12-27-2025, 10:26 PM
TheLegacy
SEO Connoisseur
 
Join Date: Apr 2003
Location: Brantford, Ontario
Posts: 17,451
Quote:
Originally Posted by fris
I agree; before saying that it's harmful, at least look at the source code of the extension, which has nothing malicious in the code.

Glad you suggested it. Here's what was found, as checked by a longtime programmer, Mark Prince.

He said:

One thing that was bugging me about this is that he is not smart enough to figure this out on his own. He didn't. A lot of it came from this person:

https://github.com/joshmanders

- Copy-pasted an "update checker" from a tutorial/Stack Overflow
- Slapped his "WebIgniter" branding on everything
- Is using an XSS vulnerability he introduced as a remote backdoor into every computer it's installed on

Links to more if interested:
https://productforums.google.com/for...%2Fg6MZBp4oNb4
https://github.com/joshmanders
https://cheatsheetseries.owasp.org/c...eat_Sheet.html
https://github.com/Bug-Hunter-X/XSS-...nnerHTML-pctwy


Just as I feared - it contains a hidden backdoor.

His Chrome extension contains a DOM-based Cross-Site Scripting (XSS) vulnerability in popup.js:273-274 where untrusted data from a remote server (webigniter.com/downloads/tango-down-version.txt) is inserted directly into innerHTML without sanitization. When the popup opens, it fetches version data via fetch() and passes the response through response.text() directly into a template literal that's rendered as HTML.

He could then inject arbitrary JavaScript into your browser which executes with full extension privileges, granting access to the tabs permission (read all URLs), storage permission (exfiltrate user data), and the ability to inject code into any website via the content script, effectively turning the extension into a remote access trojan (RAT).

The backdoor lets him secretly take control of it at any time without your knowledge. Every time you click the extension icon, it checks the website for updates, but the code trusts whatever the website sends back without verifying it's safe. Right now it just sends version numbers, but at any time he could change one text file on his server to instead send malicious commands that would activate on your browser the next time you open the extension. Once activated, it could see every website you visit, steal your saved data from the extension, send information to his server, or even modify what you see on websites without you knowing it.


In short, it's just as I thought Pheer would try and do.
__________________
SEO Connoisseur


Microsoft Teams: Robert Warren SEO
Telegram: @TheLegacy54
RobertWarrenSEO.com
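The fix for the pattern described in the post above (remote response text rendered through innerHTML), as an added example that is not the extension's code and was not posted in the thread. All function names, the dotted version format and the sample values are assumptions made for illustration.

```javascript
// Added example: treat the update server's response as untrusted data.
// Assumed format: a short dotted version such as "1.4" or "1.4.2".
const VERSION_RE = /^\d{1,4}(\.\d{1,4}){1,3}$/;
const MAX_BODY = 32; // a version file has no reason to be longer than this

// Returns the version string if the body is a plain dotted version, else null.
function parseVersion(body) {
  if (typeof body !== 'string' || body.length > MAX_BODY) return null;
  const v = body.trim();
  return VERSION_RE.test(v) ? v : null;
}

// Numeric comparison of dotted versions: > 0 when a is newer than b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Writes the notice with textContent, which never parses markup (innerHTML does).
// Returns false when the response was rejected.
function renderUpdateNotice(el, installed, body) {
  const remote = parseVersion(body);
  if (remote === null) {
    el.textContent = 'Update check failed: unexpected response.';
    return false;
  }
  el.textContent = compareVersions(remote, installed) > 0
    ? `Version ${remote} is available (installed: ${installed}).`
    : `You are up to date (${installed}).`;
  return true;
}

// Popup wiring. fetchImpl is injectable so the function can be exercised offline.
async function checkForUpdate(el, installed, url, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(url, { cache: 'no-store' });
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    return renderUpdateNotice(el, installed, await res.text());
  } catch (e) {
    el.textContent = 'Update check failed.';
    return false;
  }
}
```

With this structure, a changed file on the server can at worst make the popup show the failure message; the response is never parsed as HTML.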