• by Ray Schultz , September 1, 2022

Security researcher McAfee has found five malicious Chrome extensions with a total install base of more than 1.4 million. 

“The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website,” McAfee wrote in a post earlier this week. “The latter borrows several phrases from another popular extension called GoFullPage.” 

The extensions also track the user’s browsing activity.   

“Every website visited is sent to servers owned by the extension creator,” McAfee states. “They do this so that they can insert code into eCommerce websites being visited.”

In addition, McAfee says, “This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.” 

According to McAfee, the five extensions are:

Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) — 800,000 

Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) — 300,000

FlipShope Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej ) — 80,000

Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) — 200,000

AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) — 20,000 

Typically, Chrome extensions are a convenience. They work by “subscribing to events which they then use as triggers to perform a certain activity,” McAfee notes. 

But McAfee concludes that it is risky to install extensions -- “even those that have a large install base as they can still contain malicious code.” It advises its customers to be “cautious when installing Chrome extensions and pay attention to the permissions that they are requesting."

How? “The permissions will be shown by Chrome before the installation of the extension,” McAfee continues. “Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit.”