Volume Booster (2M Chrome users) silently activated a commerce-tracking SDK with zero permission prompts
Diffed Volume Booster’s last three versions (1.0.2 → 1.0.4). <all_urls> host permission was granted in 1.0.2 and sat unused. webRequest was added in 1.0.3. The actual tracking SDK (Give Freely / Wildfire affiliate network) landed in 1.0.4, no new permissions requested, so Chrome pushed it silently to the existing 2M weekly users with no re-consent prompt. Full writeup: https://malext.io/reports/QuietBoost submitted by /u/Huge-Skirt-6990 [link] [comments]Technical Information Security Content & DiscussionRead More