocker is based, revealed that the developers have rolled out updates of add malicious code.
The first thing Hill noticed the new extension was doing was checking if the user had opened the developer console. If you open it, the extension sends a file titled “Report” to the server. want to find out what extension is doing,” he wrote.
The most obvious end users notice is that infected browsers automatically give likes for large numbers of Instagram posts, without input from users. Cyril Gorlla, an artificial intelligence and machine learning researcher at the University of California at San Diego, told me that his browser liked more than 200 images from an Instagram account that he doesn’t follow anyone. The screenshot to the right shows some of the photos involved.
Nano Adblocker and Nano Defender are not the only extensions that have been reported to damage Instagram accounts. User Representative Switcher, an extension that had more than 100,000 active users until Google removed it earlier this month is reported to have do the same thing.
There are many Nano extension users this forum reported that their infected browsers were also accessing user accounts that did not exist in their browsers. This has led to the observation that updated extensions are accessing authentication cookies and using them to gain access to user accounts. Hill said he reviewed some of the added code and found it was collecting data.
“Since the added code is able to receive request headers in real time (via a websocket connection I guess), this means sensitive information such as session cookies may be leaked,” he wrote in a message. “I’m not a malware expert so I can’t come up with *all* possible when you have real-time access to query headers, but I agree it’s really bad.”
Other users reported that sites other than Instagram are still accessing and matching, in some cases, even when the user is not logged in to the site, but these claims cannot be immediately verified.
Alexei, a senior engineer at Frontier Electronics who worked on the Secret Badger Extension, had been following the discussions and gave me the following quote:
The important thing is that Nano extensions have been updated to transmit navigation data anonymously in a remote configuration. Remote configuration means that there is no need to update extensions to modify the list of websites whose data will be stolen. In fact, the list of websites is unknown at this time as it is configured remotely. There are many reports of affected users’ Instagram accounts, however.
Evidence gathered to date shows that the extensions are collecting user data securely and gaining unauthorized access to at least one website, in violation of Google’s terms of service and possibly applicable laws. Google has already removed extensions from the Chrome Web Store and issued a warning that they are unsafe. Anyone who has either of these extensions installed should remove them from their devices immediately.
Nano Adblocker and Nano Defender are available in the extension stores hosted by both Firefox and Microsoft Edge. Xu and others say neither of the extensions in the other locations had any effect. The warning is that Edge can install extensions from the Chrome Web Store. Any Edge users who use this source are infected and should remove the extensions.
The possibility that the extensions may have uploaded session cookies means that anyone who is infected should log out at least in all settings. In most cases this should invalidate session cookies and prevent anyone from using them to gain unauthorized access. Actually paranoid users will want to change passwords just to be on the safe side.
The incident is the latest example of someone taking an established browser extension or Android app and using it to infect a large user base that already has it installed. It is difficult to provide effective advice for preventing this type of abuse. Nano extensions are not some fly-by-night operation. Users have every reason to believe they are safe until, of course, that is not the case. The best advice is to regularly review the extensions installed. Any that are no longer in use should be removed.