
Microsoft Edge Extension "Nano Defender Pro" (Currently?) Appears Safe (Aug 18 version) #13

Closed
Hexcede opened this issue Oct 25, 2020 · 8 comments

Comments

Hexcede commented Oct 25, 2020

@jspenguin2017 Can we please get any information on if any Edge extensions have any possibility of being affected?
Having Nano extensions installed right now or installing any is like handling mercury, it'd be nice to get a briefing on what exactly is likely not to have been affected or impossible to have been affected.

I couldn't find if jspenguin2017 verifies the safety of the Edge version of the extension so I did it myself. Also not sure if these new developers have the ability to upload code to the Edge store.

Tl;dr The Edge extension is currently safe (checked 10/24/2020 11:40 PM EST)

Alright, so, unfortunately this isn't documented and my solution came in the realization that the Microsoft webstore requests the manifest file of an extension before it's installed (I didn't want to install it before knowing). The manifest file contains an update URL which thankfully yields us a way to download the crx file (this is, again, completely undocumented and as far as I could find, no tools are available to download Edge store extensions, thanks Microsoft).

Update URL: https://edge.microsoft.com/extensionwebstorebase/v1/crx

# Downloading the CRX

(Note, you need to either do this on a page that can't install extensions such as a new tab page, or download with a tool. I personally used the site linked in this issue https://robwu.nl/crxviewer)

Take the update URL, and stick ?response=redirect&x=id%3Dijfkmnlofajajikjhfiigelipempcklj%26installsource%3Dondemand%26uc on the end. Note, the ID starts after id=%3D, I've placed the WebStore ID from here https://microsoftedge.microsoft.com/addons/detail/nano-defender-pro/ijfkmnlofajajikjhfiigelipempcklj.

This produces the following:
https://edge.microsoft.com/extensionwebstorebase/v1/crx?response=redirect&x=id%3Dijfkmnlofajajikjhfiigelipempcklj%26installsource%3Dondemand%26uc

This URL will download the crx file.

Viewing the source code via the crxviewer tool above shows that the connect.js code that appeared in the updated version of the extension does not appear here, which suggests there's no usage of socket.io. I downloaded a zip of the contents to analyze the file in a bit more depth. Doing a full search for "nano-dev" and "dev-nano" shows no occurrences, which means the malicious URL goes unused. A full search of "socket" shows no occurrences.

Additionally, I've searched for specific examples of code, keywords, etc. mentioned here and found none, and additionally have read all of core.js, which from what I can tell was the modified file according to a screenshot higher up showing it was changed.

I've scanned through most of the rest of the extension's code and do not see anything out of place thankfully. I'm fairly sure this version of the extension is unmodified.
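The download-URL construction and the indicator search described in this comment, as an added example that is not part of the thread or of the Nano project's own code. The URL parameter layout is taken from the comment above, the container layout is the public CRX2/CRX3 format, and the sample CRX is a constructed fixture rather than a store download.

```python
import io
import struct
import zipfile
from urllib.parse import urlencode

EDGE_UPDATE_URL = "https://edge.microsoft.com/extensionwebstorebase/v1/crx"

def edge_crx_url(extension_id: str) -> str:
    """Build the download URL from the comment: the 'x' parameter carries a
    second, URL-encoded query string (id=..., installsource=ondemand, uc)."""
    inner = f"id={extension_id}&installsource=ondemand&uc"
    return f"{EDGE_UPDATE_URL}?response=redirect&" + urlencode({"x": inner})

def crx_to_zip(crx: bytes) -> bytes:
    """Strip the CRX container and return the embedded ZIP archive.
    CRX3: b"Cr24" | u32 version=3 | u32 header len | header | zip.
    CRX2: b"Cr24" | u32 version=2 | u32 key len | u32 sig len | key | sig | zip.
    Signatures are not verified here; this is for offline content review."""
    if crx[:4] != b"Cr24":
        raise ValueError("not a CRX file")
    version = struct.unpack_from("<I", crx, 4)[0]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", crx, 8)
        return crx[16 + key_len + sig_len:]
    if version == 3:
        header_len = struct.unpack_from("<I", crx, 8)[0]
        return crx[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")

def scan_for_indicators(zip_bytes: bytes, needles=("nano-dev", "dev-nano", "socket")) -> dict:
    """Case-insensitive search of every file in the archive for the strings
    the comment grepped for; returns {needle: [matching file names]}."""
    hits = {n: [] for n in needles}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            text = zf.read(name).decode("utf-8", errors="ignore").lower()
            for n in needles:
                if n in text:
                    hits[n].append(name)
    return hits

def build_sample_crx(files: dict) -> bytes:
    """Constructed fixture (not a real store download): a CRX3 container with
    an empty header wrapped around a ZIP of the given {name: content} files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return b"Cr24" + struct.pack("<II", 3, 0) + buf.getvalue()
```

Feeding the bytes of a downloaded .crx into `crx_to_zip` and then `scan_for_indicators` reproduces the "nano-dev"/"dev-nano"/"socket" search the comment did by hand in crxviewer.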

jspenguin2017 (Owner) commented Oct 25, 2020

I still control the Edge store listings. This is mentioned in both the original announcement [1] and the news article [2].

[1] NanoAdblocker/NanoCore#362
[2] https://arstechnica.com/information-technology/2020/10/popular-chromium-ad-blockers-caught-stealing-user-data-and-accessing-accounts/

Hexcede (Author) commented Oct 25, 2020

> I still control the Edge store listings. This is mentioned in both the original announcement [1] and the news article [2].
>
> [1] NanoAdblocker/NanoCore#362
> [2] https://arstechnica.com/information-technology/2020/10/popular-chromium-ad-blockers-caught-stealing-user-data-and-accessing-accounts/

I wasn't aware of the news article and I looked through several dozen posts earlier while looking into this, perhaps I missed a link or something in replies but I don't really think that's on me at that point haha.

In the linked issue, I don't see anywhere that it's specified you still control the Edge store listings at all; I only see an update mentioning that Edge store listings have been hidden. Additionally, in the initial portion of the post I see the reference to the Chrome Webstore as "Webstore listings", but Edge also uses the term Webstore in several locations on its site and in the browser... I'm not too sure where exactly in the issue you're referring to, and it certainly doesn't seem like obvious information to me, hence why I had asked for clarification. Definitely good to see for sure that the case is as such, however.

jspenguin2017 (Owner) commented Oct 25, 2020

It is mentioned here [1] 12 days ago, please take the time to read the entire announcement thread.

[1] NanoAdblocker/NanoCore#362 (comment)

Hexcede (Author) commented Oct 27, 2020

> It is mentioned here [1] 12 days ago, please take the time to read the entire announcement thread.
>
> [1] NanoAdblocker/NanoCore#362 (comment)

I took several hours to read through multiple threads, I looked into multiple outside locations in replies as well trying to gather what I could. I think this is a good opportunity though to make a suggestion about stuff. Personally my concern was the fact that I couldn't find the information while actively looking for it. Additionally, I do wanna address how people are way too fixed on blaming you.

Nobody should be blaming you for this situation even though they are. I think a lot of info is jumbled up in various locations, not everything is really fluid, and not everything is really clear, and it's confusing to look into if you haven't been staying up to date from the start I feel. It's gotta be very stressful for you, and it's a giant mess so it's not easy to be managing 10 different locations. What I can definitely say though is that people don't really have a reason to be blaming you for this situation. You had essentially no control over it and you had nothing to do with it, and that should definitely be much clearer than it is I think.

The website, more specifically https://jspenguin2017.github.io/uBlockProtector, is currently not up to date, and I think it's a good idea to potentially update this location with a warning of some kind. Also I think that the announcement thread should be updated, but I don't think it's as important as the site; honestly it probably takes more effort.

I think it's important to, in a general way, explicitly state what exactly was affected and what the specific concern(s) are. I think it's also really important to make it obvious if it's something that can be so urgent.
Personally I might word a warning like this and just leave it, there isn't anything else that could really be considered important information:

IMPORTANT: An update to specifically the Chrome WebStore extension introduced malicious code which collected session information from sites like Instagram, GitHub, and potentially more. Nothing else was affected and the Chrome extension is removed. If you used the Chrome extension within the past month, please change your passwords and see the information below.

I think this solves my concern as well as probably solves other concerns, and, it makes it much harder for people to be blaming you. That makes it so you don't have to worry about organization of really most anything. And, you can simply link to the site to reference the warning in less popular places, such as in README files or in issue threads.

jspenguin2017 (Owner) commented

I'm not sure how you search for the information that you were seeking, but if you look up "Nano Adblocker" on Google, the 4th result is the news article which contains the answers to your concerns.

jspenguin2017 (Owner) commented

I don't think an update like that on the homepage would help, I think it's better for people to read the announcement thread to understand the full story. Also, I don't want to make a statement regarding what were affected and what were not, I think that should be left to the experts.

brbsix commented Oct 28, 2020

> Additionally, I do wanna address how people are way too fixed on blaming you.
>
> Nobody should be blaming you for this situation even though they are.
>
> What I can definitely say though is that people don't really have a reason to be blaming you for this situation. You had essentially no control over it and you had nothing to do with it, and that should definitely be much clearer than it is I think.
>
> I think this solves my concern as well as probably solves other concerns, and, it makes it much harder for people to be blaming you. That makes it so you don't have to worry about organization of really most anything. And, you can simply link to the site to reference the warning in less popular places, such as in README files or in issue threads.

@Hexcede I agree it's not very productive to be bringing up blame as it's already been reiterated multiple times but here you're the one bringing it up again. I didn't want to have to get into this, but it's outrageous to say there's no reason for anyone to blame him. In what possible way could he not be blamed?

He intentionally sold the rights to a Chrome extension that has auto-update enabled and full access to its users' network connections to an unknown person, no questions asked, with absolutely no warning to the users of that extension. To be clear, the only notification to users was a comment in reply to an issue thread on the project's GitHub repo. Maybe that would have been appropriate if the GitHub repo was being sold (not that anyone would buy it unless they were a scammer), however it was not the GitHub account that was being sold. You yourself stated the difficulty in finding the information in NanoAdblocker/NanoCore#362 (comment) and you at least knew you needed to look for something and also knew what to look for! As stated, it was the Chrome extension rights being sold, not the GitHub repo, how were the Chrome extension users supposed to know about the sale? The person who manages the Firefox extension was easily able to give a popup message to its users almost immediately after finding out about the malware in the Chrome extension, but apparently jspenguin2017 couldn't be bothered to give the same warning to the users of the Chrome extension before selling it.

The entire project is OPEN SOURCE, its source is freely available for anyone who would like to use it to fork it and create their own new extension. It was not a company. It had no employees. It had no assets. It was not monetized. There's absolutely NO REASON why anyone would want to purchase solely the Chrome extension to such a project unless they intended to monetize it and/or exploit its users. This is plainly obvious, it doesn't require a crystal ball to know exactly what will happen. Now, did jspenguin2017 bother notifying the users of the Chrome extension beforehand? Did he bother looking into the background of the interested party to see if they were an advertising company? Clearly, no. Instead he just saw that the person had a made up name, a made up email address, no Internet history whatsoever. Of course there were no results for the developer's Facebook or Instagram account or anything else because again, it's just a made up name. Of course jspenguin2017 sees nothing wrong with that.

Maybe you're right that jspenguin2017 is not to blame. In the same way that a parent who decides to put their little kid up for "adoption" to some creepy old man is not to blame when the kid gets sexually abused and found dead. Nothing weird about the fact that they told no one, didn't know his name or where he lived, met him at night in a back alley where he was wearing a mask and paid the parents $5000. How could they know? They did nothing wrong. I don't know why anyone would blame the parents. I wanna address how people are way too fixed on blaming the parents. Nobody should be blaming the parents for this situation even though they are.

Obviously he doesn't care about putting up a visible notice anywhere. He didn't care about doing it earlier, why would he care now? The damage is already done.

Frankly I suspect he had a good idea what the scammers were going to do and didn't care, had the same attitude then as he does now. That he wouldn't be the one actually inserting the malware, so his hands would be clean. There are a bunch of scammers that send out emails to developers of extensions in the Chrome store that want to either insert their own code in the extension or outright buy it. The scammer tells the owner that the deal is contingent on not warning users, as that would defeat the purpose of being able to secretly insert their code. No doubt the "Turkish dev" gave the same instructions to jspenguin2017 and he was happy to oblige.

Hexcede (Author) commented Oct 29, 2020

@brbsix Christ. I hardly think that this is even remotely comparable to anything like that. While jspenguin is certainly not handling this situation well at all and is being unhelpfully stubborn to everyone as far as I can tell, my point is that he very likely had no intentions of this happening and didn't really have any control over the situation. I doubt he intends to make himself look as bad as he does.

Secondly, your last paragraph is just speculation; there is literally no actual basis to that. You can't really make that claim nor can you support it by any means. You're effectively just assuming he intended to do this and then committing to the idea without any actual reason to believe it besides jspenguin's actions, but honestly you can attribute a lot of them to other things than that.

@jspenguin2017 First of all making people aware is important not just to help them but to help you. If you don't make an effort to make people aware it can leave you liable for plenty of things. You may not think it would help, but, it takes a small amount of effort to update the site and the possibility of the benefits it could bring are absolutely worth the two minutes it would take. Unfortunately you're a couple weeks late so you're really already in the hole. However, you'd still be helping yourself more by doing anything than nothing.

Secondly, I am looking for information in the place you'd generally expect to find information: The project itself. I found the project externally, not through Google searches, and, I'm not expecting to have to fucking Google the project every time I use it. You can't just leave it up to the responsibility of your userbase to find the information themselves and know that they may literally lose access to their accounts. Again, doing nothing basically leaves you entirely liable, and again, it really isn't difficult to push a small little warning. I don't see what the fuss is about putting up warnings.

Thirdly, from what I can tell you really really don't seem to be making an effort to fix an issue you had direct influence in. It comes across like you really just don't care. The damage you are bringing to yourself by actively trying not to make an effort is 1. You are likely ruining your reputation as a developer, 2. You are likely creating grounds for people to legitimately take action against you, 3. You are potentially actively putting more people at risk.

You are putting forth more effort to do nothing than you are anything else. You can't just say "well the information is available, just research it better" to everyone and leave it at that you have to make an effort or you're hurting yourself and potentially hurting an unknown amount of other people.

I am not contributing to this conversation any further as we're getting into some very ridiculous territory. I really don't see why this is a conversation in the first place, a lot of this should go without saying and if you really don't see an issue with how you are handling this I really don't think it's worth my time to make an attempt to provide feedback.

github-actions bot locked and limited conversation to collaborators Nov 6, 2020