Warning - extension seems to be hacked once again in Store

[caspertone2003]

https://chrome.google.com/webstore/detail/openmultilogin/lbofelamdnfmipbbgkebcpkapahbmcgm

Points to version 1.1

Last version from Swingline0 is 0.1625 and ID plaahcaagklllbcjognjgcnldgjnjhpb

https://chrome.google.com/webstore/detail/openmultilogin/plaahcaagklllbcjognjgcnldgjnjhpb

produces a 404 error

Back to use locally saved decompiled crx from here https://github.com/Swingline0/openMultiLogin/releases

[caspertone2003]

By the way, just reported abuse to Chrome Store

[caspertone2003]

I uploaded the BAD ONE (copycat 1.1) crx to https://ufile.io/l9qnj
Will be available there for 30 days, then deleted.
ONLY TO BE USED FOR FORENSIC ANALYSIS!!!!

background.min.js pastebin https://pastebin.com/Qc4x3r1b
content.min.js pastebin https://pastebin.com/N977LTmF

BE WARNED!

[EranSch]

Ugh... What a PITA. Thanks for reporting, @caspertone2003.

Chrome Web Store console shows my release with a status of "Taken Down" as seen below:

It seems bizarre that the store moderators would do this without notifying the developer, not sure what's up with that. Judging by the install/impression stats, it looks like it was taken down on Feb. 17th:

I'm going to send an email to the developer support team at Chrome to see what explanation can be offered. For the time being, I'd recommend bundling your own CRX from the releases tab on this repo. Will update with new events as more info surfaces.

[caspertone2003]

Swingline0 good one here to be used:

https://github.com/Swingline0/openMultiLogin/releases

[EranSch]

@caspertone2003 Yikes, good call. I updated my messaging. Whoops!

[EranSch]

Including the message sent to Chrome dev support below just to mark the timing of my inquiry on this:

…

--- Hey there! Following a recent issue <#18> opened on my extension's Github repo, I was made aware of a copycat extension <https://chrome.google.com/webstore/detail/openmultilogin/lbofelamdnfmipbbgkebcpkapahbmcgm?hl=en> which has seemingly taken the place of my extension after it was evidently taken down. The copycat publishing is using the same name as my extension and even the same description/release text: This all seems kind of crazy, I don't recall missing any notifications that my extension was to be taken down. Can you provide any insight into what has happened here and what can be done to fix this? Thanks, Eran

[caspertone2003]

The hacked one points to a website : http://multilogin.top/
In http://multilogin.top/support/ it can be read commenst such as...

"Have suddenly started getting dodgy Russian porn adverts on all my search results.
There stopped when I disabled Multilogin." (the BAD Multilogin...)

They even copied the name and icons...

[EranSch]

It's pretty bizarre... I see that the "copycat" extension on the webstore even includes all of my original description text and links to this repo...

So creepy... I hate it. This is just ridiculous that we have to put up with stuff like this.

[caspertone2003]

Yes, it is a big mess.

It is clear that your extension was intentionally cloned so to babytrap all people thinking they were updating your extention. So they kept all your text.

By the way, javascript is not my speciality, but I wonder what is making lines like

  if (url && 0 == url.indexOf("https://accounts.google.com/")) {

or
redirectUrl: details.url.replace("https://mail.google.com/mail/ca/", "https://mail.google.com/mail/")

and

githubHTTPClient.open("POST", "http://www.woopra.com/track/ce/", true);

I am afraid it might smell to account stealing...

CT.

[Damianonymous]

I do not speak English, it's a bit difficult for me to understand what is happening. The original extension, which users have never had problems with, is removed from the Chrome store. However, other extensions based on the source code in which disturbing changes were detected are still available.

https://chrome.google.com/webstore/detail/multilogin/nknfhhmhoflkcijaodalbncnmidocced
https://chrome.google.com/webstore/detail/openmultilogin/lbofelamdnfmipbbgkebcpkapahbmcgm

These products were created by the owner of this site: http://multilogin.top/

[EranSch]

Just to update the thread here, the Chrome Webstore team got back to me. Per their feedback, I re-published the extension and it's under review... we'll see what happens.

---

To have your item reinstated, please re-publish it in your developer dashboard.

Thank you for reporting other extensions.

We've escalated it to our specialists who will review and take an appropriate action on it.

Thank you for your support in keeping the Chrome Web Store ecosystem safe for our users.

Thank you for your cooperation,
Google Chrome Web Store team

[caspertone2003]

Hi
I am running 0.1625 with chrome portable 65.....162 and get some errors...

go to extensions an click in this extension, in background.html

From time to time I get a notification of error when using the extension. Not found a pattern yet neither consecuences

[erpost]

The extension is available again here: https://chrome.google.com/webstore/detail/openmultilogin/plaahcaagklllbcjognjgcnldgjnjhpb

Is everything good to go now here?

I'm still really confused as to why the multilogin.top extensions are still available. There are two right now that I can see:

https://chrome.google.com/webstore/detail/openmultilogin/lbofelamdnfmipbbgkebcpkapahbmcgm
https://chrome.google.com/webstore/detail/multilogin/nknfhhmhoflkcijaodalbncnmidocced