DandelionSprout / adfilt

The place where I, DandelionSprout, store my web filter lists for countless topics, including my Nordic adblock list. As simple as that, really.

Antimalware list breaks buildyourstax.com games #185

Closed iam-py-test closed 2 years ago

iam-py-test commented 3 years ago

Describe the problem below this line as meticulously and detailed as possible (incl. pagelinks if any):

When visiting https://buildyourstax.com and clicking Play alone, the uBlock Origin logger shows 💊 Dandelion Sprout's Anti-Malware List is blocking https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_nLpI because it contains /socket.io/?

You also can reproduce by clicking play in group and then clicking create group. I can not test the join group option because I do not have a game code.

I found @@||fat-stax-production.herokuapp.com/socket.io/?EIO=*&transport=*&t=$xhr,domain=buildyourstax.com works to fix it but was not sure why the /socket.io/? filter exists or if a better filter should be used to fix the problem. I have found no other issues in this repo referencing this website: https://github.com/DandelionSprout/adfilt/issues?q=buildyourstax.com

Logger output:

```
+40 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qtNV
+35 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qs92
+30 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qqwi
+25 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qpiT
+20 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qoUG
+17 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qnkk
+15 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qnFo
+14 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qn5I
+13 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qmvi
+11 ||google-analytics.com^ -- buildyourstax.com 3 xhr https://www.google-analytics.com/collect
+11 buildyourstax.com 1 xhr https://buildyourstax.com/wp-json/dev-api/v1/create-game/
+2 buildyourstax.com 1 image https://buildyourstax.com/wp-content/themes/fat-stax/app/src/assets/img/favicon.png?v=2
+2 ##.sponsor-text buildyourstax.com dom https://buildyourstax.com/
+2 ||google-analytics.com^ -- buildyourstax.com 3 xhr https://www.google-analytics.com/collect
+1 buildyourstax.com 1 font https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/00f10e28-1fd0-4072-9d62-9bf16a2a66c3.woff2
+1 buildyourstax.com 1 font https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/c78eb7af-a1c8-4892-974b-52379646fef4.woff2
+1 buildyourstax.com 1 font https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/b290e775-e0f9-4980-914b-a4c32a5e3e36.woff2
+1 buildyourstax.com 1 image https://buildyourstax.com/wp-content/themes/fat-stax/build/img/seal.8c52106.svg
+1 buildyourstax.com 1 image https://buildyourstax.com/wp-content/themes/fat-stax/build/img/currency-pattern.d86d2ca.png
+1 buildyourstax.com 1 xhr https://buildyourstax.com/wp-content/uploads/2018/10/STAX.svg
+1 buildyourstax.com 1 xhr https://buildyourstax.com/wp-content/uploads/2018/08/pig.svg
+1 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qj_0
+1 buildyourstax.com 1 css https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/695245/D28566FAEC5F88645.css
+0 buildyourstax.com 3 css https://cloud.typography.com/6873852/7220392/css/fonts.css
+0 buildyourstax.com 3 css https://fast.fonts.net/t/1.css?apiType=css&projectid=069d1e9d-5a92-4f00-93ab-3a12f02506d4
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-includes/js/wp-embed.min.js?ver=4.9.17
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-content/themes/fat-stax/build/js/app.js?ver=1615577399
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-content/themes/fat-stax/build/js/vendor.js?ver=1615577399
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-content/themes/fat-stax/build/js/manifest.js?ver=1615577399
+0 buildyourstax.com 1 css https://buildyourstax.com/wp-content/themes/fat-stax/build/css/app.css?ver=1615577544
+0 ##+js(no-floc) buildyourstax.com dom https://buildyourstax.com/
+0 buildyourstax.com 1 doc https://buildyourstax.com/
+0 https://buildyourstax.com/
```

Which adblocker(s) and version did you use when testing this?

Other(s): No other extensions - running in incognito with only uBlock Origin allowed. Adblocker version(s): uBlock Origin development build v1.35.3b3

Which filterlists did you use? Failing to tell this will temporarily close the report until it has been told.

[screenshots of the enabled filter lists omitted]

I updated the Antimalware list and can still reproduce the issue.

Can reproduce with all other filters disabled and in a new browser profile with only uBlock Origin installed (defaults + https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Dandelion%20Sprout's%20Anti-Malware%20List.txt). The problem does not occur with 💊 Dandelion Sprout's Anti-Malware List disabled, or with uBlock Origin disabled on that site.

Which browser(s) and version did you use?

Google Chrome Version 90.0.4430.212 (Official Build) (64-bit)

(Optional) Which OS and version did you use?

Other(s):

OS version: Windows 10 Home 20H2
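To make the interaction between the generic `/socket.io/?` entry and the proposed `@@...$xhr,domain=buildyourstax.com` exception concrete, here is an added example (not code from the adfilt repository or from uBlock Origin): a reduced ABP/uBO-style matcher that covers only the syntax appearing in this issue (plain substring patterns, `||` host anchors, `^` separators, `*` wildcards, `@@` exceptions, and the `$xhr` and `$domain=` options), run over request lines reconstructed from the logger above. Anything beyond that subset, such as `~` negation in `$domain=`, is out of scope and assumed absent.

```python
import re

# Added example, not from the adfilt list or uBlock Origin: a reduced
# ABP/uBO-style matcher for the filter syntax that appears in this issue.

REQUEST_TYPES = {"xhr", "script", "image", "font", "css", "doc"}


def pattern_to_regex(pattern):
    """Translate the ABP pattern language (subset) into a Python regex."""
    regex = ""
    if pattern.startswith("||"):
        # host anchor: scheme, then any subdomain chain, then the host itself
        regex += r"^[a-z][a-z0-9+.-]*://(?:[^/?#]+\.)?"
        pattern = pattern[2:]
    elif pattern.startswith("|"):
        regex += "^"
        pattern = pattern[1:]
    end_anchor = pattern.endswith("|")
    if end_anchor:
        pattern = pattern[:-1]
    for ch in pattern:
        if ch == "*":
            regex += ".*"
        elif ch == "^":
            # separator: any character that is not a letter, digit, or _ - . %
            regex += r"(?:[^\w\-.%]|$)"
        else:
            regex += re.escape(ch)  # '?' and '.' are literal in filter syntax
    if end_anchor:
        regex += "$"
    return re.compile(regex, re.IGNORECASE)


def parse_filter(line):
    """Split a filter line into exception flag, pattern regex and $options."""
    exception = line.startswith("@@")
    body = line[2:] if exception else line
    pattern, _, opts = body.partition("$")
    options = {}
    if opts:
        for opt in opts.split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True
    return {"raw": line, "exception": exception,
            "regex": pattern_to_regex(pattern), "options": options}


def options_match(options, request):
    """Check $type and positive $domain= options against a request."""
    for key, value in options.items():
        if key == "domain":
            allowed = value.split("|")
            origin = request["origin"]
            if not any(origin == d or origin.endswith("." + d) for d in allowed):
                return False
        elif key in REQUEST_TYPES:
            if request["type"] != key:
                return False
        else:
            raise ValueError(f"unsupported option {key!r} in this reduced matcher")
    return True


def decide(filters, request):
    """Return ('block', rule) or ('allow', rule_or_None); an exception always wins."""
    blocking_rule = None
    for f in filters:
        if not options_match(f["options"], request):
            continue
        if not f["regex"].search(request["url"]):
            continue
        if f["exception"]:
            return ("allow", f["raw"])
        blocking_rule = blocking_rule or f["raw"]
    return ("block", blocking_rule) if blocking_rule else ("allow", None)


# Rules quoted in the issue: the Anti-Malware entry, the GA block seen in the
# logger, and the exception iam-py-test proposed.
LIST_RULES = ["/socket.io/?", "||google-analytics.com^"]
PROPOSED_EXCEPTION = ("@@||fat-stax-production.herokuapp.com/socket.io/?"
                      "EIO=*&transport=*&t=$xhr,domain=buildyourstax.com")

# Requests reconstructed from the logger output (type and origin as logged).
SOCKET_IO_REQ = {"url": "https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qtNV",
                 "type": "xhr", "origin": "buildyourstax.com"}
GA_REQ = {"url": "https://www.google-analytics.com/collect", "type": "xhr", "origin": "buildyourstax.com"}
SVG_REQ = {"url": "https://buildyourstax.com/wp-content/uploads/2018/10/STAX.svg",
           "type": "xhr", "origin": "buildyourstax.com"}


def evaluate(with_exception):
    """Decide each sample request with the list alone or with the exception added."""
    rules = LIST_RULES + ([PROPOSED_EXCEPTION] if with_exception else [])
    filters = [parse_filter(r) for r in rules]
    samples = [("socket_io", SOCKET_IO_REQ), ("ga", GA_REQ), ("svg", SVG_REQ)]
    return {name: decide(filters, req) for name, req in samples}


if __name__ == "__main__":
    print("list only:     ", evaluate(False))
    print("with exception:", evaluate(True))
```

The exception only lifts the block for `xhr` requests whose page origin is `buildyourstax.com`; the same socket.io URL loaded from another site still hits `/socket.io/?`, which is why a per-site exception is narrower than removing the entry. Scoping a rule to one browser engine, as the list maintainer later did for Chromium, is a separate mechanism: uBlock Origin offers `!#if env_chromium` / `!#endif` preprocessor directives for that, though the thread does not say which mechanism the list actually uses.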

iam-py-test commented 2 years ago

@DandelionSprout is there other information I need to add?

DandelionSprout commented 2 years ago

Essentially, the socket.io entry was added after some pretty huge privacy scandals last year, where Nano Defender, Nano Adblocker, and User Agent Switcher were sold to Turkish hackers, who used socket.io-based scripts to turn PCs into Instagram botnets. However, and to my honestly pretty huge surprise, such attacks have died out since then.

So I need to think about what to do.

iam-py-test commented 2 years ago

@DandelionSprout Thank you for the quick reply!

iam-py-test commented 2 years ago

@DandelionSprout Thank you for fixing this issue. Why does it only block /socket.io/? in Chromium?

DandelionSprout commented 2 years ago

Because, to the best of anyone's knowledge, the extension hijackings only occurred in the extensions' Chromium versions, whereas the Firefox versions were unaffected.

iam-py-test commented 2 years ago

Ok! Thank you for answering my question and fixing this issue!

iam-py-test commented 2 years ago

> Essentially, the socket.io entry was added after some pretty huge privacy scandals last year, where Nano Defender, Nano Adblocker, and User Agent Switcher were sold to Turkish hackers, who used socket.io-based scripts to turn PCs into Instagram botnets. However, and to my honestly pretty huge surprise, such attacks have died out since then.
>
> So I need to think about what to do.

I updated the list and your fix has corrected the problem.

liamengland1 commented 2 years ago

Socket.io is a benign library, I would recommend not blocking it at all.

iam-py-test commented 2 years ago

> Socket.io is a benign library, I would recommend not blocking it at all.

I did some research and it is a real-time, bidirectional, event-based communication library (https://github.com/socketio/socket.io). Ref: https://www.securityweek.com/backdoor-uses-socketio-bi-directional-communication https://socket.io/docs/v4 https://www.mywot.com/scorecard/socket.io https://duckduckgo.com/?q=is+socket.io+library+malware&ia=web https://www.virustotal.com/gui/domain/socket.io/detection

iam-py-test commented 2 years ago

@DandelionSprout /socket.io/? also breaks https://app.nearpod.com/presentation?pin=KD72B. When I go to it, it will not update, and every time I have to reload to see any changes.

iam-py-test commented 2 years ago

It works with Antimalware disabled.

iam-py-test commented 2 years ago

> Socket.io is a benign library, I would recommend not blocking it at all.

Maybe it should not be blocked.

iam-py-test commented 2 years ago

@llacb47 @DandelionSprout can you reopen this issue? Unlike https://github.com/DandelionSprout/adfilt/issues/188, it disallows me from reopening it. Sorry for opening two issues at once.

liamengland1 commented 2 years ago

I can't.

iam-py-test commented 2 years ago

> I can't.

Ok! Sorry.

iam-py-test commented 2 years ago

The person who created the Nearpod ended it, so I can't get more data. Does anyone here know how to create one to test?

If you are trying to test, the problem occurred on the collaborative board.