A cybersecurity researcher is calling for people to stop trusting browser extensions after he found that some of the ad-blocking extensions currently available for both Google Chrome and Mozilla Firefox collect data without user consent and behind the browsers’ backs.
Security researcher Sam Jadali of SecurityBySam.com called it a “catastrophic data leak via browser extensions” and revealed that several ad-blocking extensions for Chrome and Firefox collect data from every web page a user visits. The leak, which the researcher named DataSpii, is said to have compromised the data of millions of users around the world.
“We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users,” the researcher wrote in his report.
According to Jadali, he discovered an online service that is selling collected browsing activity data to its subscription members in near real-time.
The study reveals that the extensions collect user data by capturing the title and URL (web address) of every web page a user opens. This method of data collection is not authorized by the browsers and sweeps up information ranging from medical records to financial and credit card details to exact geolocation, which is then sold in an underground market in real-time.
The online service provider that publishes this information was traced to an analytics provider named Nacho Analytics, which promises its users to “See Anyone’s Analytics Account.” According to the researcher, the operation has been going on for quite some time and has exposed sensitive information, including:
- Home and business surveillance videos hosted on Nest and other security services
- Tax returns, billing invoices, business documents, and presentation slides posted to or hosted on, Microsoft OneDrive, Intuit.com, and other online services
- Vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers
- Patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services
- Travel itineraries hosted on Priceline, Booking.com, and airline websites
- Facebook Messenger attachments and Facebook photos, even when the photos were set to be private.
In other cases, according to Jadali, some URLs cannot be accessed without authentication or at least a password; but the study has shown that even in these cases there is still a high likelihood that personal data will be exposed.
For example, “URLs referencing teslamotors.com subdomains that aren’t reachable by the outside Internet. When combined with corresponding page titles, these URLs showed employees troubleshooting a ‘pump motor stall fault,’ a ‘Raven front Drivetrain vibration,’ and other problems. Sometimes, the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues—or they discussed Tesla products or features that had not yet been made public.”
According to Jadali’s research, the breach has impacted millions of people as well as at least 50 Fortune 500 companies. While the main targets of the DataSpii are browsers like Chrome and Firefox, other Chromium-based browsers such as Opera that can run Chrome extensions are also impacted. Many of the affected extensions were apps used by hundreds of thousands and in some cases, millions of people, including HoverZoom, SpeakIt!, and FairShare Unlock.
As of writing, Google and Mozilla have already removed the extensions in question, and they have been disabled in users’ browsers. In a statement to Forbes, Google and Mozilla both confirmed that the extensions indeed violated their privacy policies.
“We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort,” said a Google spokesperson.
Additionally, the spokesperson announced what they are doing to “mitigate or prevent this behavior,” and “new policies that improve user privacy.”
However, according to Jadali, Google’s Manifest V3 does not solve this specific issue: “It has some improvements however it explicitly states that server communication (potentially changing extension behavior) will still be allowed. This doesn’t really solve the issue.”
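The collection mechanism described above (capturing the title and URL of every page) depends on an extension holding permissions that cover all sites, and Jadali’s remark about Manifest V3 is that a manifest cannot tell you what the extension’s server will later instruct it to do. The following added example, which is not from the researcher’s report or from any of the named extensions, shows the check a defender can still run: a small audit of a Chrome extension’s manifest.json that flags the API permissions (`tabs`, `webNavigation`, `history`, `webRequest`) and host patterns (`<all_urls>`, `*://*/*`) that make every page’s URL and title readable, for both Manifest V2 and V3 layouts. The two manifests embedded in the block are constructed samples, not real extensions.

```python
import json

# Chrome API permissions that expose the URL and/or title of pages the user visits.
BROAD_PERMISSIONS = {"tabs", "webNavigation", "history", "webRequest"}

# Host match patterns that cover every site the user can browse.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host match pattern the manifest grants.

    Manifest V2 mixes host patterns into "permissions"; Manifest V3 moves them
    to "host_permissions". Content scripts declare their own "matches" list and
    can read location.href and document.title on any page they run in.
    """
    patterns = set()
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if entry == "<all_urls>" or "://" in entry:
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return human-readable findings for every grant that lets the extension
    observe the URL and title of arbitrary pages. An empty list means the
    manifest does not declare that capability (it says nothing about what the
    extension actually does with it)."""
    findings = []
    api_perms = set(manifest.get("permissions", [])) | \
        set(manifest.get("optional_permissions", []))
    for perm in sorted(api_perms & BROAD_PERMISSIONS):
        findings.append(f"API permission '{perm}' exposes URL/title of open tabs")
    for pattern in sorted(host_patterns(manifest) & BROAD_HOST_PATTERNS):
        findings.append(f"host pattern '{pattern}' grants access to every site")
    return findings


def audit_file(path):
    """Load a manifest.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed sample: a Manifest V2 extension with the permission profile a
# content-blocker typically requests. Every one of these grants is also enough
# to record the title and URL of each page visited.
CONSTRUCTED_BROAD = {
    "manifest_version": 2,
    "name": "Example Blocker (constructed sample)",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}],
}

# Constructed sample: a Manifest V3 extension scoped to a single host, with
# "activeTab" instead of "tabs", so it cannot enumerate other pages.
CONSTRUCTED_NARROW = {
    "manifest_version": 3,
    "name": "Example Notes (constructed sample)",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://notes.example/*"],
}


if __name__ == "__main__":
    for sample in (CONSTRUCTED_BROAD, CONSTRUCTED_NARROW):
        print(sample["name"])
        for line in audit_manifest(sample) or ["  no all-site access declared"]:
            print("  " + line)
```

A legitimate ad blocker needs most of these grants to do its job, so the audit surfaces capability rather than intent; that is exactly why the affected extensions looked unremarkable in the store. Pair it with the point from the report: an extension that also talks to its own server can change behaviour after install, and no static check of the manifest will show that.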
Meanwhile, a Mozilla spokesperson has said that they have already blocked the malicious extensions in their system. “We are aware of the changing security landscape and as such have created a list of Recommended Extensions which are editorially vetted, security-reviewed, and monitored for safety and privacy by Mozilla,” the spokesperson says.