600% Volume Booster extension with malicious code

Today, I was setting up a new computer and found that my favorite extension, 600% volume booster, has been removed from the Firefox extension store. I looked into it and I found that apparently the extension was injecting aliexpress affiliate links into pages without telling the user. Unfortunately, this extension is the only extension that works for me. I opened the extension up, and I believe I found the malicious script and commented it out. The extension seems to work fine with this function removed, and I found that it was also messing with TikTok video playback, and issue I had been dealing with for the past few months.

My question is, can someone who knows more than me about javascript take a look at the extension to ensure that I am not missing something obvious in the extension that is still a security risk? I have checked almost all the firefox volume booster extensions I can find and I am not able to find one with the compatibility that this one provides. I have a backup of the original untouched extension if that helps.

After a bit of searching, I found this extension that looks suspiciously similar here

I also have a copy of this extension from January. Perhaps I was one of the people who reported it contained obfuscated code, which is contrary to policy. Hard to remember all these months later. This code is so hard for me to read, I don’t think I could say what needs to be removed. Sounds like you are having an easier time of it.

The obfuscated version was removed and replaced with “open-source” version, but probably still with a injection code so it got removed again.
This should be the non-obfuscated version:
https://mega.nz/file/RLwXGaoY#wvHPRlrV8XNr2Lok9V7-n3cPh44gIW83RZG_SKkhrgc

But if this is a clone of the Chrome extension, maybe it would be better to ask the original author to port it to Firefox.

I tried to contact the chrome extension developer 2 days ago and received no response. I messaged through twitter, and I got no response but they were active on twitter multiple times in the past 2 days so I believe they might not be interested.

The version of the extension I had was already not obfuscated, and shows the same version (1.1.4) as the one you sent but it has a different hash. I uploaded both my original copy and the one I believe has no more injection code for you to check out.
https://mega.nz/folder/4WoWzK6J#_fnfGISzstU09UoeOxhdRg

Poor thinking to unobfuscate your own bad behavior!

The Chrome extension uses the chrome.tabCapture API to find all the audio streams. That has not been implemented in Firefox, so it would not be a quick and easy port, unfortunately.

I totally agree with disabling app.js.

In scripts.js, you can comment out lines 11-22 which are related to injecting app.js.

As a general note, much of the code appears to be for Chrome; it’s hard to tell what is really needed for Firefox.

Yup, you were correct, the addon still works with those lines commented out. I can see what you mean about some of this code being for chrome, I see some that I have to imagine does absolutely nothing because as you said firefox doesn’t support tabCapture, but it calls it anyway?

Regardless, thanks for your input. My only remaining issue is now I have to keep reinstalling the extension because it is no longer signed. Do you think it would be allowed to reupload the extension in a cleaned state? I’m not really familiar with extension development.

According to the old version 1.1.2 page I found on the Wayback Machine, the code is licensed under the Mozilla Public License version 2.0. So as long as you keep that license when you upload the modified version, that is cool.

There’s also the option to get it signed for self-distribution (where you download and do with it what you will).

1 Like

Have you guys seen v1.1.9 has been posted? It is the only version listed. It is still Mozilla Public License, version 2.0.

Oh right Its back on the store now, I wonder what changes were made? I hope they removed the malicious scripts

I just checked the latest 1.1.9 version and it seems that aliexpress injection has been removed but it is still doing specific changes to TikTok that make video playback not work anymore. This script seems to be the culprit. I don’t know what the script is supposed to do but it completely breaks tiktok playback.

(function () {
    var __aplay = Audio.prototype.play;
    Audio.prototype.play = function () {
        this.setAttribute('crossorigin', 'anonymous');
        document.body.appendChild(this);
        __aplay.call(this);
    };

    const HOSTS_TO_APPLY = [
        'likee.com',
        'tiktok.com'
    ];

    function hostToApply(url) {
        if (!url) {
            return false;
        }
        for (var i = 0; i < HOSTS_TO_APPLY.length; i++) {
            if (url.indexOf(HOSTS_TO_APPLY[i]) > -1) {
                return true;
            }
        }
        return false;
    }

    if (window.location == undefined) {
        return;
    }
    if (window.location.host && !hostToApply(window.location.host)) {
        return;
    }

    var __vplay = HTMLVideoElement.prototype.play;
    HTMLVideoElement.prototype.play = function () {
        var src = this.src;
        if (src) {
            this.setAttribute('crossorigin', 'anonymous');
            if (src.indexOf('https://') === -1 && window && window.location
                && window.location.href && window.location.href.indexOf('https://') === 0) {
                src = src.replace('http://', 'https://');
            }
            if (src.substring(0, 5) !== "blob:") {
                this.src = src + '';
            }
        }

        __vplay.call(this);
    };
})();

With this code removed tiktok playback works fine but it breaks as soon as you try to boost the volume using the extension. I believe this is better than the site not working at all however.