A team of security researchers have found malware in a popular Chrome extension which may have sent the browsing data of over 1.2m users to a single IP address.
ScrapeSentry credits its researchers with uncovering "a sinister side-effect to a free app [...] which potentially leaks [users'] personal information back to a single IP address in the USA".
Martin Zetterlund, one of ScrapeSentry's founders, told The Register that the extension's malicious functions would have been difficult to recognise through an automated auditing service because the sneaky developer had ensured this functionality is not downloaded until seven days after being installed..
ScrapeSentry analysed the dodgy Chrome extension last week and submitted its findings to Google.
The offending malware, Webpage Screenshot, was removed from the Chrome Extension web store on Tuesday. The extension apparently allowed users to capture screenshots and save them for later editing.
In a canned statement Zetterlund said: "We recently identified an unusual pattern of traffic to one of our client’s sites which alerted our investigators that something was very wrong."
He added: "Everything downloaded from the internet needs to be treated with suspicion, it's a good idea to look what others have to say about programs and extensions first if you don't have the knowledge to pick them apart yourself."
Cristian Mariolini, the ScrapeSentry analyst who headed up the team that found the rogue extension, noted: “The repercussions of this could be major for the individuals who have downloaded the extension. What happens to the personal data and the motives for wanting it sent it to the US server is anyone’s guess, but ScrapeSentry would take an educated guess it’s not going to be good news."
"And of course, if it’s not stopped, the plug-in may, at any given time, be updated with new malicious functionality as well. We would hope Google will look into this security breach with some urgency," he added.
A spokesman for Webpage Screenshot told the Beeb there was nothing malicious about the data it gathered. Instead, said the company man, it was used to understand who the extension's users were and where they were located to help drive development of the code.
"Users could opt out of sharing data," he said.
The Register has contacted Google for comment and will update this story if and when we hear from them. ®