Google has removed two ad blocker extensions from the official Chrome Web Store over the weekend after the two were caught collecting user data last week.
The two had been around for more than a year, but the malicious code was not included with the original versions.
The data collection code was added at the start of this month, in October 2020, after the original author sold the two extensions to “a team of Turkish developers.”
After the sale, several users, including Raymond Hill, the author of the uBlock Origin ad blocker, came forward to point out that the two extensions were modified to include malicious code.
“The extension is now designed to lookup[sic] specific information from your outgoing network requests according to an externally configurable heuristics and send it to https://def.dev-nano.com,” Hill said.
After further analysis, this malicious code was exposed to collect information about users, such as:
- User IP address
- OS details
- Website URLs
- Timestamps for web requests
- HTTP methods (POST, GET, HEAD, etc.)
- Size of HTTP responses
- HTTP status codes
- Time spent on each web page
- Other URLs clicked on a web page
In addition, the two Turkish developers also never modified the two extensions’ author fields, leaving the original author’s name in place, in what appeared to be an attempt to hide the sale and the culprit behind the malicious code.
However, this only made things easier for Google’s staff, as any type of extensive data collection is forbidden, per Chrome Web Store rules.
The two extensions were taken down over the weekend and disabled in users’ Chrome browsers.