Google removed two ad blocker extensions from the official Chrome Web Store over the weekend after realizing they were stealing users' data.
The two extensions are called Nano Adblocker and Nano Defender, and each had more than 50.000 and 200.000 installations, respectively, by the time they were removed.
After the sale, several users, including Raymond Hill, creator of the ad blocker uBlock Origin, appeared to point out that the two extensions were modified to include malicious code.
“The extension is designed to seek [sic] specific information from your outgoing requests in network and send them to https://def.dev-nano.com ", said Hill.
After further analysis, this malicious code was exposed for collection information about users, such as:
- User IP address
- Details operating system
- Timestamps for web requests
- Methods HTTP (POST, GET, HEAD, etc.)
- Size of HTTP responses
- HTTP status codes
- Time dedicated to each website
- Click on other URLs on a web page
In addition, the two Turkish developers never modified the author fields of the two extensions, leaving the original author's name in place, in what appears to have been an attempt concealment of selling and the culprit behind the malicious code.
The two Turkish developers created a page with the privacy policies where they tried to reveal the collection behavior data in an erroneous attempt to legitimize malicious code.
However, this made things easier for Google staff, as any extensive data collection is prohibited under Chrome Web Store rules.
Both extensions were removed over the weekend and turned off in users' Chrome browsers.