From 157b377e98630fd9ab041cb77d26adee5a4aec73 Mon Sep 17 00:00:00 2001
From: AugmentedMode <31675118+AugmentedMode@users.noreply.github.com>
Date: Fri, 25 Oct 2024 09:10:17 -0400
Subject: [PATCH] fix: Cherry-pick: Fix c2 detection bypass by supporting all
 network requests types (#28087)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution? -->

Cherry pick: #28057

This update addresses a bypass that allowed scammers to bypass C2
detection by using alternative network request types to communicate with
their Command and Control (C2) servers. Previously, we only listened for
a limited set of request types (e.g., main_frame, sub_frame,
xmlhttprequest), which left the system exposed to other methods of
calling C2s.

With this fix, we now listen to all network request types and
cross-check them against our client-side blocklist, ensuring better
coverage and preventing these types of bypasses.

Changes:

Updated maybeDetectPhishing in background.js to listen for all network
requests by removing restrictions on request types.

[![Open in GitHub

Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/28057?quickstart=1)

## **Related issues**

Fixes:

## **Manual testing steps**

1. Go to a website known to be on the C2 domain blocklist. For now we
made our test website https://develop.d3bkcslj57l47p.amplifyapp.com/
have a malicious C2 Request that is on our blocklist.
2. Attempt to interact with the site.
3. Verify that on visiting the website you get redirected to the
Metamask phishing page.
4. Repeat with a site that is not on the blocklist to confirm normal
operation.


## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding

Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.


<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->
---
 app/scripts/background.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/scripts/background.js b/app/scripts/background.js
index 9f203b35661d..ad6e3b6f22c2 100644
--- a/app/scripts/background.js
+++ b/app/scripts/background.js
@@ -324,7 +324,6 @@ function maybeDetectPhishing(theController) {
       return {};
     },
     {
-      types: ['main_frame', 'sub_frame', 'xmlhttprequest'],
       urls: ['http://*/*', 'https://*/*'],
     },
     isManifestV2 ? ['blocking'] : [],