14 votes

How to find out which extension opened an advertising tab?

Recently I've been coming back to my Chrome browsers to find a tab open with the following URL:
(link disabled to prevent giving them any more clicks)

https ://theaisecrets.beehiiv.com/p/chatgpt-can-now-work-docs-apps-websites-emails

This is happening across all my computers (Linux, Windows, and a Linux VM), so I don't think it's OS-specific malware, but I suspect a rogue Chrome extension is opening the tab, because I have Chrome synced across all affected devices via my Google account.

I've searched for this particular problem and URL to no avail, so I wondered if there's a way to track back which extension opened the tab, other than by doing a binary search disabling half my extensions at a time (which would be annoying as hell - the tabs only seem to get opened once a day or so).

12 comments

  1. [8]
    Wes
    It may be easiest to check the recent reviews for the extensions you have installed. There's a good chance one of them was recently sold and acquired by a malware or advertising company.

    Most likely, the URL that's being opened is being sent from a remote server, and not included in the extension itself. Otherwise it would have been caught by the store's scanning process. As a result, grepping the extension files themselves probably won't help. MV3 extensions are designed to prevent this from happening, but most extensions are still built on the MV2 API.

    26 votes
    1. [5]
      bobstay
      Good shout. I did just what you said. Lo and behold, I found reviews mentioning malware and popups in the reviews for this extension which I have installed and enabled:

      https://chrome.google.com/webstore/detail/enable-right-click-for-go/ofgdcdohlhjfdhbnfkikfeakhpojhpgm

      21 votes
      1. [2]
        cfabbro
        If that extension turns out to be the culprit, make sure to report it. Google tends to take browser hijacking via Chrome extensions pretty seriously, especially since that's often a vector for malware.

        15 votes
        1. bobstay
          I have reported it.

          10 votes
      2. [2]
        drannex
        A good replacement to this would be Absolute Enable Right Click & Copy, source available (BSD), hasn't had an update in five years since it just works.

        7 votes
    2. pyeri
      > There's a good chance one of them was recently sold and acquired by a malware or advertising company.

      Next time when someone asks, "why do you use outdated software?", keep this reason handy! Software in today's world is always in flux, you never know when an ISV sells their soul to a greedy capitalist for a pocket sum of money and leaves your system vulnerable for them to exploit.

      And even if that happens, the extension must still update itself to the newer version in order to get its "evil" act done. Why doesn't Chrome or Firefox provide us a way to stop auto-updates of extensions? I used Chrome earlier and recall that you had to go through hoops like manually updating the extension's manifest.json and setting its update URL to localhost just to prevent it from updating! I've switched to Firefox now and don't use any extension except uBlock Origin. For any other needs, I write my own extensions in JS and install locally.

      9 votes
    3. Minty
      > grepping the extension files themselves probably won't help

      ...but it's worth a try, best in binary mode.

      1 vote
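
Added example (not from any commenter in this thread): a Python triage of the unpacked extensions on disk, combining the manifest-version point and the byte-level grep suggested above. It assumes Chrome's `<profile>/Extensions/<extension id>/<version>/manifest.json` layout; the function names, sample extension ids and the `example.invalid` search string are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(ext_root, needle=b""):
    """One record per <ext_root>/<extension id>/<version>/manifest.json."""
    records = []
    for mpath in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            m = json.loads(mpath.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        # MV2 keeps host patterns in "permissions", MV3 in "host_permissions".
        perms = list(m.get("permissions") or []) + list(m.get("host_permissions") or [])
        vdir = mpath.parent
        hits = []
        if needle:  # byte-level search, so minified or binary files are covered
            hits = sorted(str(f.relative_to(vdir)) for f in vdir.rglob("*")
                          if f.is_file() and needle in f.read_bytes())
        records.append({
            "id": vdir.parent.name,
            "name": m.get("name", "?"),
            "manifest_version": m.get("manifest_version"),
            "has_background": "background" in m,
            "broad_hosts": sorted(BROAD.intersection(p for p in perms if isinstance(p, str))),
            "needle_hits": hits,
        })
    # MV2 extensions with a background context sort first: review those first.
    records.sort(key=lambda r: (r["manifest_version"] != 2, not r["has_background"]))
    return records

def make_sample(root):
    """Constructed sample data: two fake extensions with made-up ids."""
    samples = {
        "aaaaexampleid": ({"name": "Sample MV3", "manifest_version": 3,
                           "permissions": ["storage"]}, b"console.log('ok')"),
        "bbbbexampleid": ({"name": "Sample MV2", "manifest_version": 2,
                           "background": {"scripts": ["bg.js"]},
                           "permissions": ["tabs", "<all_urls>"]},
                          b"\x00fetch('https://config.example.invalid/cfg')"),
    }
    for ext_id, (manifest, script) in samples.items():
        vdir = Path(root) / ext_id / "1.0_0"
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest))
        (vdir / "bg.js").write_bytes(script)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for rec in audit_extensions(tmp, b"example.invalid"):
            print(rec)
```

An empty `needle_hits` does not clear an extension, since the URL may only ever arrive from a remote server; the MV2-with-background ordering is the part that narrows the review.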
  2. [3]
    p4t44
    If you can't tell easily, you have too many extensions. Delete everything that you can't be very sure is honest. Opening an advertising tab is the least of your concerns; any extension could be taking all of your browsing history, data and logins.

    8 votes
    1. bobstay
      You're not wrong, and I should delete them all. But having caught this, I now want to pin down which one it is before I nix them all, so I can name/shame etc.

      5 votes
    2. [2]
      Comment deleted by author
      1. p4t44
        Any adblocker can remotely have filter lists adjusted to inject any javascript into any website. If the creator of an adblocker is nefarious, it could be remotely changed to steal all passwords, history and browsing data. The little review processes there are could never catch such an attack.

        1 vote
  3. Chinpokomon
    Seems like it would be good of browsers to add metadata about which process, extension, or tab opened a URL. This is information which could be read by the user to track down all sorts of things. Just like you can identify the parent process in a system, that trail is lost when the target is the browser.

    2 votes