Advertising issues #49

Open
clddup opened this issue Oct 8, 2023 · 3 comments

@clddup

clddup commented Oct 8, 2023

One day I discovered that there were some advertisements on my page. After a long investigation, I found out that they were inserted by modheader. I think your way of inserting advertisements is very shameful. At the very least, it should be emphasized in the advertisement that this advertisement is from modheader. It was inserted without any prompts. Inserting ads greatly affects the user experience. I have uninstalled this extension so far.

@codeanpeace

Seconded, the extension attempts to load them from phtracker.com

@steve-taylor

ModHeader no longer respects the ads opt-out setting. Has this extension been sold recently?

@ChaosCom

ChaosCom commented Nov 11, 2023

After having randomly appearing "MaxAI.me" ads on the right hand side of my google search results, I started investigating my extensions and found that it was ModHeader that was injecting these into the site. So I started digging around some more and found the following things:

• Original github repos of modheader are gone: https://github.com/bewisse/modheader and https://github.com/modheader/modheader
• Old archived versions list same contributors as the selenium (this) one: Hao1300, Hao4
• https://blog.berd.moe/archives/chrome-malware-extension-modheader/ analysed an older version of ModHeader (3.x) that was already doing shady things (you need to Google Translate it, but the images alone, showing code excerpts and the privacy policy, especially near the end of the blog post, are pretty damning by themselves): you were being forcefully added to a P2P network without consent, and it's casually mentioned in the privacy notice
• The current extension (version 5.0.8) exposes some parts of itself to the internet via "Web Accessible Resources" (https://developer.chrome.com/docs/extensions/mv3/manifest/web_accessible_resources/), a common pattern for malware to "leak information"
• The version that I analysed (version 5.0.8) has phtracker and fpjs fingerprinting baked inside, along with code to modify some search sites (in order to inject ads into them); affected search engines include: google, bing, baidu, duckduckgo, yahoo, naver, yandex, sogou and brave
• If you get "ZMO.AI", "MaxAI.me", "ImgCreator.AI" etc ads on the right hand side of your google search results, then this extension is most likely the culprit.

Note: I only did a very quick / preliminary analysis, but there are simply too many red flags for me to keep using this extension.
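
The checks described in the comment above can be repeated on any unpacked extension directory. The following is an added example, not part of the thread and not ModHeader's code: it lists `web_accessible_resources`, flags content scripts that target the search engines named above, and scans bundled scripts for the strings `phtracker` and `fpjs`. The function names and the sample extension are hypothetical and constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

INDICATORS = ("phtracker", "fpjs")  # strings named in the thread above
SEARCH_HOSTS = ("google", "bing", "baidu", "duckduckgo", "yahoo",
                "naver", "yandex", "sogou", "brave")
BROAD = ("<all_urls>", "*://*/*")   # patterns that cover every site

def audit_extension(ext_dir):
    """Return triage findings for one unpacked extension directory."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    findings = {"web_accessible": [], "search_content_scripts": [], "indicator_hits": []}
    # MV3 entries are {"resources": [...], "matches": [...]}; MV2 entries are plain strings.
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, dict):
            for res in entry.get("resources", []):
                findings["web_accessible"].append((res, tuple(entry.get("matches", []))))
        else:
            findings["web_accessible"].append((entry, ()))
    # Content scripts whose match patterns reach a search engine host.
    host_re = re.compile(r"[./](%s)\." % "|".join(SEARCH_HOSTS))
    for cs in manifest.get("content_scripts", []):
        hits = sorted(m for m in cs.get("matches", []) if m in BROAD or host_re.search(m))
        if hits:
            findings["search_content_scripts"].append((tuple(cs.get("js", [])), tuple(hits)))
    # Case-insensitive substring scan of bundled scripts.
    for path in sorted(root.rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace").lower()
        for ind in INDICATORS:
            if ind in text:
                findings["indicator_hits"].append((path.relative_to(root).as_posix(), ind))
    return findings

def build_sample(root):
    """Write a constructed (not real) extension layout for demonstration."""
    root = Path(root)
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "sample",
        "web_accessible_resources": [{"resources": ["images/*.png"], "matches": ["<all_urls>"]}],
        "content_scripts": [{"js": ["cs.js"], "matches": ["https://www.google.com/search*", "https://example.org/*"]}],
    }), encoding="utf-8")
    (root / "cs.js").write_text("fetch('https://phtracker.invalid/x')", encoding="utf-8")
    (root / "bg.js").write_text("console.log('hello')", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(json.dumps(audit_extension(d), indent=2))
```

A hit is a reason to read the flagged file, not proof of abuse: many legitimate extensions expose web accessible resources or run on search pages.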
