Chrome extensions with 1.4 million installs secretly track visits and inject code

Google has removed browser extensions with over 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users’ browsing history and inserting tracking code into specific e-commerce sites they were visiting.

The five extensions reported by McAfee claim to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply discount codes. Behind the scenes, the company’s researchers said, the extensions kept a running list of every site a user visited and took additional action when users landed on specific sites.

The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city and zip code of the visiting device. If the visited site matched a list of e-commerce sites, the developer’s domain instructed the extensions to insert JavaScript into the visited page. The code modified the site’s cookies so that the extension authors received affiliate payment for all items purchased.

To help keep the activity secret, some of the extensions have been programmed to wait 15 days after installation before beginning data collection and code injection. The extensions identified by McAfee are:

Name                                   Extension ID                        Users
Netflix Party                          mmnbenehknklpbendgmgngeaignppnbe    800,000
Netflix Party 2                        flijfnhifgdcbhglkneplegafminjnhn    300,000
FlipShope – Price Tracker Extension    adikhbfjdbjkhelbdnffogkobkekkkej    80,000
Full Page Screenshot – Screenshot      pojgkmkfincpdkdgjepkmdekcahmckjp    200,000
AutoBuy Flash Sales                    gbnahglfafmhaehbdmjedfhdmimjcbed    20,000

On Wednesday, the five extensions were removed from the Chrome Web Store, a Google spokesperson said. Removing the extensions from Google’s servers is not the same as uninstalling them from the 1.4 million infected devices. People who installed the extensions should manually inspect their browsers and make sure the extensions are no longer running.
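
The manual inspection described above can be scripted across every Chrome profile on a machine. The Python below is an added example, not code from McAfee, Google or the original article; it assumes a default Chrome install location and the usual on-disk layout of unpacked extensions, and the function names are hypothetical.

```python
import json
import os
import sys
from pathlib import Path

# Extension IDs and names taken from the table in the article.
FLAGGED = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope – Price Tracker Extension",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot – Screenshot",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}

def default_user_data_dirs():
    """Chrome 'User Data' locations, assuming a default per-user install."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return [Path(os.environ.get("LOCALAPPDATA", home)) / "Google/Chrome/User Data"]
    if sys.platform == "darwin":
        return [home / "Library/Application Support/Google/Chrome"]
    return [home / ".config/google-chrome"]

def find_flagged(user_data_dir):
    """Return (profile, extension id, name, versions) for each flagged extension on disk."""
    hits = []
    root = Path(user_data_dir)
    if not root.is_dir():
        return hits
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json
    for ext_dir in sorted(root.glob("*/Extensions/*")):
        name = FLAGGED.get(ext_dir.name)
        if name is None or not ext_dir.is_dir():
            continue
        versions = []
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
                versions.append(data.get("version", "?"))
            except (OSError, ValueError):
                versions.append("unreadable")
        hits.append((ext_dir.parent.parent.name, ext_dir.name, name, versions))
    return hits

if __name__ == "__main__":
    for data_dir in default_user_data_dirs():
        for profile, ext_id, name, versions in find_flagged(data_dir):
            print(f"{data_dir}: profile {profile!r} has {name} ({ext_id}), versions {versions}")
```

A hit means the extension's files are still present in that profile; remove it from chrome://extensions and re-run the check.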
