Security researchers have discovered eight Chrome and Firefox extensions that leak user data, including personally identifiable information (PII) and corporate information (CI).
Referred to as DataSpii (pronounced data-spy), the leak was detected within the internal network environments of several Fortune 500 companies and resulted in browsing activity being sent to a service that would sell it to subscription members in near real-time, according to the “Security with Sam” blog.
Personal and corporate data accessible via said online service includes personal interests, tax returns, GPS location, travel itineraries, gender, genealogy, usernames, passwords, credit card information, genetic profiles, company memos, employee tasks, API keys, proprietary source code, LAN environment data, firewall access codes, proprietary secrets, operational material, and zero-day vulnerabilities.
The eight extensions found to engage in said behavior had a combined user base in the millions. They do, however, state in their terms of service, privacy policies, or descriptions that they may collect user data, whether personally identifiable or not.
The offending extensions include Hover Zoom (800,000 Chrome users), SpeakIt! (1.4 million Chrome users), SuperZoom (329,000 Chrome and Firefox users), SaveFrom.net Helper (around 140,000 Firefox users), FairShare Unlock (1 million Chrome and Firefox users), PanelMeasurement (500,000 Chrome users), Branded Surveys (8 Chrome users), and Panel Community Surveys (1 Chrome user).
The SaveFrom.net Helper extension only engages in invasive data-collecting behavior when installed from the vendor’s website using Firefox on macOS or Ubuntu, but not when installed from the browser store. FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys explicitly inform the user that they collect browser activity data, Security with Sam explains.
The highly sensitive user information is collected from URLs, page titles, and referrers and is filtered by domain name before being offered for sale.
“In one instance, we observed the widespread exposure of corporate project data and employee tasks from thousands of companies that use a popular project management provider, atlassian.net,” Security with Sam notes.
During their investigation, the security researchers discovered that the collected metadata the online service was offering to customers included hostname, URL, page title, referrer, browser, browser version, city, state, country, Internet service provider (ISP), network domain, operating system (OS), OS version, date, and time.
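The fields listed above (URL, page title, referrer, plus the hostname the service filters on) are exactly the ones a defender should audit when deciding whether an extension with broad page-reading permissions is acceptable. The following is an added example, not code from the article or from the Security with Sam researchers: it runs a small classifier over a constructed set of per-visit records in that shape and reports which kinds of sensitive data (credentials in query strings, e-mail addresses, GPS coordinates, project-tracker items on an atlassian.net host) would have left the network if that record had been collected. Every URL, title and hostname in the sample is invented for illustration, and the category names and the `classify_hit`/`audit_by_domain` helpers are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of per-visit metadata in the shape the article describes
# (url, page title, referrer). All values are made up for this example.
SAMPLE_HITS = [
    {
        "url": "https://example-corp.atlassian.net/browse/PROJ-1234",
        "title": "[PROJ-1234] Rotate prod DB credentials before Friday - Jira",
        "referrer": "https://example-corp.atlassian.net/secure/Dashboard.jspa",
    },
    {
        "url": "https://api.example-corp.internal/v1/export"
               "?api_key=EXAMPLE_KEY_123&user=jdoe@example-corp.com",
        "title": "Export",
        "referrer": "",
    },
    {
        "url": "https://maps.example.com/?lat=40.7128&lon=-74.0060",
        "title": "My location",
        "referrer": "",
    },
    {
        "url": "https://news.example.org/article/42",
        "title": "Local weather",
        "referrer": "",
    },
]

# Query-parameter names that commonly carry secrets or session material.
SENSITIVE_PARAM = re.compile(r"(token|key|secret|password|passwd|session|auth|sid)", re.I)
# Loose e-mail matcher; good enough for triage, not for validation.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
GEO_PARAMS = {"lat", "lon", "lng", "latitude", "longitude"}
# Jira-style issue path on an atlassian.net tenant, e.g. /browse/PROJ-1234.
TRACKER_ITEM = re.compile(r"^/browse/[A-Z][A-Z0-9]+-\d+")


def classify_hit(hit):
    """Return a sorted list of sensitive-data categories present in one record.

    Only the three fields the article says were collected are inspected:
    URL, page title and referrer.
    """
    findings = set()
    parts = urlsplit(hit["url"])

    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAM.search(name):
            findings.add("credential-in-query")
        if name.lower() in GEO_PARAMS:
            findings.add("gps-location")
        if EMAIL.search(value):
            findings.add("email")

    # E-mail addresses also show up in paths, titles and referrers.
    for text in (parts.path, hit.get("title", ""), hit.get("referrer", "")):
        if EMAIL.search(text):
            findings.add("email")

    # Issue keys plus the page title expose task names, as the article notes
    # for atlassian.net tenants.
    if parts.hostname and parts.hostname.endswith(".atlassian.net") \
            and TRACKER_ITEM.match(parts.path):
        findings.add("project-tracker-item")

    return sorted(findings)


def audit_by_domain(hits):
    """Group findings by hostname, mirroring the per-domain filtering the
    article says the service applied before offering data for sale."""
    report = {}
    for hit in hits:
        host = urlsplit(hit["url"]).hostname or "<no-host>"
        report.setdefault(host, set()).update(classify_hit(hit))
    return {host: sorted(cats) for host, cats in report.items()}


if __name__ == "__main__":
    for host, cats in audit_by_domain(SAMPLE_HITS).items():
        print(f"{host}: {', '.join(cats) if cats else 'nothing flagged'}")
```

Running the audit against the constructed sample flags three of the four hosts; only the public news site surfaces nothing. In practice a team would feed this the URL history that an extension's permissions actually expose (for example from a proxy log or from the browser's own history export) to size the blast radius before approving the extension.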
The service claims that all data collected remains anonymized, but that is not always the case, the researchers explain. What’s more, when a data-collecting browser extension is used on a company computer, the employee who uses it “may not have the authority to consent on behalf of his or her employer,” Security with Sam explains.
The investigation did not establish a legal relation between the service and the data-collecting browser extensions, but it did reveal that much of the data collected by the extensions was made available to members of the service.
The researchers also note that they informed a browser vendor of the behavior of one of the extensions, which resulted in the extension being disabled for all users, but the data-collecting activity did not stop. DataSpii, they found, would circumvent even the most effective security measures, including authentication and encryption.
The data leak, Security with Sam says, impacted tech giants such as Apple, Facebook, Microsoft, and Amazon, and cybersecurity organizations such as Symantec, FireEye, Trend Micro, and Palo Alto Networks.
“Based on our research, billions of analytics hits were collected from impacted users and corporations. When impacted users use browser sync features (e.g., Google Chrome Sync), the extensions can instantly spread to all logged-in locations of a user, (e.g., home and work computers),” the researchers say.