- Researchers find 245 extensions installed on almost one million devices
- The extensions could turn those devices into web scraping bots for a commercial service
- The researchers warn of significant security implications
A new investigation has revealed that 245 browser extensions, installed on almost a million devices, have been leading a double life: in addition to performing the functions they were designed for, they silently disabled key browser security protections to enable paid web scraping operations.
This is according to security researcher John Tuckner of Security Annex, who found numerous extensions doing very different things, from managing bookmarks to boosting speaker volume. All of them bundle a JavaScript library called Mellowtel-JS, which connects to an external AWS server and collects data on the user's location, bandwidth and browser state.
It also injects hidden iframes into the web pages users are visiting and then loads other websites, chosen by the Mellowtel infrastructure, inside them. In addition, it strips web security headers, bypasses bot detection and ultimately shares the user's bandwidth for profit.
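The behaviour just described leaves traces in an extension's package that a defender can look for before (or after) installing it. The following Python auditor is an added example, not code from the article or from any of the projects it names. It scans an unpacked extension for two indicators: a bundled reference to the Mellowtel-JS library, and declarativeNetRequest rules that remove response security headers on a site-wide URL filter, which is the Manifest V3 mechanism an extension would need to strip the "web security headers" the article mentions. The specific header names it checks (Content-Security-Policy and X-Frame-Options) and the sample extension it builds are assumptions and constructed test data, not facts taken from the article.

```python
"""Audit an unpacked browser extension for Mellowtel-style indicators.

Added example (not from the article or any project it names). It checks for
a bundled reference to the Mellowtel-JS library and for declarativeNetRequest
rules that remove security response headers on broad URL patterns. The
header names below and the sample extension are assumptions/constructed data.
"""
import json
import os
import re
import tempfile

LIBRARY_PATTERN = re.compile(r"mellowtel", re.IGNORECASE)
# Assumed: the headers whose removal we treat as disabling browser protections.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options"}
# urlFilter values that effectively match every site (assumed list).
BROAD_FILTERS = {None, "", "*", "|http", "|https", "*://*/*"}


def _load_json(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _rule_strips_security_header(rule):
    """True if a DNR rule removes a security response header on a broad filter."""
    action = rule.get("action", {})
    if action.get("type") != "modifyHeaders":
        return False
    removed = {
        h.get("header", "").lower()
        for h in action.get("responseHeaders", [])
        if h.get("operation") == "remove"
    }
    if not removed & SECURITY_HEADERS:
        return False
    url_filter = rule.get("condition", {}).get("urlFilter")
    return url_filter in BROAD_FILTERS


def audit_extension(root):
    """Return a sorted list of human-readable findings for the extension at `root`."""
    findings = []
    manifest = _load_json(os.path.join(root, "manifest.json"))

    # 1. Bundled library indicator: any script mentioning Mellowtel.
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    if LIBRARY_PATTERN.search(fh.read()):
                        findings.append(f"library: {os.path.relpath(full, root)} references Mellowtel")

    # 2. Header-stripping rules declared via declarativeNetRequest rule resources.
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        for rule in _load_json(os.path.join(root, res["path"])):
            if _rule_strips_security_header(rule):
                findings.append(f"headers: rule {rule.get('id')} in {res['path']} removes security headers site-wide")

    # 3. Permission footprint that makes the above possible.
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for p in sorted(perms & {"declarativeNetRequest", "<all_urls>"}):
        findings.append(f"permission: {p}")
    return sorted(findings)


def build_sample_extension(root):
    """Write a constructed (fake) extension that exhibits the indicators above."""
    manifest = {
        "manifest_version": 3,
        "name": "Sample volume booster (constructed)",
        "permissions": ["declarativeNetRequest"],
        "host_permissions": ["<all_urls>"],
        "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": True, "path": "rules.json"}]},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }
    rules = [{
        "id": 1, "priority": 1,
        "action": {"type": "modifyHeaders", "responseHeaders": [
            {"header": "Content-Security-Policy", "operation": "remove"},
            {"header": "X-Frame-Options", "operation": "remove"}]},
        "condition": {"urlFilter": "*", "resourceTypes": ["sub_frame"]},
    }]
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(root, "rules.json"), "w", encoding="utf-8") as fh:
        json.dump(rules, fh)
    with open(os.path.join(root, "content.js"), "w", encoding="utf-8") as fh:
        fh.write("// constructed placeholder content script\nimport('./mellowtel-js.js');\n")


def audit_sample():
    """Build the constructed sample in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extension(tmp)
        return audit_extension(tmp)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Run it against a real unpacked extension with `audit_extension("/path/to/unpacked")`. A library match alone is an indicator to review, not proof; the header-stripping rule combined with `<all_urls>` is the combination that actually lets a page be silently loaded in a hidden iframe.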
Taking advantage of the unused bandwidth
The JavaScript is linked to a company called Olostep, which markets itself as a high-performance web scraping API that evades bot detection and can send up to 100,000 parallel requests.
When paying customers submit a target website, Olostep uses the devices running the affected extensions to scrape that site, effectively turning their browsers into distributed scraping bots without the end users' knowledge or consent.
Speaking to Ars Technica, the founder of Mellowtel said the library was designed to share users' bandwidth without inserting affiliate links or unrelated ads, or collecting personal data.
“The main reason why companies are paying for traffic is to access publicly available data from websites in a reliable and cost-effective way,” he said, adding that extension developers receive 55% of the revenue, while the rest goes to Mellowtel.
Despite the privacy-friendly framing of monetizing unused bandwidth, critics argue that it exposes users to serious privacy and security risks, especially in enterprise environments. In its article, CyberInsider says the scale and architecture of the system make it “ripe for abuse” by threat actors.
“The use of real browser sessions, potentially behind corporate VPNs or inside private networks, introduces profound risks. These include the potential for unauthorized internal access to resources, impersonation of legitimate traffic, and degradation of browser security due to the removal of enforced headers.”
Some extensions have been removed or disabled after being flagged as malware, while others cleaned up the controversial code in recent updates. Many remain active, and users are advised to review the full list of extensions, which is available here.