
SoylentNews is people

posted by Fnord666 on Friday October 23 2020, @10:24AM
from the uninstall-this-malware-immediately dept.

Adblockers installed 300,000 times are malicious and should be removed now:

Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users' social media accounts thanks to malware its new owner introduced a few weeks ago, according to technical analyses and posts on GitHub.

Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google's Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which often are installed together, have about 300,000 installations total.

Four days ago, Raymond Hill, maker of the uBlock Origin extension upon which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code.

[...] The incident is the latest example of someone acquiring an established browser extension or Android app and using it to infect the large user base that already has it installed. It's hard to provide actionable advice for preventing this kind of abuse. The Nano extensions weren't some fly-by-night operation. Users had every reason to believe they were safe until, of course, that was no longer the case. The best advice is to routinely review the extensions that are installed. Any that are no longer of use should be removed.


  • (Score: 5, Insightful) by zocalo (302) on Friday October 23 2020, @11:12AM (#1067840)
    When Raymond Hill announced that he was discontinuing uMatrix he covered this exact point. He'd been burnt previously by transferring rights to an existing project to another developer, who had then inserted some sketchy code into it which was then pushed out to all existing users, and this was why he would be fine with someone forking uMatrix and continuing to develop it under a new name, but would not be transferring control of the project to another dev. There are multiple other examples of this kind of thing happening as well, particularly with ad-blockers and other security/VPN and other types of extension which come ready made with low-level access to the browser and/or user data.

    Realistically, it's too much to expect end users to be able to keep on top of this, especially when you've got browser vendors that insist on resetting user preferences NOT to auto-update the browser and/or extensions, so if you're going to try and stop this kind of attack vector then it really has to fall to those operating the extension "stores". Not sure you could achieve that though; a policy update requiring project control ownership transfers be notified to the store might help, but that's probably going to need to be supplemented by things like monitoring of accounts/IP ranges used to upload updates to the store - any such red flags could then trigger a period of increased scrutiny of the code before it is made available for users to download. Not a perfect solution, but it would at least raise the bar enough to deter a bunch of the also-rans and script kiddies, which is still better than nothing.
    --
    UNIX? They're not even circumcised! Savages!