Ad-blocking extensions downloaded 300,000 times found to be collecting personal information without permission and tampering with SNS accounts
Malicious code has been found in the ad-blocking extensions 'Nano Adblocker' and 'Nano Defender', which have been installed about 300,000 times in total. The code secretly uploaded users' personal information and browsing data to a server, and SNS accounts were tampered with.
[Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore · GitHub
Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica
Google removes two Chrome ad blockers caught collecting user data | ZDNet
Hugo Xu, the developer of Nano Adblocker and Nano Defender, announced on GitHub on October 4, 2020 that he had sold his rights to another developer, saying he 'couldn't afford to continue the project.'
But on October 16th, Raymond Hill, creator of another ad-blocking extension, uBlock Origin, pointed out that the new developers of Nano Adblocker and Nano Defender had added malicious code. While examining the code of the two extensions in the developer console, Hill appears to have noticed that a file titled 'Report' was being sent to a server at 'https://def.dev-nano.com/'.
Further investigation revealed that the malicious code was collecting the following user information:
・ User's IP address
・ OS details
・ URLs of open websites
・ Web request timestamps
・ HTTP method
・ HTTP response size
・ HTTP status code
・ Time spent on web pages
・ Links clicked on web pages
In addition to the above, Cyril Gorlla, an artificial intelligence researcher at the University of California, San Diego, reports that the extensions accessed an Instagram account without permission and liked more than 200 posts from accounts that no one was following.
Xu, the former creator of Nano Defender and Nano Adblocker, said he sold the rights to two Turkish developers, but the extensions' creator field has not changed and still shows Xu's name. This is believed to be because the person who added the malicious code tried to hide their identity.
Note that, at the time of writing, the two extensions have been removed from the Chrome Web Store, as Google prohibits data collection using extensions.