On the 3rd of October, 2020, Hugo Xu (a.k.a. “jspenguin2017”) announced he had sold Nano to “a team of Turkish developers”. No further information was posted.
Fast forward 12 days: Raymond Hill (developer of uBlock Origin) started to dig deeper. Raymond inspected the modifications added by the new developers (which were not published to GitHub), revealing their dubious intentions.
The extension transmits your data to an unknown server, sending information about web requests (which may contain confidential information). This is a backdoor, and presents a major privacy risk to users of the Nano suite.
Although the extension works without collecting any data, the new Nano developers have chosen to collect the following:
- Your IP address,
- Your country,
- Time of your web requests,
- HTTP methods (POST, GET, HEAD, etc.),
- Size of HTTP responses,
- HTTP status response codes,
- Your operating system and “other parameters about the device operating system and/or the User’s IT environment”,
- Time spent on each web page,
- URLs navigated in the application.
As if that were not enough, the new developers have not released an official statement.
So, what can you do? Remove this extension immediately!
uBlock Origin is a fine alternative to Nano.
It comes with greater stability, many more contributors, and no data collection.
Remember to audit your extensions frequently, and remove any unused extensions.
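One way to carry out the audit suggested above on a Chromium-based browser, as an added example that is not part of the original post: it reads each installed extension's `manifest.json` and reports which ones can see traffic on every site. The function names and the sample manifest are constructed for illustration, and the path to the profile's `Extensions` directory is something you supply.

```python
import json
import sys
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest):
    """Return the reasons a manifest deserves a closer look (empty if none)."""
    # Manifest V2 mixes API and host permissions; V3 moves hosts to their own key.
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = set(perms) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    reasons = []
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        reasons.append("access to all sites: " + ", ".join(broad))
    if "webRequest" in perms:
        reasons.append("can observe web requests (webRequest)")
    return reasons


def audit_profile(extensions_dir):
    """Map 'name version' -> reasons for each manifest under a profile's
    Extensions directory (layout: <extension id>/<version>/manifest.json)."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):  # unreadable file or invalid JSON
            report[str(path)] = ["manifest unreadable"]
            continue
        key = f"{manifest.get('name', path.parts[-3])} {manifest.get('version', '?')}"
        report[key] = assess_manifest(manifest)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a profile's Extensions directory
        for ext, reasons in audit_profile(sys.argv[1]).items():
            print(ext, "->", "; ".join(reasons) or "nothing flagged")
    else:  # constructed sample manifest, not taken from any real extension
        sample = {"name": "Sample Blocker", "version": "1.0",
                  "permissions": ["webRequest", "storage", "<all_urls>"]}
        print(assess_manifest(sample))
```

A flag here describes capability, not misbehaviour: content blockers need these permissions to work, so the flagged extensions are the ones where a change of ownership matters most.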
In the case of Nano Defender, users were not notified before control of the extension was transferred to a third party. That’s not the right way to handle this.
Hopefully, we can learn from this and move forward.
UPDATE: I’ve just been told that LiCybora, the author of the Firefox Nano extensions, has full control over the Firefox extensions. They’re safe for now.