Google this week removed two malicious extensions from the Chrome Web Store. The two extensions were caught stuffing cookies in the web browsers of over a million of their users as part of an affiliate referral scheme. The ad blockers “AdBlock” and “uBlock Origin” used names misleadingly similar to those of more reputable software.
Andrey Meshkov, co-founder and CTO of AdGuard, is the researcher who discovered this behavior. He said in a blog post that the cookie stuffing only started 55 hours after installation, and would stop if a user opened Chrome’s developer console.
Cookie stuffing, also called cookie dropping, is a technique in which a website or a browser extension puts affiliate cookies into a web browser without the user’s knowledge.
Affiliate cookies are used to track when a user makes an online purchase. Many websites do this transparently, saying for example “click this link to support…” In this case, cookie stuffing allowed the makers of these browser extensions to claim commissions for sales, potentially even stealing the revenue from someone else, as these extensions would modify cookie files in a user’s browser.
According to Meshkov, both extensions were built on the code of the original “AdBlock” extension. Google removed both extensions after media reports this week. Google also disabled them in all users’ browsers to prevent new attacks. Between them, the two extensions were on 1,650,000 web browsers.
Browser extensions are a weak link in browser security, with permission to access all the web pages you visit. In the past, some have even stolen online account passwords. As useful as browser add-ons are, for both your privacy and security, try to limit the number you install, and make sure you are downloading from trusted sources. Remember, just being in the Chrome Web Store is not enough reason to trust an extension.
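One way to check installed extensions for the two traits described above, a look-alike name and access to every site's cookies, is to audit each extension's manifest. This is an added example, not code from AdGuard or Google; the `audit` function, the `TRUSTED` allowlist with its placeholder IDs, and the sample manifests are constructed for illustration.

```python
import json
from difflib import SequenceMatcher

# Assumption: names the organisation trusts, mapped to the store ID it has
# verified for each. The IDs are placeholders, not real Chrome Web Store IDs.
TRUSTED = {
    "AdBlock": "PLACEHOLDER_ID_ADBLOCK",
    "uBlock Origin": "PLACEHOLDER_ID_UBLOCK_ORIGIN",
}
# Match patterns that grant access to every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit(ext_id, manifest_text, threshold=0.85):
    """Return a list of findings for one installed extension's manifest.json."""
    manifest = json.loads(manifest_text)
    # Localised manifests store "__MSG_...__" here; resolve it before calling.
    name = manifest.get("name", "")
    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = []
    for trusted_name, trusted_id in TRUSTED.items():
        ratio = SequenceMatcher(None, name.lower(), trusted_name.lower()).ratio()
        if ratio >= threshold and ext_id != trusted_id:
            findings.append(f"name resembles '{trusted_name}' but ID is not the verified one")
    if perms & ALL_SITES:
        findings.append("has access to all sites")
        if "cookies" in perms:
            findings.append("can read and write cookies on all sites")
    return findings

# Constructed sample manifests keyed by (constructed) extension ID.
SAMPLES = {
    "CONSTRUCTED_ID_1": '{"name": "AdBlock", "manifest_version": 2,'
                        ' "permissions": ["cookies", "tabs", "<all_urls>"]}',
    "PLACEHOLDER_ID_UBLOCK_ORIGIN": '{"name": "uBlock Origin", "manifest_version": 2,'
                                    ' "permissions": ["storage", "<all_urls>"]}',
    "CONSTRUCTED_ID_3": '{"name": "Tab Counter", "manifest_version": 3,'
                        ' "permissions": ["tabs"]}',
}

if __name__ == "__main__":
    for ext_id, text in SAMPLES.items():
        print(ext_id, audit(ext_id, text) or "no findings")
```

A name match with an unverified ID is the stronger signal; broad permissions alone are common among legitimate ad blockers and mainly tell you which extensions deserve the closest review.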
Header Image by AdGuard