Chrome Extensions data

Earlier, a report from security firm McAfee detailed malicious extensions that redirect users to phishing sites and insert affiliate IDs into the cookies of eCommerce sites. Following its investigation, McAfee has now found 5 extensions, with a total of over 1,400,000 installations, that promise to enhance your browser but actually steal your data.

The five malicious browser extensions identified by McAfee are Netflix Party (and its successor Netflix Party), FlipShope – Price Tracker Extension, Full Page Screenshot Capture – Screenshotting, and AutoBuy Flash Sale.

Four Malicious Extensions

The extensions provide functionality such as letting users watch Netflix shows together, finding website coupons, and taking screenshots of a website. The screenshot extension also includes several phrases from another popular extension called GoFullPage.


Further, the extensions track the user's browsing activity: every website visited is sent to servers owned by the extension creator. The extensions then modify the cookies on the site so that the extension authors receive affiliate payment for any items purchased.

This is a privacy risk, since every website visited is sent to the extension author's servers and users are unaware of this functionality.

Experts from McAfee say that “All 5 extensions perform similar behavior”. The extensions use the POST method to deliver the information, which includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL.

Function to get user data

The server checks whether the visited website matches a list of websites that it has an affiliate ID for and, if it does, responds to the query. The response is checked against two functions. The first, “Result['c'] – passf_url”, orders the script to insert the provided URL (referral link) as an iframe on the visited website.

The second, “Result['e'] setCookie”, orders the script to modify the cookie, or replace it with the provided one, if the extension has been granted the permissions needed to perform this action.


Inserting a referral URL and setting the cookie to include an affiliate ID

McAfee also attached a video to show how the URL and cookie modifications take place.

“We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity,” McAfee said.

Therefore, McAfee advises its customers to be vigilant when installing Chrome extensions and pay attention to the permissions that they are requesting.
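One way to act on that advice, as an added example (not code from McAfee or from the extensions): a small Node.js check that flags a `manifest.json` requesting cookie access together with access to every site, the combination the cookie replacement described above depends on. The manifests and extension names below are constructed; the permission strings are Chrome's own.

```javascript
// Host patterns that give an extension access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every host pattern the extension can act on.
// Manifest V2 lists hosts inside "permissions"; V3 uses "host_permissions".
function hostPatterns(manifest) {
  const fromPerms = (manifest.permissions || [])
    .filter((p) => p === "<all_urls>" || p.includes("://"));
  const fromHostPerms = manifest.host_permissions || [];
  const fromScripts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  return [...fromPerms, ...fromHostPerms, ...fromScripts];
}

// Report the capabilities that URL tracking, iframe insertion and
// cookie replacement would need, and mark the manifest for manual review.
function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const broad = hostPatterns(manifest).some((h) => BROAD_HOSTS.has(h));
  const findings = [];
  if (broad) findings.push("all sites: can see each visited URL and inject iframes");
  if (perms.has("tabs")) findings.push("tabs: can read the URL of every open tab");
  if (perms.has("cookies") && broad) {
    findings.push("cookies + all sites: can set or replace cookies on any site");
  }
  return { name: manifest.name, findings, review: broad && perms.has("cookies") };
}

// Constructed sample manifests (hypothetical extensions).
const WATCH_PARTY = {
  name: "Example Watch Party", manifest_version: 3,
  permissions: ["tabs", "cookies", "storage"],
  host_permissions: ["<all_urls>"],
};
const NOTES = {
  name: "Example Notes", manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://notes.example/*"],
};
const LEGACY = {
  name: "Example Coupons", manifest_version: 2,
  permissions: ["cookies", "*://*/*"],
};

for (const m of [WATCH_PARTY, NOTES, LEGACY]) {
  console.log(JSON.stringify(auditManifest(m)));
}
```

A flagged manifest is a prompt for review, not proof of abuse: legitimate extensions request the same permissions, so the question is whether the advertised feature needs them.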


Posted by Charlie