Volume Booster (2M Chrome users) silently activated a commerce-tracking SDK with zero permission prompts
The Volume Booster Chrome extension, with approximately 2 million weekly users, silently activated a commerce-tracking SDK (Give Freely) between versions 1.0.2 and 1.0.4 without triggering Chrome's permission re-consent prompt. The extension had previously been granted broad host permissions that were dormant until the SDK was activated. This SDK collects device identifiers, geolocation data, and telemetry continuously, regardless of user interaction with the extension's visible UI. The Chrome Web Store listing's privacy declaration does not disclose these data flows, creating a discrepancy between declared and actual behavior.
AI Analysis
Technical Summary
Volume Booster is a Chrome extension with about 2 million weekly users that, between versions 1.0.2 and 1.0.4, activated a third-party commerce-tracking SDK (Give Freely) without requesting new permissions or user consent. The extension had previously obtained broad host permissions (all_urls) that were unused until the SDK was introduced. The SDK performs local merchant matching, opens hidden tabs for affiliate attribution, geolocates users via a hardcoded MaxMind credential, registers anonymous device IDs, and sends telemetry to remote servers. Although the extension's UI includes a donation popup for user-selected charities, the underlying tracking and telemetry run continuously and silently. The Chrome Web Store privacy statement claims no user data collection beyond core functionality, which conflicts with the actual data flows introduced by the SDK. The staged activation approach bypassed Chrome's permission re-consent mechanism, affecting the existing user base without explicit consent or updated disclosure.
Potential Impact
The extension collects and transmits persistent anonymous device identifiers, IP-based geolocation data, and event telemetry to third-party servers without explicit user consent or notification. This behavior violates the extension's privacy declaration and may expose users to privacy risks related to undisclosed data collection and tracking. The tracking is limited to merchant matching and affiliate attribution and does not involve full browsing history exfiltration or remote code execution. The silent activation of the SDK affects approximately 2 million users and undermines trust in the extension's stated privacy practices.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should consider removing or disabling the Volume Booster extension until the developer updates the privacy disclosures and addresses the silent activation of the tracking SDK. Chrome Web Store reviewers and security teams should monitor for staged permission activations that bypass re-consent prompts. No official fix or patch information is provided in the available data.
Volume Booster (2M Chrome users) silently activated a commerce-tracking SDK with zero permission prompts
Description
The Volume Booster Chrome extension, with approximately 2 million weekly users, silently activated a commerce-tracking SDK (Give Freely) between versions 1.0.2 and 1.0.4 without triggering Chrome's permission re-consent prompt. The extension had previously been granted broad host permissions that were dormant until the SDK was activated. This SDK collects device identifiers, geolocation data, and telemetry continuously, regardless of user interaction with the extension's visible UI. The Chrome Web Store listing's privacy declaration does not disclose these data flows, creating a discrepancy between declared and actual behavior.
Reddit Discussion
Diffed Volume Booster's last three versions (1.0.2 → 1.0.4).
-
<all_urls>host permission was granted in 1.0.2 and sat unused. webRequestwas added in 1.0.3.- The actual tracking SDK (Give Freely / Wildfire affiliate network) landed in 1.0.4, no new permissions requested, so Chrome pushed it silently to the existing 2M weekly users with no re-consent prompt.
Full writeup: https://malext.io/reports/QuietBoost
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Volume Booster is a Chrome extension with about 2 million weekly users that, between versions 1.0.2 and 1.0.4, activated a third-party commerce-tracking SDK (Give Freely) without requesting new permissions or user consent. The extension had previously obtained broad host permissions (all_urls) that were unused until the SDK was introduced. The SDK performs local merchant matching, opens hidden tabs for affiliate attribution, geolocates users via a hardcoded MaxMind credential, registers anonymous device IDs, and sends telemetry to remote servers. Although the extension's UI includes a donation popup for user-selected charities, the underlying tracking and telemetry run continuously and silently. The Chrome Web Store privacy statement claims no user data collection beyond core functionality, which conflicts with the actual data flows introduced by the SDK. The staged activation approach bypassed Chrome's permission re-consent mechanism, affecting the existing user base without explicit consent or updated disclosure.
Potential Impact
The extension collects and transmits persistent anonymous device identifiers, IP-based geolocation data, and event telemetry to third-party servers without explicit user consent or notification. This behavior violates the extension's privacy declaration and may expose users to privacy risks related to undisclosed data collection and tracking. The tracking is limited to merchant matching and affiliate attribution and does not involve full browsing history exfiltration or remote code execution. The silent activation of the SDK affects approximately 2 million users and undermines trust in the extension's stated privacy practices.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should consider removing or disabling the Volume Booster extension until the developer updates the privacy disclosures and addresses the silent activation of the tracking SDK. Chrome Web Store reviewers and security teams should monitor for staged permission activations that bypass re-consent prompts. No official fix or patch information is provided in the available data.
Technical Details
- Source Type
- Subreddit
- netsec
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":38,"reasons":["external_link","newsworthy_keywords:rce","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["rce"],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a386f0feed863c81e81c72d
Added to database: 06/21/2026, 23:09:03 UTC
Last enriched: 06/21/2026, 23:09:08 UTC
Last updated: 06/22/2026, 03:09:02 UTC
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.