A few months ago, we blogged about
malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000
The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage
Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.
The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.
The 5 extensions are
| Name | Extension ID | Users |
| Netflix Party | mmnbenehknklpbendgmgngeaignppnbe | 800,000 |
| Netflix Party 2 | flijfnhifgdcbhglkneplegafminjnhn | 300,000 |
FlipShope – Price Tracker Extension
| adikhbfjdbjkhelbdnffogkobkekkkej | 80,000 |
Full Page Screenshot Capture – Screenshotting
| pojgkmkfincpdkdgjepkmdekcahmckjp | 200,000 |
| AutoBuy Flash Sales | gbnahglfafmhaehbdmjedfhdmimjcbed | 20,000 |
www.mcafee.com
