Naked Security

Browser plug-ins peddled personal data from over 4m browsers

Nacho Analytics gathered data like passwords, tax and prescription data from browser add-ons - and those who bought it can keep it.

Eight catastrophically leaky browser extensions were discovered by researcher Sam Jadali.

He traced the privacy train wreck, dubbed DataSpii, to browser extensions (also known as add-ons or plug-ins): the helpers that promise to make browsing better by finding coupons, remembering passwords or whatever.

Peel back the “whatever” and this is what you find: those extensions, offered up on the official stores run by Google and Mozilla and therefore presumably legit, were running a side hustle, watching every click we make online and then putting it all up for sale.

Jadali published his findings last Thursday.

He found that the extensions were leaking, in near real time, sensitive personal data from the websites you’re browsing, primarily on Chrome but also on Firefox, and sensitive business information along with it. Jadali’s firm, Security with Sam, found that the leaked data included these types of personal and corporate data:

Personal data

  • personal interests
  • tax returns
  • GPS location
  • travel itineraries
  • gender
  • genealogy
  • usernames
  • passwords
  • credit card information
  • genetic profiles

Corporate data

  • company memos
  • employee tasks
  • API keys
  • proprietary source code
  • LAN environment data
  • firewall access codes
  • proprietary secrets
  • operational material
  • zero-day vulnerabilities

As Ars Technica reported last Thursday, by Google’s account, we’re talking about data from as many as 4.1 million users. The extensions collected “the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited,” Ars reported.

They didn’t just slurp up web histories – some of the extensions then peddled them, publishing the histories through a fee-based service called Nacho Analytics that markets itself as “God mode for the Internet” and which uses the tag line “See Anyone’s Analytics Account.”

The extensions

  • Hover Zoom
  • SpeakIt!
  • SuperZoom
  • SaveFrom.net Helper
  • FairShare Unlock
  • PanelMeasurement
  • Branded Surveys
  • Panel Community Surveys

This is what one journalist says he found for sale after reading Jadali’s research report:

I’ve watched you check in for a flight and seen your doctor refilling a prescription.

I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant.

I found your data because it’s for sale online. Even more terrifying: It’s happening because of software you probably installed yourself.

Google removed the extensions from its Chrome Web Store a day after Jadali’s report was picked up by the media. It also remotely disabled those extensions on the millions of computers that had them installed. About a week later, Nacho Analytics announced a “data outage.” Mozilla, for its part, had already removed and disabled the one DataSpii extension in its store back in February.

Ars reports that in an 11 July 2019 email, Nacho Analytics founder and CEO Mike Roberts told customers that the site had suffered a “permanent data outage” due to a third-party supplier no longer being available. He told customers that the site would no longer accept new customers or provide new data, but that customers who kept their accounts open would still be able to access any data they’d previously bought.

So Nacho Analytics – which sells “links to tax returns, prescription refills, and reams of other sensitive information collected from more than four million browsers” – is still making that data available to existing customers.

Here’s how it works: Nacho Analytics imports the harvested URL data directly into its customers’ Google Analytics accounts. Because the extensions captured the full URL and page title of every page visited, that feed carries whatever websites put into their URLs and titles, including the kind of sensitive information that led to Nacho Analytics being shut off in the first place, such as the names of medical patients who received test results through a cloud-based patient care platform used by medical services.

Ars displayed a few redacted screenshots in its writeup: one shows data slurped by the extensions from inside Tesla’s network that was sent on to Nacho Analytics, and then imported into Google Analytics.

Once this type of data is out there, what are you supposed to do to get it back? Ars Security Editor Dan Goodin compares the situation to putting toothpaste back into a tube. Once data is out, it’s out, and it ain’t going back in. Such is the case with the Nacho Analytics customers who bought data: they can hold on to what’s potentially gigabytes’ worth of browsing histories collected from millions of people, thanks to the help of Nacho Analytics and Google Analytics.

Is any of this against Google’s terms of service? Here’s what a company spokesperson told Ars:

Passing data that personally identifies an individual, such as email addresses or mobile numbers, through Google Analytics is prohibited by our terms of service, and we take action on any account found doing so intentionally.

The spokesperson said that Google has suspended multiple Google Analytics properties owned by Nacho Analytics for violating Google terms of service and that Google’s investigating additional accounts that may be connected or integrated with Nacho Analytics.

What to do?

You can find out if DataSpii is spying on your every click by viewing your extensions.

In Chrome, manually enter this URL in your browser: chrome://extensions

In Firefox, manually enter this URL in your browser: about:addons

If you see any of the extensions from the list above, remove them. Note that in one instance, Jadali says, a remotely deactivated extension didn’t stop collecting data. You’ve got to remove the extension to make the data collection stop.
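
Checking one browser by hand is fine; checking a fleet is not. As an added example (not code from the article, from Security with Sam, or from Google), here is a Python audit of a Chromium-style profile directory on disk. It assumes the layout Chrome uses, `Extensions/<id>/<version>/manifest.json` under the profile, with localized names (`__MSG_key__`) resolved from `_locales/<default_locale>/messages.json`. It flags the DataSpii names from the list above and two warning signs worth a look regardless: host permissions broad enough to read every site, and a content security policy that allows `unsafe-eval`, which lets the extension run code it fetches at runtime rather than only what was reviewed in the store. The demo profile it builds is constructed data with made-up extension IDs.

```python
"""Audit a Chromium-style profile directory for the DataSpii extensions.

Added example, not code from the article, from Security with Sam, or from Google.
Assumes the on-disk layout Chrome uses: <profile>/Extensions/<id>/<version>/manifest.json,
with localized names (__MSG_key__) resolved from _locales/<default_locale>/messages.json.
"""
import json
import re
import tempfile
from pathlib import Path

# Extension names from the DataSpii list in the article.
DATASPII_NAMES = {
    "Hover Zoom", "SpeakIt!", "SuperZoom", "SaveFrom.net Helper",
    "FairShare Unlock", "PanelMeasurement", "Branded Surveys",
    "Panel Community Surveys",
}
# Host patterns that let an extension read every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
_MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def _resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Turn a localized manifest name placeholder into plain text."""
    name = manifest.get("name", "")
    m = _MSG_RE.match(name)
    if not m:
        return name
    msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(msgs.read_text(encoding="utf-8"))[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name  # an unresolved placeholder is still worth reporting


def audit_profile(profile_dir) -> list:
    """Return one finding per installed extension version, sorted by extension ID."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        name = _resolve_name(ext_dir, manifest)
        # MV2 lists hosts under "permissions"; MV3 moves them to "host_permissions".
        hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        csp = manifest.get("content_security_policy", "")
        if isinstance(csp, dict):  # MV3 nests the policy per context
            csp = " ".join(csp.values())
        reasons = []
        if name in DATASPII_NAMES:
            reasons.append("listed DataSpii extension: remove it")
        if hosts & BROAD_HOSTS:
            reasons.append("broad host permission: can read every site")
        if "unsafe-eval" in csp:
            reasons.append("CSP allows unsafe-eval: can run code fetched at runtime")
        findings.append({
            "id": ext_dir.parent.name, "version": ext_dir.name, "name": name,
            "remove": name in DATASPII_NAMES, "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["id"])


def build_demo_profile() -> str:
    """Write a constructed demo profile (made-up IDs, fake manifests) to a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="dataspii-demo-"))
    # Store extensions often localize the name; resolve it the way Chrome would.
    bad = root / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0.0_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "__MSG_appName__", "default_locale": "en",
        "permissions": ["tabs", "<all_urls>"],
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    }))
    (bad / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Hover Zoom"}}))
    # A narrowly scoped extension for contrast.
    ok = root / "Extensions" / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3.1_0"
    ok.mkdir(parents=True)
    (ok / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Example Note Taker",
        "host_permissions": ["https://notes.example.test/*"],
        "content_security_policy": {"extension_pages": "script-src 'self'"},
    }))
    return str(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_profile()
    for f in audit_profile(target):
        flag = "REMOVE" if f["remove"] else ("CHECK " if f["reasons"] else "ok    ")
        print(f"{flag} {f['name']} ({f['id']} {f['version']})")
        for r in f["reasons"]:
            print("       -", r)
```

Point it at a real profile to audit a machine: on Linux that is typically `~/.config/google-chrome/Default`, on macOS `~/Library/Application Support/Google/Chrome/Default`, on Windows `%LOCALAPPDATA%\Google\Chrome\User Data\Default`. The ID in the output is the same one chrome://extensions shows with developer mode on, so a hit can be cross-checked there before removal. A broad host permission or `unsafe-eval` on its own is not proof of malice, but reading every page is exactly what these extensions needed, so that is where to start looking.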

Besides removing the extensions, Jadali recommends that those who installed the add-ons change their passwords. Also, if you access services through an API whose key travels in the URL (for example as a query-string parameter), consider rotating those API keys: the extensions captured full URLs, so any key carried in one went with them. Security with Sam has more recommendations in Section 4.6 of its report on DataSpii.
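
Why does a key that was only ever "in a URL" need rotating? As an added example (not part of the article or of the DataSpii report), the Python below triages a set of harvested URL records the way an incident responder would after a leak like this one: it parses each URL and reports which query or fragment parameters carried a credential to rotate or personal data that needs a notification decision, and which paths are capability links (share, reset or invite URLs) that grant access to whoever holds them. The parameter names are assumed common patterns, not a list from the report, and the sample URLs are constructed, not real harvested data. It checks the fragment as well, because an extension reads the full location, including the part after `#` that the browser never sends to a server.

```python
"""Triage harvested URLs for credentials to rotate and personal data to report.

Added example, not part of the article or of the DataSpii report. SECRET_PARAMS and
PII_PARAMS are assumed common naming patterns, not a list taken from the report, and
the sample URLs below are constructed, not real harvested records.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that typically carry a credential (assumed patterns).
SECRET_PARAMS = {
    "api_key", "apikey", "key", "token", "access_token", "id_token",
    "auth", "sig", "signature", "session", "sessionid", "password",
}
# Parameter names that typically carry personal data (assumed patterns).
PII_PARAMS = {"patient", "name", "email", "ssn", "dob", "phone"}
# A long opaque path segment is usually a capability link (share, reset, invite):
# whoever holds the URL holds the access, so the link must be reissued.
TOKEN_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{20,}$")


def triage_url(url: str) -> dict:
    """Report which parts of one URL leaked something that needs action."""
    parts = urlsplit(url)
    rotate, pii = set(), set()
    # An extension reads location.href, so the fragment (#...) is exposed
    # even though the browser never sends it to the server.
    for raw in (parts.query, parts.fragment):
        for key, _ in parse_qsl(raw, keep_blank_values=True):
            key = key.lower()
            if key in SECRET_PARAMS:
                rotate.add(key)
            elif key in PII_PARAMS:
                pii.add(key)
    links = [seg for seg in parts.path.split("/") if TOKEN_SEGMENT.match(seg)]
    return {"host": parts.hostname or "", "rotate": sorted(rotate),
            "pii": sorted(pii), "capability_links": links}


def triage(urls):
    """Return (url, report) pairs for URLs that need action, skipping clean ones."""
    out = []
    for url in urls:
        r = triage_url(url)
        if r["rotate"] or r["pii"] or r["capability_links"]:
            out.append((url, r))
    return out


# Constructed sample of the kind of URL records the extensions harvested.
SAMPLE_URLS = [
    "https://api.example.test/v1/reports?api_key=abc123DEF456&format=json",
    "https://results.example-clinic.test/labs?patient=Jane+Doe&rid=5521",
    "https://app.example.test/callback#access_token=tok_9f8e7d&expires_in=3600",
    "https://docs.example.test/share/d/5Gz8qP1xL2mN7vK0aB3cD4eF",
    "https://www.example.test/search?q=coupons",
]

if __name__ == "__main__":
    for url, r in triage(SAMPLE_URLS):
        print(url)
        if r["rotate"]:
            print("  rotate credential in:", ", ".join(r["rotate"]))
        if r["pii"]:
            print("  personal data in:", ", ".join(r["pii"]))
        if r["capability_links"]:
            print("  reissue capability link:", ", ".join(r["capability_links"]))
```

Run it over an export of proxy or gateway logs for the affected machines and you get the rotation list directly. The longer-term fix is on the server side: keep credentials in headers or the request body rather than the URL, and treat share and reset links as secrets with short lifetimes, since URLs end up in browser history, referrer headers and, as this case shows, whatever an extension chooses to exfiltrate.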

UPDATE: The original version of this story gave credit for this discovery where it wasn’t due so we have updated the article to reflect that.

4 Comments

And no one has been arrested for this? There is more than plenty of data, from what is listed, to construct a dossier on someone.


If this is not illegal, it should be. I’ll also wager that the extensions’ software agreement did not state they would copy everything you do in the browser and pass it around. If this data slurping was indeed illegal, then prison time should be the verdict for whoever was responsible.


Another issue some folks are railing about is the use of “unsafe-eval” and “unsafe-inline” in the manifest.json file. This is supposed to indicate a malicious extension or malware.

I have found “unsafe-eval” in an extension, but to do what it is supposed to be doing it needs elevated privileges. Is that not what this is for?
Extensions like the ones listed above do not seem to me to be the kind that need elevated privileges, so why would they have them except to monitor YOU/ME?
Extensions that enable secure browsing, on the other hand, may need elevated privileges to see if a key-logger is present, if screenshots are being taken, to prevent the browser’s files from allowing reading of sensitive information, to prevent specific banking malware from stealing login credentials, preventing loading of malicious files, blocking attempts to alter the browser’s process, etc.
All this requires some type of elevated privilege, so the extension may not in fact be malicious.

