The Karma connection in Chrome Web Store

Somebody brought to my attention that the Hide YouTube Shorts extension for Chrome changed hands and turned malicious. I looked into it and could confirm that it contained two undisclosed components: one performing affiliate fraud and the other sending users’ every move to some Amazon cloud server. But that wasn’t all of it: I discovered eleven more extensions written by the same people. Some contained only the affiliate fraud component, some only the user tracking, some both. A few don’t appear to be malicious yet.

While most of these extensions were supposedly developed or bought by a person without any other traces online, one broke this pattern. Karma shopping assistant has been on Chrome Web Store since 2020, the company behind it founded in 2013. This company employs more than 50 people and secured tons of cash in venture capital. Maybe a mistake on my part?

After looking thoroughly, this explanation seems unlikely. Not only does Karma share some backend infrastructure and considerable amounts of code with the malicious extensions. Not only does Karma Shopping Ltd. admit to selling users’ browsing profiles in their privacy policy. There is even more tying them together, including a mobile app developed by Karma Shopping Ltd. whereas the identical Chrome extension is supposedly developed by the mysterious malicious actor.

The affected extensions

Most of the extensions in question changed hands relatively recently, the first ones in the summer of 2023. The malicious code has been added shortly after the ownership transfer, with some extensions even requesting additional privileges citing bogus reasons. A few extensions have been developed this year by whoever is behind this.

Some extensions from the latter group don’t have any clear malicious functionality at this point. If there is tracking, it only covers the usage of the extension’s user interface rather than the entire browsing behavior. This can change at any time of course.

| Name | Weekly active users | Extension ID | Malicious functionality |
| --- | --- | --- | --- |
| Hide YouTube Shorts | 100,000 | aljlkinhomaaahfdojalfmimeidofpih | Affiliate fraud, browsing profile collection |
| DarkPDF | 40,000 | cfemcmeknmapecneeeaajnbhhgfgkfhp | Affiliate fraud, browsing profile collection |
| Sudoku On The Rocks | 1,000 | dncejofenelddljhelpedboiegklahijo | Affiliate fraud |
| Dynamics 365 Power Pane | 70,000 | eadknamngiibbmjdfokmppfooolhdidc | Affiliate fraud, browsing profile collection |
| Israel everywhere | 70 | eiccbajfmdnmkfhhknldadnheilniafp | |
| Karma \| Online shopping, but better | 500,000 | emalgedpdlghbkikiaeocoblajamonoh | Browsing profile collection |
| Where is Cookie? | 93 | emedckhdnioeieppmeojgegjfkhdlaeo | |
| Visual Effects for Google Meet | 1,000,000 | hodiladlefdpcbemnbbcpclbmknkiaem | Affiliate fraud |
| Quick Stickies | 106 | ihdjofjnmhebaiaanaeeoebjcgaildmk | |
| Nucleus: A Pomodoro Timer and Website Blocker | 20,000 | koebbleaefghpjjmghelhjboilcmfpad | Affiliate fraud, browsing profile collection |
| Hidden Airline Baggage Fees | 496 | kolnaamcekefalgibbpffeccknaiblpi | Affiliate fraud |
| M3U8 Downloader | 100,000 | pibnhedpldjakfpnfkabbnifhmokakfb | Affiliate fraud |

Hiding in plain sight

Whoever wrote the malicious code chose not to obfuscate it but to make it blend in with the legitimate functionality of the extension. Clearly, the expectation was that nobody would look at the code too closely. So there is for example this:

if (window.location.href.startsWith("http") ||
    window.location.href.includes("m.youtube.com")) {
  // the first operand is already true on every http(s) page
}

It looks like the code inside the block would only run on YouTube. Only when you stop and consider the logic properly do you realize that it runs on every website: the first condition is true for any http or https page, so the YouTube check never matters. In fact, that’s the block wrapping the calls to the malicious functions.
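To make the point concrete, here is the misleading condition written as a pure function next to the check it was presumably meant to resemble, evaluated over a handful of constructed sample URLs. This is an added example and not code from any of the extensions discussed; the sample URLs and function names are my own.

```javascript
// Added example (not code from the extensions analysed above): the misleading
// condition quoted in the post, next to a check that genuinely restricts
// execution to YouTube pages. Both functions take a page URL string.

// The condition as found in the extension. Because startsWith("http") is
// already true for every http(s) page, the "m.youtube.com" operand is dead.
function misleadingCondition(href) {
  return href.startsWith("http") || href.includes("m.youtube.com");
}

// What a real YouTube-only gate looks like: parse the URL and compare the
// hostname, so a substring like "?m.youtube.com" in a query string does not
// pass either.
function youtubeOnlyCondition(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // not a parseable absolute URL, do nothing
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  const host = url.hostname;
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs (hypothetical, except tink.de which the post mentions).
const SAMPLE_URLS = [
  "https://m.youtube.com/shorts/abc",
  "https://www.youtube.com/watch?v=abc",
  "https://www.tink.de/",
  "https://bank.example/account",
  "https://evil.example/?m.youtube.com",
  "file:///home/user/notes.txt",
];

// For each condition, return the sample URLs on which the guarded block would run.
function compareConditions(urls = SAMPLE_URLS) {
  return {
    misleading: urls.filter(misleadingCondition),
    youtubeOnly: urls.filter(youtubeOnlyCondition),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(compareConditions());
}
```

Running it shows the misleading condition admitting every http(s) page, including the bank and the lookalike query-string URL, while the hostname-based check admits only the two YouTube URLs. When reviewing an extension, any URL gate built from `startsWith`/`includes` on the raw `href` deserves exactly this kind of scrutiny.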

The malicious functionality is split between content script and background worker for the same reason, even though it could have been kept in one place. This way each part looks innocuous enough: there is some data collection in the content script, and then it sends a check_shorts message to the background worker. And the background worker “checks shorts” by querying some web server. Together this just happens to send your entire browsing history into the Amazon cloud.

Similarly, there are some convoluted checks in the content script which eventually result in a loadPdfTab message to the background worker. The background worker dutifully opens a new tab for that address and, strangely, closes it after 9 seconds. Only when you sort through the layers does it become clear that this is actually about adding an affiliate cookie.

And of course there is a bunch of the usual convoluted conditions, making sure that this functionality is not triggered too soon after installation and generally doesn’t pop up reliably enough that users could trace it back to this extension.

Affiliate fraud functionality

The affiliate fraud functionality is tied to the kra18.com domain. When this functionality is active, the extension will regularly download data from https://www.kra18.com/v1/selectors_list?&ex=90 (90 being the extension ID here, the server knows eight different extension IDs). That’s a long list containing 6,553 host names:

Whenever one of these domains is visited and the moons are aligned in the right order, another request to the server is made with the full address of the page you are on. For example, the extension could request https://www.kra18.com/v1/extension_selectors?u=https://www.tink.de/&ex=90:

The shortsNavButtonSelector key is another red herring, the code only appears to be using it. The important key is url, the address to be opened in order to set the affiliate cookie. And that’s the address sent via the loadPdfTab message mentioned before if the extension decides that right now is a good time to collect an affiliate commission.

There are also additional “selectors,” downloaded from https://www.kra18.com/v1/selectors_list_lr?&ex=90. Currently this functionality is only used on the amazon.com domain and will replace some product links with links going through the jdoqocy.com domain, again making sure an affiliate commission is collected. That domain is owned by Commission Junction LLC, an affiliate marketing company that released a case study on how their partnership with Karma Shopping Ltd. (named Shoptagr Ltd. back then) helped drive profits.

Browsing profile collection

Some of the extensions will send each page visit to https://7ng6v3lu3c.execute-api.us-east-1.amazonaws.com/EventTrackingStage/prod/rest. According to the extension code, this is an Alooma backend. Alooma is a data integration platform which has been acquired by Google a while ago. Data transmitted could look like this:

Yes, this is sent for each and every page loaded in the browser, at least after you’ve been using the extension for a while. And distinct_id is my persistent user ID here.

But wait, it’s a bit different for the Karma extension. Here you can opt out! Well, that’s only if you are using Firefox because Mozilla is rather strict about unexpected data collection. And if you manage to understand what “User interactions” means on this options page:

Well, I may disagree with the claim that URL addresses do not contain personally identifiable information. And: yes, this is the entire page. There really isn’t any more text.

The data transmitted is also somewhat different:

The user_id field no longer contains the extension ID but my personal identifier, complementing the identifier in distinct_id. There is a tab_id field adding more context, so that it is not only possible to see which page I navigated to and from where but also to distinguish different tabs. And some more information about my system is always useful of course.
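Both the affiliate fraud section and the browsing profile section above boil down to the same review question: which remote endpoints does an unpacked extension talk to, and which message names carry data between its content script and background worker? The following is an added triage helper of my own, not tooling from the post or from any of the extensions; the sample file contents are constructed to mirror the post’s description (the kra18.com and execute-api hostnames and the check_shorts / loadPdfTab message names come from the post, everything else is made up).

```javascript
// Added triage helper (not from the post): scan unpacked extension source text
// for hard-coded remote endpoints and cross-component message names, and
// report which of the indicators described in the post show up in which file.

// Indicators taken from the post. Hostnames are matched exactly or by suffix.
const INDICATORS = {
  hosts: ["kra18.com", "execute-api.us-east-1.amazonaws.com", "jdoqocy.com"],
  messages: ["check_shorts", "loadPdfTab"],
};

// Pull absolute http(s) URLs out of source text and return their distinct hostnames.
function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/[^\s"'`)]+/g)) {
    try {
      hosts.add(new URL(m[0]).hostname);
    } catch {
      // skip strings that only look like URLs
    }
  }
  return [...hosts];
}

// Collect quoted string literals that equal one of the known message names.
function extractMessages(source) {
  const found = new Set();
  for (const m of source.matchAll(/["'`]([A-Za-z0-9_]+)["'`]/g)) {
    if (INDICATORS.messages.includes(m[1])) found.add(m[1]);
  }
  return [...found];
}

// Scan a map of file name -> source text (what you would get by reading an
// unpacked extension directory) and return matched indicators per file.
// Files with no hits are left out of the report.
function scanExtension(files) {
  const report = {};
  for (const [name, source] of Object.entries(files)) {
    const hosts = extractHosts(source).filter((h) =>
      INDICATORS.hosts.some((ind) => h === ind || h.endsWith("." + ind))
    );
    const messages = extractMessages(source);
    if (hosts.length || messages.length) report[name] = { hosts, messages };
  }
  return report;
}

// Constructed sample sources modelled on the post's description; hypothetical,
// not the real extension code.
const SAMPLE_FILES = {
  "content.js": `
    if (window.location.href.startsWith("http") || window.location.href.includes("m.youtube.com")) {
      chrome.runtime.sendMessage({ type: "check_shorts", url: location.href });
    }`,
  "background.js": `
    const LIST = "https://www.kra18.com/v1/selectors_list?&ex=90";
    const TRACK = "https://7ng6v3lu3c.execute-api.us-east-1.amazonaws.com/EventTrackingStage/prod/rest";
    chrome.runtime.onMessage.addListener((msg) => {
      if (msg.type === "loadPdfTab") openTabFor(msg.url);
    });`,
  "options.js": `document.title = "Settings";`,
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanExtension(SAMPLE_FILES), null, 2));
}
```

On the sample input the report names background.js for both suspicious hostnames and the loadPdfTab message, content.js for check_shorts, and nothing for options.js. In a real review the file map would come from reading the unpacked CRX directory, and the hostname list would be whatever endpoints you have already tied to a campaign; the point of splitting the scan per file is that, as the post notes, the data collection and the network call deliberately live in different components and only look malicious when read together.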

Who is behind this?

Eleven extensions on my list are supposedly developed by a person going by the name Rotem Shilop or Roni Shilop or Karen Shilop. This isn’t a very common last name, and if this person really exists they managed to leave no traces online. Yes, I also searched in Hebrew. Yet one extension is developed by Karma Shopping Ltd. (formerly Shoptagr Ltd.), a company based in Israel with at least 50 employees. An accidental association?

It doesn’t look like it. I’m not going into the details of shared code and tooling, let’s just say: it’s very clear that all twelve extensions are being developed by the same people. Of course, there is still the possibility that the eleven malicious extensions are not associated directly with Karma Shopping but with some rogue employee or contractor or business partner.

However, it isn’t only the code. As explained above, five extensions including Karma share the same tracking backend which is found nowhere else. They are even sending the same access token. Maybe this backend isn’t actually run by Karma Shopping and they are only one of the customers of some third party? Yet if you look at the data being sent, clearly the Karma extension is considered first-party. It’s the other extensions which are sending external: true and component: external_extension flags.

Then maybe Karma Shopping is merely buying data from a third party, without actually being affiliated with their extensions? Again, this is possible but unlikely. One indicator is the user_id field in the data sent by these extensions. It’s the same extension ID that they use for internal communication with the kra18.com server. If Karma Shopping were granting a third party access to their server, wouldn’t they assign that third party some IDs of their own?

And those affiliate links produced by the kra18.com server? Some of them clearly mention karmanow.com as the affiliate partner.

Finally, if we look at Karma Shopping’s mobile apps, they develop two of them. In addition to the Karma app, the app stores also contain an app called “Sudoku on the Rocks,” developed by Karma Shopping Ltd. Which is a very strange coincidence because an identical “Sudoku on the Rocks” extension also exists in the Chrome Web Store. Here however the developer is Karen Shilop. And Karen Shilop chose to include hidden affiliate fraud functionality in their extension.

By the way, guess who likes the Karma extension a lot and left a five-star review?

I contacted Karma Shopping Ltd. via their public relations address about their relationship to these extensions and the Shilop person but didn’t hear back so far.

Update (2024-10-30): An extension developer told me that they were contacted on multiple independent occasions about selling their Chrome extension to Karma Shopping, each time by C-level executives of the company, from official karmanow.com email addresses. The first outreach was in September 2023, where Karma was supposedly looking into adding extensions to their portfolio as part of their growth strategy. They offered to pay between $0.2 and $1 per weekly active user.

It is clear why Karma Shopping Ltd. would want to add their affiliate functionality to more extensions. After all, affiliate commissions are their line of business. But why collect browsing histories? Only to release semi-insightful articles on people’s shopping behavior?

Well, let’s have a look at their privacy policy which is actually meaningful for a change. Under 1.3.4 it says:

Browsing Data. In case you are a user of our browser extensions we may collect data regarding web browsing data, which includes web pages visited, clicked stream data and information about the content you viewed.

How we Use this Data. We use this Personal Data (1) in order to provide you with the Services and functionality of the extension and (2) we will share this data in an aggregated, anonymized manner, for marketing research and commercial use with our business partners.

Legal Basis. (1) We process this Personal Data for the purpose of providing the Services to you, which is considered performance of a contract with you. (2) When we process and share the aggregated and anonymized data we will ask for your consent.

First of all, this tells us that Karma collecting browsing data is official. They also openly state that they are selling it. Good to know and probably good for their business as well.

As to the legal basis: I am no lawyer but I have a strong impression that they don’t deliver on the “we will ask for your consent” promise. No, not even that Firefox options page qualifies as informed consent. And this makes this whole data collection rather questionable in the light of GDPR.

There is also a difference between anonymized and pseudonymized data. The data collection seen here is pseudonymized: while it doesn’t include my name, there is a persistent user identifier which is still linked to me. Unfortunately, it is usually easy to deanonymize pseudonymized browsing histories, e.g. because people tend to visit their social media profiles rather regularly.

Actually anonymized data would not allow associating it with any individual person. This is very hard to achieve, and we’ve seen promises of aggregated and anonymized data go very wrong. While it’s theoretically possible that Karma correctly anonymizes and aggregates data on the server side, this is a rather unlikely outcome for a company that, as we’ve seen above, confuses the absence of names and email addresses with anonymity.

But of course these considerations only apply to the Karma extension itself. Because connected extensions like Hide YouTube Shorts just lie outright:

Some of these extensions actually used to have a privacy policy before they were bought. Now only three still have an identical and completely bogus privacy policy. Sudoku on the Rocks happens to be among these three, and the same privacy policy is linked by the Sudoku on the Rocks mobile apps which are officially developed by Karma Shopping Ltd.
