According to technical analyses and posts on GitHub, several adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users’ social media accounts, thanks to malware their new owner introduced a few weeks ago.
Hugo Xu, the developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google’s Chrome Web Store.
Raymond Hill, the maker of the uBlock Origin extension upon which Nano Adblocker is based, has now revealed that the new developers rolled out updates that added malicious code.
According to Hill, the first thing the code in the new extension did was check whether the user had opened the developer console. If it was open, the extension sent a file titled “report” to a server at https://def.dev-nano.com/. “In simple words, the extension remotely checks whether you are using the extension dev tools—which is what you would do if you wanted to find out what the extension is doing,” he wrote.
Users noted that infected browsers were automatically issuing likes for large numbers of Instagram posts, with no input from users.
Nano Adblocker and Nano Defender aren’t the only extensions guilty of tampering with Instagram accounts. User Agent Switcher, an extension that had more than 100,000 active users before Google removed it earlier this month, is reported to have done the same.
The Nano extension was accessing authentication cookies and using them to gain access to users’ accounts.