The Safe Mac

Screenshot extension injects ads

Posted on June 19th, 2014 at 7:55 AM EST

One of my readers was recently having problems with advertisements being injected into web pages, and none of my ad removal instructions or my Adware Removal Tool helped. After almost a week of working on the problem, it turned out to be caused by one particular Safari extension: Awesome Screenshot. Of course, this led to a whole new kind of investigation!

I visited the Awesome Screenshot website, which is extremely polished and professional-looking. It also seems to be quite respectable… it can be found on Apple’s Safari Extensions page, has been rated 4 out of 5 stars on the Mozilla add-ons page, and in the Chrome web store it has been given 4.5 out of 5 stars by more than 35,000 people. This seems like something that should be okay, especially since I couldn’t duplicate the ads when testing in a controlled environment. However, there was no arguing with the results my reader had.

So, I began to dig a little deeper. I started by examining the source code for the Awesome Screenshot Safari extension. I’m hardly an expert at analyzing Safari extension source code, but it didn’t take long to find some very concerning things.

First, I found a strange JavaScript file containing code that had been obfuscated to the point of illegibility. It is common to “minify” JavaScripts, to make the files smaller, but minifying just involves removing all unnecessary whitespace (spaces, returns, tabs, etc.) and comments. What I saw here went further, using a confusing mishmash of single-letter function names and encoded parameters. This is a common technique used by people who create malicious JavaScripts, since it’s nearly impossible to figure out what this kind of code does without lengthy analysis by a JavaScript expert.

This was concerning, but wasn’t proof of anything, since the function of this code was so thoroughly hidden. However, I then found a set of scripts that seemed to belong to a company called Presto Savings. This code has a number of functions that inject code into web pages… something that a simple screenshot extension should not be doing.

I’ve seen adware that contained inactive code before, though. The presence of nasty code is a very bad thing, but it doesn’t prove that that code is actually in use. Code libraries often contain code that may not be used. So I started looking for evidence of modifications. Simply loading my own site and examining the page source quickly revealed an injected JavaScript:

[Screenshot: Awesome Screenshot 3]

This doesn’t seem to happen all the time, but once was enough for me. There’s absolutely no legitimate reason for this extension to be injecting a Presto Savings JavaScript into my web page!
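A repeatable form of the check described above, as an added example that is not part of the original post: it compares the script URLs in the HTML the server sent with those in the live DOM (for instance `document.documentElement.outerHTML` copied from the browser console) and reports scripts that exist only on the client side and come from a host the site does not use. The function names, the `example.org` and `example.net` hosts, the allowlist and both markup samples are constructed for illustration; only the file name `prestosavings.js` comes from the reader comments on this page.

```javascript
// Assumption: the only hosts this (constructed) site loads scripts from.
const EXPECTED_HOSTS = new Set(["www.example.org", "cdn.example.org"]);

// Collect the absolute URL of every external <script> in a chunk of markup.
function scriptUrls(html, pageUrl) {
  const urls = new Set();
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(tag[1]);
    if (!src) continue; // inline script, nothing to resolve
    const raw = src[1] ?? src[2] ?? src[3];
    try {
      urls.add(new URL(raw, pageUrl).href); // resolves relative and //host forms
    } catch {
      urls.add(raw); // keep unparseable values so they still get reported
    }
  }
  return urls;
}

// A script that is in the live DOM, was not in the HTML the server sent, and
// comes from a host the site does not use was added on the client side.
function findInjectedScripts(servedHtml, liveDom, pageUrl, expected = EXPECTED_HOSTS) {
  const served = scriptUrls(servedHtml, pageUrl);
  const findings = [];
  for (const href of scriptUrls(liveDom, pageUrl)) {
    if (served.has(href)) continue;
    let host = null;
    try { host = new URL(href).hostname; } catch { /* unparseable src */ }
    if (host === null || !expected.has(host)) findings.push({ href, host });
  }
  return findings;
}

// Constructed sample: the HTML as served versus the DOM the browser ended up with.
const PAGE_URL = "https://www.example.org/blog/";
const SERVED_HTML = `<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.org/lib.js"></script>
</head><body><p>Post</p></body></html>`;
const LIVE_DOM = `<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script src="/js/lazy-comments.js"></script>
<script type="text/javascript" src='http://ads.example.net/inject/prestosavings.js'></script>
</head><body><p>Post</p></body></html>`;
console.log(findInjectedScripts(SERVED_HTML, LIVE_DOM, PAGE_URL));
```

The site's own late-loaded script (`/js/lazy-comments.js`) is not reported because its host is on the allowlist; only the script from the unexpected host is.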

The Awesome Screenshot site does not indicate anywhere that advertising is going to be used, nor does the description on Apple’s Safari Extensions site. On the Chrome web store, the description also does not mention advertising, although it does make a vague reference to an “optional search enhancement feature,” of which the developer says, “Since many users don’t like it, we remove this feature.”

The only place where the developers reveal this behavior is on the Mozilla add-ons page, where the description of the extension includes the following:

This extension also integrate some additional features such as “Discover Similar Sites” and “Price Comparison While You Shop.” These are value-added features, and definitely are not “Malware” or “Adware” as some may mistakenly believe. Please also note that these features are disabled by default unless you enable them.

Most users would not agree that these are “value-added” features, and it’s clearly not the case that all these features are disabled by default in Safari, at least, where the “price comparison” feature is enabled by default:

[Screenshot: Awesome Screenshot 4]

In all, if the Awesome Screenshot website had owned up to its advertising ways right up front, I’d have had no problem with it. If a user wants to knowingly install a program that has a setting to allow ad injection, that’s his or her business, not mine. However, when a program’s website does not make any mention of ad injection, and the injection is turned on by default, that’s enough for me to classify this as adware. I have, therefore, updated my Adware Removal Tool to find and remove Awesome Screenshot.


20 Comments

  • Sorcha Whyte says:

    I had Awesome Screenshot installed a while ago and noticed that it was suddenly logging a weird object to my console (Safari). After that I clicked the uninstall button in the Safari extensions tab. Is that enough to fully remove Awesome Screenshot?

    • Thomas says:

      Yes, that’s all you have to do. If you also installed it in any other browsers, you’ll need to do the same thing there.

      I added detection of this to my Adware Removal Tool, but that tool is really not necessary for removing it. If you know you have it installed, it’s easier to just remove it from the browser yourself.

  • xChris says:

    just FYI there are extensions on google chrome store that are serving ads, this is not something new…

  • Gavin says:

    Thank you for all your hard work on this subject. I check this site regularly.

    This isn’t a question that is directly related to this post, but it does involve adware of a sort. Do you know if the “Worldtrack DOT co” malware affects Safari? It’s not listed in your adware or malware guides, but I thought I might check, as I did find one site that says that it does.

    I recently had a bad experience with browser redirects. It was complicated, so I won’t go into the details. (For my peace of mind, I asked about it here: https://discussions.apple.com/thread/6408826 .) Also, I was on my iPhone at the time, and I’m assuming that anything nasty would be extremely unlikely to affect the iOS version of Safari.

    But it has me curious in case the same thing should happen when I’m on my Mac.

    Thank you.

    • Thomas says:

      It’s important to understand that the site to which you are directed by adware is not the same as the adware itself. So, Worldtrack [dot] co is not, and cannot be, adware or malware, because it’s just a website. It may be used by adware or malware; adware may redirect you there or load ads from there. But the adware will actually be called something else. The GoPhoto-it adware, for example, has been seen to load pages from the seemingly unrelated srv123 [dot] com, among many other addresses.

      It’s possible that some of the Mac adware that I have described in my Adware Removal Guide might, in some cases, load content from or redirect to this site. I’ve never observed that, but in this area, there’s almost always something I haven’t observed, even with adware I’ve been watching for a long time.

      Also, there’s no adware at all for an iOS device that hasn’t been jailbroken.

  • Derek Currie says:

    Hi Thomas! Thanks for another great article.

    One thankfully rare but ongoing issue for Mac users are applications that install tracking cookies. Of course, they’re harmless if you’re not surfing the net. But there they are, surveilling you when you are on the net. One developer I talked to acknowledged the tracking cookie injection and kindly removed it from his application. Another I talked to also removed it, then recently put it back in again! Thankfully, I like his software or I’d clobber him. I also have cookie control applications that delete the thing whenever the application tries to inject it again.

    Then there are the browser add-ons that also inject tracking cookies. I found a slew of them that do it in Firefox. I’m in the process of identifying exactly which add-ons are injecting what cookies. This is nefarious, nearly on the order of the Awesome Screenshot adware injection.

    The trend in the current era is to surveil the customer to the maximum extent allowable by law, and then some, as witnessed from the NSA. I consider it customer/citizen abuse. Helping people understand how to protect their rights is becoming increasingly more difficult. With time, I suspect developers will provide more sophisticated user protection software that will make maintaining one’s privacy more simple and reliable.

  • daire says:

    hi Thomas,
    nothing to do with this article but I’ve noticed that sophos free anti-virus for mac blocks users from using the for network, which is used by many people around the world to stay private and navigate around government restrictions. i’ve tried tweeting them and asking why but i have not got a response. sophos was my go to anti virus until i discovered this, it seems very strange, or maybe they do not know. could you ask?

    • daire says:

      that should say “tor network” not “for network”

    • Al says:

      The Tor network is also most cybercriminals’ network of choice to keep their dirty work hidden from law enforcement.

      I understand the pursuit of privacy on the Internet, but “navigating around government restrictions” is often against the law, so I think I understand why Sophos might choose to protect you in this way.

      It’s easy enough to turn such blocking off in Sophos Preferences or add the Tor sites to the “Allowed Websites”

  • Roger Coathup says:

    thanks, had been noticing a javascript ‘prestosavings.js’ getting loaded and wondered what on earth it was.

    Have uninstalled awesome screenshot

  • David Barnett says:

    Just noticed that this was happening on checking out source code on some sites I was working. Stunned that this script kept appearing in the page. Just been pulling apart my code when I found this article. Stunned that this is coming from an Apple certified extension. Shall be writing to Apple and adding some negative feedback for Awesome Screenshot. I noticed even unchecking the ‘Enable price comparison’ bit, still didn’t stop it from injecting code in to my page. Bad, bad, bad!

  • James Brighton says:

    Just a big thank you for creating this script! It worked perfectly on my MacMini.
    Any download site inserting malware I will boycott might I suggest all who want a user friendly and free internet do the same.
    Shame on Apple for not pulling this extension. It is still prominently promoted on the Apple site with no warning, very bad form Apple. It must be making $$$ for someone at Apple.

  • Victor Wang says:

    I just found the same problem, googled it online and got it here. Great thanks for digging out

    And I found the script on chrome extension is even trickier: it actually tried to steal cookie and send to
    http://savecdn.com/addon/coupontool2/load_settings.php?pid=awesome

    What a business! Keep away from this extension.

  • jabba says:

    thanks for the article
    noticed this script causing problems in linux/chrome
    will look for an alternative

  • jabba says:

    add rule to black list in adblock plus:

    “https://savecdn.com/addon/coupontool2*”

  • haxored says:

    Jabba, that works fine until they decide to use a new host. It occurs to me that no one even mentions the nastiest part of code injection: CODE INJECTION STEALS COOKIES. This is not paranoia. Open your console, click on the requests to savecdn.com, and you will see your cookies for “x” private domain that you happen to be viewing have been posted to savecdn.com as form data. Who knows what they’re doing with our cookies. They can be used for user impersonation.

  • Mark says:

    You might find this article interesting. It would seem that not only does awesome screenshot have adware it also is tracking all of the pages you visit and sending them to a server, this includes very specific URLs you would not want being public
    https://mig5.net/content/awesome-screenshot-and-niki-bot

    • Thomas says:

      Good information, thanks. I’ve forwarded this information to Apple’s product security team, in hopes that this will be the final straw that gets Apple to remove Awesome Screenshot from the front page of their Safari Extensions site.

  • Jane says:

    I have spent two days trying to chase down why Safari and Chrome were both messing with my e-mail and why I kept getting websites, uninvited, opening in my browser and taking over. I could not get rid of them by purging cookies, etc. I could not open links in gmail on Safari or Chrome..kept getting the awshucks on Chrome and maybe you need to allow popups on Safari. Finally, gouging, I found your site and ran your adware removal program. I had just added several extensions right before this happened. I had deleted most of them but had kept Awesome Screen shots for both browsers. Your program removed them and now all works well in terms of opening links in gmail. I also seem not to be getting the obnoxious website intrusions. Thanks for this tool.

This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.