

HoverZoom for Chrome is infected with malware - enscr
http://www.reddit.com/r/technology/comments/1t4ubn/hoverzoom_for_chrome_is_infected_with_malware/

======
enscr
Copied from this comment from user @hpschorr :
[http://www.reddit.com/r/technology/comments/1t4ubn/hoverzoom...](http://www.reddit.com/r/technology/comments/1t4ubn/hoverzoom_for_chrome_is_infected_with_malware/ce4h6h6)

Here's the code more readable for those interested:
[http://pastebin.com/Rvp4eMvu](http://pastebin.com/Rvp4eMvu) As others have
said and it seems they're starting to admit, it tracks your User Agent, form
submission events (not content as far as I can see), some other computer
identifying information, and loads in javascript for different actions. It
sends data to [https://jsl.blankbase.com/](https://jsl.blankbase.com/) (https
at least), that data being a number of things from the location (url) to your
browser name, version, os name and version as well as generated identifier. It
also does numerous also calls to [https://qp.rhlp.co/](https://qp.rhlp.co/)
(which is a common mention on the internet) to load javascript:
[https://qp.rhlp.co/gsd.html](https://qp.rhlp.co/gsd.html) (check source)
[https://qp.rhlp.co/search/js](https://qp.rhlp.co/search/js)
[https://qp.rhlp.co/demoda/js?v=3](https://qp.rhlp.co/demoda/js?v=3) So it
doesn't look like it sends any significantly private data (form data), but,
it's nowhere near a good thing. Nonetheless, tracking in extensions is shitty
and monetizing extensions through tracking is a poor direction for extensions
as a whole in the community. rhlp.co and blankbase.com are both registered at
GoDaddy, blankbase is using the nameserver from this company
[http://www.sambreel.com/](http://www.sambreel.com/) who may have either
created the tracking or were paid to host it. If you're concerned about the
domain usage, feel free to report them to GoDaddy , however, hopefully
creators will start to realize monetizing extensions like this is a poor
decision.

------
kevando
Can anyone confirm this?

~~~
enscr
Read the reddit page to get detailed discussion from the author. The github
code shows the offending part:
[https://github.com/Kruithne/HoverZoom_Malware/blob/master/hz...](https://github.com/Kruithne/HoverZoom_Malware/blob/master/hz.js)

