Possibly malicious addon, or am I baseless?

Posted: 2017-11-23, 04:40
by paletiger
Hello, beyond the era of Netscape and AOL and all, came Firefox 1 and 2 that have burned their UI into my brain.. with themes and extensions that felt unique and made my most used application (my web browser) an experience for me.

Fast forward off many years following the Chrome bandwagon (multi-processes + task manager to kill big pages were a must,) I decided Firefox with its Quantum and webextensions was premature for my next browser .. so I thought I'd give the guys who forked 'good ol' FF and .. there's even that bloody Walnut theme in the repository waiting for me!

I apologise for this sounding like an intro ... however, my addon-shopping experience begins ..

NoScript, GreaseMonkey and a Stylish which I got a huge kick out of - remembering how they transformed early YouTube for me into a beautiful and optimised (for me!) experience maybe the better part of a decade ago. I added a sorta privacy tool to try out called Secret Agent/Stealthy or something rather and it turned out to save my tail .. among a few others, but their choice was moot.

All my non-http traffic started being redirected, the addresses in plaintext logged:

Image

Essentially, 's3blog.org' , some website likely I thought being HTTP originating from malware or an addon - was redirecting, through likely the same method, to prepend every non-HTTPS url as a request to a 'crvtck' dot com, what seemed like a sort of C&C for all I know. Someone had an issue with this website before and an extension called NEnhancer for Netflix, however that thread died and I had no such extension:
https://forums.majorgeeks.com/threads/n ... re.308434/

So .. I pop open a grep, and look for those addresses in my user folder ... nada. With time to kill, I start looking through the extensions, and decide it is so repeatable that I just disabled addon after addon (oh thank goodness for the 'restart manager' addon letting me reload the browser with non-https pages to test this!) and found it was S3 download bar manager I stooped into getting, reminded of a nostalgic download manager that'd fill my status bar with joy as a young one .. I digress.

I just end up dumping the .xpi archive with 7-zip and sort by date, and find the donkey:
Image

Essentially, a few obviously recently modified files, probably from a hijacked plugin/port to pale moon/'desperation from the author'/who knows?

Turns out the plugin gives a dirty 'opt out' page, where there is nothing implied, and you must 'not support the author' .. to perhaps kill the redirecting:
Image

The red button, it seems, is your 'non-consent' . :thumbdown:

Now, woe is me, they have a privacy policy on the Mozilla website that says basically 'we may collect your web history' pseudo-legalese foolery:
"If user consent is given, this add-on will show advertising on web pages.
In that case, the user's browsing history can be accessed by a third party (ad network).

But we don't collect cookies, password, e-mails or any other confidential info.
Only the domains (not full URLs) of the web-sites visited and nothing else."
In other words... 'We hijack and potentially inject malicious scripts from 3rd party advertisers on to every non-secured web page, but we ourselves honestly honestly don't collect full addresses or nothing else!'

So... opt-out HTTP hijacking? Or did I just waste my time? Or am I a clueless edge-case user? But who would honestly do what I did? If I wanted to hand out my domains browsed, I'd pop back to Google Chrome.. I'd even trust them more with them.

~Paletiger.
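As an added example, not paletiger's own tooling nor anything from the add-on in question: a small Python script that does what the post describes by hand, opening an .xpi (which is just a zip), listing its entries newest first, and flagging files modified after the add-on's original release or mentioning a given domain. The archive contents and the redirector.example domain are constructed for the demonstration.

```python
import io
import re
import zipfile
from datetime import datetime

# Regexes for domains worth flagging; a constructed placeholder, not a real indicator.
SUSPECT_PATTERNS = [r"redirector\.example"]

def build_sample_xpi() -> bytes:
    """Constructed sample .xpi (a plain zip) standing in for the add-on archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Original add-on files carry the old release timestamp.
        old = (2014, 3, 1, 12, 0, 0)
        zf.writestr(zipfile.ZipInfo("install.rdf", old), "<RDF></RDF>")
        zf.writestr(zipfile.ZipInfo("chrome/content/bar.js", old), "// download bar UI\n")
        # One file touched years later that routes http:// loads via a third party.
        late = (2017, 10, 5, 9, 30, 0)
        zf.writestr(zipfile.ZipInfo("chrome/content/loader.js", late),
                    'var gw = "http://redirector.example/?u=";  // constructed\n')
    return buf.getvalue()

def inspect_xpi(data: bytes, patterns, newer_than: datetime):
    """List archive entries newest first; flag entries modified after `newer_than`
    and entries whose contents match any of the `patterns` regexes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            mtime = datetime(*info.date_time)  # zip stores a 6-tuple timestamp
            hits = [p for p in patterns if re.search(p, text)]
            findings.append({"name": info.filename, "mtime": mtime,
                             "recent": mtime > newer_than, "hits": hits})
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings

def flagged(findings):
    """Names of entries worth a closer look: recently modified or matching a pattern."""
    return [f["name"] for f in findings if f["recent"] or f["hits"]]

def scan_sample():
    """Run the check over the constructed archive with a 2015 cutoff."""
    return flagged(inspect_xpi(build_sample_xpi(), SUSPECT_PATTERNS, datetime(2015, 1, 1)))

if __name__ == "__main__":
    for f in inspect_xpi(build_sample_xpi(), SUSPECT_PATTERNS, datetime(2015, 1, 1)):
        mark = "!!" if f["recent"] or f["hits"] else "  "
        print(f"{mark} {f['mtime']:%Y-%m-%d} {f['name']} {f['hits']}")
```

Point `inspect_xpi` at the bytes of a real archive and a cutoff near the add-on's release date to reproduce the "sort by date" check from the post.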