# Analysis of a Malicious Chrome Extension Posing as a YouTube Sidebar
A Chrome extension called "Youside — YouTube Sidebar" has been discovered in the Chrome Web Store. It has nothing to do with YouTube functionality. Instead of the promised features—an embedded player, subscription management, and quick access—it implements a thin client for a third-party backend, complete with remote interface control, user data collection, and hidden monetization.
Architecture: Client Without Logic
The extension with ID mmecpiobcdbjkaijljohghhpfgngpjmk exemplifies typical malicious software architecture: minimal local logic and heavy reliance on an external server. On launch, it generates or retrieves a persistent user_id from localStorage, then queries the API at https://mines.cloudapi.stream/user_info. The server's response fully dictates the user interface behavior—from element visibility to HTML block contents.
Key features:
- No calls to YouTube API or the
youtube.comdomain - No implementation of IFrame Player API
- No logic for handling subscriptions, video search, or video streaming
- All actions controlled via external server responses
This setup lets attackers dynamically alter the extension's behavior without needing to update its code in the store.
Remote Interface Control
The server returns a JSON object with fields like success, is_valid, rating, and protxt. The client applies this data directly to the DOM without any validation:
if (result.is_valid) {
proplansID.classList.add('h_');
playBtn.classList.remove('h_');
} else {
playBtn.classList.add('h_');
}
This approach mimics feature flags but lacks protection against injections. Direct HTML insertion is especially risky:
if (result.protxt) {
proplansID.innerHTML = result.protxt;
}
Since the content isn't filtered or sanitized, the server can inject arbitrary JavaScript via innerHTML, enabling XSS attacks even in the extension's isolated context.
Hidden Monetization and Tracking
All buttons with class .buyBtn are intercepted and redirected to an external domain:
document.querySelectorAll('.buyBtn').forEach(btn => {
btn.setAttribute(
'href',
`https://topup.cloudapi.stream/?user_id=${encodeURIComponent(localStorage.getItem("user_id"))}&type=game`
);
});
Any clicks on these elements pass the user's unique ID via URL parameter. This links user actions to their profile for monetization or further profiling.
For reliable tracking, it combines:
user_idfromlocalStorage(persistent identifier)chrome.runtime.id(unique extension ID in the browser)navigator.language(user's language code)
This combination ensures high-accuracy identification even if the IP changes or cookies are cleared.
Lack of Promised Functionality
Despite the store description, the extension contains no code related to YouTube:
- No calls to YouTube Data API
- No embedded video player via iframe
- No playback event handling
- No playlist or channel logic
Its only YouTube interaction is a redirect on Play button click:
playBtn.addEventListener("click", () => {
window.location = "https://youtube.com/";
});
This confirms the extension is purely a facade for a useful tool, with its real purpose being data collection and traffic monetization.
Key Takeaways
- The extension doesn't deliver the promised YouTube features.
- The interface is fully controlled by an external server via unsecured APIs.
- Arbitrary HTML injection is possible, with potential XSS risks.
- Hidden user tracking via combined identifiers.
- All monetization links redirect to third-party domains, passing
user_id.
— Editorial Team
No comments yet.