The Incidence:
On August 29, 2022 McAfee, a cyber security firm, publish a report with heading “Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users”. Flipshope Extension was one of those 5 extensions.
Not only this, they also made some allegations on Flipshope– a Google Chrome Extension, that it is a malware and stuffs cookies every time a user visits any e-commerce platform.
McAfee made the following allegations that Flipshope extension is:
- Sending user browsing history data to its server without any user facing functionality
- Adding affiliate
- Cookie stuffing
- 15 days time delay to avoid automated analysis
Following these allegations, many websites (around 400-500) including major publication houses and media channels published this news on their websites/YouTube channels. Many of them went one step ahead and claimed that these extensions can steal user card information and conduct phishing activities, which was totally irrelevant as browsing data just contains the website URLs, nothing more than that.
There was an interesting finding here that international media houses specially from USA researched their facts and published articles only after knowing the full details and policies of the Google web store. For e.g. few renowned media houses stated that the extensions were not doing anything illegal but we can say that such practices are unethical.
But why are all the media houses alleging the extensions to be malicious? Why are the extensions represented to be cyber criminals, data-stealers, phishing attackers etc.?
We believe that all this happened because a cyber security firm’s authors Oliver Devane and Vallabh Chole framed this article in such a way that only highly technical person could understood the technicalities and linked it with previous articles and incidence is such a way that these are the similar activities.
What’s more surprising is that the published article was based on the source code of a single chrome extension. And used “some of the extensions” are doing this without specifically mentioning which extensions. How can a single malicious extension be the base for the judgement of any other extension that exists on the web store?
Why McAfee Allegations are False:
Now let’s come to the point that why we claim that all four above mentioned allegations are false.
- Sending user data to its server without any user facing functionality:
“Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator.” McAfee claimed in its blog post.
Flipshope Extension suggests products based on user browsing history data and shows deals on their extension/website. We also need it for showing price graph of a product. This is the most common use-case and all of the extensions with a user facing functionality like Amazon’s Alexa, Similar web, Honey and many more send user browsing history to their server. As per chrome’s web store policy, at link: https://developer.chrome.com/docs/webstore/program_policies/
“Collection and use of web browsing activity is prohibited except to the extent required for a user-facing feature described prominently in the Product’s Chrome Web Store page and in the Product’s user interface.”
Although any of Flipshope chrome extension practices is not illegal either and doesn’t violate any chrome policy, Flipshope has shown every vital detail in their privacypolicy:- https://flipshope.com/privacy-policy/
- Adding affiliate:
Flipshope is a coupon/deals portal so we have all the right to add affiliates as we promote products and give user coupons. Affiliate is an integral part of any coupon/cashback website. Also, we get order reports from our affiliates which help us in identifying most sold products and help us in making a better recommendation. Again all shopping extensions and coupons/deals website does it as affiliate marketing is an approved and general strategy used by e-commerce businesses.
- Cookie stuffing:
This is a false and misleading claim; Flipshope isn’t involved in or does not even promote cookie stuffing. There isn’t a single incidence of using set cookies for affiliate purposes. McAfee also mentioned specifically that,“we were unable to find a response of ‘e’ during our analysis”. So, when you are unable to find a response, how can you make the headline that “five cookie stuffing extension” if you couldn’t find evidence. Just to make your article more lucrative and catch attention by making false allegations? Why create a fake doubtful suspect to question Google Security?
And then the whole media also covers and highlights baseless data with distorted and sensitive allegations which don’t have any proof or evidence. Also, please keep in mind that all these findings were for a different extension and got imposed on all other extensions in a very strategic manner that it looked valid for all 5 extensions.
- 15 day’s time delay to avoid automated analysis:
Again, they used “some extensions start it after 15 days,” we were not one of them. This allegation was based on some other extension’s code. We do not perform any malicious activity.
Even chrome team agrees with it and among the 5 extensions mentioned in the article, only Flipshope is currently live on the webstore and can be viewed here. Most of the other extensions got removed with a warning that they are all malware.
The consequences and our response:
We were being misinterpreted by the whole world and this led to an adverse effect on us and we faced a massive loss in brand value and revenue, and users started uninstalling our extension. Also, it sent a wrong impression to our partnered brands. So, we tried to contact McAfee via mail several times and explained them that their allegations were not true.
They kept telling us that they were looking into it and circled around the issue without any proper response that why their general allegations stand valid in case of Flipshope Extension and why our explanation is not good enough for them to remove our name from the article.
After few days of conversations and discussion, they partially agreed to update their article, with partial facts. As per their update on September 9, 2022, they stated:
“Since the original publication of this blog on August 29, 2022, the Flipshope browser extension was updated in the Chrome Store on September 6, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.”
Even, the previous version of Flipshope was harmless and free from malware but we updated to a new version because we had received a warning from chrome on 12th Aug that the older version’s description had “Ten brand names are used in the description” and, it violated web store’s policy.
The fact that even McAfee owned extension McAfee Endpoint Security Web Control Chrome Extension with more than 90 lakh users got removed from the chrome web store for 7 days due to policy violations went unnoticed. As removal and updation of extension is very general process and Chrome always keeps an eye on all the extensions and removes them from webstore for even a simple policy violation which can be reinstated by updating the new version.
We tried to contact as many publications as we could but most of them either didn’t respond or replied that we took it from McAfee blog. None of them explained where they got words like malware, cyber criminals, phishing attacker or card stealers. Maybe because cyber laws are not that effective in India so anyone can write anything and get away with it.
We are very thankful to some of the media websites like Bleeping Computer, News18, Techradar, The Hacker News, Gizmo China, etc. who either removed the article or removed Flipshope from it. Some of them at least mentioned that Flipshope don’t agree with McAfee’s finding and let their readers know our point of view in this. Unlike most of other who didn’t even acknowledge our mails and didn’t take any action.
Conclusion
Flipshope is one of the most trusted and most downloaded shopping extensions and has been serving users for more than 8 years, without any inconvenience. Google itself pays attention to the permissions that it is requesting and ensures the safety of users’ data.
Many renowned Indian as well as international websites have removed/updated their article after checking facts. But the loss of value and trust cannot be replaced and the hard work we did in the last 8 years has been questioned.
Even after showing all the privacy concerns for the users, a false accusation by McAfee ruined the brand value of Flipshope. It will now be difficult for the Google Chrome Extension’s users to build their trust again.