1.1.3 release contains phishing(?) code. #27
Today, the plugin required new permissions to reactivate. When activated, going to ANY site resulted in a popup message saying that my computer is infected, and then it redirects the user to
Poking around that page I found this:
Seems to just be a script that doesn't really do much (according to this thread). But still, concerning.
I can confirm. Either the author of the extension sold out his users, or his Google account was compromised.
Report the extension here if you have experienced this issue: https://chrome.google.com/webstore/report/kaicbfmipfpfpjmlbpejaoaflfdnabnc?utm_source=chrome-remove-extension-dialog
The script being injected is alert10.js in the extension root folder. I assume it's just a drop-in.
The code does not seem to have been uploaded to GitHub.
Here's the entire extension source as it exists on the Web Store as of this writing.
I looked at the manifest file. It looks like it may contain a workaround to prevent Google from automatically catching it.
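For anyone comparing the manifests of two releases, the following is an added example (not code from this thread or from the extension) that diffs two `manifest.json` objects and reports newly requested permissions and content scripts injected on every site. Both manifests are constructed samples: only the `1.1.3` version number and the `alert10.js` file name come from this issue, and the function names, the `1.1.2` version and the `example.com` patterns are assumptions.

```javascript
'use strict';
// Match patterns that give an extension access to every page the user visits.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const isBroad = (pattern) => BROAD.has(pattern);

// MV2 mixes API names and host patterns in "permissions"; MV3 adds "host_permissions".
function declaredPermissions(manifest) {
  return new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
}

// Map each content script file to the set of match patterns it is injected on.
function contentScriptMap(manifest) {
  const map = new Map();
  for (const entry of manifest.content_scripts || []) {
    for (const file of entry.js || []) {
      const patterns = map.get(file) || new Set();
      (entry.matches || []).forEach((m) => patterns.add(m));
      map.set(file, patterns);
    }
  }
  return map;
}

// Report what the new manifest asks for that the old one did not.
function diffManifests(oldManifest, newManifest) {
  const before = declaredPermissions(oldManifest);
  const addedPermissions = [...declaredPermissions(newManifest)].filter((p) => !before.has(p));
  const oldScripts = contentScriptMap(oldManifest);
  const addedScripts = [];
  for (const [file, patterns] of contentScriptMap(newManifest)) {
    const previous = oldScripts.get(file) || new Set();
    const matches = [...patterns].filter((m) => !previous.has(m));
    if (matches.length) addedScripts.push({ file, matches, everySite: matches.some(isBroad) });
  }
  return {
    addedPermissions,
    addedBroadHostAccess: addedPermissions.filter(isBroad),
    addedScripts,
    needsReview: addedPermissions.some(isBroad) || addedScripts.some((s) => s.everySite),
  };
}

// Constructed sample manifests (not the real extension's files).
const previousManifest = { version: '1.1.2', permissions: ['storage', 'https://example.com/*'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['content.js'] }] };
const updatedManifest = { version: '1.1.3', permissions: ['storage', 'tabs', '<all_urls>'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['content.js'] },
    { matches: ['<all_urls>'], js: ['alert10.js'] }] };

console.log(JSON.stringify(diffManifests(previousManifest, updatedManifest), null, 2));
```

A `needsReview` result of `true` means the update gained access to all sites or injects a script everywhere; it says nothing about what that script does.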
I do lots of JS coding for a living so I figured my own analysis of the script might be useful.
First of all, it looks like most of the file from the start is an md5 JS library that was dropped in, including comments and code that is for Internet Explorer specifically. However, it appears to not be used at all. Maybe it was included so if someone opened the file in Chrome's Dev Tools or a text editor they would not see anything interesting happening right away?
Line 193 appears to be where the author's code starts. When I break it down it appears to do the following:
Hey guys! Fun fact. When your extension gets taken down due to a bullshit DMCA notice, it's possible for others to somehow push updates.
I am in contact with Google and will be putting up an official press release tonight. This is absolutely maddening and I'm so sorry guys.