As McAfee reported after analysis, these extensions surreptitiously tracked users’ web browsing history and added action tracking code to certain e-commerce sites such as online stores.

Which extensions should be removed?

These extensions offer a variety of services, such as streaming Netflix videos to groups of people, taking screenshots, and automatically finding and applying discounts.

However, “behind the scenes” the program transmitted the name of each site visited, a unique identifier, and the country, city and zip code of the visiting device to the site designated by the developer. If the site visited matches a list of ecommerce sites, the developer’s domain tells the extension to add a script to the page visited. Code replaces cookies for site so extension authors get affiliate pay for any goods purchased.

McAfee has identified the following extensions:

• Netflix Party – 800,000 users.
• Netflix Party 2 – 300,000 users.
• FlipShope – Price Tracking Extension – 80,000 users.
• Full Page Screenshot Capture – Screenshot Capture – 200,000 downloads.
• AutoBuy Flash Sales – 20,000 downloads.

Some malicious extensions found by McAfee / Photo by McAfee

All 5 have been removed from the Chrome Store. However, removing extensions from servers is not the same as removing extensions from 1.4 million infected devices. People who install these programs should manually check their browsers and make sure they are no longer working.