Authored by Oliver Devane and Vallabh Chole

September Update: Since the original publication of this blog on August 29, 2022, the Flipshope browser extension was updated in the Chrome Store in September with a version that no longer contains the potentially harmful features originally discussed in this blog.

September Update: Since the original publication of this blog on August 29, 2022, the AutoBuy browser extension was updated in the Chrome Store in September with a version that no longer contains the potentially harmful features originally discussed in this blog.

A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000.

The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage.

Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.

The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.

Full Page Screenshot Capture – Screenshotting

This section contains the technical analysis of the malicious Chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.

The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites.

The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.

Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from. will trigger when a user navigates to a new URL within a tab.

Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d. The POST data is in the following format:

The random ID is created by selecting 8 random characters in a character set. The country, city, and zip are gathered using.

Upon receiving the URL, will check if it matches a list of websites that it has an affiliate ID for, and if it does, it will respond to the query.

The response is checked using the function below and will invoke further functions depending on what the response contains.

Two of the functions are detailed below:

Result – passf_url

If the result is ‘c’ such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited.

If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions.

The images below show the step-by-step flow of events while navigating to the BestBuy website.

1. The user navigates to and the extension posts this URL in a Base64 format to d./chrome/TrackData/.
2. The “c” means the extension will invoke the function passf_url()
3. passf_url() will perform a request against the URL.
4. The URL queried in step 3 is redirected using a 301 response to with an affiliate ID associated with the Extension owners.
5. The extension will insert the URL as an Iframe in the site being visited by the user.
6. Shows the Cookie being set for the Affiliate ID associated with the Extension owners.

They will now receive a commission for any purchases made on
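
The analysis above describes the extension posting every visited URL, Base64-encoded, to a /chrome/TrackData/ endpoint. The following is an added detection example, not code from the original blog or from the extensions: it scans proxy records for POST bodies that carry a Base64-encoded URL to a different host. The hosts, form-field names and sample records are constructed assumptions, since the real POST format is not reproduced on the page.

```python
import base64
import binascii
from urllib.parse import parse_qsl, quote, urlparse

TRACK_PATH = "/chrome/TrackData/"  # endpoint path named in the analysis (host is elided there)

def _b64(text):
    return quote(base64.b64encode(text.encode()).decode(), safe="")

# Constructed proxy records: (method, request URL, form-encoded body).
# Hosts and field names are assumptions, not values from the analysis.
SAMPLE_RECORDS = [
    ("POST", "https://collector.example/chrome/TrackData/",
     "curl=" + _b64("https://shop.example/product/1") + "&uid=ab12cd34"),
    ("POST", "https://shop.example/api/cart", "item=42&qty=1"),
    ("GET", "https://collector.example/chrome/TrackData/", ""),
    ("POST", "https://other.example/sync", "d=" + _b64("https://shop.example/product/1")),
    ("POST", "https://shop.example/login", "next=" + _b64("https://shop.example/cart")),
]

def decode_url(value):
    """Return the decoded text if value is Base64 of an http(s) URL, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
        parsed = urlparse(text)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if parsed.scheme in ("http", "https") and parsed.netloc else None

def find_url_exfil(records):
    """Flag POSTs that send a Base64-encoded URL to a host other than the URL's own.

    Returns (severity, destination_host, leaked_url) tuples: "high" when the
    request path matches TRACK_PATH, "review" for any other destination.
    """
    hits = []
    for method, url, body in records:
        if method.upper() != "POST":
            continue
        dest = urlparse(url)
        for _key, value in parse_qsl(body, keep_blank_values=True):
            leaked = decode_url(value)
            if leaked is None or urlparse(leaked).netloc == dest.netloc:
                continue  # not a URL, or a site referring to its own pages
            severity = "high" if dest.path == TRACK_PATH else "review"
            hits.append((severity, dest.netloc, leaked))
    return hits

if __name__ == "__main__":
    for hit in find_url_exfil(SAMPLE_RECORDS):
        print(hit)
```

The "review" tier is deliberately broad: legitimate services also pass encoded URLs between hosts, so those hits need triage against the browser's installed extensions.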