jspenguin2017 / Snippets

Random code snippets

List of compromised websites and scope of damage, by Nano Adblocker and Defender #5

Closed wadawada closed 3 years ago

wadawada commented 3 years ago

Checklist for everyone affected

  • Login sessions between 10/15 and 10/16 are most likely to be affected
  • Check your Instagram for random likes; even if you haven't visited it for a long time, you might still be affected
  • Check other websites you visited in the past 10 days for suspicious activity
  • Check your accounts for suspicious login attempts
  • If suspicious activity found, report below

Countermeasures

  • Your passwords are probably fine so far. This is actually confirmed by the reports of failed logins from some users, as some websites are smart enough not to allow suspicious usage of stolen cookies, which is good. However, they can be compromised if you visited a website with poor security practices (one that stores passwords in cookies, for example).
  • DO NOT simply delete cookies from your browser. Cookies on the server side need to be refreshed, which cannot be done by deleting cookies on the client side.
  • You need to log out ALL sessions of websites that you visited in the past 10 days. Find the option in settings to "Terminate all sessions", which will invalidate all previously issued cookies at all locations. If there is no option to terminate all sessions, you can contact support for assistance in terminating all of your sessions due to possible cookie theft.
  • Log in again to refresh session cookies.
  • As a last resort, changing your password should (although it might not) invalidate all previous cookies. (https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-712724272)

Please READ the following web pages for help and a detailed explanation of what happened: https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713028839 https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-712599645 https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/

Other info: https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712448295 (info on session cookies)

If you want to rant, you can go to https://github.com/jspenguin2017/Snippets/issues/4. For other issues, you can also go to https://github.com/jspenguin2017/Snippets/issues/3 or https://github.com/jspenguin2017/Snippets/issues/2. You may have one, several, or none of your accounts affected.

If one or more of your accounts on some websites/apps have had suspicious activity recently, you can use the following format to help report/confirm being compromised:

1. Website: www.something.com
2. Saved password in Chrome? YES if the password was saved / NO if the password was typed
3. Suspicious activity on the login session page (if provided): YES (e.g. failed logins) / NO
4. Unauthorized activity on the website/app: describe what happened

Websites already confirmed to be compromised

Instagram. You can check suspicious activities by:
  • On Instagram Mobile, Settings > Security > Login Activity
  • On Instagram Website, Settings > Login Activity
  • On Instagram Mobile, Settings > Account > Posts You've Liked, to see if you have unauthorized likes
Question: need a way to remove unauthorized likes. A solution: https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713626427

Websites that may be compromised; needs confirmation that it is related to this incident

GitHub: check the security log to see if there are failed attempts to log in recently https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712522905 (2 confirmed reports of suspicious activity with failed logins) https://github.com/settings/security-log

Microsoft/Outlook account (2 confirmed reports of suspicious activity with failed logins) https://support.microsoft.com/en-us/account-billing/check-the-recent-sign-in-activity-for-your-microsoft-account-5b3cfb8e-70b3-2bd6-9a56-a50177863357

Twitch (Question: maybe no way to check login sessions?) https://help.twitch.tv/s/article/account-hacked?language=en_US

NDevTK commented 3 years ago

@Stellarspace I don't know if it could be an extension; however, it's a script, because the code can be viewed easily and there are no automatic updates to be abused.

jayankamdar commented 3 years ago

Why was this closed? It is certainly an ongoing issue, as long as there are still people who aren't aware - for example, I only today found out that my instagram was compromised through this.

tweedge commented 3 years ago

I think it's appropriate to have closed this, as the incident itself has ended, and the scope of the impact has been determined by community reports within the first couple days. Many of the comments after that devolved into 1:1 support and allegations about compromises (or compromise attempts) which do not appear to be related to Nano Adblocker/Nano Defender. The chance that there is another site which has been abused or accessed by the developers on many users' machines which has not been discovered is currently considered to be "low" unless additional evidence is posted. Though to be clear, I still definitely welcome new evidence, either posted here or disclosed privately.

Mactastic1-5 commented 3 years ago

> Why was this closed? It is certainly an ongoing issue, as long as there are still people who aren't aware - for example, I only today found out that my instagram was compromised through this.

Wrong repository to talk about this issue and politics has no place on GitHub. Change your password and it will sign you out of all sessions, including the session that was hijacked. Enable 2FA if you don’t have it enabled already. Session hijacking is unavoidable on any platform when your computer is infected by malicious software.

> I think it's appropriate to have closed this, as the incident itself has ended, and the scope of the impact has been determined by community reports within the first couple days. Many of the comments after that devolved into 1:1 support and allegations about compromises (or compromise attempts) which do not appear to be related to Nano Adblocker/Nano Defender. The chance that there is another site which has been abused or accessed by the developers on many users' machines which has not been discovered is currently considered to be "low" unless additional evidence is posted. Though to be clear, I still definitely welcome new evidence, either posted here or disclosed privately.

Microsoft accounts have long been targeted by malicious actors and there will always be unsuccessful login attempts that show up in the security logins. On that note, it’s become political.

Windowsfreak commented 3 years ago

Confirming Instagram, Microsoft, GitHub, each with failed login attempts as Location mismatch. Phew!

Anyone found out which cookies or request headers were leaked? Only from pages accessed in the past 14 days, or all of them?

tweedge commented 3 years ago

@Windowsfreak here is some information that will help. First, did you log in to your Instagram, Microsoft, or GitHub between October 15 and October 16? If not, it is almost certainly not related to this infection. See note:

Account login attempts are suspicious, but you would have had to perform the login yourself while infected with this malware in order to divulge your password or 2FA codes (in the request headers). If you know you didn’t log in during the time frame you may have been infected, those login attempts are currently understood to be not related to this event.

If so, while the malware operator could have attempted to steal your credentials, they haven't been known to. There is additionally no way to say for sure what cookies of yours have been leaked. Both of these are because of how the malware operates.

The operator would need to send a specific event (or multiple specific events) to your browser to begin targeting those accounts of yours. They could do this per-user by sending events only to you, so there's no way to know for sure whether or not other accounts of yours were targeted unless you have traffic logs of the incident. However, they haven't been known to do so and they would have needed to send those events before you were logged in to those accounts, which the operator can't monitor, predict, or force.