
Browser Extensions Massively Collecting User Data

Security researchers have discovered eight Chrome and Firefox extensions that leak user data, including personally identifiable information (PII) and corporate information (CI). 

Referred to as DataSpii (pronounced data-spy), the leak was detected within the internal network environments of several Fortune 500 companies and resulted in browsing activity being sent to a service that would sell it to subscription members in near real-time, according to the “Security with Sam” blog. 

Personal and corporate data accessible via said online service includes personal interests, tax returns, GPS location, travel itineraries, gender, genealogy, usernames, passwords, credit card information, genetic profiles, company memos, employee tasks, API keys, proprietary source code, LAN environment data, firewall access codes, proprietary secrets, operational material, and zero-day vulnerabilities. 

The eight extensions found to engage in said behavior had millions of users in total. However, they state in their terms of service, privacy policies, or descriptions that they may collect user data, whether personally identifiable or not. 

The offending extensions include Hover Zoom (800,000 Chrome users), SpeakIt! (1.4 million Chrome users), SuperZoom (329,000 Chrome and Firefox users), Helper (around 140,000 Firefox users), FairShare Unlock (1 million Chrome and Firefox users), PanelMeasurement (500,000 Chrome users), Branded Surveys (8 Chrome users), and Panel Community Surveys (1 Chrome user).

The Helper extension only engages in invasive data collecting behavior when installed from the vendor’s website using Firefox on macOS or Ubuntu, but not when installed from the browser store. FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys explicitly inform the user they collect browser activity data, Security with Sam explains. 
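
An added example, not from the article or the researchers: a Python inventory of a Chrome profile's installed extensions that flags display names matching the list above. It assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; matching is by name only because the article gives no extension IDs, and Firefox profiles are not covered.

```python
import json
import sys
from pathlib import Path

# Names as listed in the article. It gives no extension IDs, so matching by
# name is an approximation (a store listing may use a longer name).
WATCHLIST = {n.lower() for n in (
    "Hover Zoom", "SpeakIt!", "SuperZoom", "Helper", "FairShare Unlock",
    "PanelMeasurement", "Branded Surveys", "Panel Community Surveys")}


def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name from _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        try:
            path = version_dir / "_locales" / manifest.get("default_locale", "en")
            messages = json.loads((path / "messages.json").read_text("utf-8-sig"))
            for key, entry in messages.items():  # message keys are case-insensitive
                if key.lower() == name[6:-2].lower():
                    return str(entry["message"])
        except (OSError, ValueError, TypeError, AttributeError, KeyError):
            pass  # keep the placeholder visible for manual review
    return name


def audit_profile(profile_dir):
    """Inventory <profile>/Extensions/<id>/<version>/manifest.json."""
    findings = []
    for mpath in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(mpath.read_text("utf-8-sig"))
            name = display_name(mpath.parent, manifest)
            perms = manifest.get("permissions", [])
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest
        findings.append({"id": mpath.parent.parent.name, "name": name,
                         "permissions": perms,
                         "flagged": name.strip().lower() in WATCHLIST})
    return findings


if __name__ == "__main__":
    for profile in sys.argv[1:]:  # e.g. the "Profile Path" shown on chrome://version
        for f in audit_profile(profile):
            print("FLAG" if f["flagged"] else "ok  ", f["id"], f["name"], f["permissions"])
```

Because browser sync can reinstall an extension on every signed-in machine, run the inventory against each profile on each host rather than once per user.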

The highly sensitive user information is collected from URLs, page titles, and referrers and is filtered by domain name before being offered for sale. 

“In one instance, we observed the widespread exposure of corporate project data and employee tasks from thousands of companies that use a popular project management provider,” Security with Sam notes. 

During their investigation, the security researchers discovered that the collected metadata the online service was offering to customers included hostname, URL, page title, referrer, browser, browser version, city, state, country, Internet service provider (ISP), network domain, operating system (OS), OS version, date, and time. 

The service claims that all data collected remains anonymised, but that is not always the case, the researchers explain. What’s more, when a data-collecting browser extension is used on a company computer, the employee that uses it “may not have the authority to consent on behalf of his or her employer,” Security with Sam explains. 

The investigation did not establish a legal relation between the service and the data-collecting browser extensions, but it did reveal that much of the data collected by the extensions was made available to members of the service. 

The researchers also note they informed a browser vendor of the behaviour of one of the extensions, which resulted in the extension being disabled for all users, but the data-collecting activity did not stop. DataSpii, they found, would circumvent the most effective security measures, including authentication or encryption.

The data leak, Security with Sam says, impacted tech giants such as Apple, Facebook, Microsoft, and Amazon, and cybersecurity organizations such as Symantec, FireEye, Trend Micro, and Palo Alto Networks. 

“Based on our research, billions of analytics hits were collected from impacted users and corporations. When impacted users use browser sync features (e.g., Google Chrome Sync), the extensions can instantly spread to all logged-in locations of a user, (e.g., home and work computers),” the researchers say. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
