Security threat researchers from McAfee have uncovered five Google Chrome extensions that monitor users’ browsing data. The Chrome extensions in question have been downloaded more than 1 million times so far.
An urgent update has been released for the Google Chrome browser
Downloaded over 1 million times
Among the malicious Chrome extensions detected by McAfee; There’s Netflix Party, FlipShope (price tracking), Full Page Screenshot Capture – Screenshotting (full page screenshot taking) and AutoBuy Flash Sales. Each of these Google Chrome extensions has over 20,000 downloads, a total of 1.4 million downloads.
How do malicious Chrome extensions work?
These Chrome extensions really do what they say, but they perform actions that the user may not notice, which pose a privacy risk. All five extensions uncovered by McAfee exhibit a similar behavior.
The web application manifest (the “manifest.json” file), which determines how the extension behaves on the system, loads a functional script (B0.js) that sends browsing data to the malicious person-controlled domain (“langhort[.]com”). Data is transmitted via POST requests each time the user logs in to a new site. The information reaching the scammer includes URL in base64 format, user ID, device location (country, city, zip code) and encrypted redirect URL. If the website entered matches any of the websites that the extension developer has an active membership of, the server responds to B0.js with one of two possible functions; The first, “Result[‘c’] – passf_url”, instructs the script to insert the provided URL (referral link) as an iframe on the website entered. Second, “Result[‘e’] setCookie” instructs B0.js to replace the cookie or replace it with the cookie provided if the extension has been given the appropriate permissions to perform this action.
McAfee also released a video showing how URL and cookie changes happen in real time:
Uninstall these Chrome extensions
Google is working to eliminate malicious extensions with the new Manifest V3 standard. Compared to legacy Manifest V2 technology, Manifest V3 gives the user more control over which pages plugins can access. Manifest V3 also blocks remotely hosted code, but that’s not enough. Currently, users are advised to remove the relevant extensions from their Chrome browsers:
- Netflix Party – 800,000 downloads
- Netflix Party 2 – 300,000 downloads
- Full Page Screenshot Capture – Screenshotting – 200,000 downloads
- FlipShope – Price Tracker Extension – 80,000 downloads
- AutoBuy Flash Sales – 20,000 downloads
12641
