Skip to main content

Chrome extensions with 1.4M users may have stolen your data

McAfee researchers have discovered various Google Chrome extensions that steal browsing activity, with the add-ons racking up more than a million downloads.

As reported by Bleeping Computer, threat analysts at the digital security company have come across a total of five such malicious extensions.

Google Chrome icon in mac dock.
PixieMe / Shutterstock

With more than 1.4 million downloads, the extensions have tricked an unprecedented number of individuals into adding them to their browsers. The extensions in question that have been tracked down thus far are:

  • Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) — 800,000 downloads
  • Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) — 300,000 downloads
  • Full Page Screenshot Capture — Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) — 200,000 downloads
  • FlipShope — Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) — 80,000 downloads
  • AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) — 20,000 downloads

Once one of the extensions listed above has been installed onto Chrome, it can subsequently detect and observe when the user opens an e-commerce website on their browser. The cookie that is generated by the visitor is altered in order to make it seem they arrived at the site via a referrer link. Ultimately, whoever is behind the extensions can then receive an affiliate fee should the target buy anything from these sites.

All the extensions actually deliver on whatever functionality is listed on their Chrome web store pages. Coupled with the fact that they showcase a user base in the tens or hundreds of thousands, it may convince many that they’re safe to download if they’re being utilized by so many individuals.

While the Netflix Party extensions have been taken down, the screenshot and price tracker ones are still live on the Chrome web store.

As for how the extensions work, McAfee detailed how the web app manifest — an element controlling how the add-ons run on the browser — executes a multifunctional script, allowing browsing data to be sent directly to the attackers through a certain domain that they’ve registered.

Once a user visits a new URL, their browsing data is sent with the use of POST requests. Such information includes the website address itself (in base64 form), the user ID, device location (country, city, and zip code), and a referral URL that’s encoded.

To avoid being detected, some of the extensions won’t activate their malicious tracking activity until 15 days after it’s been installed by the target. Similarly, we’ve recently seen how threat actors delay their malware being loaded onto a system for up to a month.

Hackers have increasingly relied on hiding malicious codes and malware in free Windows software and downloads. Most recently, they’ve been targeting users with space images, as well as trying to breach systems via Windows Calculator.

Zak Islam
Former Digital Trends Contributor
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
This Chrome extension lets hackers remotely seize your PC
A depiction of a hacker breaking into a system via the use of code.

Malicious extensions on Google Chrome are being used by hackers remotely in an effort to steal sensitive information.

As reported by Bleeping Computer, a new Chrome browser botnet titled 'Cloud9' is also capable of logging keystrokes, as well as distributing ads and malicious code.

Read more
Google Chrome extensions are failing, and $8,000 is on the table for a fix
A mouse pointer hovering over the CrankWheel Chrome Eextension.

There seems to be some mysterious problem affecting certain Chrome extensions, but it's intermittent enough that it hasn't yet been solved. The problem is annoying enough that one developer has posted two $4,000 bug bounties and created an Upwork job listing that pays up to $150 per hour. These incentives might inspire others to help track down and fix the bug.

First spotted by TechRadar and described in detail in a blog post written by Jói Sigurdsson, founder and CEO of the CrankWheel screen-sharing extension for the Google Chrome browser, the bug is related to a failure to trigger an action when the extension's icon is clicked on the toolbar. Since this is frequently how an extension is used, it's a crippling error. Unfortunately, the problem is difficult to recreate and is estimated to impact only 3% to 5% of those that have affected extensions installed.

Read more
This new Google Chrome feature may boost your search history
A MacBook with Google Chrome loaded.

Google is adding a new feature to its Chrome web browser that’s intended to help you find previously browsed topics and pick up where you left off. Called Journeys, it’s rolling out now for Chrome’s desktop version.

The feature essentially works like an extension of browsing history. When you type a word into the search bar or head to the Chrome History Journeys page in your browser, you will see a list of previously visited sites linked to that topic. Chrome will know how much you’ve interacted with any particular site, and those it considers the most relevant to you will go to the top of the pile.

Read more