Appspector Browser Extension Injects Code into WordPress Posts

Recently, it has been discovered that the Appspector Extension for web browsers has been injecting JavaScript code into Search Engines. More alarmingly it has also been injecting code into WordPress Post/Page editor. The popular extension, which has since been removed from Google Chrome and Firefox, detects which technologies are being used on a website.

However, 2 weeks ago random ads started showing up after searching on Google. I just ignored them at the time but when I went to create a WordPress Post I came across a random image icon in the Visual editor display.

I switched to text view and came across a JavaScript file that had conveniently been placed at the bottom of my editor. After deleting it and saving the post again it reappeared.

I checked the Google Chrome Console, in developer tools and I saw that this file was trying to load 3 other JavaScript files which were being blocked by Chrome as an (XSS) Cross-Site Scripting attack.

On removing the appspector extension it automatically opened up another tab which tried to tell me that my flash player was out of date and started downloading a new version. No doubt If I installed it would lead to many viruses.

How Widespread is it?

Having checked all of my WordPress posts and pages including drafts I only encountered it on my last published post and my projects page which I updated the same day. All posts prior to this were fine. However, I am not certain if this affects users using other Content Management Systems like Drupal or Joomla.

How do you know if you have been affected?

If you open your Developer Console in your browser ctrl+alt+i  (Windows & Linux) cmd+alt+i (Mac) and check all your posts and pages that have been created or edited. If you see red in your console or any reference to any of the following.

https://worldnaturenet.xyz
https://statcounter.biz
http://netanalyzer.space

How to Remove it if you have been infected?

Open up your infected blog post/page in text view and delete the code.

Remember to save your post! Come across any other CMS that has been affected by the Appspector XSS injection? Please feel free to have your say.