codeanpeace
commented
11 months ago Seconded, the extension attempts to load them from phtracker.com
Open clddup opened 1 year ago
codeanpeace
commented
11 months ago Seconded, the extension attempts to load them from phtracker.com
steve-taylor
commented
11 months ago ModHeader no longer respects the ads opt-out setting. Has this extension been sold recently?
ChaosCom
commented
11 months ago After having randomly appearing "MaxAI.me" ads on the right hand side of my google search results, I started investigating my extensions and found that it was ModHeader that was injecting these into the site. So I started digging around some more and found the following things:
• Original github repos of modheader are gone: https://github.com/bewisse/modheader and https://github.com/modheader/modheader • Old archived versions list same contributors as the selenium (this) one: Hao1300, Hao4 • https://blog.berd.moe/archives/chrome-malware-extension-modheader/ analysed an older version of ModHeader (3.x) that was already doing shady things (you need to google translate, but the images alone, showing code excerpts and the privacy policy), especially near the end of the blog post, are pretty damning by itself: you're were being forcefully added to a P2P network without consent, and it's casually mentioned in the privacy notice • The current extension (version 5.0.8) exposes some parts of itself to the internet via "Web Accessible Resources" (https://developer.chrome.com/docs/extensions/mv3/manifest/web_accessible_resources/), a common pattern for malware to "leak information" • The version that I analysed (version 5.0.8) has phtracker and fpjs fingerprinting baked inside, along with code to modify some search sites (in order to inject ads into them); affected search engines include: google, bing, baidu, duckduckgo, yahoo, naver, yandex, sogou and brave • If you get "ZMO.AI", "MaxAI.me", "ImgCreator.AI" etc ads on the right hand side of your google search results, then this extension is most likely the culprit.
Note: I only did a very quick / preliminary analysis, but there's simply too many red flags for me to keep using this extension.
One day I discovered that there were some advertisements on my page. After a long investigation, I found out that they were inserted by modheader. I think your way of inserting advertisements is very shameful. At the very least, it should be emphasized in the advertisement that this advertisement is from modheader. It was inserted without any prompts. Inserting ads greatly affects the user experience. I have uninstalled on this extension so far.