Browse Securely for Chrome™ is Spyware
Here is what Browse Securely transmits when the user visits a Spotify pairing page:
{
"uid": "36ebc658-c7bd-4230-8886-0f7cffce6b76",
"utm_source": null,
"mid": null,
"prid": "8d5294c3-0bac-4959-a25b-c50df4726965",
"id": "86a0a954-b827-40c5-9202-00689694c47c",
"ext_num": 109,
"runtime_id": "eldjnmdpkecnjjkmmgndpcibgkfpodfh",
"version": "1.3.7.5165",
"net_conf": "netd75171",
"user_conf": {
"apiDomain": "https://ext.securybrowsenow.com",
"blockedPages": 0,
"dashUrl": null,
"errorDomain": "https://securybrowseit.com",
"hideBlockPage": false,
"isEnc": true,
"pingTimeoutSeconds": 14400,
"protectedSearches": 0,
"sUrl": null,
"scannedPages": 0,
"searchesThisRun": 0,
"stopDefaultScan": false,
"syncDomains": [],
"urlCacheSizeLimit": 1500,
"urlCacheTimeoutSeconds": 86400,
"userWrOff": false,
"wrBL": null,
"wrFirstEnabled": true,
"wrOff": false,
"wrPassDisabled": false,
"wrWL": null
},
"product_conf": {
"productType": "SEC"
},
"popUpConfig": {
"contextMenuItems": null,
"displayBadgeText": false,
"dontShowQuestionMark": false
},
"browser_action_conf": {
"icon": "icons/icon16.png",
"popup": "popup.html",
"title": "Browse Securely for Chrome™"
},
"local": {
"language": "en-US",
"local_time": 1688562441.999,
"local_timezone": 240
},
"manager": true,
"manifest_version": 3,
"extra": {
"url": "https://accounts.spotify.com/en/login?continue=https%3A%2F%2Faccounts.spotify.com%2Fpair%2Fv1%3Fflow_ctx%3Ddc06c42a-2a66-42ea-93a5-058b351ce9ea%253A1688584023",
"tabId": 1181371126,
"chain": {
"items": [
{
"status": 307,
"source": "https://accounts.spotify.com/pair/v1?flow_ctx=dc06c42a-2a66-42ea-93a5-058b351ce9ea%3A1688584023",
"target": "https://accounts.spotify.com/en/pair/v1?flow_ctx=dc06c42a-2a66-42ea-93a5-058b351ce9ea%3A1688584023",
"time": 1688562433328.829
}
]
},
"ref": "https://accounts.spotify.com/en/login?continue=https%3A%2F%2Faccounts.spotify.com%2Fpair%2Fv1%3Fflow_ctx%3Ddc06c42a-2a66-42ea-93a5-058b351ce9ea%253A1688584023",
"isSiteRateExt": false,
"t": "Login - Spotify",
"index": 4,
"pUrl": "https://accounts.spotify.com/en/pair/v1?flow_ctx=dc06c42a-2a66-42ea-93a5-058b351ce9ea%3A1688584023",
"opUrl": null,
"wid": 1181371121,
"active": true,
"w": 912,
"h": 803
},
"hid": "81249f0f-4088-48ad-83b7-310f7783a661",
"action": "risk"
}
Here is the main data obfuscation loop, which encodes the JSON blob as an array of UTF-8 bytes (uint8),
XORs each byte with a value of 255, and then base64-encodes the result:
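// Minified names: `d` is the XOR key (255, per the description above);
// `t` is assumed to be a Buffer-like object, judging by the calls made on it.
function w(e) {
    for (var r = t.from(e, "utf8"), n = 0; n < r.length; n++)
        r[n] ^= d; // flip every bit of each byte
    return r.toString("base64")
}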
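To read a captured request body during analysis, the transform can be reversed, since XOR with a fixed key is its own inverse. The following is an added example for Node.js, not code from the extension or from the gist author; the function names and the sample report are constructed for illustration, and only the field names come from the JSON shown above.

```javascript
// Added example (not the extension's code). The XOR key 0xFF and the
// UTF-8 -> XOR -> base64 order come from the description above.
const XOR_KEY = 0xff;

// Same transform as the extension's w(): UTF-8 bytes, XOR each byte, base64.
function obfuscate(text) {
  const bytes = Buffer.from(text, "utf8");
  for (let i = 0; i < bytes.length; i++) bytes[i] ^= XOR_KEY;
  return bytes.toString("base64");
}

// Inverse: base64 -> XOR each byte -> UTF-8 text.
function deobfuscate(b64) {
  const bytes = Buffer.from(b64.trim(), "base64");
  if (bytes.length === 0) throw new Error("empty or non-base64 body");
  for (let i = 0; i < bytes.length; i++) bytes[i] ^= XOR_KEY;
  return bytes.toString("utf8");
}

// Pull the browsing data a reviewer cares about out of a decoded report.
function summarizeReport(b64) {
  let report;
  try {
    report = JSON.parse(deobfuscate(b64));
  } catch (err) {
    return { ok: false, error: err.message };
  }
  const extra = report.extra || {};
  const hops = ((extra.chain || {}).items || []).map(
    (h) => `${h.status} ${h.source} -> ${h.target}`
  );
  return {
    ok: true,
    uid: report.uid ?? null,
    action: report.action ?? null,
    url: extra.url ?? null,
    referrer: extra.ref ?? null,
    title: extra.t ?? null,
    redirects: hops,
  };
}

// Constructed sample report (placeholder values, not captured traffic).
const sample = { uid: "00000000-0000-4000-8000-000000000000", action: "risk",
  extra: { url: "https://example.com/login?token=abc", ref: "https://example.com/",
    t: "Login - Example", chain: { items: [{ status: 307,
      source: "https://example.com/a", target: "https://example.com/b" }] } } };
const sampleBody = obfuscate(JSON.stringify(sample));
```

Because the plaintext JSON is ASCII, every byte of the decoded base64 body has its high bit set before the XOR is undone, which is a quick way to recognise this encoding in a proxy capture.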
Here is the obfuscated data blob that is POST'd to https://ext.securybrowsenow.com/api/back/notf: