Chrome extensions with 1.4M installs covertly track visits and inject code

By | August 31, 2022
Chrome extensions with 1.4M installs covertly track visits and inject code

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users’ browsing history and inserting tracking code into specific ecommerce sites they visited.

The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites.

The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased.

To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection. The extensions McAfee identified are:

Name Extension ID Users
Netflix Party mmnbenehknklpbendgmgngeaignppnbe 800,000

Netflix Party 2

flijfnhifgdcbhglkneplegafminjnhn 300,000

FlipShope – Price Tracker Extension

adikhbfjdbjkhelbdnffogkobkekkkej 80,000

Full Page Screenshot Capture – Screenshotting

pojgkmkfincpdkdgjepkmdekcahmckjp 200,000
AutoBuy Flash Sales gbnahglfafmhaehbdmjedfhdmimjcbed 20,000

As of Wednesday, all five extensions have been removed from the Chrome Web Store, a Google spokesperson said. Removing the extensions from its servers isn’t the same as uninstalling the extensions from the 1.4 million infected devices. People who have installed the extensions should manually inspect their browsers and ensure they no longer run.

Source