Chrome, the most widely used web browser worldwide, is under some criticism. Threat analysts have found five Google Chrome extensions that track users’ browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times, according to McAfee reports.
The extensions delivered the promised functionality, but nothing visible told users that their browsing data was being collected without their knowledge.
The five Google Chrome extensions in question include Netflix Party, Netflix Party 2, Full Page Screenshot Capture – Screenshotting, FlipShope – Price Tracker Extension and AutoBuy Flash Sales. Netflix Party has over 800,000 downloads, while the Netflix Party 2 Chrome Extension has over 300,000 downloads.
How These Extensions Work
All five extensions discovered by McAfee behave similarly. The web app manifest ("manifest.json" file), which dictates how the extension should behave on the system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the attackers control (“langhort<.>com”).
The data is delivered via POST requests each time the user visits a new URL. The information reaching the fraudster includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL.
If the visited website matches any entries on a list of websites for which the extension author has an active affiliation, the server responds to B0.js with one of two possible functions.
The first one, “Result<‘c’> – passf_url”, orders the script to insert the provided URL (referral link) as an iframe on the visited website.
The second, “Result<‘e’> setCookie”, orders B0.js to modify the cookie or replace it with the provided one, if the extension has been granted the associated permissions to perform this action.
The two Netflix Party extensions have been removed from the store, but this doesn't delete them from web browsers, so users should take manual action to uninstall them. Thus, if you are using any of the listed extensions, even if you find their functionality useful, it is recommended to remove them from your browser immediately.
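Because removal from the store leaves installed copies in place, a local check of unpacked extension folders is worth having. The following is an added example, not code from McAfee or from the extensions: it flags any extension whose manifest loads B0.js or whose scripts reference the reporting domain, and notes the cookies permission as context. The `<id>/<version>/manifest.json` layout, the folder names and the sample file contents are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# Indicators named in the article; the domain stays defanged in source and is refanged at runtime.
IOC_DOMAIN = "langhort<.>com".replace("<.>", ".")
IOC_SCRIPT = "b0.js"

def manifest_scripts(manifest):
    """Scripts a manifest loads: background scripts, MV3 service worker, content scripts."""
    bg = manifest.get("background", {})
    scripts = list(bg.get("scripts", [])) + ([bg["service_worker"]] if "service_worker" in bg else [])
    return scripts + [js for cs in manifest.get("content_scripts", []) for js in cs.get("js", [])]

def audit_extension(ext_dir: Path):
    """Return findings for one unpacked extension directory (empty list means no indicator)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = [f"manifest loads {s}" for s in manifest_scripts(manifest) if Path(s).name.lower() == IOC_SCRIPT]
    for js in sorted(ext_dir.rglob("*.js")):
        if IOC_DOMAIN in js.read_text(encoding="utf-8", errors="ignore").lower():
            findings.append(f"{js.relative_to(ext_dir).as_posix()} references IoC domain")
    # The cookies permission is reported only as context once an indicator has matched.
    if findings and "cookies" in manifest.get("permissions", []):
        findings.append("cookies permission granted")
    return findings

def audit_root(root):
    """Audit every directory under root holding a manifest.json; keep only those with findings."""
    found = {m.parent.relative_to(root).as_posix(): audit_extension(m.parent)
             for m in sorted(Path(root).rglob("manifest.json"))}
    return {ext: f for ext, f in found.items() if f}

# Constructed sample profile: "aaaa" matches the indicators, "bbbb" is benign.
SAMPLE = {
    "aaaa/1.0_0/manifest.json": '{"background": {"scripts": ["B0.js"]}, "permissions": ["cookies"]}',
    "aaaa/1.0_0/B0.js": f'const host = "https://{IOC_DOMAIN}";',
    "bbbb/2.1_0/manifest.json": '{"background": {"service_worker": "sw.js"}, "permissions": ["cookies"]}',
}

def audit_sample():
    """Write SAMPLE to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(text, encoding="utf-8")
        return audit_root(tmp)

if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

To check a real profile, pass the browser's extensions folder to `audit_root` instead of the sample directory.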