compvid30 / scriptblock

Script Blocking Chromium Extension
GNU General Public License v3.0

Extension disappeared from Market #25

Open Alvargon opened 6 years ago

Alvargon commented 6 years ago

Hi, I did a full wipe of my Chrome because it was broken, and when I did a sync, this extension was missing, even from the Google market. What happened?

Taomyn commented 6 years ago

Just noticed this myself, Chrome is reporting that the extension violates the web store policy.

What's going on?

Athanasius commented 6 years ago

And this is also causing the Extension to get auto disabled (at least I suddenly found it in that state this morning, when I'm sure it had been working fine yesterday). This left me open to any javascript on the net not also blocked by uBlock Origin.

Thankfully I was allowed to re-enable it.

So, are Google actually telling the author/publisher why this has happened? Perhaps it's part of the new Chrome built-in ad blocker deployment?

toonvault commented 6 years ago

Just ran into this issue too. It was working yesterday, today it was auto disabled. (manually re-enabled it)

Not sure what the 'violation' was; it would be nice to know more about it. But for now I switched to uMatrix, until more info appears about the reason behind this violation.

d00nicus commented 6 years ago

It can always be installed in development mode by downloading the latest copy from here, and installing it via "Load unpacked extension"

That option should stay open indefinitely since it's required for developers to actually work and be able to test their extensions.

mi-ael commented 6 years ago

What's definitely weird is that the ScriptBlock version installed in my chrome is 1.4 and this repo is still on 1.3. Also there is no changelog entry for 1.4 (local link: chrome-extension://hcdjknjpbnhdoabbngpmfekaecnpajba/options.html).

Athanasius commented 6 years ago

Yeah, that's worrying, it implies Google may have had a legitimate reason to remove the extension from the Play store. For all we know the Extension has been compromised.

So, for now I've disabled it again and am checking out uMatrix as a replacement.

d00nicus commented 6 years ago

Well, the source along with all changes up to 1.3 are all logged and open for us to see on here, so I'm not overly concerned from a security perspective.

It's even well commented - I think it's far more likely something motivated by internal politics at Google and them disapproving of some aspect of the functionality.

jbionic2016 commented 6 years ago

All I see in this thread so far is the activity of folks advertising uMatrix. At least we can suspect now who is behind the whole incident and triggered the violation alarm.

d00nicus commented 6 years ago

There's no evidence at all to suggest any compromise - and all source code + modifications are freely available here to audit. The "maybe compromised" is the biggest conspiracy theory in here, and the most easily disproved.

What exactly is your basis for assuming a security compromise other than it no longer being on the store?

d00nicus commented 6 years ago

True, we don't know what the situation on the store is, but we can know if the copy here was compromised (and I can see no evidence to show any such compromise)

Other than the inconvenience of having to load it as an unpacked extension, there is no safety/security concern to not just use the copy here on Github. Additionally, since extensions are also stored on your system unencrypted, it would be trivial for anyone with a copy of the store version to compare the code against the copy here to determine if it had been tampered with.

Personally I hold no opinion if you do or don't have any motive to push one product or another (and frankly don't care) but throwing out theories about evil security compromises without a good faith basis doesn't help anyone. It's a theory that's easy to prove or disprove, so you should probably have looked into that before starting suggestions that the extension is dangerous.

This lining up with the launch of Google's own ad-blocking platform that they control seems a far more likely scenario.

Athanasius commented 6 years ago

I'd never even heard of uMatrix until I mentioned this ScriptBlock issue elsewhere and someone suggested it as an alternative. I was passing on that suggestion.

d00nicus commented 6 years ago

@Athanasius - Nothing wrong with suggesting alternatives, I just think it's premature for people to start panicking about potentially malicious code etc.

Given how long it is since the last commit here, the probability of it being pulled for reasons of malice is practically nil.

Athanasius commented 6 years ago

For what it's worth I just checked the copy of ScriptBlock in my Linux install, which is in a 1.4_0 sub-folder, and no file in there has a file date stamp later than Jan 21 2017. I have no idea if a Chrome Extension has access to manipulate those date stamps on its own files.

Athanasius commented 6 years ago

@madonak - If it is compromised then continuing to use it for any length of time is unwise. If it's not, then temporarily switching to an alternative does little harm (just a little set up time).

Last commit HERE has nothing to do with whether the Play store account might have been compromised, or the extension simply sold to someone else (which has happened with a number of other browser addons/extensions in the recent past).

d00nicus commented 6 years ago

@Athanasius Which is why I suggested using the copy from here (which is exactly what I am doing) and/or doing a compare on the two copies of the code to identify any differences if you want to verify the integrity of the Play store copy.

It's not even like it's messy code, or poorly documented, it's fairly easy to audit compared to most of what I have to work with in my day job.

jbionic2016 commented 6 years ago

Well, I agree that it is safer to abstain from using the extension for as long as we don't know what caused the trouble. There are many alternatives, incl. uMatrix, ScriptSafe and others, to name a few.

cyberpunk64bit commented 6 years ago

(signed up for GitHub just to post this) I've used ScriptBlock for YEARS and I am a big fan of it! When I saw it was gone, I just about lost my [redacted]. Until this gets fixed, here is the workaround (because you know Google will start removing it entirely later):

- download the project,
- go to chrome://extensions/
- click Load Packed Extensions
- navigate to folder
- don't let Google dictate your browsing safety

The trifecta of security I use is PeerBlock, a good firewall and SCRIPT BLOCK.. (can't get hacked via a website if the scripts are not allowed to run.. [ok, 70% true, but it lowers the attack vectors])

In, cough, short, I WILL be using ScriptBlock as long as I can!

gshollingsworth commented 6 years ago

Has anybody noticed the last commit was 2015-08-26 for version 1.3? I suspect a personal copy of the source was used to generate the 1.4 version dated 2017-01-20 I found at crx4chrome.com, where the developer has the same handle compvid30. All versions back to 1.0 are there with the same dates of publish for versions 1.1, 1.2, and 1.3. It looks like crx4chrome was a secondary repository for the crx package. The developer's website entry there is www.scriptblock.org, which redirects to the scriptblock repository here at GitHub. The developer seems to have the same accounts there and here. The extension identifier at crx4chrome is the same as what was in the Chrome store, "hcdjknjpbnhdoabbngpmfekaecnpajba", and also matches the one at crx.dam.io, another independent source. The byte counts of the version 1.3 and 1.4 crx files are the same at each location available. I have not yet compared hash values.

I have analyzed differences between the 1.3 and 1.4 packages downloaded from crx4chrome and the 1.4 version I have installed. There are 6 file differences between the two versions. Two of those are metadata files generated when packaging an extension from source to a crx file and are expected for any change. The content changed was version strings and signature hashes; what appears to be the public key to verify the signature is the same. They are manifest.json and verified_contents.json, both time stamped 2017-01-21_01:46.

One 1.4 file did not exist at all in 1.3, save.js in the "common" directory/folder. It is 1388 bytes and timestamped 2015-09-12_20:09 shortly after the 1.3 release. I cannot find any call or reference to it from any of the other files in the extension package. Save.js seems to be something to support a new feature which never got implemented, and therefore is extraneous, and upon evaluation innocuous.

bg.js timestamped 2017-01-21_02:02 has only one byte differing between the 1.3 and 1.4 versions which is a 3 changed to a 4 in the version display string, completely expected for a version change.

If you were keeping track, that leaves two more files to be explained. They are where the real change has occurred. Both are timestamped 2017-01-21_01:57. They are named options.html and popup.js. options.html is what is displayed when you click the options link from the dropdown when clicking the scriptblock icon in the toolbar. popup.js is what is called from options.html when you click the donate button. The change in options.html was lines 95...102 from version 1.3 to lines 95...100 which is the paypal donate form. The form had absolute positioning in 1.3 and no position specified in 1.4. The two lines that went away were due to two lines no longer being wrapped and 136 less bytes in the file. The button gif hosted at objects.paypal.com changed from "btn_donate_LG.gif" to "btn_donateCC_LG.gif". The hosted_button_id string changed from "XJZJUMSDKPESC" to "EYEVCUTMT2LF4" which is exactly the same change in popup.js. I assume this is to be able to accept donations with credit cards via paypal in addition to donations from paypal accounts.

I found no malicious changes in the changes from 1.3 to 1.4. Both should perform the same with the exception of the donate function. I have re-enabled the scriptblock 1.4 extension in my chrome installation.

Why was it removed from the Chrome store? Only Google knows, and maybe the developer if they had an intelligible explanation from Google. It may have something to do with the new ad-blocking function in Chrome. It may have something to do with Google's push for https rather than http. ScriptBlock has many http references but https where it matters. It may be due to some bugs in automated review algorithms in the Chrome store again. I can only speculate.
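The file-by-file comparison described in this comment (and the store-copy-versus-GitHub-copy check suggested earlier in the thread) can be scripted. The following is an added example, not code from the ScriptBlock project; the two packages below are constructed in-memory stand-ins that mirror the kind of differences the comment reports, and `load_dir` is the hypothetical helper you would use to read real unpacked extension folders instead.

```python
import hashlib
import pathlib
import re
from difflib import SequenceMatcher

# Constructed sample packages (path -> bytes) mirroring the 1.3 -> 1.4 findings
# in the thread. These are NOT the real extension files.
OLD_PKG = {
    "manifest.json": b'{"name":"ScriptBlock","version":"1.3"}',
    "bg.js": b'var versionText = "ScriptBlock 1.3";',
    "options.html": b'<input type="hidden" name="hosted_button_id" value="XJZJUMSDKPESC">',
    "popup.js": b'hosted_button_id: "XJZJUMSDKPESC"',
    "lib/main.js": b'function block() {}',
}
NEW_PKG = {
    "manifest.json": b'{"name":"ScriptBlock","version":"1.4"}',
    "bg.js": b'var versionText = "ScriptBlock 1.4";',
    "options.html": b'<input type="hidden" name="hosted_button_id" value="EYEVCUTMT2LF4">',
    "popup.js": b'hosted_button_id: "EYEVCUTMT2LF4"',
    "lib/main.js": b'function block() {}',
    "common/save.js": b'function save() {}',  # new file with no callers
}

# Packaging metadata that legitimately differs between any two builds
# (version strings, signature hashes); flagged so they are not mistaken for logic changes.
EXPECTED_CHANGES = {"manifest.json", "verified_contents.json"}

def load_dir(root):
    """Hypothetical helper: read an unpacked extension folder into path -> bytes."""
    base = pathlib.Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes() for p in base.rglob("*") if p.is_file()}

def diff_packages(old, new):
    """Classify each file as added, removed, same or changed. For changed files
    record how many bytes differ, so a one-byte version bump stands out from a rewrite."""
    report = {"added": [], "removed": [], "changed": {}, "same": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif hashlib.sha256(old[path]).digest() == hashlib.sha256(new[path]).digest():
            report["same"].append(path)
        else:
            sm = SequenceMatcher(None, old[path], new[path], autojunk=False)
            nbytes = sum(max(i2 - i1, j2 - j1) for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal")
            report["changed"][path] = {"bytes": nbytes, "expected": path in EXPECTED_CHANGES}
    return report

def hosted_button_ids(pkg):
    """Collect PayPal hosted_button_id values per file, the one real change the thread found."""
    pat = re.compile(rb"hosted_button_id.{0,20}?([A-Z0-9]{13})")
    return {path: pat.findall(data) for path, data in pkg.items() if pat.search(data)}
```

To audit a real install, build the two dicts with `load_dir` on the store copy's version folder and on a checkout of this repository, then read the report: unexplained additions and large byte counts in non-metadata files are where to look.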

d00nicus commented 6 years ago

@gshollingsworth Thank you! Finally somebody else applying a bit of rationale and logic rather than running round jumping to poorly formed conclusions and going on about malicious code and how dangerous it would be to continue using the extension.

Athanasius commented 6 years ago

Yup, thanks for doing the detailed checking.

In closing, this wasn't total paranoia, this sort of thing has happened: https://malwaretips.com/threads/particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware.73584/

mmortal03 commented 6 years ago

I think the creator of this extension is the same person as UltimateZip, so maybe contact them?: https://www.ultimatezip.com/

lnskipp commented 6 years ago

Yeah, does the creator actually have his contact info listed anywhere in this site? Wasn't showing up on his profile.

mmortal03 commented 6 years ago

The copyright information says "Copyright © 2013-2015 Oliver von Schleusen" It looks like he's on Facebook. Someone who speaks German should contact him.

mmortal03 commented 6 years ago

Here we go, from the License.txt: To contact the author, visit the project homepage above and leave a comment, or you can e-mail: compvid30[at_symbol]gmail[dot_symbol]com

From: https://github.com/compvid30/scriptblock/blob/master/License.txt

lnskipp commented 6 years ago

Oh cool, didn't figure it was nested in a text-file. Nice find.

gshollingsworth commented 6 years ago

@mmortal03 You should remove the email from your comment. Spam harvester bots will find it too easily.

I get the impression the developer is less active than he was. There could be any number of reasons. If anybody does contact him, keep in mind he may not be able to commit to doing anything about the Chrome store removal. It was over a year ago that he added credit card donation, and that was over a year since the last release. There haven't been many changes since the first release.

I myself do not have the time to take over or fork the project. I can understand if @compvid30 does not have time to support it either. It works for me. I will use it until I need to change.

makedir commented 6 years ago

Why is there still nothing new about this? So I guess this just means the extension is dangerous to use, if there is no other word from the dev.

gshollingsworth commented 6 years ago

The extension is no more dangerous than before. I am continuing to use it. Google is beginning to implement similar features into chrome. These may conflict in future releases of chrome. At that point I may stop using it. I feel much better blocking scripts with this extension.

dudaskank commented 6 years ago

Well, now it's in 1.5 version and back to the store. But the code here is 3 years old 😲

jbionic2016 commented 6 years ago

Good to hear that. I've been using ScriptSafe for the last 4 months, although it was a little painful in the beginning to set up in order to start using. ScriptSafe seems a more powerful solution, but overall I still find ScriptBlock is more simple and easier to use for an average user.

sergeevabc commented 9 months ago

Five years passed. How are you doing, folks? Still using ScriptBlock?

mmortal03 commented 9 months ago

> Five years passed. How are you doing, folks? Still using ScriptBlock?

This bug report should probably be closed, but I think it's actually been more than eight years since the code has been updated? It'd definitely be a nice Christmas present if the biggest current bug, in my opinion, was fixed, but I won't hold my breath: https://github.com/compvid30/scriptblock/issues/44