- Researchers find 245 extensions installed on nearly a million devices
- The extensions can turn devices into web scraping bots for paying customers
- Researchers warned of serious security implications
New research has revealed that 245 browser extensions, installed on nearly a million devices, have been leading a double life: in addition to the functions they were built for, they silently disable key browser security protections to enable paid web scraping operations.
This is according to security researcher John Tuckner of Secure Annex, who found the extensions doing a wide range of things, from managing bookmarks to boosting speaker volume. All of them embed a JavaScript library called Mellowtel-JS, which connects to an external AWS server and collects data on the user's location, bandwidth and browser status.
The library also injects hidden iframes into the web pages users visit, which then load other websites chosen by Mellowtel's infrastructure. In addition, it strips web security headers, bypasses bot detection and, ultimately, shares the user's bandwidth for profit.
Taking advantage of unused bandwidth
The JavaScript is linked to a company called Olostep, which promotes itself as a high-performance web scraping API that bypasses bot detection and can send up to 100,000 parallel requests.
When a paying customer submits a target website, Olostep uses the devices running the affected extensions to scrape the site, effectively turning browsers into distributed scraping bots without the end users' knowledge or consent.
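The article describes two observable behaviours: an embedded library and extension-level removal of security response headers. As an added defensive example (not code from the article, Secure Annex or the projects named), the Python audit below walks an unpacked extension directory, parses any declarativeNetRequest static rulesets declared in its manifest for rules that remove Content-Security-Policy or X-Frame-Options, and greps its JavaScript for the library and company names quoted above; the sample extension it builds is constructed for the demo, and the assumption that header stripping is done via declarativeNetRequest rules is mine, not a claim from the article.

```python
import json
import tempfile
from pathlib import Path

# Response headers whose removal weakens framing and script protections.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options"}
# Library/company names from the article; a hit is a lead, not proof.
MARKERS = ("mellowtel", "olostep")

def header_removals(rules):
    """Security headers that a declarativeNetRequest rule list removes."""
    found = set()
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                found.add(name)
    return found

def audit_extension(ext_dir):
    """Flag header-stripping rules and marker strings in one unpacked extension."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    removed, markers = set(), set()
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rule_file = ext_dir / res["path"]
        if rule_file.is_file():
            removed |= header_removals(json.loads(rule_file.read_text()))
    for js in ext_dir.rglob("*.js"):
        markers |= {m for m in MARKERS if m in js.read_text(errors="ignore").lower()}
    return {"name": manifest.get("name"), "header_removals": removed, "markers": markers}

def demo():
    """Write a constructed (fake) extension to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp)
        (ext / "manifest.json").write_text(json.dumps({
            "name": "Sample Bookmark Helper", "manifest_version": 3,
            "declarative_net_request": {"rule_resources": [
                {"id": "ruleset_1", "enabled": True, "path": "rules.json"}]}}))
        (ext / "rules.json").write_text(json.dumps([{
            "id": 1, "priority": 1, "condition": {"urlFilter": "*"},
            "action": {"type": "modifyHeaders", "responseHeaders": [
                {"header": "X-Frame-Options", "operation": "remove"},
                {"header": "Content-Security-Policy", "operation": "remove"}]}}]))
        (ext / "bg.js").write_text("// constructed stub\nimport('./mellowtel-js.js');\n")
        return audit_extension(ext)
```

Point `audit_extension` at each directory under the browser profile's extensions folder; an extension that both removes these headers for all URLs and references the library is worth pulling for manual review.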
Ars Technica found that Mellowtel's founder said the library was designed strictly to share users' bandwidth, without affiliate links, unrelated ads or the collection of personal data.
"The main reason why businesses pay for traffic is to access publicly accessible data from websites in a reliable and profitable manner," he was quoted as saying, adding that extension developers receive 55% of the revenue, while the rest goes to Mellowtel.
Despite the claims that this is a privacy-friendly way to monetize unused bandwidth, critics argue that it exposes users to serious privacy and security risks, especially in corporate environments. In its write-up, CyberInsider said the scale and architecture of the system make it "ripe for abuse" by threat actors.
"The use of real browser sessions, potentially behind corporate VPNs or inside private networks, carries deep risks. These include the potential for access to unauthorized internal resources, the imitation of legitimate traffic, and degraded browser security due to the removal of enforced policies."
Some extensions have been removed or disabled after being reported as malware, while others have cleaned the controversial code out in recent updates. Many remain active, and users are urged to consult the full list of extensions found here.