Ancestors

Written by Yellow Flag on 2025-01-20 at 13:45

Published a new article: Malicious extensions circumvent Google’s remote code ban

https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/

Looking at 60 malicious extensions belonging to three groups here, still running remote code despite Google banning it in Manifest V3. “Fun” fact: some of these extensions have been featured on my blog in 2023, others on McAfee’s in 2022.

Recurring pattern: downloading rules and adding them to declarativeNetRequest API. The abuse potential here is enormous, including injecting malicious scripts into websites.

Only one extension went for essentially a custom programming language, others settled with simpler approaches. Luckily for me because the latter allows better guesses about what this functionality is meant for. Spoiler: ads and affiliate fraud. Also: affiliate fraud and ads.

=> More informations about this toot | More toots from WPalant@infosec.exchange

Written by Buttered Jorts on 2025-01-20 at 14:37

@WPalant you can bet if something like uBlock Origin did that Google would be all over it.

=> More informations about this toot | More toots from ajn142@infosec.exchange

Toot

Written by Yellow Flag on 2025-01-20 at 15:07

@ajn142 Why do you think that? There are plenty of malicious ad blockers on my list. I somewhat suspect that Google is quite happy about the ad blockers in CWS being rather shady and low quality on average.

Obviously, no legitimate ad blocker should do that, but that’s a different question.

=> More informations about this toot | More toots from WPalant@infosec.exchange

Descendants

Written by Buttered Jorts on 2025-01-20 at 15:51

@WPalant my opinion is that Google would care more about “contempt of business model” more than, y’know, actual crimes. I should have been clearer, I didn’t mean that if uBlock Origin were doing malicious stuff Google wouldn’t care, but that if they were finding a way to work around Manifest V3 to continue delivering superior ad-blocking that Google would be on them like white on a polar bear in a snowstorm.

=> More informations about this toot | More toots from ajn142@infosec.exchange

Written by Yellow Flag on 2025-01-20 at 15:53

@ajn142 Ah, that’s probably true. They kicked out Adblock Plus from Play Store because I found a way to do somewhat decent ad blocking on Android – which it isn’t meant for.

=> More informations about this toot | More toots from WPalant@infosec.exchange

Written by Buttered Jorts on 2025-01-20 at 15:59

@WPalant I also didn’t realize you were the Adblock Plus guy 🤣

=> More informations about this toot | More toots from ajn142@infosec.exchange