Chrome extensions with 1.4 million installs steal browsing data


McAfee threat analysts found five Google Chrome extensions that steal users’ browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times.

The purpose of the malicious extensions is to monitor when users visit an e-commerce website and modify the visitor’s cookie so that the visit appears to have come through a referral link. For this, the authors of the extensions receive an affiliate fee for any purchase made at the online stores.

The five malicious extensions that McAfee researchers discovered are as follows:

  • netflix party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
  • netflix party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
  • Full Page Screenshot – Screenshot (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
  • FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
  • Auto buy flash sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads
Four of the malicious extensions (McAfee)

It is worth noting that the listed extensions still deliver the promised functionality, making it difficult for victims to notice the malicious activity. Although their use does not directly affect users, they pose a serious risk to privacy.

Therefore, if you are using any of the listed extensions, even if you find their functionality useful, it is recommended to remove them from your browser immediately.

How extensions work

All five extensions discovered by McAfee behave similarly. The extension’s manifest (“manifest.json” file), which dictates how the extension should behave on the system, loads a multifunctional script (B0.js) that sends browsing data to a domain controlled by the attackers (“langhort[.]com”).

The data is delivered through POST requests each time the user visits a new URL. The information that reaches the scammer includes the URL in base64 format, the user ID, the location of the device (country, city, postal code), and an encoded referrer URL.

Function to get user data. (McAfee)

If the visited website matches any entry in a list of websites for which the extension author has an active affiliation, the server responds to B0.js with one of two possible functions.

The first, “Result[‘c’] – passf_url”, instructs the script to insert the provided URL (referrer link) as an iframe on the visited website.

The second, “Result[‘e’] setCookie”, tells B0.js to modify the cookie, or replace it with the provided one, if the extension has been granted the permissions needed to perform this action.

Inserting a referral URL (above) and setting the cookie to include an affiliate ID (below) (McAfee)

McAfee has also posted a video showing how the URL and cookie modifications occur in real time.

To evade detection and analysis, and to confuse researchers or vigilant users, some of the extensions wait 15 days after installation before they start sending browser activity.

15 day delay on some of the malicious extensions (McAfee)

At the time of this writing, “Full Page Screenshot – Screenshot” and “FlipShope – Price Tracker Extension” are still available in the Chrome Web Store.

The two Netflix Party extensions have been removed from the store, but this does not remove them from web browsers, so users must take manual actions to uninstall them.
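
The manual check described above can be scripted. The following is an added example, not code from McAfee or from the original article: it looks for the five listed extension IDs in a Chrome user-data directory and also flags any installed extension whose scripts mention the collection domain. The default directory locations and the on-disk layout are assumptions about a standard Chrome install.

```python
import os
import sys
from pathlib import Path

# Extension IDs and names exactly as listed in the article above.
LISTED_IDS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "netflix party",
    "flijfnhifgdcbhglkneplegafminjnhn": "netflix party 2",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot - Screenshot",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope - Price Tracker Extension",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "Auto buy flash sales",
}
# Collection domain from the article, re-fanged only for string matching.
DOMAIN = "langhort[.]com".replace("[.]", ".").encode()


def default_user_data_dirs():
    """Assumed default Chrome user-data locations (Linux, macOS, Windows)."""
    home = Path.home()
    dirs = [home / ".config/google-chrome",
            home / "Library/Application Support/Google/Chrome"]
    if os.environ.get("LOCALAPPDATA"):
        dirs.append(Path(os.environ["LOCALAPPDATA"]) / "Google/Chrome/User Data")
    return dirs


def scan_user_data(user_data_dir):
    """Scan <user data>/<profile>/Extensions/<id>/<version>/ (assumed layout).
    Returns sorted (profile, extension_id, reason) findings."""
    findings = set()
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if not ext_dir.is_dir():
            continue
        profile, ext_id = ext_dir.parent.parent.name, ext_dir.name
        if ext_id in LISTED_IDS:
            findings.add((profile, ext_id, "listed id: " + LISTED_IDS[ext_id]))
        # A copy published under a new listing has a different ID, so also
        # look for the collection domain inside the extension's scripts.
        for js in ext_dir.rglob("*.js"):
            try:
                if DOMAIN in js.read_bytes():
                    findings.add((profile, ext_id, "references " + DOMAIN.decode()))
            except OSError:
                pass  # unreadable entry: skip rather than abort the scan
    return sorted(findings)


if __name__ == "__main__":
    for root in sys.argv[1:] or default_user_data_dirs():
        for profile, ext_id, reason in scan_user_data(root):
            print(f"{root} [{profile}] {ext_id}: {reason}")
```

The domain match only works when the string appears in plain text in a script; the ID match does not depend on the script contents.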
