Closed HenrickTheBull closed 4 years ago
Same here
Uninstall, change all the passwords and spread the word.
I feel the selling was very irresponsible and unethical behavior. Nano GitHub said it would accept no donations before and changed its mind without notification. It should have pushed a notification in the extension before the change of ownership so I could uninstall it in time to save my personal data.
Now I am notified by the Web Store and I have no idea how much of my data was stolen. I never thought the adblocker would be the security hole. Silver lining is I was gonna recommend Nano Adblocker to family and friends but I haven't.
> I feel the selling was very irresponsible and unethical behavior. It should have pushed a notification in the extension before the change of ownership so I could uninstall it in time to save my personal data.
> Now I am notified by the Web Store and I have no idea how much of my data was stolen. I never thought the adblocker would be the security hole. Silver lining is I was gonna recommend Nano Adblocker to family and friends but I haven't.
I had to issue a warning because in my Discord server we had a resources channel with a "Privacy Protection" section and we highly recommended Nano and Nano Defender. I wasn't aware of this UNTIL I got the Webstore Notification.
fwiw, since devtools detection was what stopped gorhill from testing further, I'm fairly certain this kills all detection of devtools (even the latest debug tricks), as well as incognito detection (safer to debug it in incognito, not sure if they try to detect that though): https://github.com/sandsmark/anti-anti-devtools/blob/master/script.js
Got the warning from Chrome Extension just now. Read about it. Now I'm Scared AF...
I'm not sure if this is the place for this question so I'm sorry if I'm in the wrong place... Q. I only copy and paste password from KeePass (Password Manager). Does that still mean my passwords are compromised?
This is a disaster now. I am just checking my Instagram's Settings/Account/Posts You've Liked And notice I liked many things that I am not aware of. God knows what all of my accounts have done. This is the worst security hole I have encountered. Wondering what people's data was worth.
Imagine this can happen again easily with other extensions. I believe this is something that webstore has to improve.
https://www.reddit.com/r/Adblock/comments/jc447f/nano_adblocker_nano_defender_was_sold_and_should/ https://www.ghacks.net/2020/10/16/time-to-remove-nano-adblocker-and-defender-from-your-browsers-except-firefox/
Consider anything and everything compromised. On page load, your browser will listen to a URL and receive directions on what to send up to it. It can send anything from plain text passwords to access tokens. I'll be changing all my credentials tonight and invalidating all my logins.
So what's the alternative now?
> So what's the alternative now?
I'm recommending going to uBlock Origin. Their team has been very good keeping things above board and that's what Nano was based on.
> Got the warning from Chrome Extension just now. Read about it. Now I'm Scared AF...
> I'm not sure if this is the place for this question so I'm sorry if I'm in the wrong place... Q. I only copy and paste password from KeePass (Password Manager). Does that still mean my passwords are compromised?
You should assume that all your data was stolen. Do not panic, Password Manager will make the process easier for you, just take your time and do it right.
Well chrome disabled the extension so I assume that if you didn't re-enable you should be ok
> Well chrome disabled the extension so I assume that if you didn't re-enable you should be ok
It could have been bad since the transfer.
> Well chrome disabled the extension so I assume that if you didn't re-enable you should be ok
Check all your social accounts. If you did not delete it before the transfer, your data was probably compromised. https://github.com/jspenguin2017/Snippets/issues/3#issuecomment-712449305
Opera GX didn't detect the virus and I disabled it myself....
> This is a disaster now. I am just checking my Instagram's Settings/Account/Posts You've Liked And notice I liked many things that I am not aware of. God knows what all of my accounts have done. This is the worst security hole I have encountered. Wondering what people's data was worth.
I didn't even open my Instagram for weeks on PC, yet my account is still liking those random photos. How'd they do that?
> Got the warning from Chrome Extension just now. Read about it. Now I'm Scared AF... I'm not sure if this is the place for this question so I'm sorry if I'm in the wrong place... Q. I only copy and paste password from KeePass (Password Manager). Does that still mean my passwords are compromised?
> You should assume that all your data was stolen. Do not panic, Password Manager will make the process easier for you, just take your time and do it right.
Ok I'll change all my passwords to be safe. But I want to understand, should I prioritize sites I accessed since the transfer? Because to change all my passwords is kind of ridiculous... would take ages... although I'll get to it eventually.
> This is a disaster now. I am just checking my Instagram's Settings/Account/Posts You've Liked And notice I liked many things that I am not aware of. God knows what all of my accounts have done. This is the worst security hole I have encountered. Wondering what people's data was worth.
> I didn't even open my Instagram for weeks on PC, yet my account is still liking those random photos. How'd they do that?
Ok wow... that just answered my question I was wondering... Change all your passwords immediately.
> I didn't even open my Instagram for weeks on PC, yet my account is still liking those random photos. How'd they do that?
just a guess, they could have sniffed the session cookies if you visited some site that connected to some instagram servers.
