// From anonymox/background/proxy-manager.js (circa 2017) let proxyList = []; function fetchProxyList() { fetch('https://api.anonymox.net/get_proxies') .then(res => res.json()) .then(data => { proxyList = data.proxies; // [{host, port, type, country}] setNextProxy(); }); }
function collectTelemetry() { let data = { urls: window.performance.getEntriesByType('navigation').map(n => n.name), referrer: document.referrer, user_agent: navigator.userAgent, extension_id: chrome.runtime.id, install_date: localStorage.getItem('install_date') }; fetch('https://stats.anonymox.net/collect', { method: 'POST', body: JSON.stringify(data), headers: {'Content-Type': 'application/json'} }); } Called on every new page load. Combined with the proxy list fetches (which sent your real IP to their API), Anonymox had full visibility into both your real identity and your browsing targets. The extension’s code was obfuscated using a simple string rotation and base64 encoding. Here’s an example from the actual source: anonymox code
So next time you install a “free anonymizer” extension, ask yourself: What would the Anonymox source code look like if I could see it? // From anonymox/background/proxy-manager
No validation of proxies. The extension blindly trusted any IP and port from the remote server. 3. The Malware Vector: Hidden in Plain Sight The most shocking part of the Anonymox code was not the proxy logic—it was the update mechanism . Here’s an example from the actual source: So
function setNextProxy() { let proxy = proxyList[Math.floor(Math.random() * proxyList.length)]; let config = { mode: "fixed_servers", rules: { singleProxy: { scheme: proxy.type, host: proxy.host, port: proxy.port } } }; browser.proxy.settings.set({value: config}); }