11

There have been a lot of articles about legitimate Chrome/Opera extensions that get sold out to malicious parties that end up pushing the wrong kind of code down the pipe, since by default these extensions auto-update.

Since these extensions are mostly open source, i.e. JScript and similar code, how could we trace which one is causing certain behaviors?

E.g. I got these 2 site URLs in my Opera (Chromium-based) browser and, upon googling them, can't understand why and from where they showed up while I was making some changes and rebooting my "Tomato Router".

I'd like to trace where redirectors, if any, are sitting. Some specifics are sanitized out.

http://coolbar.pro/tracker/go-new?url=javascript%3Areboot()&cid=16

http://crvlck.com/get?key=33bc39603cbf409986a444d6bb525bf1&out=javascript%3Areboot%28%29&ref=https%3A%2F%2F192.XXX.YYY.ZZZ%2F&format=go&uid=16

My scans with Avira and other Anti Virus did not bring up anything conclusive.

I'd like to do & learn to do a bit of manual research into extensions.

Alex S
  • Other extensions can help you with that. Get a request monitoring extension, a cookie editing one (to test behavior) or other similar ones that can significantly help your research. – Overmind Jul 21 '16 at 09:15

1 Answer

12

If you see any activity in the browser where these keywords show up, which might point to this issue, then the following solution may help.

Keywords for people to find this answer/ solution:

crvlck.com
coolbar.pro
33bc39603cbf409986a444d6bb525bf1

The Extension "Tab Manager" was sold to a malicious 3rd party and users were not notified in any fashion by the original dev.

On the GitHub source code page he pointed to a new entry for the extension, which most users don't have any way of being notified of or knowing about. For this, users need to delete and remove the old extension and, if they want, they can install from the new link.

https://github.com/VanCoding/Tab-Manager - Readme.md

Tab Manager

This is a Google Chrome extension which allows you to easily and quickly manage and access your tabs/windows ;) Have fun with it!

IMPORTANT: The old "Tab Manager"-entry in the chrome web store has been sold and I am no longer the owner! Neither do I know the source code of the version that currently gets deployed there.

Please note that only the web store entry and no source code has been sold. I, and all contributors of the project, are still the owners of the source code. I've also created a new entry on the chrome web store. I'll keep it up to date with the source code as with the old entry.

license

MPLv2

But I still wonder what we people/users could do in future to keep track of such "handovers/sellouts" and take steps.

Discussed here as well: https://productforums.google.com/forum/#!topic/chrome/Znvs228EVc8

Specifics of the malicious code are available here:

https://github.com/VanCoding/Tab-Manager/issues/45

https://www.reddit.com/r/help/comments/4tquap/hitting_collapse_comment_icon_button_is/

Update:

Consequently, after being criticized for introducing such activities into an open source project, the original author/dev just made a bait/switch on the open source project and hightailed it out after his open source project was sold and turned into malware, with prospective infections of 1,43,000 (based on downloads/installs of the original extension from the Chrome Store). Finally, after arguing his stance, he just removed/deleted the open source project repository from GitHub.

Patrik Stutz
VanCoding
Cloud Studios
Hochdorf LU CH
patrik.stutz@gmail.com
http://cloudstudios.ch
Joined on Feb 2, 2011

His final comments & activities on the subject, from the attached screenshot: [image]

Alex S
  • 2
    FYI, I have published a new extension that uses the unmolested open source code directly from github if anyone is interested: https://chrome.google.com/webstore/detail/tab-manager/eobcjlgohobbfcgabmijkdgpjkknpbbo – joshperry Jul 21 '16 at 18:24
  • 3
    The VanCoding/Tab-Manager repo appears to be gone. – Ted M. Young Jul 22 '16 at 19:39
  • http://www.whois.com/whois/cloudstudios.ch – Max Jul 31 '16 at 06:49
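
As an added example (not part of the original posts): one way to do the manual check the question asks about, assuming the Chromium on-disk layout `Extensions/<extension id>/<version>/manifest.json` inside the browser profile. It searches each unpacked extension's files for the keywords listed in the answer and reports which extension contains them; the two sample extensions, their IDs and the `build_sample` helper are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Indicator strings quoted in the question and answer on this page.
INDICATORS = ("crvlck.com", "coolbar.pro", "33bc39603cbf409986a444d6bb525bf1")
TEXT_SUFFIXES = {".js", ".json", ".html", ".htm"}

def scan_extensions(ext_root, indicators=INDICATORS):
    """List every file under <ext_root>/<id>/<version>/ that contains an indicator."""
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}  # unreadable manifest: still scan the files
        for path in sorted(version_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            for ioc in indicators:
                if ioc in text:
                    findings.append({
                        "id": version_dir.parent.name,
                        "name": manifest.get("name", "?"),
                        "version": manifest.get("version", version_dir.name),
                        "permissions": manifest.get("permissions", []),
                        "file": path.relative_to(version_dir).as_posix(),
                        "indicator": ioc})
    return findings

def build_sample(root):
    """Constructed sample data: one clean extension and one referencing a tracker."""
    samples = {
        "a" * 32: ("Clean Example", "1.0_0", "console.log('tabs');"),
        "b" * 32: ("Sold Example", "5.2_0", "var t = 'http://coolbar.pro/tracker/';"),
    }
    for ext_id, (name, ver, js) in samples.items():
        ext_dir = Path(root) / ext_id / ver
        ext_dir.mkdir(parents=True)
        manifest = {"name": name, "version": ver[:-2], "permissions": ["tabs"]}
        (ext_dir / "manifest.json").write_text(json.dumps(manifest))
        (ext_dir / "background.js").write_text(js)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # real use: your profile's Extensions dir
        print(*scan_extensions(build_sample(tmp)), sep="\n")
```

A clean result is not conclusive, because strings can be obfuscated or loaded at runtime; pair the scan with a request monitor, as the comment on the question suggests.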