The odd POST requests I noticed to uaswitcher.org in Wireshark while I was trying to create a packet capture. I saw that it contained my browsing history URLs in double-encoded base64 format. Interestingly, it appears the extension was infected ~4 years back, taken down, and somehow later re-added, only to be reinfested with malware within the last few months. Suffice to say, I am now paranoid and have audited all my extensions, tossed out everything with obfuscated JS, and run all my extensions in developer mode so I can be sure they never update without my consent.
I always thought it was strange that Google bothered adding so many XSS prevention measures to Chrome when they also happily give UXSS abilities to extension developers, complete with the veneer of trust provided by the Chrome web store.
> veneer of trust provided by the Chrome web store
Seriously? Who trusts the Chrome store or the Android store for that matter? If you've ever once submitted an app and seen how loose the security is, I can't see how you'd have any faith in their system.
You're viciously agreeing here. "Veneer" means a very thin layer of pretty material on top of cheaper material -- in this context the comment was saying that the trust afforded to Google is skin-deep and is probably unjustified.
From what I've seen online, a lot of these adware extensions do something similar. To me it doesn't make sense as an obfuscation method, since anyone capable of capturing traces of network activity (or using Chrome dev tools to do the equivalent) can probably recognize a base64 encoding and can just run the decoder a second time.
Maybe it might fool some automated analyzers though.
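The "run the decoder a second time" point from the thread, as an added example that is not part of any comment above: a small check an automated analyzer could apply to a captured form-encoded POST body, peeling nested base64 layers and flagging fields that hide URLs. The function names, the field names and the sample body are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

URL_RE = re.compile(r"https?://[^\s\"'<>,]+")

def try_b64(text):
    """Return the decoded text if `text` is base64 of readable UTF-8, else None."""
    # Accept the URL-safe alphabet, '+' turned into ' ' by form decoding, and missing padding.
    s = text.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    readable = all(c.isprintable() or c in "\r\n\t" for c in out)
    return out if out and readable else None

def peel(value, max_layers=5):
    """Strip nested base64 layers; return (layers_removed, innermost_text)."""
    layers = 0
    while layers < max_layers:
        decoded = try_b64(value)
        if decoded is None:
            break
        value, layers = decoded, layers + 1
    return layers, value

def scan_post_body(body):
    """Flag form fields whose value hides URLs under one or more base64 layers."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        layers, inner = peel(value)
        urls = URL_RE.findall(inner)
        if layers and urls:
            findings.append({"field": name, "layers": layers, "urls": urls})
    return findings

# Constructed sample: two made-up URLs, base64-encoded twice, in a form-encoded body.
_history = "https://mail.example.com/inbox\nhttps://bank.example.net/login?next=/accounts"
_blob = base64.b64encode(base64.b64encode(_history.encode())).decode()
SAMPLE_BODY = urlencode({"id": "c0ffee", "data": _blob})

if __name__ == "__main__":
    for finding in scan_post_body(SAMPLE_BODY):
        print(finding)
```

Requiring each layer to decode to readable text keeps the layer count from running away on short plain values that happen to be valid base64.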