Popular browser extensions in Google Chrome and Mozilla Firefox have been revealed to be selling highly sensitive data belonging to four million users as part of a "murky data economy".
The eight apps in question, some of which have more than a million users, warn users that they can "read and change all your data on the websites you visit" before installation, but offer no opt-in or opt-out policy governing the sale of that data to third parties.
One of the third parties singled out in the joint exposé named 'DataSpii', conducted by Security with Sam's Sam Jadali and the Washington Post, was Nacho Analytics, a company which claimed that all of its data belonged to users who had opted in to having it sold. No such evidence exists.
Nacho Analytics allows anyone who is willing to pay its $49 per month subscription fee to access all the information on its database simply by searching a URL.
The types of data that were easily accessible to the researcher during the investigation included people's tax documents stored in Microsoft OneDrive, usernames, passwords, GPS coordinates, flight confirmation numbers with full names and even patient names along with their medication information.
According to Jadali, it only took an hour for the data harvested by these extensions to appear on an online data-selling website, some of which could just be accessed with a one-month free trial.
In the case of the OneDrive file being leaked, the researcher offered an explanation as to how this came to be.
Take a person who has filled out their tax return and then shares it with their accountant using a public sharing link within OneDrive. If the accountant was running one of these leaky extensions, the link would be sent to the data-selling website along with the rest of their browsing activity. An attacker could then search the database for the sharing-link domain captured in the extension's POST request, such as 1drv.ms, narrow the results with a search term like 'tax', and gain access to the sensitive document.
The extent of the extensions' invasiveness was evidenced by a case in which one continued to share user data even after the vendor ceased the extension's functionality for all users.
"We continued to observe our browsing activity being sent via POST request to [data-selling website's] servers," said Jadali. "Ultimately, the data collection stopped when we removed the extension."
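The leak path described above, where an extension POSTs the URLs a user visits (public sharing links included) to a third-party collector, can be spotted from proxy or network logs. The following is an added detection example, not code from the investigation or from any of the extensions named; the sharing-link hosts, the destination allowlist and the log records are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts that serve public sharing links; 1drv.ms is the one the report cites.
SHARING_LINK_HOSTS = {"1drv.ms", "onedrive.live.com"}
# Destinations that may legitimately receive such URLs (assumed org allowlist).
ALLOWED_DESTINATIONS = {"onedrive.live.com", "login.microsoftonline.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_sharing_links(body):
    """Return every URL in a request body whose host is a sharing-link host."""
    found = []
    # Split form-encoded bodies on '&' so each parameter value is scanned alone.
    for url in URL_RE.findall(body.replace("&", " ")):
        host = urlparse(url).hostname or ""
        if host in SHARING_LINK_HOSTS:
            found.append(url)
    return found


def flag_exfil(records):
    """Flag POSTs to non-allowlisted hosts whose body carries a sharing link.

    Each record is a dict with 'method', 'url' (request target) and 'body'.
    """
    alerts = []
    for rec in records:
        if rec["method"] != "POST":
            continue
        dest = urlparse(rec["url"]).hostname or ""
        if dest in ALLOWED_DESTINATIONS:
            continue
        links = extract_sharing_links(rec["body"])
        if links:
            alerts.append({"dest": dest, "links": links})
    return alerts


# Constructed sample log records (not real traffic) covering the cases above.
SAMPLE = [
    {"method": "GET", "url": "https://1drv.ms/u/s!exampleshare", "body": ""},
    {"method": "POST", "url": "https://collector.example/ingest",
     "body": "ext=demo&visited=https://1drv.ms/u/s!exampleshare&t=1"},
    {"method": "POST", "url": "https://onedrive.live.com/api",
     "body": "url=https://1drv.ms/u/s!exampleshare"},
    {"method": "POST", "url": "https://collector.example/ingest",
     "body": "visited=https://news.example/story"},
]
```

Only the second record is flagged: a POST to a non-allowlisted collector whose body carries a OneDrive sharing link; the direct browser visit and the POST to OneDrive itself are not.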
In other notable discoveries, the researcher found 'top secret' files from many major Fortune 500 corporations whose employees had been unknowingly exposing their company's secret projects. Titles of memos, project reports and sensitive information, including firewall codes and how the company's LAN network is mapped, were readily available to any customer of the data-selling website.
While conducting research, Jadali consistently referred to the issue of publicly available links, a phenomenon that's been called into question by security professionals in the past.
"While security through obscurity is better than nothing, it's certainly not great protection," said Rob Sobers, software engineer, Varonis. "Couple that with the likelihood of user or admin misconfiguration through lack of understanding and poor user interfaces and, as we've seen with Box and Amazon, risk is high, so proceed with caution."
Jadali said emailing Quickbooks links to customers is an easy way to send and complete invoices, but if these links were picked up by a rogue extension, information such as the invoice recipient's name, address and account details would be viewable, as would the name and address of the person who sent the invoice.
The browser extensions involved in the research, including Hover Zoom, PanelMeasurement and SpeakIt!, have since been removed from browser extension stores, with the stores citing policy violations as the reason.
These eight apps aren't thought to be the end of the issue; other similar extensions exist and are evading detection by using methods such as delaying their data collection by a few weeks, as observed by Jadali.
"Though prudent, short-term fixes will not ultimately protect data from threats such as DataSpii," said Jadali. "True data security will require the sustained collaboration of web developers, cybersecurity professionals, marketers, and browser vendors. The implications of our investigation transcend any one extension, website, Fortune 500 company, browser, or OS."
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.