One of 30 extensions is likely intermittently hijacking tabs


#12

Below is the list of extension names. I’ll have to add the URL’s later. In the meantime I’ll try scanning with Malwarebytes’ AdwCleaner. I also temporarily changed the default browser to be certain that FF is the source.

1-Click YouTube Video Downloader
Archive URL
AutoFill Forms
Avast Online Security
Best Proxy Switcher
Bitly
Cisco Webex Extension
Cookie AutoDelete
Copy All Tab Urls WE
Decentraleyes
Docs Online Viewer
Easy YouTube mp3
Firefox Multi-Account Containters
FoxClocks
Google search link fix
HTTPS Everywhere
Hunter
OneNote Web Clipper
Open Tabs Next to Current
Print Edit WE
Privacy Badger
Redirector
S3.Translator
Save Page WE
Screengrab!
Shorten me - URL Shortener
Social Fixer for Facebook
Sync Tab Groups
Tab Session Manager
Terms of Service; Didn’t Read
uBlock Origin
Video Speed Controller
Zoom Image
Zoom Page WE


(erosman) #13

I had a quick look at their codes but didnt see which one was doing it.
I only checked the latest versions of the add-ons.
How come you have a mix of old legacy and new WE add-on?


#14

Thanks very much for checking. I cleaned up some things AdwCleaner suggested, including removing two disabled extensions, without seeing any improvement. I’m continuing the process of elimination.

How come you have a mix of old legacy and new WE add-on?

I’m not sure which are the old legacy addons. In general I kept the extensions that I could when I upgraded to Quantum.


(Issalfarstafr) #15

Hey, I have the same problem that started happening recently with the exact same "lzpv4rsmat " link that redirects. I checked your addons and the only one I found in common with me (aside from uBlock) is “Easy YouTube mp3”. I believe that’s the cause of this, and I suggest you to disable it as I’ll be doing so too


#16

How could an extension apparently removed from addons.mozilla.org continue to be updated in FF?

In my FF I’ve now disabled “Easy YouTube mp3” “2.3.1.0” “By Daniel Lehr (haftungsbeschraenkt)” “Last Updated July 6, 2018.” Though about:addons doesn’t give any indication of this, “Easy YouTube mp3” is no longer at https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-mp3.

Currently “Easy YouTube mp3 Add-on” (with “Add-on”) “by Theveloper,” “Version 1.3” is at https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-mp3-addon/.


(Olifak) #17

Easy YouTube mp3 is definitely the culprit, I’ve been having the same problem for a few days now until I found this thread, it’s the one addon that we have in common, I removed it and I haven’t seen the tab opening since. Thanks.


(erosman) #18

I was actually the one that rejected that addon. I guess it would be useful to check installed add-on pages every now and then to and check their state and read reviews.


(Justdave) #19

For future reference, if you go to the Help menu and choose Troubleshooting Information and then scroll down, there’s a list of your extensions there that you can copy/paste from.


#20

I was actually the one that rejected that addon.

Did you reject the July 6th update, but it was installed anyway? Shouldn’t rejected updates be blocked from being installed?

Apparently hijacking previously benign addons is common. “A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware” per https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/:

Thanks!


(jscher2000) #21

I don’t think an extension can update to a nonexistent version, but unless a block is deployed, it won’t be disabled or rolled back, either. Extensions have to be nominated for blocking through a separate process from review.


(erosman) #22

Version 2.3.1.0 · July 5, 2018 had a feature to “ask for feedback” every 7 days. That included opening the lzpv4rsmat(dot)com
Currently that does not result in automatic rejection and it is left to users to decided if the monetization system deployed by an add-on is desirable or not.

Version 2.3.2 · July 13, 2018 had more serious issues and was rejected the same day. Developer deleted his/her account after that.

Once all version of an add-on are rejected, the add-on will no longer update but it remains on users computers. If an add-on is blocked for serious issues (a totally different process by Admin) then it will be disabled on users’ Firefox as well.


(B.J. Herbison) #23

Reported: 14 years ago


#24

The problem with this approach is that it’s extremely time-consuming for a user to determine which add-on is opening the new tab. There should be an easier way than process of elimination to detect monetization systems that are added in an update, especially when they can open tabs intermittently rather than when the add-on is actually used.

What’s the best way to submit this concern, since it’s not bug per se?


(erosman) #25

@caitmuenster should be able to advise on this issue.


(Mpj220) #26

My bet goes to “1-Click YouTube Video Downloader”

I have the same thing happening to me. Multiple tabs opening, fake flash update tabs.
All are usually identified by Norton or Malwarebytes and are blocked.

This is my work PC and I have all of 2 add-ons. Adblock plus and 1-Click YouTube Video Downloader.

I just deleted the possible offender.


#27

@caitmuenster brought this up at a team meeting, then replied:

If you look at each extension listing on addons.mozilla.org, you might be able to narrow down which extension is the culprit to the ones that use the ‘new tab’ permission. Otherwise, process of elimination is the best way to identify the extension causing the unwanted behavior.

We currently don’t have a policy against this kind of behavior, but it’s something we might discuss more in the future if we see more users complaining about a poor experience.


#28

Removing it stopped new tabs from opening for a week. When I removed it I installed “YouTube mp3 Downloader” which requests no malicious permissions per addons.mozilla.org.

Today however a tab opened to addonbrowser dot com/youtube-mp3-download?v=3.0.0&type=install that was flagged by Avast as potentially harmful, advertising “Mp3 Downloader for Youtube.”

A new window also popped open to www.pc.error2323219459ausmsauthcombof0807 “dot” com.s3-website.us-east-2.amazonaws.com/assests/eng_ff_auth.html… with a “** YOUR COMPUTER HAS BEEN BLOCKED.**” message and an 877 number to call. It came with a repeating authentication popup “http://www.winsupporthelp.club is requesting your username and password” that was impossible to dismiss without restarting FF.


(Mittineague) #29

This is very serious. A majority of so called “help” sites ask the unwary for access to their OS, and once given can do all manner of badness.

Have you done a full scan of your computer? It sounds like this may have less to do with any plugin and more to do with your computer being infected.


#30

I’ve run scans with Malwarebytes and Avast. I’ve just changed my default browser to MS Edge (again) so I can be sure, and I’ll report back if Edge is opened. However, there’s no policy against extensions doing this:


#31

I disabled “YouTube mp3 Downloader” and haven’t seen an ad in a couple of days. I now see reviews for the addon that say: “tries to open scam pages and phishing pages” (2 days ago) and “…and it’s been opening ads in my browser. Deleted and ads are gone.” (13 days ago).

“YouTube mp3 Downloader” isn’t shown to use the “new tab” permission.