The Tallest Dwarf

RSSEmailMastodonNewsletterTwitterGitHubDribbbleLinkedInFacebookInstagramYouTubePinterestReddit icon

Possible compromise of Read Aloud browser extension

Posted at — Sep 23, 2021 by Abishek Muthian

Possible compromise of Read Aloud browser extension.

Read Aloud is a famous Text-To-Speech browser extension with 65,065 Users & Recommended badge on Firefox and 3,000,000+ users on Chrome web store. It is mostly used by people with accessibility needs, Especially those who are visually impaired.

I saw a hyperlink with the text 'India success [story]' on the footer of the popup of the extension. Clicking the URL leaded to the YouTube video titled 'Home ivermectin based kits in India' [1].

Read Aloud browser extension compromise Image credit: User WolfIcefang on GitHub.

Checking the code [2] the content for the hyperlink is fetched dynamically from the readaloud website [3].

{"id":"ivermectin","text":"India success [story]","link":"https://youtu.be/eO9cjy3Rydc","period":1440} ```

The hyperlink is changed then changed from 'India success [story]' to 'report issues' automatically.

The publisher of the extensions seems to be same as the developer, I have asked for clarifications on their ~~GitHub issues~[4] Archive.

Update

The developer/publisher has commented on the GitHub Archive saying quote, to bring awareness to a story that has so far been suppressed, unquote.

I have pointed out the misinformation in the statements and deceptive practices to the developer but the developer is doubling down on their claims without addressing the deceptive practices.

My opinion is that the browser extension should be reported for it's deceptive practices on Chrome webstore and Firefox add-ons and taken down to prevent misinformation and potential harm to the users.

Archive of URLs

[1] https://web.archive.org/web/20210923144909/https://www.youtube.com/watch?v=eO9cjy3Rydc

[2] https://web.archive.org/web/20210923143226/https://github.com/ken107/read-aloud/blob/8770c74f323392ba113f50eb1c4014d07b28ffd9/js/popup.js

[3] https://archive.is/QUgkl

[4] https://web.archive.org/web/20210923150526/https://github.com/ken107/read-aloud/issues/232

Change Log

23 Sep 2021: Added statement from the developer with my opinion on what action needs to be taken. Updated GitHub URL with archive as the developer deleted the issue I raised.

Newsletter

I strive to write low frequency, High quality content on Health, Product Development, Programming, Software Engineering, DIY, Security, Philosophy and other interests. If you would like to receive them in your email inbox then please consider subscribing to my Newsletter.