Foul play, potentially


Magic Enhancer for YouTube, a Chrome extension that offers a cleaner YouTube interface, has been slurping users’ browsing history, security researcher Robert Heaton has discovered.

Heaton, a software engineer at US payments firm Stripe, uncovered the potentially unwanted behavior in the app after a tip-off from a reader of his blog.

“If you click the wrong buttons while installing it [Magic Enhancer for YouTube] then it also tracks the full URL of every website that you visit,” Heaton said in a post, dated February 18.

BZO Technologies LC, the firm behind Magic Enhancer, is transparent about collecting user data, asserting through its privacy policy that this is necessary in order to enable a feature that displays the number of likes and dislikes for a YouTube video.

Heaton disputes this, arguing that Magic Enhancer for YouTube is a threat to privacy since most users are unaware that tracking is enabled as soon as the extension is installed. The feature would also work without this data, he adds.

“I have no idea what really happens to your data once it reaches the Magic Enhancer servers, but the set up smells similar to the type of data hoovering performed by Stylish, another invasive Chrome extension owned by Similar Web, a web analytics company,” Heaton writes.

“There is no possible way that a video insight feature could require slurping up the URL of every website that you visit, and this misdirection suggests that something nefarious is afoot.”

Heaton created a proxy server in order to observe the traffic going to and from the extension. He recommends uninstalling the extension, editing its source code, or blocking traffic to the Magic Enhancer domain in order to heighten user privacy.

Magic Enhancer for YouTube boasts almost 350,000 active users.

Whack-a-mole

Concern about this particular extension comes days after security researchers at Cisco’s Duo Labs revealed that they had partnered with Google to identified 500 rogue Chrome extensions that infected users’ browsers.

The dodgy browser add-ons – associated with a large-scale malvertising campaign – were purged from Chrome’s Web Store as a result.

More than 1.7 million users were affected by the rogue activity prior to their removal.

Independent security researcher Jamila Kaya and Duo infosec engineer Jacob Rickerd, who helped create the CRXcavator Chrome extensions examinations tool, led the research effort that identified the rogue apps.

A post on Google’s Security Blog last week offers an overview of how it combated bad apps and malicious developers last year.


RELATED Malvertising is on the decline but serious security issues remain