Recent reports have revealed that the Hide YouTube Shorts extension for Chrome has undergone a change in ownership and is now conducting fraudulent activities. According to a research, the plugin is involved in fraudulent activities with partner programs and is sending user data to an AWS server.
Moreover, it has been discovered that 11 other extensions developed by the same individuals either contain similar harmful functions or are at risk. One of these extensions is Karma Shopping, developed by Karma Shopping Ltd., a company that was established in 2013 and has received significant investments. This revelation comes after the transfer of ownership in mid-2023, with subsequent updates enabling data collection mechanisms without user consent.
Reviews on the Hide YouTube Shorts extension page on the Chrome Web Store indicate the possibility of redirects to phishing sites, confirming suspicions of the new developer’s malicious intentions. The extensions add tracking functions or install partnership tags with additional privileges often under false pretenses, operating in a stealth mode to avoid detection.
Of particular concern is the Karma extension, as its developer claims to collect and sell anonymous user data, while code analysis has revealed unique identifiers that raise doubts about the anonymity of the data. Karma Shopping Ltd. has been actively acquiring extensions, offering developers payment based on active users, suggesting a motive to increase user numbers for profit and marketing research purposes.
The Privacy Policy of Karma states that data may be used for marketing research and sold to partners in anonymized form. However, the collection method violates GDPR regulations by not properly obtaining user consent for data processing and failing to ensure true anonymity of the collected information.