
Comments (15)

t3dotgg avatar t3dotgg commented on July 28, 2024 8

Hey guys! Fun fact. When your extension gets taken down due to a bullshit DMCA notice, it's possible for others to somehow push updates.

I am in contact with Google and will be putting up an official press release tonight. This is absolutely maddening and I'm so sorry guys.

from chrometana.

t3dotgg avatar t3dotgg commented on July 28, 2024 5

Update has been shipped. I'm closing this for now, but please don't hesitate to contact me with anything at all

from chrometana.

The-MAZZTer avatar The-MAZZTer commented on July 28, 2024 3

I can confirm. Either the author of the extension sold out his users, or his Google account was compromised.

Report the extension here if you have experienced this issue: https://chrome.google.com/webstore/report/kaicbfmipfpfpjmlbpejaoaflfdnabnc?utm_source=chrome-remove-extension-dialog

The script being injected is alert10.js in the extension root folder. I assume it's just a drop-in.

The code does not seem to have been uploaded to GitHub.

from chrometana.

echthesia avatar echthesia commented on July 28, 2024 3

Thanks! Oh, and by the way, EdgeDeflector allows us to use Chrome with Cortana, so the extension has a purpose again. Yay!

from chrometana.

t3dotgg avatar t3dotgg commented on July 28, 2024 3

Update shipping soon

http://chrometana.theo.li/2017/06/google-account-compromised-malware-shipped-chrometana-1-1-3/

from chrometana.

echthesia avatar echthesia commented on July 28, 2024 2

The problem is that Google has literally no customer support, other than specialized departments like the Pixel. I once had someone already have a Google account with my email and nobody could help me get it removed.

from chrometana.

The-MAZZTer avatar The-MAZZTer commented on July 28, 2024 1

Here's the entire extension source as it exists on the Web Store as of this writing.

https://www.dropbox.com/s/5l9prxit0y3ue7s/Chrometana%201.1.3%20%28ONLY%20FOR%20ANALYSIS%20MAY%20CONTAIN%20SPYWARE%20DO%20NOT%20INSTALL%20INTO%20CHROME%29.zip?dl=0

I looked at the manifest file. It looks like it may contain a workaround to prevent Google from automatically catching it.

"content_scripts": [ {
  "js": [ "alert10.js" ],
  "matches": [ "\u003Call_urls>" ],
  "run_at": "document_start"
} ],

I assume \u003C is the Unicode code for < which ultimately makes a match string of "<all_urls>" which causes this script to be injected into every page you visit.

I do lots of JS coding for a living so I figured my own analysis of the script might be useful.

First of all, it looks like most of the file from the start is an md5 JS library that was dropped in, including comments and code that is for Internet Explorer specifically. However it appears to not be used at all. Maybe it was included so if someone opened the file in Chrome's Dev Tools or a text editor they would not see anything interesting happening right away?

Line 193 appears to be where the author's code starts. When I break it down it appears to do the following:

  1. Check the current page to see if it's a "keeper" page (I think this is a page on the site the user is ultimately redirected to).
  2. Use a cookie called "_alert" to track the last time we showed a popup to the user. Only if it has been more than 10 seconds AND the current page is not a "keeper" page do we show a new alert.
  3. Show a yes/no popup dialog with the message "Your computer is infected. You have to check it with antivirus.". However, show it in the user's native language if the user's language is Spanish, Italian, French, Portuguese, German, Russian, or Greek.
  4. If the user clicks yes, redirect the current page to http : // chromeupdates . top / tds . php ? subid = ce Otherwise redirect the page to https : // chromeupdates . top / s . html (I DO NOT RECOMMEND VISITING THESE PAGES I DON'T KNOW WHAT IS ON THEM)

from chrometana.
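An added example (not part of the thread or of the extension's code) of the manifest check described in the comment above: it parses the manifest as JSON, so the match string is seen in decoded form whether or not it is written with the `\u003C` escape, and reports content scripts that run on every page. The extension name and version in the sample are constructed placeholders; the `content_scripts` entry is the fragment quoted above.

```javascript
// Added example: audit a Chrome extension manifest for content scripts
// that are injected into every page the user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Constructed sample manifest. String.raw keeps the backslash so the text
// contains the escaped form exactly as in the quoted fragment.
const SAMPLE_MANIFEST = String.raw`{
  "name": "example-extension",
  "version": "0.0.0",
  "content_scripts": [ {
    "js": [ "alert10.js" ],
    "matches": [ "\u003Call_urls>" ],
    "run_at": "document_start"
  } ]
}`;

// Returns one finding per content_scripts entry with a match-everything pattern.
function auditContentScripts(manifestText) {
  const manifest = JSON.parse(manifestText); // JSON decoding resolves \uXXXX escapes
  const findings = [];
  for (const entry of manifest.content_scripts || []) {
    const broad = (entry.matches || []).filter((m) => BROAD_PATTERNS.has(m));
    if (broad.length === 0) continue;
    findings.push({
      scripts: entry.js || [],
      broadMatches: broad,
      runAt: entry.run_at || "document_idle", // Chrome's default when omitted
    });
  }
  return findings;
}

// A plain substring search over the raw file does not see the escaped form.
function rawTextMentionsAllUrls(manifestText) {
  return manifestText.includes("<all_urls>");
}

const findings = auditContentScripts(SAMPLE_MANIFEST);
console.log("raw text search hit:", rawTextMentionsAllUrls(SAMPLE_MANIFEST));
for (const f of findings) {
  console.log(`${f.scripts.join(", ")} runs at ${f.runAt} on ${f.broadMatches.join(", ")}`);
}
```

Comparing the findings between two versions of the same extension shows when an update adds an every-page content script that the previous release did not have.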

chr0n1x avatar chr0n1x commented on July 28, 2024

@The-MAZZTer can you gist alert10.js so we can take a look @ it?

from chrometana.

Wazbat avatar Wazbat commented on July 28, 2024

Damn. It's scary to see something so trusted turn into this

from chrometana.

rossinimartins2 avatar rossinimartins2 commented on July 28, 2024

Confirmed, happens here too.

Chrometana version 1.1.3 via Download Chrome Extension on Opera 45.

from chrometana.

echthesia avatar echthesia commented on July 28, 2024

I will mention that this is the exact same thing that happened to Infinity New Tab, complete with the same wording, a month or two ago, so it's probably a compromised account.

from chrometana.

t3dotgg avatar t3dotgg commented on July 28, 2024

Google is not responsive and I have no idea how any of this happened. I'm shipping an update momentarily. If anyone has advice on how to get ahold of Google and fix/prevent garbage like this please let me know

from chrometana.

MissPotato avatar MissPotato commented on July 28, 2024

I'll be running the necessary test to hopefully ensure that my PC is clean, however could we get a statement about the malware's effect on end users who may not be able to read the code?

from chrometana.

t3dotgg avatar t3dotgg commented on July 28, 2024

@MissPotato, the "malware" included was a small JavaScript pop-up. That pop-up could bring you to a website with worse viruses.

If you did not download anything from a suspicious webpage, you're fine.

from chrometana.

MissPotato avatar MissPotato commented on July 28, 2024

@theobr, thanks for the statement! I tend to avoid downloading things from sites I don't use.

from chrometana.
