One of 30 extensions is likely intermittently hijacking tabs


#1

Is there a tool that reports what action or extension caused a tab to open? Just 3-4 times a day I’ll come across a tab that’s been opened, initially from lzpv4rsmat dot com but always redirected, usually to the adult site best2018games dot com.

With 30 extensions and only occasional hijacking it’ll take forever to diagnose by disabling them, assuming it’s an extension. Avast, malwarebytes, and defender haven’t found anything (FF 62 on Win10 64).

I’m most concerned that something more malicious is also going on.

TIA


(rugk) #2

Unfortunately, I know no such tool.

First, I would make sure it is really an add-on (as it could also be another application). To do so, just restart Firefox with add-ons disabled.

But you can try to get into the whole thing with debugging tools:

  1. Enable add-on debugging:
    https://developer.mozilla.org/de/docs/Tools/about:debugging#Enabling_add-on_debugging
  2. Debug any extension.
  3. In the debugger click on the “pause” icon at the right. This stops all JS from this add-on, so if it stops it shows this has background processes running. Maybe you even see some code that opens a new tab.

In any case, if you found the bad extension, do not forget to report it on addons.mozilla.org. The report button is next to the button for adding an evaluation.


(erosman) #3

I have seen that practice in a number of add-ons. If you list the add-ons that you have, I will check them to see which one is doing it.


#4

Thanks erosman. The list is below in three images, but the images are cut off in the post, so you have to click the expand icon on the lower right of each image in turn to see the full images/list(s):


(erosman) #5

It would be more convenient to list them (with URLs). :wink:


#6

Yes, unfortunately text can’t be selected on the about:addons page.


#7

After some hours AFK, I clicked refresh on this page and two new lzpv4rsmat dot com tabs opened, though redirects were blocked by the entry I’d added to ublock origin.


(erosman) #8

Some add-ons periodically open those advertising pages to make money. They are not related to this site (or other sites).
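
The behaviour discussed in this thread (an extension that opens a tab on a schedule) can be triaged statically. The sketch below is an added example, not code from any participant or from Mozilla: it reads a WebExtension XPI, such as the files under `<profile>/extensions/`, and reports background scripts that both open tabs and schedule work. The sample archives, the `scan_xpi` and `build_xpi` names and the example.invalid URL are constructed for illustration.

```python
import io
import json
import re
import zipfile

# Calls that open a tab or window, and calls that schedule later work.
OPENERS = re.compile(r"\b(?:browser|chrome)\.(?:tabs|windows)\.create\b|\bwindow\.open\b")
TIMERS = re.compile(r"\b(?:browser|chrome)\.alarms\.create\b|\bset(?:Interval|Timeout)\b")

def scan_xpi(xpi_bytes):
    """Map each background script in a WebExtension XPI to what it matched."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        manifest = json.loads(xpi.read("manifest.json"))
        scripts = (manifest.get("background") or {}).get("scripts", [])
        for script in scripts:
            try:
                source = xpi.read(script.lstrip("/")).decode("utf-8", errors="replace")
            except KeyError:          # manifest names a file the archive lacks
                findings[script] = ["missing from archive"]
                continue
            matched = []
            if OPENERS.search(source):
                matched.append("opens tab/window")
            if TIMERS.search(source):
                matched.append("schedules work")
            if matched:
                findings[script] = matched
    return findings

def build_xpi(files):
    """Build an in-memory XPI (a zip) from {path: text}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        for path, text in files.items():
            xpi.writestr(path, text)
    return buf.getvalue()

# Constructed samples, not taken from any real add-on.
SUSPECT = build_xpi({
    "manifest.json": json.dumps({"background": {"scripts": ["bg.js"]}}),
    "bg.js": "browser.alarms.create('t', {periodInMinutes: 720});\n"
             "browser.alarms.onAlarm.addListener(() =>\n"
             "  browser.tabs.create({url: 'https://ads.example.invalid/'}));\n",
})
BENIGN = build_xpi({
    "manifest.json": json.dumps({"background": {"scripts": ["bg.js"]}}),
    "bg.js": "browser.browserAction.onClicked.addListener(() => console.log('hi'));\n",
})

if __name__ == "__main__":
    print(scan_xpi(SUSPECT), scan_xpi(BENIGN))
```

A match only tells you where to start reading, and an empty result is not a clean bill of health: minified, obfuscated or remotely fetched code will not match these patterns.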


(Mittineague) #9

You’re making some progress, you can now reasonably assume that the extensions you temporarily removed are not at fault. It can be slow narrowing the suspects down, but with patience you’ll get there. :+1:


#10

So there’s no chance that the extension (presumably) that’s doing this is keylogging or stealing other info?

It seems to open a tab twice a day at random times, so it could take quite a while to identify the source.

The first history entry for lzpv4rsmat is on 7/17. I don’t recall installing any new extensions, and my FF history doesn’t show that I visited addons.mozilla.org near that time, so the adware must have come with an update. Unfortunately, “View Recent Updates” in about:addons doesn’t show anything.

erosman wrote:

They are not related to this site (or other sites).

Yes, and the fact that it occurred on this page proves that it’s not caused by some other page I was visiting.


(erosman) #11

As I said, if you list the extensions you have (not an image) so that I can search and find the addon, I will check them to see which one is doing it.


#12

Below is the list of extension names. I’ll have to add the URLs later. In the meantime I’ll try scanning with Malwarebytes’ AdwCleaner. I also temporarily changed the default browser to be certain that FF is the source.

1-Click YouTube Video Downloader
Archive URL
AutoFill Forms
Avast Online Security
Best Proxy Switcher
Bitly
Cisco Webex Extension
Cookie AutoDelete
Copy All Tab Urls WE
Decentraleyes
Docs Online Viewer
Easy YouTube mp3
Firefox Multi-Account Containers
FoxClocks
Google search link fix
HTTPS Everywhere
Hunter
OneNote Web Clipper
Open Tabs Next to Current
Print Edit WE
Privacy Badger
Redirector
S3.Translator
Save Page WE
Screengrab!
Shorten me - URL Shortener
Social Fixer for Facebook
Sync Tab Groups
Tab Session Manager
Terms of Service; Didn’t Read
uBlock Origin
Video Speed Controller
Zoom Image
Zoom Page WE


(erosman) #13

I had a quick look at their code but didn’t see which one was doing it.
I only checked the latest versions of the add-ons.
How come you have a mix of old legacy and new WE add-ons?


#14

Thanks very much for checking. I cleaned up some things AdwCleaner suggested, including removing two disabled extensions, without seeing any improvement. I’m continuing the process of elimination.

How come you have a mix of old legacy and new WE add-ons?

I’m not sure which are the old legacy addons. In general I kept the extensions that I could when I upgraded to Quantum.


(Issalfarstafr) #15

Hey, I have the same problem that started happening recently with the exact same “lzpv4rsmat” link that redirects. I checked your addons and the only one I found in common with me (aside from uBlock) is “Easy YouTube mp3”. I believe that’s the cause of this, and I suggest you disable it, as I’ll be doing so too.


#16

How could an extension apparently removed from addons.mozilla.org continue to be updated in FF?

In my FF I’ve now disabled “Easy YouTube mp3” “2.3.1.0” “By Daniel Lehr (haftungsbeschraenkt)” “Last Updated July 6, 2018.” Though about:addons doesn’t give any indication of this, “Easy YouTube mp3” is no longer at https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-mp3.

Currently “Easy YouTube mp3 Add-on” (with “Add-on”) “by Theveloper,” “Version 1.3” is at https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-mp3-addon/.


(Olifak) #17

Easy YouTube mp3 is definitely the culprit, I’ve been having the same problem for a few days now until I found this thread, it’s the one addon that we have in common, I removed it and I haven’t seen the tab opening since. Thanks.


(erosman) #18

I was actually the one that rejected that addon. I guess it would be useful to check installed add-on pages every now and then to check their state and read reviews.


(Justdave) #19

For future reference, if you go to the Help menu and choose Troubleshooting Information and then scroll down, there’s a list of your extensions there that you can copy/paste from.
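
The two questions raised in this thread (getting the extension list as text, and finding what was updated shortly before the first hijacked tab on 7/17) can also be answered from the profile itself. This is an added example, not part of any post: it assumes the profile's `extensions.json` holds an `addons` array with `updateDate` in milliseconds, `active` and `userPermissions`, takes the year as 2018, and runs on constructed sample data with made-up names and ids.

```python
import json
from datetime import datetime, timedelta, timezone

def ms(year, month, day):
    """Milliseconds since the epoch (UTC), the unit extensions.json uses."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample shaped like <profile>/extensions.json; every name, id
# and date here is made up for the example.
SAMPLE = json.dumps({"addons": [
    {"id": "video-helper@example.invalid", "version": "2.0", "type": "extension",
     "active": True, "defaultLocale": {"name": "Sample Video Helper"},
     "updateDate": ms(2018, 7, 6),
     "userPermissions": {"permissions": ["tabs", "alarms"], "origins": ["<all_urls>"]}},
    {"id": "clock@example.invalid", "version": "1.4", "type": "extension",
     "active": True, "defaultLocale": {"name": "Sample Clock"},
     "updateDate": ms(2018, 3, 1),
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "old-tool@example.invalid", "version": "0.9", "type": "extension",
     "active": False, "defaultLocale": {"name": "Sample Disabled Tool"},
     "updateDate": ms(2018, 7, 10), "userPermissions": None},
    {"id": "zoom@example.invalid", "version": "3.1", "type": "extension",
     "active": True, "defaultLocale": {"name": "Sample Zoom"},
     "updateDate": ms(2018, 7, 15), "userPermissions": None},
]})

def updated_before(extensions_json, first_seen, window_days=30):
    """Active extensions updated in the window_days before first_seen, newest first."""
    start = first_seen - timedelta(days=window_days)
    hits = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue
        updated = datetime.fromtimestamp((addon.get("updateDate") or 0) / 1000, tz=timezone.utc)
        if start <= updated <= first_seen:
            perms = addon.get("userPermissions") or {}   # may be null
            hits.append({
                "name": (addon.get("defaultLocale") or {}).get("name", addon["id"]),
                "id": addon["id"], "version": addon.get("version"),
                "updated": updated.date().isoformat(),
                "permissions": perms.get("permissions", []) + perms.get("origins", []),
            })
    return sorted(hits, key=lambda h: h["updated"], reverse=True)

if __name__ == "__main__":
    # On a real profile: open("<profile>/extensions.json", encoding="utf-8").read()
    for hit in updated_before(SAMPLE, datetime(2018, 7, 17, tzinfo=timezone.utc)):
        print(hit["updated"], hit["name"], hit["version"], hit["id"], hit["permissions"])
```

The recorded date is when the update was installed locally, so widen `window_days` if the first tab may have appeared some time after the update landed.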


#20

I was actually the one that rejected that addon.

Did you reject the July 6th update, but it was installed anyway? Shouldn’t rejected updates be blocked from being installed?

Apparently hijacking previously benign addons is common. “A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware” per https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/

Thanks!