Adblocking extensions with more than 300,000 active users have been secretly uploading users’ browsing data and tampering with users’ social media accounts thanks to malware that the new owner introduced a few weeks ago, according to technical analysis and posts on GitHub.
Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he had run out of time to maintain the project and had sold the rights to the available versions in Google’s Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which are often installed together, have about 300,000 total installations.
Four days ago, Raymond Hill, creator of the uBlock Origin extension on which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code.
The first thing Hill noticed the new extension did was check if the user had opened the developer console. When opened, the extension sent a file titled “report” to a server at https://def.dev-nano.com/. “In simple words, the extension remotely monitors whether you are using the extension development tools – which you would if you wanted to know what the extension does,” he wrote.
The most obvious change that end users noticed was that infected browsers automatically handed out likes for large numbers of Instagram posts, without user input. Cyril Gorlla, an artificial intelligence and machine learning researcher at the University of California San Diego, told me that his browser liked more than 200 images from an Instagram account that nobody followed. The screenshot on the right shows some of the affected photos.
Nano Adblocker and Nano Defender are not the only extensions reported to tamper with Instagram accounts. User Agent Switcher, an extension that had more than 100,000 active users until Google removed it earlier this month, reportedly did the same thing.
Many users of the Nano extension on this forum reported that their infected browsers also accessed user accounts that they had not opened in their browser. This has led to speculation that the updated extensions read authentication cookies and use them to access the user accounts. Hill said he looked at some of the added code and found it was uploading data.
“Since the added code could collect request headers in real time (I think over a web socket connection), this means that sensitive information like session cookies could be leaked,” he wrote in a post. “I’m not a malware expert, so I can’t think of *all* that’s possible if I have real-time access to request headers, but I do understand it’s really bad.”
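One way to look for the pattern Hill describes, as an added example that is not part of the original article or of any Nano code: audit an unpacked extension for the combination of a header-reading webRequest listener and network endpoints outside an allowlist. The sample manifest, source and allowlist are constructed here; the def.dev-nano.com host is the one reported above, and easylist.to is an assumed legitimate filter-list host.

```python
import re
from urllib.parse import urlparse

# webRequest listeners that expose request/response headers in real time,
# the capability the post above says could leak session cookies.
HEADER_APIS = (
    "webRequest.onBeforeSendHeaders",
    "webRequest.onSendHeaders",
    "webRequest.onHeadersReceived",
)
URL_RE = re.compile(r"""(?:https?|wss?)://[^\s"'`)]+""")


def referenced_hosts(source):
    """Hostnames of every absolute http(s)/ws(s) URL literal in the JS source."""
    hosts = set()
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def audit_extension(manifest, sources, allowed_hosts):
    """Flag an unpacked extension that both reads request headers and contacts
    hosts outside an allowlist (e.g. the filter-list mirrors you expect).
    A real adblocker needs webRequest and <all_urls>, so those alone are not
    a signal; the combination with an unexpected endpoint is."""
    code = "\n".join(sources.values())
    header_apis = [api for api in HEADER_APIS if api in code]
    unexpected = sorted(referenced_hosts(code) - set(allowed_hosts))
    return {
        "permissions": sorted(manifest.get("permissions", [])),
        "header_apis": header_apis,
        "websocket": "new WebSocket(" in code,
        "unexpected_hosts": unexpected,
        "verdict": "suspicious" if header_apis and unexpected else "ok",
    }


# Constructed sample, loosely modelled on the behaviour reported above; the
# listener callback is deliberately empty, only the registration matters here.
SAMPLE_MANIFEST = {"name": "sample-blocker",
                   "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]}
SAMPLE_SOURCES = {"background.js": """
const ws = new WebSocket("wss://def.dev-nano.com/");
chrome.webRequest.onBeforeSendHeaders.addListener(function (d) {}, {urls: ["<all_urls>"]}, ["requestHeaders"]);
fetch("https://easylist.to/easylist/easylist.txt");
"""}
ALLOWED_HOSTS = {"easylist.to"}  # assumed: hosts the extension legitimately fetches from

if __name__ == "__main__":
    print(audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES, ALLOWED_HOSTS))
```

Running it against a real unpacked extension means loading its manifest.json and reading each script listed under background or content_scripts into the sources dict.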
Other users reported that sites other than Instagram were also visited and in some cases tampered with even when the user had not visited the site, but these claims could not be immediately verified.
Alexei, a senior staff technologist from the Electronic Frontier Foundation working on the Privacy Badger extension, has been following the discussions and has provided me with the following synopsis:
The bottom line is that the Nano extensions have been updated to stealthily upload your browsing data in a remotely configurable manner. Remotely configurable means there was no need to update the extensions to adjust the list of websites whose data would be stolen. In fact, the list of websites is currently unknown because it is configured remotely. However, there are many reports that users’ Instagram accounts have been affected.
Evidence collected so far shows that the extensions stealthily upload user data and gain unauthorized access to at least one website, in violation of Google’s terms of service and potentially applicable laws. Google has already removed the extensions from the Chrome Web Store and issued a warning that they are not safe. Anyone who has installed one of these extensions should remove it from their computer immediately.
Nano Adblocker and Nano Defender are available in the extension stores hosted by both Firefox and Microsoft Edge. Xu and others say none of the extensions available in these other locations are affected. The caveat is that Edge can install extensions from the Chrome Web Store. All Edge users who used this source are infected and need to remove the extensions.
The possibility that the extensions may have uploaded session cookies means that anyone infected should at least completely log out of all sites. In most cases, this should invalidate the session cookies and prevent someone from using them to gain unauthorized access. Really paranoid users will want to change passwords just to be on the safe side.
The incident is the latest example of someone acquiring an established browser extension or Android app and using it to infect the large user base that has already installed it. It is difficult to give useful advice for preventing this kind of abuse. The Nano extensions were not some obscure, throwaway operation. Users had every reason to believe they were safe until, of course, that was no longer the case. The best advice is to regularly check installed extensions and remove anything that is no longer used.