DataSpii: ‘Catastrophic’ Browser Data Leak ‘Train Wreck’

It’s 11 p.m.—do you know where your browser histories are? If you’re not careful, sneaky extensions might be selling your private data to the highest bidder.

Nacho Analytics is being blamed for “deceptive … arrogant … negligent” actions that might violate GDPR and similar regulations. Those involved in stealing user data are described as “cancerous … bastards” who “lie.”


Don’t hold back, tell us how you really feel. In today’s SB Blogwatch, people do!

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Absoblume.

Nacho Father’s Spyware

What’s the craic? Geoffrey A. Fowler found your data. It’s for sale:

 Even more terrifying: It’s happening because of software you probably installed yourself. … As many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox. … The root of this privacy train wreck is browser extensions.

People install them assuming that any software offered in a store run by Chrome or Firefox has got to be legit. [But] some extensions have a side hustle in spying. … Think about everything you do in your browser [and] imagine those clicks beaming out of your computer to be harvested for marketers, data brokers or hackers.

From DrChrono, a medical records service, … the names of patients, doctors, and … medications. …
From Southwest, we saw the first and last names, as well as confirmation numbers, of people checking into flights. …
From OneDrive, Microsoft’s cloud storage service, we saw a hundred documents named “tax.” …
Employees from more than 50 major corporations were exposing what they were working on.

Researchers recently tested how many of the 180,000 available Chrome extensions leak privacy-sensitive data. They found 3,800 such extensions — and the 10 most popular alone have more than 60 million users.

So why aren’t Google and Mozilla stopping it? … The companies say they vet what’s in their stores … but clearly it’s insufficient.

And Dan Goodin digs in—“More on DataSpii”:

 We want to offer more detail for the technically curious reader. … Discovering which browser extensions were responsible for siphoning up this data was … so difficult in part because the browser extensions appeared to obscure exactly what they were doing.

Both Hover Zoom and SpeakIt!, for instance, waited more than three weeks after installation … to begin collection. Then, once collection started, it was carried out by code that was separate from the extensions themselves.

The extensions received a 156KB payload, with 150KB of this being stored not in the extension folder, but in the Chrome browser system profile. … This payload contained a minified JavaScript file that was responsible for collecting a user’s browsing data and sending it to a developer-controlled server [making] it substantially harder … to detect the data collection.

The data collection was hard to track for other reasons. Four of the extensions uploaded visited URLs and page titles in batches ranging from 10 to 50, and the batch size changed regularly over the seven-month span.

Within about an hour of each visit … Nacho Analytics published each link. … Within three hours of being published on Nacho Analytics, a third-party … also visited each one of the URLs. … A division of Singaporean telecommunications company Singtel, Amobee is an advertising company.

Who discovered it? Sam Jadali calls DataSpii a “catastrophic data leak”:

 [It] occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI). … We identified the collection of sensitive data from the internal network environments of Fortune 500 companies.

Our investigation uncovered an online service selling the collected browsing activity data … in near real-time. … To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.

Chrome and Firefox extensions identified: … Hover Zoom … SpeakIt! … SuperZoom … Helper … FairShare Unlock … PanelMeasurement … Branded Surveys … Panel Community Surveys.

[This is] a catastrophic leak on an unprecedented scale. … We recommend that browser vendors review their extension policies, [and] that corporations enact stronger browser security policies.

Who can we blame? Cory Doctorow calls them “deceptive browser extensions”:

 Nacho Analytics sells browsing data from more than 4m users (they advertise “See Anyone’s Analytics Account”), a service it calls “God mode for the internet.” [It] is harvested by embedding Nacho’s spyware.

Nacho — and the browser extensions … claim that everyone involved opts in, provides full consent, and [that the data] is anonymized first. [But] all of these claims are highly dubious.

“Consent” is often obtained through click-throughs that accede to lengthy sets of terms, which include cryptic notices. … The supposed anonymization is even more problematic: … Many services unwisely embed personal information in their URLs, and still more rely on secret URLs [to keep] personal data private.

Nacho’s incorrect belief that they can automatically cleanse the browsing history of compromising and sensitive data is … both arrogance and negligence.

Ouch. And Jonathan Zittrain—@zittrain—almost sounds impressed:

 The company’s web site today has a splash screen crafted in response. … It’s chef’s-kiss level denial and counter-charge. … Imagine hearing of a car model with bad steering, and the journalist and researcher who … confirm the problem are dismissed because they were “specifically seeking out flaws.”

This is a compelling account of data leakage through dodgy but popular browser extensions. … Thousands of extensions ask for and get … access from users who have no reason to know that … the URLs they click on will be shared for “marketing” purposes.

Long, un-guessable URLs are ways of referring to private Google Drive or OneDrive docs. They contain record locators and passenger names for airline flights. And those extensions read it all and pass it along.

Would those people agree to install a zoom-webpage-pictures extension if they knew that their entire … browsing history would be … sold? Have they meaningfully opted in? Of course not.

This system can’t be patched or retrofitted. Its success depends on the lie of informed consent.

Is this even legal? Matt Lonsdale suspects not:

 I suspect Nacho Analytics might learn a very expensive lesson about how GDPR-compliant their business really is.

But how can an extension execute arbitrary code? gorhill explains:

The manifest.json contained an entry which allows the extension to execute code not part of the package, in the context of the extension.

All extensions which ask for unsafe-eval should be removed from the Chrome store — they are essentially un-reviewable … as it can at any time download and execute code not part of the package. … The default script-src policy in extensions is self, no JavaScript code outside the package will be allowed.
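To make gorhill's point concrete from the defender's side, here is an added example (not code from the page, from gorhill, or from any extension named above) that audits an extension's manifest.json for a content_security_policy that loosens the default `script-src 'self'` with `'unsafe-eval'` or a remote host. It assumes the standard manifest shapes: Manifest V2 stores the policy as a string, Manifest V3 as an object whose `extension_pages` key holds the policy string. The function names and the two sample manifests are constructed for the example.

```javascript
// Added example: flag extension manifests whose CSP lets code outside the
// package run. Manifest V2: content_security_policy is a string whose default
// is "script-src 'self'; object-src 'self'". Manifest V3: an object with an
// "extension_pages" policy string. Sample manifests below are constructed.
const DEFAULT_SCRIPT_SRC = "'self'";

// Parse a CSP string into a map of directive name -> array of source tokens.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return the extension-pages policy string a manifest declares, or null when
// the manifest relies on the browser default (which is 'self' only).
function extensionPagesPolicy(manifest) {
  const csp = manifest.content_security_policy;
  if (csp == null) return null;
  if (typeof csp === 'string') return csp;                 // Manifest V2 shape
  if (typeof csp === 'object' && typeof csp.extension_pages === 'string') {
    return csp.extension_pages;                             // Manifest V3 shape
  }
  return null;
}

// Audit a parsed manifest and return human-readable findings (empty = clean).
function auditManifest(manifest) {
  const findings = [];
  const policy = extensionPagesPolicy(manifest);
  if (policy === null) return findings; // default policy: nothing outside the package runs
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is not declared explicitly.
  const scriptSrc = directives['script-src'] || directives['default-src'] || [DEFAULT_SCRIPT_SRC];
  for (const src of scriptSrc) {
    const token = src.toLowerCase();
    if (token === "'unsafe-eval'") {
      findings.push("script-src allows 'unsafe-eval': eval()/new Function() can run code fetched at runtime");
    } else if (token === "'unsafe-inline'") {
      findings.push("script-src allows 'unsafe-inline'");
    } else if (/^(https?:|wss?:|\*)/.test(token)) {
      findings.push(`script-src allows remote source ${src}: scripts outside the package can be loaded`);
    }
  }
  return findings;
}

// Convenience wrapper for raw manifest.json text.
function auditManifestJson(text) {
  return auditManifest(JSON.parse(text));
}

// Constructed sample manifests (hypothetical, not from any real extension).
const SAFE_MANIFEST = JSON.stringify({ manifest_version: 2, name: 'zoom-demo', version: '1.0' });
const LOOSE_MANIFEST = JSON.stringify({
  manifest_version: 2, name: 'zoom-demo', version: '1.0',
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.invalid; object-src 'self'",
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [SAFE_MANIFEST, LOOSE_MANIFEST]) {
    console.log(auditManifestJson(m));
  }
}
```

Run against an unpacked extension's manifest.json, the second sample yields two findings (the `'unsafe-eval'` token and the remote host) while the first, which relies on the default policy, yields none. A manifest that passes this check can still misbehave, so it is a screening step for an enterprise extension allowlist, not a substitute for reading the package.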

It’s not just about the behavior right now, as fastest963 explains:

 Even if they’re not doing it now, who’s to say they won’t sell their extension next year to the highest bidder who will. … The average consumer that is installing these extensions are not aware of the risks.

And Photon_plumber agrees:

 There’s a game of ever-evolving cat and mouse going on. The extensions may sit passively for long periods of time, or they receive random and fragmented puzzle-piece updates that make them go from innocuous to cancerous over a time period where most magnifying glass inspectors would declare them harmless.

It’s dirty for sure. And these bastards are coming up with new ways of masking their activities.

Another thing to worry about.

The bottom line? Shira Ovide has it:

 We should NOT allow the internet to remain a giant personal-information sucking nightmare. … There is no way that people who download a browser add-on to enlarge their photos are consenting in any real way to have their information sold to marketers [and] there is no way that people who take $10 from Amazon are truly consenting to having the company collect everything they do online, for any purpose.

Meanwhile, micah has this corny pun: [You’re fired—Ed.]

 “Nacho Analytics”
“Yeah, well, they’re not yours either.”

And Finally:


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Larry White (Pixabay)

Richi Jennings
