Security News > 2022 > August > Chrome extensions with 1.4 million installs steal browsing data
Threat analysts at McAfee found five Google Chrome extensions that steal track users' browsing activity.
Collectively, the extensions have been downloaded more then 1.4 million times.
The purpose of the malicious extensions is to monitor when users visit e-commerce website and to modify the visitor's cookie to appear as if they came through a referrer link.
The web app manifest, which dictates how the extension should behave on the system, loads a multifunctional script that sends the browsing data to a domain the attackers control.
The data is delivered through via POST requests each time the user visits a new URL. The info reaching the fraudster includes the URL in base64 form, the user ID, device location, and an encoded referral URL. If the visited website matches any entries on a list of websites for which the extension author has an active affiliation, the server responds to B0.js with one of two possible functions.
To evade detection, analysis, and to confuse researchers or vigilant users, some of the extensions feature a delay of 15 days from the time of their installation before they start sending out the browser activity.