Google today removed two extensions from the Chrome Web Store. The two extensions were fully functional ad blockers, but they tried to deceive users by using the names of other, more reputable ad blocker extensions.
But besides using misleading names to hijack and deceive other extensions' userbases, the two — “AdBlock” by “AdBlock, Inc” and “uBlock” by “Charlie Lee” — were also caught performing cookie stuffing.
Cookie stuffing is an old technique where a website or browser extension adds extra information to a user's cookie. The technique is often used in affiliate marketing to hijack traffic from its legitimate source.
The two extensions were modifying cookie files when users visited certain websites and adding a parameter that would ensure the extension authors would earn a commission from any payments users made on the sites.
The two extensions would activate on sites such as teamviewer.com, microsoft.com, linkedin.com, aliexpress.com, booking.com, and many more.
This malicious behavior would only start 55 hours after installation, and would cease if users opened Chrome's Developer Tools, said Andrey Meshkov, co-founder and CTO of AdGuard, and the one who discovered the shady behavior in both extensions.
Both extensions were based on the code of the original “AdBlock” extension, which appeared to be used as a wireframe for the malicious code.
Google removed the two extensions this morning, after ZDNet and other news outlets reached out following the publication of Meshkov's research yesterday. After their removal, the extensions were also disabled in all users' browsers, preventing new attacks on Chrome users. The first extension had more than 800,000 installs, while the second had over 850,000.