SamJUK / chromeextensions-knockoutjs-malware

Compare changes between the latest 3 versions of the KnockoutJS debugger extension, which was removed from the Chrome Web Store for malware.

What malware? #1

Open RaptorCZ opened 8 months ago

RaptorCZ commented 8 months ago

I'm looking for info on what malware is included in the latest release. Yes, you can compare the sources, but what malware is there?

SamJUK commented 8 months ago

I haven't had time to look into this in more depth yet. But from a cursory look over the changes, the manifest update looks to have some interesting characteristics, especially the content scripts on the LinkedIn, Facebook and Twitter domains, alongside permissions for storage & declarativeNetRequest.

index.ts.7c64ed84.js looks like it adds auto-sharing functionality for LinkedIn, which could potentially explain the malware flag, or could be a distraction away from the rest of the minified code.
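Added example, not part of the thread or of the extension's code: a small Node script that diffs two extension manifests and flags newly granted capabilities, the kind of check behind the observation above. The two manifests are constructed stand-ins (file names, match patterns and the old manifest's shape are assumptions), not the extension's real manifests; the new one only reproduces the additions named in the comment.

```javascript
// Added example (not from the repository): diff two Chrome extension manifests
// and flag newly granted capabilities. Manifests are constructed for illustration.

// API permissions worth a second look when they appear in an update.
const SENSITIVE_PERMISSIONS = new Set([
  'declarativeNetRequest', 'declarativeNetRequestWithHostAccess', 'webRequest',
  'webRequestBlocking', 'cookies', 'history', 'tabs', 'scripting', 'storage',
  'nativeMessaging', 'debugger', 'management', 'proxy', 'clipboardRead',
]);

// MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

// Normalise either manifest version into comparable sets of capabilities.
function capabilities(manifest) {
  const perms = manifest.permissions || [];
  const hosts = new Set([...perms.filter(isHostPattern), ...(manifest.host_permissions || [])]);
  const apiPerms = new Set(perms.filter((p) => !isHostPattern(p)));
  const contentScripts = new Set();
  for (const cs of manifest.content_scripts || []) {
    for (const match of cs.matches || []) {
      for (const js of cs.js || []) contentScripts.add(`${match} -> ${js}`);
    }
  }
  return { apiPerms, hosts, contentScripts };
}

const added = (before, after) => [...after].filter((x) => !before.has(x)).sort();

// Returns what the new manifest can do that the old one could not, plus findings.
function diffManifests(oldManifest, newManifest) {
  const a = capabilities(oldManifest);
  const b = capabilities(newManifest);
  const result = {
    addedPermissions: added(a.apiPerms, b.apiPerms),
    addedHosts: added(a.hosts, b.hosts),
    addedContentScripts: added(a.contentScripts, b.contentScripts),
    findings: [],
  };
  for (const p of result.addedPermissions) {
    if (SENSITIVE_PERMISSIONS.has(p)) result.findings.push(`new sensitive permission: ${p}`);
  }
  for (const h of result.addedHosts) result.findings.push(`new host access: ${h}`);
  // A script injected into sites unrelated to the extension's stated purpose
  // (a KnockoutJS debugger) deserves a manual read of that script.
  for (const cs of result.addedContentScripts) result.findings.push(`new content script: ${cs}`);
  return result;
}

// Constructed stand-ins: a generic debugger manifest, and one with the additions
// described in the thread (storage, declarativeNetRequest, social-site scripts).
const OLD_MANIFEST = {
  manifest_version: 2, name: 'KnockoutJS debugger (constructed)', version: '2.6.6',
  permissions: ['http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
};
const NEW_MANIFEST = {
  manifest_version: 2, name: 'KnockoutJS debugger (constructed)',
  permissions: ['http://*/*', 'https://*/*', 'storage', 'declarativeNetRequest'],
  content_scripts: [
    { matches: ['http://*/*', 'https://*/*'], js: ['content.js'] },
    { matches: ['https://www.linkedin.com/*', 'https://www.facebook.com/*', 'https://twitter.com/*'],
      js: ['index.ts.7c64ed84.js'] },
  ],
};

console.log(diffManifests(OLD_MANIFEST, NEW_MANIFEST).findings.join('\n'));
```

Point it at the two manifest.json files from unpacked versions (JSON.parse the files in place of the constructed objects) and read every script named in the findings before trusting an update.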

RaptorCZ commented 8 months ago

Yes, but this is something found in many other extensions: auto-enabled rights to post to social pages and advertise the extension. But IMHO this is not malware. Maybe there is something inside the JavaScript code; I haven't found anything.

SamJUK commented 8 months ago

Yup, it is common functionality, but I would say this implementation is not best practice, since we can use share dialogs/links instead, where you can just redirect the user to an HTTP address that will prefill the share dialog with your preconfigured data, without needing JS access to the pages, and it gives the user an option to review the shared content before posting. FB docs on this: https://developers.facebook.com/docs/sharing/reference/share-dialog

While the code may or may not have malicious code in it now, the permissions have already been accepted, so a future automatic update (intended, or via a hijacked extension) could decide to POST local storage data / personal data to a remote source. This is a fairly common tactic, as people tend to review an extension on install or permission change, but not on regular updates.
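Added example, not part of the thread or of the extension's code: the share-link approach described above, as extension-side JavaScript. It builds the networks' own share/intent URLs (Facebook's Share Dialog from the linked docs when an app_id is supplied, otherwise the sharer endpoint; Twitter's tweet intent; LinkedIn's share-offsite endpoint) and opens them in a new tab, so the extension needs no content script or host permission on those sites and the user reviews the post in the site's own dialog. The function and parameter names are this example's own.

```javascript
// Added example (not the extension's code): share via the networks' own share
// URLs instead of injecting a content script into their pages.

const SHARE_ENDPOINTS = {
  facebook: 'https://www.facebook.com/sharer/sharer.php',
  facebookDialog: 'https://www.facebook.com/dialog/share', // needs an app_id
  twitter: 'https://twitter.com/intent/tweet',
  linkedin: 'https://www.linkedin.com/sharing/share-offsite/',
};

// Builds a prefilled share URL. URLSearchParams percent-encodes each value, so
// a page title containing '&' or '#' cannot smuggle in extra query parameters.
function buildShareUrl(network, { url, text, appId } = {}) {
  if (!url) throw new Error('url is required');
  let target;
  switch (network) {
    case 'facebook':
      if (appId) {
        target = new URL(SHARE_ENDPOINTS.facebookDialog);
        target.searchParams.set('app_id', appId);
        target.searchParams.set('display', 'popup');
        target.searchParams.set('href', url);
      } else {
        target = new URL(SHARE_ENDPOINTS.facebook);
        target.searchParams.set('u', url);
      }
      break;
    case 'twitter':
      target = new URL(SHARE_ENDPOINTS.twitter);
      target.searchParams.set('url', url);
      if (text) target.searchParams.set('text', text);
      break;
    case 'linkedin':
      target = new URL(SHARE_ENDPOINTS.linkedin);
      target.searchParams.set('url', url);
      break;
    default:
      throw new Error(`unsupported network: ${network}`);
  }
  return target.toString();
}

// Inside the extension, open the dialog in a new tab. chrome.tabs.create with a
// URL needs neither the "tabs" permission nor any access to the site's DOM.
// Outside a browser (e.g. under Node) it just returns the URL.
function openShareDialog(network, opts) {
  const shareUrl = buildShareUrl(network, opts);
  if (typeof chrome !== 'undefined' && chrome.tabs) chrome.tabs.create({ url: shareUrl });
  return shareUrl;
}

console.log(openShareDialog('twitter', { url: 'https://example.com/?a=1&b=2', text: 'look & see' }));
```

The manifest for this version of the feature needs no entry for the social sites at all; compare that with a content script that has to be granted the site's origin and can read and act on the page.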

RaptorCZ commented 8 months ago

I agree. Just looking for more info about this extension, because I'm using it in development and the malware warning just surprised me :-)

SamJUK commented 8 months ago

Caught us by surprise too, and there don't seem to be many good alternative extensions either. Currently we are just building the 2.6.6 version from the source using the original source repo, since we never had any issues with that version.

quyentho-keypay commented 7 months ago

@SamJUK Forgive me for this silly question, but from the original repository I can only see that the last commit on the master branch was on December 9, 2022, which is v2.6.6. Where did you get the other versions from?

SamJUK commented 7 months ago

@quyentho-keypay Not a silly question at all, I got both the later samples from what was installed on my machine. On macOS using Brave (Chromium based) I found them under ~/Library/Application\ Support/BraveSoftware/Brave-Browser/Default/Extensions/oddcpmchholgcjgjdnfjmildmlielhof

Alternatively you can use something like crx4chrome to download the old packages that it has captured, https://www.crx4chrome.com/history/2193/, which gives you the CRX extension files. Then you can just unzip the CRX files via CLI to get the source code.

On the note of why the latest releases are missing from the source repo: on one of the recently closed issues on the repo, he states he no longer owns the extension, without much context on who the new maintainer would be. https://github.com/timstuyckens/chromeextensions-knockoutjs/issues/51
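Added example, not part of the thread or of the repository: a Node script for the "unzip the CRX" step above. A CRX file is a small header (magic "Cr24", a version number, then either a public key and signature for CRX2 or a length-prefixed protobuf header for CRX3) followed by an ordinary ZIP, so the script locates the ZIP and writes it out for any ZIP tool to extract. The sample buffers in the test are constructed, not real packages, and the script name crx2zip.js is this example's own.

```javascript
// Added example (not from the repository): locate and extract the ZIP payload
// inside a CRX2 or CRX3 package so the extension source can be unzipped.

const CRX_MAGIC = 'Cr24';

// Returns the byte offset at which the embedded ZIP starts.
function crxZipOffset(buf) {
  if (buf.length < 12 || buf.toString('latin1', 0, 4) !== CRX_MAGIC) {
    throw new Error('not a CRX file (bad magic)');
  }
  const version = buf.readUInt32LE(4);
  if (version === 2) {
    // CRX2: magic | version | pubkey length | signature length | pubkey | signature | zip
    if (buf.length < 16) throw new Error('truncated CRX2 header');
    const pubKeyLen = buf.readUInt32LE(8);
    const sigLen = buf.readUInt32LE(12);
    return 16 + pubKeyLen + sigLen;
  }
  if (version === 3) {
    // CRX3: magic | version | header length | CrxFileHeader (protobuf) | zip
    const headerLen = buf.readUInt32LE(8);
    return 12 + headerLen;
  }
  throw new Error(`unsupported CRX version ${version}`);
}

// Slices out the ZIP and checks it carries a ZIP signature ("PK") where the
// header claims it ends; a bogus length field would otherwise yield garbage.
function extractZip(buf) {
  const offset = crxZipOffset(buf);
  if (offset > buf.length) throw new Error('header length exceeds file size');
  const zip = buf.subarray(offset);
  if (zip.length < 4 || zip[0] !== 0x50 || zip[1] !== 0x4b) {
    throw new Error('payload after CRX header is not a ZIP');
  }
  return zip;
}

// CLI usage: node crx2zip.js extension.crx   -> writes extension.zip beside it
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const input = process.argv[2];
  if (!input) {
    console.error('usage: node crx2zip.js <file.crx>');
    process.exit(1);
  }
  const out = input.replace(/\.crx$/i, '') + '.zip';
  fs.writeFileSync(out, extractZip(fs.readFileSync(input)));
  console.log(`wrote ${out}`);
}
```

Plain `unzip` on the .crx usually works too, because it finds the central directory from the end of the file and only warns about the extra leading bytes; stripping the header just makes the result a clean archive. Note the script does not verify the CRX signature, so it tells you nothing about who published the package, only what is inside it.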

quyentho-keypay commented 7 months ago

Oh wow, that's interesting to know, thanks SamJUK