How to find out which extension opened an advertising tab?
Recently I've been coming back to my chrome browsers to find a tab open with the following URL:
(link disabled to prevent giving them any more clicks)
https ://theaisecrets.beehiiv.com/p/chatgpt-can-now-work-docs-apps-websites-emails
This is happening across all my computers, both linux, windows, and linux VM, so I don't think it's OS-specific malware, but I suspect a rogue chrome extension is opening the tab, because I have chrome synced across all affected devices via my google account.
I've searched for this particular problem and URL to no avail, so I wondered if there's a way to track back which extension opened the tab, other than by doing a binary search disabling half my extensions at a time (which would be annoying as hell - the tabs only seem to get opened once a day or so).
It may be easiest to check the recent reviews for the extensions you have installed. There's a good chance one of them was recently sold and acquired by a malware or advertising company.
Most likely, the URL that's being opened is being sent from a remote server, and not included in the extension itself. Otherwise it would have been caught by the store's scanning process. As a result, grepping the extension files themselves probably won't help. MV3 extensions are designed to prevent this from happening, but most extensions are still built on the MV2 API.
Good shout. I did just what you said. Lo and behold, I found reviews mentioning malware and popups in the reviews for this extension which I have installed and enabled:
https://chrome.google.com/webstore/detail/enable-right-click-for-go/ofgdcdohlhjfdhbnfkikfeakhpojhpgm
If that extension turns out to be the culprit, make sure to report it. Google tends to take browser hijacking via Chrome extensions pretty seriously, especially since that's often a vector for malware.
I have reported it.
A good replacement to this would be Absolute Enable Right Click & Copy, source available (BSD), hasn't had an update in five years since it just works.
Thank you!
Next time when someone asks, "why do you use outdated software?", keep this reason handy! Software in today's world is always in flux, you never know when an ISV sells their soul to a greedy capitalist for a pocket sum of money and leaves your system vulnerable for them to exploit.
And even if that happens, the extension must still update itself to the newer version in order to get its "evil" act done. Why doesn't chrome or firefox provide us a way to stop auto-updates of extensions? I used Chrome earlier and recall that you had to go through hooves like manually updating the extension's manifest.json and set its update url to
localhostjust to prevent it from updating! I've switched to firefox now and don't use any extension except ublock origin. For any other needs, I write my own extensions in JS and install locally....but it's worth a try, best in binary mode.
If you tell easily, you have too many extensions. Delete everything that you can't be very sure is honest. Opening a advertising tab is the least of your concerns, any extension could be taking all of your browsing history, data and logins.
You're not wrong, and I should delete them all. But having caught this, I now want to pin down which one it is before I nix them all, so I can name/shame etc.
Any adblocker can remotely have filter lists adjusted to inject any javascript into any website. If the creator of an adblocker is nefarious, it could be remotely changed to steal all passwords, history and browsing data. The little review processes there are could never catch such an attack.
Seems like it would be good of browsers to add metadata about which process, extension, or tab opened an URL. This is information which could be read by the user to track down all sort of things. Just like you can identify the parent process in a system that trail is lost when the target is the browser.