Closed iam-py-test closed 2 years ago
@DandelionSprout is there other information I need to add?
Essentially, the `socket.io` entry was added after some pretty huge privacy scandals last year, where Nano Defender, Nano Adblocker, and User Agent Switcher were sold to Turkish hackers, which used `socket.io`-based scripts to turn PCs into Instagram botnets. However, and to my honestly pretty huge surprise, such attacks have died out since then.
So I need to think about what to do.
@DandelionSprout Thank you for the quick reply!
@DandelionSprout Thank you for fixing this issue.
Why does it only block `/socket.io/?` in Chromium?
Because to the best of anyone's knowledge, the extension hijackings only occurred to the extensions' Chromium versions; whereas Firefox versions were unaffected.
Ok! Thank you for answering my question and fixing this issue!
I updated the list and your fix has corrected the problem
Socket.io is a benign library, I would recommend not blocking it at all.
I did some research and it is a real-time bidirectional event-based communication (https://github.com/socketio/socket.io).
Ref:
https://www.securityweek.com/backdoor-uses-socketio-bi-directional-communication
https://socket.io/docs/v4
https://www.mywot.com/scorecard/socket.io
https://duckduckgo.com/?q=is+socket.io+library+malware&ia=web
https://www.virustotal.com/gui/domain/socket.io/detection
@DandelionSprout `/socket.io/?` also breaks https://app.nearpod.com/presentation?pin=KD72B
When I go to it, it will not update and every time I have to reload to see any changes.
It works with Antimalware disabled
Maybe it should not be blocked
@llacb47 @DandelionSprout can you reopen this issue? Unlike https://github.com/DandelionSprout/adfilt/issues/188, it disallows me from reopening it. Sorry for opening two issues at once.
I can't.
Ok! Sorry
The person who created the Nearpod ended it, so I can't get more data. Does anyone here know how to create one to test?
If you are trying to test, the problem occurred on the collaborative board
Describe the problem below this line as meticulously and detailed as possible (incl. pagelinks if any):

When visiting https://buildyourstax.com and clicking `Play alone`, the uBlock Origin logger shows `💊 Dandelion Sprout's Anti-Malware List` is blocking `https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_nLpI` because it contains `/socket.io/?`. You also can reproduce by clicking `play in group` and then clicking `create group`. I can not test the `join group` option because I do not have a game code.

I found `@@||fat-stax-production.herokuapp.com/socket.io/?EIO=*&transport=*&t=$xhr,domain=buildyourstax.com` works to fix it but was not sure why the `/socket.io/?` filter exists or if a better filter should be used to fix the problem. I have found no other issues in this repo referencing this website: https://github.com/DandelionSprout/adfilt/issues?q=buildyourstax.com

Add screenshots below if needed:
Add a screenshot of the extension's logger:
Logger output:
```
+40 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qtNV
+35 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qs92
+30 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qqwi
+25 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qpiT
+20 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qoUG
+17 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qnkk
+15 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qnFo
+14 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qn5I
+13 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qmvi
+11 ||google-analytics.com^ -- buildyourstax.com 3 xhr https://www.google-analytics.com/collect
+11 buildyourstax.com 1 xhr https://buildyourstax.com/wp-json/dev-api/v1/create-game/
+2 buildyourstax.com 1 image https://buildyourstax.com/wp-content/themes/fat-stax/app/src/assets/img/favicon.png?v=2
+2 ##.sponsor-text buildyourstax.com dom https://buildyourstax.com/
+2 ||google-analytics.com^ -- buildyourstax.com 3 xhr https://www.google-analytics.com/collect
+1 buildyourstax.com 1 font https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/00f10e28-1fd0-4072-9d62-9bf16a2a66c3.woff2
+1 buildyourstax.com 1 font https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/c78eb7af-a1c8-4892-974b-52379646fef4.woff2
+1 buildyourstax.com 1 font https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/b290e775-e0f9-4980-914b-a4c32a5e3e36.woff2
+1 buildyourstax.com 1 image https://buildyourstax.com/wp-content/themes/fat-stax/build/img/seal.8c52106.svg
+1 buildyourstax.com 1 image https://buildyourstax.com/wp-content/themes/fat-stax/build/img/currency-pattern.d86d2ca.png
+1 buildyourstax.com 1 xhr https://buildyourstax.com/wp-content/uploads/2018/10/STAX.svg
+1 buildyourstax.com 1 xhr https://buildyourstax.com/wp-content/uploads/2018/08/pig.svg
+1 /socket.io/? -- buildyourstax.com 3 xhr https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_qj_0
+1 buildyourstax.com 1 css https://buildyourstax.com/wp-content/themes/fat-stax/app/static/fonts/695245/D28566FAEC5F88645.css
+0 buildyourstax.com 3 css https://cloud.typography.com/6873852/7220392/css/fonts.css
+0 buildyourstax.com 3 css https://fast.fonts.net/t/1.css?apiType=css&projectid=069d1e9d-5a92-4f00-93ab-3a12f02506d4
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-includes/js/wp-embed.min.js?ver=4.9.17
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-content/themes/fat-stax/build/js/app.js?ver=1615577399
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-content/themes/fat-stax/build/js/vendor.js?ver=1615577399
+0 buildyourstax.com 1 script https://buildyourstax.com/wp-content/themes/fat-stax/build/js/manifest.js?ver=1615577399
+0 buildyourstax.com 1 css https://buildyourstax.com/wp-content/themes/fat-stax/build/css/app.css?ver=1615577544
+0 ##+js(no-floc) buildyourstax.com dom https://buildyourstax.com/
+0 buildyourstax.com 1 doc https://buildyourstax.com/
+0 https://buildyourstax.com/
```

Which adblocker(s) and version did you use when testing this?
Other(s): No other extensions - running in incognito with only uBlock Origin allowed.
Adblocker version(s): uBlock Origin development build v1.35.3b3
Which filterlists did you use? Failing to tell this will temporarily close the report until it has been told.
I updated the Antimalware list and can still reproduce the issue.
Can reproduce with all other filters disabled and in new browser profile with only uBlock Origin installed (Defaults + https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Dandelion%20Sprout's%20Anti-Malware%20List.txt). Problem does not occur with `💊 Dandelion Sprout's Anti-Malware List` disabled or uBlock Origin disabled on that site.

Which browser(s) and version did you use?
Google Chrome Version 90.0.4430.212 (Official Build) (64-bit)
(Optional) Which OS and version did you use?
Other(s):
OS version: Windows 10 Home 20H2
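
The false positive reported above, as an added example that is not part of the original report and not uBlock Origin's own code: a simplified filter matcher showing why the generic `/socket.io/?` substring filter blocks the polling request, and how the reporter's `@@` exception releases it only for that host, request type and page. The matcher's function names and the `chat.example.test` request are constructed for illustration, and the `^` separator is not implemented.

```javascript
// Simplified Adblock-style network filter matcher (illustrative; not uBO's engine).
// Handles substring patterns, "*" wildcards, the "||" host anchor, "@@" exceptions,
// and the "$xhr" / "domain=" options that appear in this thread.
function parseFilter(line) {
  const exception = line.startsWith('@@');
  let body = exception ? line.slice(2) : line;
  const opts = { types: [], domains: [] };
  const dollar = body.lastIndexOf('$');
  if (dollar !== -1) {
    for (const opt of body.slice(dollar + 1).split(',')) {
      if (opt.startsWith('domain=')) opts.domains = opt.slice(7).split('|');
      else opts.types.push(opt);
    }
    body = body.slice(0, dollar);
  }
  const hostAnchored = body.startsWith('||');
  if (hostAnchored) body = body.slice(2);
  // Escape regex metacharacters, then turn the filter wildcard "*" into ".*".
  const escaped = body.replace(/[.+?^${}()|[\]\\\/]/g, '\\$&').replace(/\*/g, '.*');
  const prefix = hostAnchored ? '^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?' : '';
  return { exception, opts, regex: new RegExp(prefix + escaped) };
}

function matches(f, req) {
  if (!f.regex.test(req.url)) return false;
  if (f.opts.types.length && !f.opts.types.includes(req.type)) return false;
  if (f.opts.domains.length) {
    const page = new URL(req.pageUrl).hostname;
    if (!f.opts.domains.some(d => page === d || page.endsWith('.' + d))) return false;
  }
  return true;
}

// A request is blocked when a block filter matches and no exception filter does.
function decide(filterLines, req) {
  const filters = filterLines.map(parseFilter);
  if (!filters.some(f => !f.exception && matches(f, req))) return 'allow';
  return filters.some(f => f.exception && matches(f, req)) ? 'allow (exception)' : 'block';
}

const GENERIC = '/socket.io/?';
const EXCEPTION = '@@||fat-stax-production.herokuapp.com/socket.io/?EIO=*&transport=*&t=$xhr,domain=buildyourstax.com';
// Request taken from the report's logger output.
const staxPoll = { url: 'https://fat-stax-production.herokuapp.com/socket.io/?EIO=3&transport=polling&t=Nb_nLpI',
                   type: 'xhr', pageUrl: 'https://buildyourstax.com/' };
// Constructed request: same endpoint shape on an unrelated host and page.
const otherPoll = { url: 'https://chat.example.test/socket.io/?EIO=3&transport=polling&t=abc',
                    type: 'xhr', pageUrl: 'https://example.test/' };

console.log(decide([GENERIC], staxPoll), '|', decide([GENERIC, EXCEPTION], staxPoll),
            '|', decide([GENERIC, EXCEPTION], otherPoll));
```

The scoped exception leaves the generic filter in force everywhere else, which is the trade-off the thread is weighing against dropping `/socket.io/?` entirely.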