Skip to content
Naked Security Naked Security

Browser plug-ins peddled personal data from over 4m browsers

Nacho Analytics gathered data like passwords, tax and prescription data from browser add-ons - and those who bought it can keep it.

Eight catastrophically leaky browser extensions were discovered by researcher Sam Jadali.

He traced the privacy train wreck, dubbed DataSpii, to browser extensions (also known as add-ons or plug-ins) that run around doing things like making browsing better by finding coupons or remembering passwords or whatever.

Peel back the “whatever” and this is what you find: those extensions, offered up on stores run by Chrome and Firefox and therefore presumably legit, are running a side hustle, watching every click we make online and then putting it all up for sale.

Jadali published his findings last Thursday.

He found that the extensions were leaking, in near real-time, personal, sensitive data on the websites you’re browsing, primarily on Chrome but also on Firefox. Ditto for sensitive business information. Jadali’s Security with Sam firm found that the leaked data included these types of personal and corporate data:

Personal data

  • personal interests
  • tax returns
  • GPS location
  • travel itineraries
  • gender
  • genealogy
  • usernames
  • passwords
  • credit card information
  • genetic profiles

Corporate data

  • company memos
  • employee tasks
  • API keys
  • proprietary source code
  • LAN environment data
  • firewall access codes
  • proprietary secrets
  • operational material
  • zero-day vulnerabilities

As Ars Technica reported last Thursday, by Google’s account, we’re talking about data from as many as 4.1 million users. The extensions collected “the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited,” Ars reported.

They didn’t just slurp up web histories – some of the extensions then peddled them, publishing the histories through a fee-based service called Nacho Analytics that markets itself as “God mode for the Internet” and which uses the tag line “See Anyone’s Analytics Account.”

The extensions

  • Hover Zoom
  • SpeakIt!
  • SuperZoom
  • SaveFrom.net Helper
  • FairShare Unlock
  • PanelMeasurement
  • Branded Surveys
  • Panel Community Surveys

This is the data that one journalist says he found for sale after reading Jadali’s research report:

I’ve watched you check in for a flight and seen your doctor refilling a prescription.

I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant.

I found your data because it’s for sale online. Even more terrifying: It’s happening because of software you probably installed yourself.

Google removed the extensions from its Chrome Web Store a day after Jadali’s report was picked up by the media. It also remotely disabled those extensions on the millions of computers that had them installed. Mozilla removed and disabled its one DataSpii extension in February. About a week later, Nacho Analytics announced a “data outage.”

Ars reports that in an 11 July 2019 email, Nacho Analytics founder and CEO Mike Roberts told customers that the site had suffered a “permanent data outage” due to a third-party supplier no longer being available. He told customers that the site would no longer accept new customers or provide new data, but that customers who kept their accounts open would still be able to access any data they’d previously bought.

However, Nacho Analytics – which sells “links to tax returns, prescription refills, and reams of other sensitive information collected from more than four million browsers,” is still making the data available to existing customers.

Here’s how it works: URL data from websites is imported directly into customers’ Google Analytics accounts, which includes sensitive information that led to Nacho Analytics getting shut off in the first place, such as names of medical patients who got test results from a patient care cloud platform used by medical services.

Ars displayed a few redacted screenshots in its writeup: one shows data slurped by the extensions from inside Tesla’s network that was sent on to Nacho Analytics, and then imported into Google Analytics.

Once this type of data is out there, what are you supposed to do to get it back? Ars Security Editor Dan Goodin compares the situation to putting toothpaste back into a tube. Once data is out, it’s out, and it ain’t going back in. Such is the case with the Nacho Analytics customers who bought data: they can hold on to what’s potentially gigabytes’ worth of browsing histories collected from millions of people, thanks to the help of Nacho Analytics and Google Analytics.

Is any of this against Google’s terms of service? Here’s what a company spokesperson told Ars:

Passing data that personally identifies an individual, such as email addresses or mobile numbers, through Google Analytics is prohibited by our terms of service, and we take action on any account found doing so intentionally.

The spokesperson said that Google has suspended multiple Google Analytics properties owned by Nacho Analytics for violating Google terms of service and that Google’s investigating additional accounts that may be connected or integrated with Nacho Analytics.

What to do?

You can find out if DataSpii is spying on your every click by viewing your extensions.

In Chrome, manually enter this URL in your browser: chrome://extensions

In Firefox, manually enter this URL in your browser: about:addons

If you see any of the extensions from the list above, remove them. Note that in one instance, Jadali says, a remotely deactivated extension didn’t stop collecting data. You’ve got to remove the extension to make the data collection stop.

Besides removing the extensions, Jadali recommends that those who downloaded the addons change their passwords. Also, if you access services through an API via a URL, consider changing your API keys. Security by Sam has more recommendations in Section 4.6 of its report on DataSpii.

UPDATE: The original version of this story gave credit for this discovery where it wasn’t due so we have updated the article to reflect that.

4 Comments

And no one has been arrested for this? There is more than plenty of data, from what is listed, to construct a dossier on someone.

If this is not illegal, it should be. I’ll also wager that the extensions’ software agreement did not state they would copy everything you do in the browser and pass it around. If this data slurping was indeed illegal then prison time should be the verdict for whomever was responsible.

Another issue some folks are railing about is the use of:

“unsafe-eval”
and
“unsafe-inline”
in the manifest.json file.
This is supposed to indicate a malicious extension or malware.

I have found “unsafe-eval” in an extension but to do what it is supposed to be doing it needs elevated privileges. Is that not what this is for?
Extensions like the ones listed above do not seem to me to the kind that need elevated privileges so why would they have them except to monitor YOU/ME.
Extensions that enable secure browsing on the other hand may need elevated privileges to see if a key-logger is present, if screenshots are being taken, prevent the browser files to allow reading of sensitive information, to prevent specific banking malware from stealing login credentials, preventing loading of malicious files, blocking attempts to alter the browser’s process, etc
All this requires some type of elevated privilege, so the extension may not in fact be malicious.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?