Chrome extensions with 1.4M installs covertly track visits and inject code

If you’ve installed any of these extensions, manually remove them stat.

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users’ browsing history and inserting tracking code into specific ecommerce sites they visited.

The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites.

The extensions sent the name of each site visited to the developer-designated site, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased.

To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection. The extensions McAfee identified are:

NameExtension IDUsers
Netflix Partymmnbenehknklpbendgmgngeaignppnbe800,000
Netflix Party 2flijfnhifgdcbhglkneplegafminjnhn300,000
FlipShope – Price Tracker Extension adikhbfjdbjkhelbdnffogkobkekkkej80,000
Full Page Screenshot Capture – Screenshotting pojgkmkfincpdkdgjepkmdekcahmckjp200,000
AutoBuy Flash Salesgbnahglfafmhaehbdmjedfhdmimjcbed20,000

As of early September, all five extensions have been removed from the Chrome Web Store, a Google spokesperson said. Removing the extensions from its servers isn’t the same as uninstalling the extensions from the 1.4 million infected devices. People who have installed the extensions should manually inspect their browsers and ensure they no longer run.

Source: Chrome extensions with 1.4M installs covertly track visits and inject code | Ars Technica

Posted in Exploit, Vulnerability.