Google Chrome and Firefox users are likely to use extensions such as adblockers to help make their browsing more convenient and secure. But these aren’t always safe, as an independent security researcher can testify: He discovered eight browser extensions used by around 4 million Firefox and Chrome users were harvesting data.
The extensions collected people’s data through capturing titles and URLs, or web addresses, every time a user clicked on a page. This data collection, which wasn’t authorized by the browser, included sensitive information such as medical records and credit card information, researcher Sam Jadali’s report first detailed by Dan Goodin at Ars Technica found.
Worse still, Goodin reported, most of these collected web histories were then published by a fee-based service called Nacho Analytics, which uses the tag line “See Anyone’s Analytics Account”.
The “unprecedented data collection” impacts millions of individuals as well as many Fortune 500 corporations, according to Jadali. The report says the leak primarily impacted Chrome and Firefox users with one of eight invasive extensions. However, other Chromium-based browsers such as Opera that can run Chrome extensions are also impacted.
Many of the affected extensions were apps used by hundreds of thousands and in some cases, millions of people, including HoverZoom, SpeakIt!, and FairShare Unlock. The full list is available in Jadali’s full report–which is titled very aptly Dataspii.
Thankfully, the extensions have now been removed from or disabled in people’s browsers by Google and Firefox owner Mozilla and they are no longer available for download.
Whether you are an individual or a business, the data available was pretty sensitive. Personal data made accessible by DataSpii included: Tax returns, GPS location, cloud services and data, file attachments, credit card information, genetic profiles and online shopping history.
The report says around 50 businesses were also affected. Corporate data made accessible by DataSpii was extremely worrying. It included: real-time activity of employees, private LAN network structure, partial page content including hyperlinks embedded on a LAN website, API keys, proprietary source code, firewall access codes, and zero-day vulnerabilities.
I contacted Google and Mozilla for a response. Both confirmed that the extensions violated their policies. A Google spokesperson sent the following statement: “We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort.”
The spokesperson highlighted announced technical changes to how extensions work that “will mitigate or prevent this behavior,” and “new policies that improve user privacy.”
The changes to extensions, dubbed Manifest V3 will see many ad blockers break in Chrome, which has angered many people. However, it seems in this case that the changes can help improve security as Google has argued.
But Jadali says Google’s Manifest V3 does not solve this specific issue: “It has some improvements however it explicitly states that server communication (potentially changing extension behavior) will still be allowed. This doesn’t really solve the issue.”
A Mozilla spokesperson says the firm has blocked all of the extensions found to be in violation of its policies. “We are aware of the changing security landscape and as such have created a list of Recommended Extensions which are editorially vetted, security-reviewed, and monitored for safety and privacy by Mozilla,” the spokesperson says.
Mozilla is also trying to make it easier to report problematic extensions and says it “will continue to invest in security mitigations and product features that make users more aware of the risks that come with extension use.”
If you are affected by the issue and still have extensions, you might want to remove them yourself and change your password as a precaution. In addition, says Jadali: “If you access services through an API via a URL, you may consider changing your API keys.”
There are also some general steps you can take to avoid being caught out in the future. Before installing any third-party extension, Mozilla recommends following these safety tips.
For example, if you are installing an extension from a website other than addons.mozilla.org (AMO), you should verify the integrity of the source.
Meanwhile, you should be aware of the permissions you grant to extensions. “Extensions are pieces of software that run within your browser and in most cases have access to the data which loads in there,” says security researcher Sean Wright. He says “it’s wise to do your homework” and “try to ensure that the extension is legitimate and done for the right purposes–not created to slurp up your data.”
Another thing to consider, says Wright is that extensions can potentially access data from pages loaded in your browser and modify it. “Attackers can modify legitimate extensions to inject their payload into sites,” he warns. “To me, this is perhaps more alarming.”