@jspenguin2017 You screwed up so bad.
Someone who analyzed the new (malware) code is saying they got the request headers (cookies, session) and not the body (other data like passwords), read here: https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712448295
Does anyone know how to remove all likes on Instagram? There are too many unauthorized likes that I can't unlike them one by one
So, you should enter every such site and log out => the cookies on the various servers will be removed / changed and, for example, other likes won't be possible anymore on Instagram / other sites
> @jspenguin2017 You screwed up so bad.
I think he knows that, and while it was a (really) bad call it's kind of understandable when you're burnt out from trying to maintain a very popular open source project for free. I don't think anyone makes the best decisions in that state.
> Someone who analyzed the new (malware) code is saying they got the request headers (cookies, session) and not the body (other data like passwords), read here: #2 (comment)
If this is true then there's no reason to change passwords, just logout of everything and login again.
> If this is true then there's no reason to change passwords, just logout of everything and login again.
That was just a quick look at one version, it seems. Considering how much access the extension had/has it would be trivial to snarf everything typed into a password field.
Though if you use the browser's built in password manager they wouldn't have a way to access passwords you didn't type in (third party password extensions are probably safe, but I wouldn't bet on it considering how they work).
> Consider anything and everything compromised. On page load, your browser will listen to a URL and receive directions on what to send up to it. It can send anything from plain text passwords to access tokens. I'll be changing all my credentials tonight and invalidating all my logins.
Ok, that's scary.
So I have no passwords saved on chrome and keep my passwords separately and hadn't logged in for a few weeks however, I was still affected by the instagram hack. It is definitely stolen cookies. Log out of all your accounts and log out of all sessions to be extra safe. I think your passwords are safe. It's the cookies.
I do appreciate his work of dealing with ads and trackers for free for quite some time. It is also true that he did not put much thought into the sale and it caused a disaster. It just makes me wonder how much trust we can put in open source projects...
Anyway, we should focus on checking the scope of the damage and what we can do to deal with the damage.
The Github repo for the new devs and the URL that Nano was reporting to are all gone.
So do we get to know how much were our cookies worth in $ ?
> It just makes me wonder how much trust we can put in open source projects...
About as much as not-open source. :-)
FWIW, the project was fine while it was "proper" open source, that's why gorhill was able to so quickly diff the released source code vs. what they actually shipped when they started modifying it.
> So I have no passwords saved on chrome and keep my passwords separately and hadn't logged in for a few weeks however, I was still affected by the instagram hack. It is definitely stolen cookies. Log out of all your accounts and log out of all sessions to be extra safe. I think your passwords are safe. It's the cookies.
What I meant was that it's likely that they got passwords as well, in addition to the session cookies.
@painor no problem just log out on all accounts
Go to browser settings and delete all cookies. As a precaution you can begin to change passwords in the meantime (even if they are not affected it's never a bad idea to change important ones)
> Go to browser settings and delete all cookies. As a precaution you can begin to change passwords in the meantime (even if they are not affected it's never a bad idea to change important ones)
DO NOT DO THIS. This doesn't destroy the cookies on the server.
If anything this makes you less aware of what sites you were logged into and it means that a simple logout won't work and you'll either have to reset your password (and hope that the site logs out all other sessions) or hope the site has a log out all other sessions button.
go to each site and if you're logged in then log out and log in again
> @painor no problem just log out on all accounts
And change the password on all sites you typed in your password the last weeks (logging in, changing password, etc.).
> Go to browser settings and delete all cookies. As a precaution you can begin to change passwords in the meantime (even if they are not affected it's never a bad idea to change important ones)
That won't help, that just deletes the local cookies, the old session cookies might still be valid (depending on the site).
> So do we get to know how much were our cookies worth in $ ?
You can probably get a good estimate by looking at the prices on e. g. blackhatworld. :-P
> It just makes me wonder how much trust we can put in open source projects...
> About as much as not-open source. :-)
> FWIW, the project was fine while it was "proper" open source, that's why gorhill was able to so quickly diff the released source code vs. what they actually shipped when they started modifying it.
> So I have no passwords saved on chrome and keep my passwords separately and hadn't logged in for a few weeks however, I was still affected by the instagram hack. It is definitely stolen cookies. Log out of all your accounts and log out of all sessions to be extra safe. I think your passwords are safe. It's the cookies.
> What I meant was that it's likely that they got passwords as well, in addition to the session cookies.
Judging by this the issue is cookies only, and in my own case it was cookies only as the password hadn't been typed in ages nor was it stored
> Judging by this the issue is cookies only, and in my own case it was cookies only as the password hadn't been typed in ages nor was it stored
In this case, yes, but you don't know what else they got.
