By Shannon Morse, ThreatWire 

Google has just removed two very popular ad blocking extensions from the Chrome Web Store due to their use of permanent cookie stuffing. Cookie stuffing is when a website or browser extension “stuffs” extra information into user cookies, sometimes called affiliate cookies, which can be used to hijack traffic from legitimate sources. The additional cookie data keeps track of browsing, including online transactions. The perpetrator can gain additional income from the data by earning affiliate commissions off of user transactions.

In this case, AdBlock by AdBlock Inc, and uBlock by Charlie Lee were both doing the cookie stuffing. It appears that the two extensions were made specifically to do cookie stuffing, and they used the names of even more popular ad blocking extensions to do it. uBlock Origin by Raymond Hill, and AdBlock by getadblock.com are the real deal - and are still available on the Chrome Web Store. The two malicious ones were found in searches for ad blockers and appeared as top options. They both did indeed block ads - so users were unaware of their actual underlying motive.

As for the attack: they did this by modifying cookie files which are generated whenever you go to certain websites, and adding a parameter that allowed them to earn a commission from payments made on those sites. This would happen on lots of popular websites like aliexpress, booking.com, linkedin.com and more. 

The apps waited for 55 hours before starting that kind of behavior and would only stop if the user opened Chrome’s Developer Tools. Both of the apps used the original AdBlock extension code as a basis for their own code. Both apps were removed after Andrey Meshkov, co-founder and CTO of AdGuard, reported on the discovery. 

Currently installed copies were disabled in users' browsers; the two extensions had over 1.5 million downloads combined. Disappointingly, the two malicious apps were allowed on the Web Store in the first place because Google’s policies allow for multiple extensions with the same name. The malicious behavior did spur Google to remove the bad actors.

Google has proposed a solution called Manifest V3, which would limit the capabilities of extensions to improve overall performance, security and privacy. But according to Meshkov, this would not prevent cookie stuffing. According to the EFF, Manifest V3 doesn’t change the observational APIs that are available to extensions, so they can still observe data. It would also not touch content scripts, which let all extensions interact with the contents of web pages.

So users are left to protect themselves. Meshkov does offer up some recommendations including only installing extensions from brands you trust, asking yourself if you really need the extension in the first place, and being wary of raving reviews that could be fake. You can also install extensions from trusted developer websites instead of through the Chrome Web Store.
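
The same-name impersonation described above can be checked for on a machine you manage. This is an added example, not code from ThreatWire or AdGuard: it assumes Chrome's on-disk layout Extensions/<id>/<version>/manifest.json, the function names and the trusted map are hypothetical, and the uBlock Origin ID is the one in the store link on this page.

```python
import json, re, sys
from pathlib import Path

# Trusted name -> Web Store ID. The uBlock Origin ID is the one in the store
# link on this page; extend the map with IDs you have verified yourself.
TRUSTED = {"uBlock Origin": "cjpalhdlnbpafiamejdnhcphjbkeiagm"}

def norm(name):
    """Lower-case and drop punctuation/spacing so 'u-Block' == 'ublock'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def display_name(version_dir):
    """Return the extension's real name, resolving __MSG_key__ placeholders."""
    manifest = json.loads((version_dir / "manifest.json").read_text("utf-8-sig"))
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    msgs_path = version_dir / "_locales" / locale / "messages.json"
    if not msgs_path.is_file():
        return name
    msgs = json.loads(msgs_path.read_text("utf-8-sig"))
    # Message keys are case-insensitive in Chrome's i18n lookup.
    lowered = {k.lower(): v for k, v in msgs.items()}
    return lowered.get(m.group(1).lower(), {}).get("message", name)

def find_lookalikes(extensions_root, trusted=TRUSTED):
    """Return (ext_id, name, trusted_name) for name collisions with a wrong ID."""
    hits = []
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        ext_id, name = manifest.parent.parent.name, display_name(manifest.parent)
        n = norm(name)
        for good_name, good_id in trusted.items():
            g = norm(good_name)
            # A shared prefix catches 'uBlock' posing as 'uBlock Origin'.
            if len(n) >= 4 and ext_id != good_id and (g.startswith(n) or n.startswith(g)):
                hits.append((ext_id, name, good_name))
    return hits

if __name__ == "__main__":
    # Pass the profile's Extensions directory as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for ext_id, name, good in find_lookalikes(root):
        print(f"REVIEW {ext_id}: '{name}' resembles trusted '{good}'")
```

A hit means the extension needs a manual look, not that it is malicious: legitimate variants from the same developer will also share a name prefix.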

Links:

Support Shannon on alternative platforms! https://snubsie.com/support

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

AdBlockers Caught in Ad Fraud Scheme 

https://www.zdnet.com/article/google-removes-two-chrome-ad-blocker-extensions-caught-cookie-stuffing/

https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm

https://chrome.google.com/webstore/search/adblock

https://thehackernews.com/2019/09/browser-chrome-extension-adblock.html

https://adguard.com/en/blog/fake-ad-blockers-part-2.html

https://www.eff.org/deeplinks/2019/07/googles-plans-chrome-extensions-wont-really-help-security
