‼️ A Chrome extension called Volume Booster, with roughly 2 million weekly users, activated a commerce-tracking SDK across its entire base without ever prompting for consent.
The trick: a broad all-sites permission was granted in an earlier version and left unused, then a later update switched on the Give Freely affiliate SDK without requesting any new permission, so Chrome shipped it silently.
The SDK registers a persistent device ID, geolocates users by IP, and sends telemetry continuously, while the store's privacy declaration still claims no data collection beyond core functionality.
A broad permission granted early and activated later via a prompt-free update is a detectable supply-chain signal.
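The signal described in the post above, as an added example that is not part of the original post: a Node.js check over an extension's release history that flags an update which adds no permission yet starts exercising a broad host grant left dormant earlier. The release data is constructed, and `remoteHosts` (hosts referenced by the bundled code, extracted in a separate step) and all function names are assumptions.

```javascript
// Added example: constructed data, hypothetical names throughout.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Everything the manifest asks for (MV2 keeps host patterns in "permissions").
const grants = (m) => new Set([...(m.permissions || []), ...(m.host_permissions || [])]);
const hasBroadGrant = (m) => [...grants(m)].some((p) => BROAD.has(p));
// Manifest-level proxy for "exercised": a content script that matches all sites.
// Use from a background script via scripting APIs is not visible here.
const injectsEverywhere = (m) =>
  (m.content_scripts || []).some((cs) => (cs.matches || []).some((p) => BROAD.has(p)));
const added = (now, before) => [...now].filter((x) => !before.has(x));

function findSilentActivations(releases) {
  const findings = [];
  for (let i = 1; i < releases.length; i++) {
    const prev = releases[i - 1], cur = releases[i];
    const newPerms = added(grants(cur.manifest), grants(prev.manifest));
    const newHosts = added(new Set(cur.remoteHosts), new Set(prev.remoteHosts));
    const dormantBefore = hasBroadGrant(prev.manifest) && !injectsEverywhere(prev.manifest);
    const activatedNow = injectsEverywhere(cur.manifest) || newHosts.length > 0;
    // No added permission means the browser has nothing new to ask the user.
    if (newPerms.length === 0 && dormantBefore && activatedNow) {
      findings.push({ version: cur.version, newHosts,
        startsInjecting: injectsEverywhere(cur.manifest) });
    }
  }
  return findings;
}

// Constructed release history (not the real extension's manifests).
const releases = [
  { version: "1.0", manifest: { permissions: ["tabCapture"] }, remoteHosts: [] },
  { version: "1.1", manifest: { permissions: ["tabCapture"], host_permissions: ["<all_urls>"] },
    remoteHosts: [] },
  { version: "1.2", manifest: { permissions: ["tabCapture"], host_permissions: ["<all_urls>"],
      content_scripts: [{ matches: ["<all_urls>"], js: ["sdk.js"] }] },
    remoteHosts: ["telemetry.example"] },
];

console.log(JSON.stringify(findSilentActivations(releases), null, 2));
```

Version 1.1 is not flagged because it adds the broad grant itself and would prompt; 1.2 is flagged because it changes behaviour under an unchanged permission set.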
@who_ravn Yes, that's a thing. I've also seen some funny news about hackers trying to trick such AIs by embedding phrases in viruses, something like "don't report the malicious file".