QuietBoost - Volume Booster extension: Silent Activation of a Commerce-Tracking SDK on Pre-Granted Permissions

Target

Executive Summary

Volume Booster is a Chrome extension with roughly 2 million weekly users, present since at least January 2025. Between versions 1.0.2 and 1.0.4, the developer activated a commerce-tracking and affiliate-monetization SDK (Give Freely, built on the Wildfire affiliate network) without ever triggering Chrome's permission re-consent flow. This was possible because the host permission the SDK depends on (all_urls) was already present in version 1.0.2, granted but unused. This report documents the deployment mechanism and the resulting gap between the extension's privacy declaration and its actual data flows.

Give Freely's monetization model itself (affiliate commissions, partly donated to user-selected charities) is a real, identifiable business. Several of its practices are not in dispute and are addressed directly in "What This Report Does Not Claim."

Scope

This report evaluates Volume Booster's deployment practice, specifically how a third-party SDK was activated without user consent. It is not an audit of Give Freely or the Wildfire affiliate network as a vendor. Give Freely presents itself publicly as a charity-funded affiliate platform with disclosed practices (no overwriting of existing affiliate attribution, commission donated to user-selected charities); we have not independently verified Give Freely's claims about its own operations, financials, or conduct across its full partner network. Findings here are limited to what Volume Booster's specific integration does and how it was disclosed, not to Give Freely's trustworthiness as a company.

Methodology & Discovery

The investigation began with a routine review of Volume Booster following the integration of Wildfire/GiveFreely-pattern fingerprints into the malext.io detection pipeline. Pulling the extension's version history (1.0.2, 1.0.3, 1.0.4) and diffing each manifest and bundle revealed a staged sequence: a dormant broad host permission, followed by an observability permission, followed by the monetization payload itself, each shipped as a separate, low-attention update.

Cross-referencing the Chrome Web Store listing's first Wayback Machine capture (2025-01-05) against the version timeline confirmed the 2M-user base predates all three versions under analysis. This rules out the possibility that the userbase was grown through, or as a result of, the monetization SDK.

Version Timeline

Manifest Diffs

1.0.2 → 1.0.3:

     "unlimitedStorage",
-    "windows"
+    "windows",
+    "webRequest"
   ],

1.0.3 → 1.0.4:

   "background": {
     "service_worker": "service-worker.js"
   },
+  "content_scripts": [
+    {
+      "matches": [ "<all_urls>" ],
+      "js": [
+        "vendor/GiveFreely-content.umd.js",
+        "content-script.js"
+      ]
+    }
+  ],
   "icons": {

host_permissions (all_urls) is unchanged across all three versions. No permissions or host_permissions entry changes between 1.0.3 and 1.0.4, only the content script is added, so this update triggered no re-consent prompt.

Architecture: Staged Activation on Dormant Permissions

The extension's permission and code history shows three distinct phases:

1. Dormant grant (1.0.2): all_urls is requested and granted, but no code in this version reads or acts on network traffic.
2. Observability (1.0.3): webRequest is added, backing a vmdebug-gated console logger of media requests. This is the first code to exercise the previously dormant host permission.
3. Monetization (1.0.4): A vendored Give Freely SDK is added as an all-sites content script, initialized in the background service worker:

self.importScripts('vendor/GiveFreely-background.umd.js');
const giveFreely = new GiveFreely.GiveFreelyService('volumeboosterprod');
void giveFreely.initialize();

Because the host permission required by phase 3 was acquired in phase 1, and no permission entries changed in phase 3, the SDK went live across the existing 2M-user install base with no Chrome permission warning and no user action.

Undisclosed Behavior: Commerce Tracking SDK

Once initialized, and independent of any popup or UI state, the SDK:

• Matches navigations against a cached Wildfire merchant list and opens a hidden, pinned tab to wild.link to set attribution cookies on matches
• Geolocates the user via geoip.maxmind.com, authenticated with a hardcoded MaxMind credential (account 913991)
• Registers a persistent anonymous device ID with Wildfire and a user record with api.givefreely.com
• Sends device-keyed event telemetry to events.givefreely.com
• On qualifying merchant checkouts, renders a donation popup for the user's selected charity

This is locally-evaluated merchant matching, not full browsing-history exfiltration: only activations on merchants already present in Wildfire's network are reported. Suppressing the popup ("don't show again") stops the UI only; device registration, geolocation, and affiliate matching continue running regardless.

Disclosure Discrepancy

The Chrome Web Store listing states the extension "will not collect or use" user data and transfers nothing "unrelated to core functionality." This does not hold up against the persistent cross-party device ID, IP-based geolocation, and continuous telemetry described above, none of which depend on the user ever seeing a popup. This mismatch has existed since version 1.0.4 and has not been corrected.

The listing does separately disclose, below a "Read More" toggle, that affiliate links support a named charity (Hearing Health Foundation, confirmed present in this partner's live configuration). That disclosure is accurate but incomplete: it covers the visible donation mechanism only, not the device, geolocation, or telemetry flows that run regardless of whether the popup ever appears, and it is positioned where most installing users will not see it.

Infrastructure

• cdn.givefreely.com: remote partner and global configuration
• api.givefreely.com: anonymous user registration
• events.givefreely.com: event telemetry
• wild.link: affiliate attribution routing
• wildlink.me: device registration
• geoip.maxmind.com: IP geolocation (MaxMind account 913991, hardcoded credential shipped in the SDK)

Reproducing the Configuration Fetch

curl 'https://cdn.givefreely.com/adunit/config/volumeboosterprod.json'

curl 'https://cdn.givefreely.com/adunit/config/global.json'

Diffing the two responses shows partner-level config overriding global defaults; for this partner, checkoutPopupMasterSwitch is enabled and the charity set is hearing-related, while Give Freely's global default ships with the popup disabled.

What This Report Does Not Claim

• No remote code execution. Behavior is driven by remote JSON configuration, not remotely fetched executable code.
• No cookie-stuffing. The SDK stands down when it detects an existing affiliate session or a competing extension already active, the opposite of attribution theft, and consistent with Give Freely's own stated policy.
• No deceptive UI mechanics. The popup's Shadow DOM is standard style isolation, open and inspectable, not a fraud-evasion measure.
• Opt-out works as described. "Don't show again" does suppress the popup as requested. The relevant point is narrower: it does not suppress the underlying tracking, and the listing does not make that distinction.
• The charity integration is genuine. The configured charities are real, hearing/deafness-themed, verifiable by EIN, and relevant to this extension's audience.

Summary

Volume Booster, installed by approximately 2 million weekly users since at least January 2025, gained a commerce-tracking SDK across versions 1.0.2 to 1.0.4 through a staged sequence of low-attention updates, ending with no permission prompt at the point the tracking activated. The extension's Chrome Web Store privacy declaration has not been updated to reflect the device registration, geolocation, and telemetry flows introduced. The pattern documented here, a broad host permission granted ahead of any feature using it, later activated via a permission-free update, is a detectable supply-chain signal independent of Give Freely specifically, and is recommended as a standalone detection heuristic for CWS review pipelines.

_Research by Jean-Marie R. (Toborrm9) | Malicious Extension Sentry Project | June 21, 2026_