And FWIW, I checked some prices, Instagram likes are going for like 20 cents per 1000, following is 40 cents per thousand. So unfortunately I don't think you can make bank by selling your cookies freely. :-P
> And FWIW, I checked some prices, Instagram likes are going for like 20 cents per 1000, following is 40 cents per thousand. So unfortunately I don't think you can make bank by selling your cookies freely. :-P
As I said on the other thread
If I had access to someone's cookies I'd first of all target coin exchanges, then banks/CCs, then shopping sites and finally social media. So if we know social media was hacked, well...
> If I had access to someone's cookies I'd first of all target coin exchanges, then banks/CCs, then shopping sites and finally social media. So if we know social media was hacked, well...
those are harder to target, it's much easier to just bulk sell IG/FB/reddit/twitter sessions for likes and followers through standard channels.
but again, we can't know for certain exactly how much they collected.
> those are harder to target, it's much easier to just bulk sell IG/FB/reddit/twitter sessions for likes and followers through standard channels.
> but again, we can't know for certain exactly how much they collected.
Better safe than sorry. Personally I'd rather make sure my money is safe, more than my Instagram account. If I'm gonna waste time terminating sessions in Facebook and Instagram I'm sure as hell gonna make sure my money is safe.
Oh also now that I think about it: OnlyFans has piss poor security, and has already been targeted by a malicious extension in the past. So if you have an account there I'd log out to be safe. I doubt that sort of thing will come up as a question so it's useful to bring it up
> And FWIW, I checked some prices, Instagram likes are going for like 20 cents per 1000, following is 40 cents per thousand. So unfortunately I don't think you can make bank by selling your cookies freely. :-P
Looking at the cached page in the Chrome Web Store: Nano Adblocker 100,000+ users, Nano Defender 200,000+ users
100k Instagram users, each do 100 likes would be $2000. Is that worth the risk going to jail? 🤣
We may have an imposter among us...
@lilcsz's account lists Turkey as its location. The account also contributed to repos that bomb and spam Instagram accounts, among other blackhat repos it has contributed to.
> 100k Instagram users, each do 100 likes would be $2000. Is that worth the risk going to jail?
these are (usually) fairly well-established criminal operations (kind of confirmed by what yenhanshih dug up). so I assume they don't really care much about that risk. :-P
Looks like one of my Instagram accounts I recently logged in to was compromised. None of the accounts that I auto-log-in to have had suspicious activity going on but I'm changing my passwords on pretty much all of them anyway. Never had an account of mine get hacked like this haha
Judging by this comment however, it seems that Instagram cookies aren't secure and that that's how they were able to get into my Insta, but not other accounts?
So if I understand correctly, this most likely only affects sites where you were automatically logged in based on (unsecure) cookies?
> So if I understand correctly, this most likely only affects sites where you were automatically logged in based on (unsecure) cookies?
I'd assume everywhere you didn't have to type your password every time you opened the page, i.e. with session cookies
> Judging by this comment however, it seems that Instagram cookies aren't secure and that that's how they were able to get into my Insta, but not other accounts?
> So if I understand correctly, this most likely only affects sites where you were automatically logged in based on (unsecure) cookies?
You misunderstood it. In short, cookies are there to remember you on every page load (among other uses). This affects every site that doesn't tell you to re-login every 5, 10, 15 minutes or so. The reason only Instagram got affected may be because they only targeted Instagram at the moment, or no one has figured out if they did something else.
> We may have an imposter among us...
> @lilcsz's account lists Turkey as its location. The account also contributed to repos that bomb and spam Instagram accounts, among other blackhat repos it has contributed to.
the suspect even has an anime avatar. this is the man you're looking for your honor
So I just got the news and don't know how to proceed. I would like some advice. I was using Nano Defender on Google Chrome which has sync enabled with my Google account. I do not have any saved passwords, I always type them manually or am just already logged in with Google. Should I change every single one of my passwords starting with my Google accounts? I do not use any social media.
> So I just got the news and don't know how to proceed. I would like some advice. I was using Nano Defender on Google Chrome which has sync enabled with my Google account. I do not have any saved passwords, I always type them manually or am just already logged in with Google. Should I change every single one of my passwords starting with my Google accounts? I do not use any social media.
For the important sites change passwords, better safe than sorry. For the other sites go on the ones you logged into, log out then back in. That should invalidate the old session cookie which the hacker could use to access the account.
As far as we know now only cookies were stolen, not passwords. But better safe than sorry. If an account is important to you and you have the time changing the password won't hurt. Deleting cookies & history in the browser settings won't fix anything and makes it harder to track down the sites you were logged into, so don't bother.
For sites that support it (such as google and facebook) there's also a button to log out of all active sessions so all cookies are automatically invalidated. However that often deletes them all but the one you're currently using, so you may still need to log out and back in. Changing password automatically invalidates all session cookies for that site.
I recently got a notification from Edge alerting me that Nano was disabled due to malware and when I went to my extension this is what I saw.
The Chrome Webstore is completely gone too.
EDIT: Don't attack jspenguin2017 for this. I highly doubt they would have known this would happen.