Nearly 100,000 Facebook users have been duped into installing third-party Chrome plugins over the past few weeks that have access to all of their data on every Web site they visit. According to research recently conducted by security firm Barracuda Networks, the unsuspecting users were tricked into thinking the plugins could block Timeline, a new profile feature Facebook first introduced at the end of 2011.
There are six different Google Chrome plugins that claim to revoke Facebook’s much-maligned Timeline feature. While half of the plugins worked as expected and required access to data on Facebook.com, the other half required users to give the plugins complete access to data on all websites, including access to users’ tabs and browsing activity, Jason Ding, a research scientist at Barracud, said in a post on the company’s Internet Security blog.
While it doesn’t appear the plugins aren harvesting users’ credentials, two of the three suspicious ones try to entice Facebook users into filling out a fake survey and joining a fake Facebook event in hopes of further spreading the plugin.
To make the situation even more confusing, those two plugins are hosted on sites run by Amazon’s Simple Storage Service (S3), which hides information about the plugins’ authors.
According to Barracuda, at the time of the blog entry’s publication, 90,184 Chrome users in total had granted the plugins access to their browsing history. While Chrome reportedly blocked access from one of the Amazon S3 URLs, it’s not too far-fetched to believe the number of scammed users may have surpassed 100,000 by now.