Security News

Fake Google Chrome Ad Blocker Extensions Were Cookie Stuffing

Two ad blocking extensions being used by over 1.5 millions users have been removed from the Google Chrome Web Store because they are fake, reports AdGuard.

The extensions - AdBlock by AdBlock Inc. and uBlock by Charlie Lee - have also stolen their names from legitimate ad blocking extensions.

"At first, these add-ons just do what they're supposed to do — they block ads," writes Andrey Meshkov, co-founder and CTO of AdGuard, in the report. "They both are based on the code of the original AdBlock extension so the quality is good enough ... However, about 55 hours after the installation, the response suddenly changes ... This new response contains a list of commands for the extension to execute. After that the extensions' behavior changes, and they start doing a few more things besides ad blocking."

One of the "things besides ad blocking" is cookie stuffing, the process whereby the fake extensions are 'stuffed' with extra cookies, so when the unsuspecting user visits a site and makes a purchase, the creator of the fake extension gets paid a commission.

Meshkov uncovered the cookie stuffing when he discovered the affiliate program of one website sent the user's browser an 'affiliate' cookie, so when purchases were made on that website, the commission went to the creator of the fake extension.

"There are many more affiliate links they are using for this," writes Meshkov, including microsoft.com, linkedin.com, aliexpress.com and booking.com.

The report was unable to say specifically how much had been profited, but estimated it to be millions of dollars each month.

Google has removed the extensions.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.

Get weekly security news and vulnerability alerts

Join 833 others receiving a free weekly report with a round-up of vulnerabilities and security news customised to your software stack. See an example email

Example email for SecAlerts

Earlier: