
Popular Chrome and Firefox extensions leak sensitive user information to third-party resellers

The researcher investigated after he found his customers' details freely available to attackers


Popular browser extensions in Google Chrome and Mozilla Firefox have been revealed to be selling highly sensitive data belonging to four million users as part of a "murky data economy".

The eight apps in question, some of which have more than a million users, warn users before installation that they can "read and change all your data on the websites you visit", but offer no opt-in or opt-out for having that data sold on to third parties.

One of the third parties singled out in the joint exposé, named 'DataSpii', by Sam Jadali of Security with Sam and the Washington Post was Nacho Analytics, a company which claimed that all the data belonged to users who had opted in to having it sold; no such evidence exists.

Nacho Analytics allows anyone who is willing to pay its $49 per month subscription fee to access all the information on its database simply by searching a URL.

The types of data that were easily accessible to the researcher during the investigation included people's tax documents stored in Microsoft OneDrive, usernames, passwords, GPS coordinates, flight confirmation numbers with full names and even patient names along with their medication information.

According to Jadali, it only took an hour for the data harvested by these extensions to appear on an online data-selling website, some of which could just be accessed with a one-month free trial.

In the case of the OneDrive file being leaked, the researcher offered an explanation as to how this came to be.

Take a person who has filled out their tax return and then shares it with their accountant using a public sharing link within OneDrive. If the accountant was running one of these leaky extensions, which would send the tax return to the data-selling website, an attacker could search the database for the extension's POST requests containing a domain such as 1drv.ms. The attacker could then narrow the results with a 'tax' search term and gain access to the sensitive document.

The extent of the extensions' invasiveness was evidenced by a case in which one continued to share user data even after the vendor ceased the extension's functionality for all users.

"We continued to observe our browsing activity being sent via POST request to [data-selling website's] servers," said Jadali. "Ultimately, the data collection stopped when we removed the extension."
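The two observations above, a public share link leaving the browser in an extension's POST request and a beacon that keeps firing, are what a proxy or EDR analyst would look for. The following is an added example, not code from the article or from the DataSpii report: it replays constructed proxy-log records and flags POST requests whose body carries a URL the browser visited earlier, sent to a host unrelated to the visited site. The record layout and all host names are assumptions.

```python
"""Flag browser-extension beacons that carry visited URLs to a third party."""
import re
from urllib.parse import urlparse

# Matches an http(s) URL embedded in a request body (JSON, form data, etc.).
URL_RE = re.compile(r'https?://[^\s"<>]+')


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the constructed sample."""
    return ".".join(host.lower().split(".")[-2:])


def find_leaks(records):
    """records: iterable of (ts, method, url, body) tuples in time order.

    Returns [(ts, beacon_host, leaked_url), ...] for each POST whose body
    contains a URL the user previously navigated to (a GET in the log) and
    whose destination is not the same registrable domain as that URL.
    """
    visited = set()
    leaks = []
    for ts, method, url, body in records:
        if method == "GET":
            visited.add(url)          # a page the user actually opened
            continue
        if method != "POST":
            continue
        dest = registrable(urlparse(url).hostname or "")
        for found in URL_RE.findall(body):
            src = registrable(urlparse(found).hostname or "")
            if found in visited and src != dest:
                leaks.append((ts, dest, found))
    return leaks


# Constructed sample (hypothetical hosts): a cloud-drive share link and an
# invoice link are visited, then an extension POSTs them to a broker host.
SAMPLE_LOG = [
    ("10:00:01", "GET",  "https://share.cloud-drive.example/s/TAX2018abc", ""),
    ("10:00:02", "POST", "https://share.cloud-drive.example/api/view",
     '{"url":"https://share.cloud-drive.example/s/TAX2018abc"}'),  # first party, ignored
    ("10:00:03", "POST", "https://collector.broker.example/ingest",
     '{"u":"https://share.cloud-drive.example/s/TAX2018abc","v":2}'),
    ("10:00:09", "GET",  "https://invoices.ledger.example/pay/INV-777", ""),
    ("10:00:10", "POST", "https://analytics.cdn.example/hit", '{"ev":"click"}'),
    ("10:00:11", "POST", "https://collector.broker.example/ingest",
     '{"u":"https://invoices.ledger.example/pay/INV-777","v":2}'),
]

if __name__ == "__main__":
    for ts, host, leaked in find_leaks(SAMPLE_LOG):
        print(f"{ts} visited URL sent to {host}: {leaked}")
```

A real deployment would feed this from decrypted proxy or browser telemetry and treat any host that repeatedly receives visited share links as a data broker candidate.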

In other notable discoveries, the researcher found 'top secret' files from many major Fortune 500 corporations whose employees had been unknowingly exposing their company's secret projects. Titles of memos, project reports and sensitive information, including firewall codes and how the company's LAN is mapped, were readily available to any customer of the data-selling website.

While conducting research, Jadali consistently referred to the issue of publicly available links, a phenomenon that's been called into question by security professionals in the past.

"While security through obscurity is better than nothing, it's certainly not great protection," said Rob Sobers, software engineer, Varonis. "Couple that with the likelihood of user or admin misconfiguration through lack of understanding and poor user interfaces and, as we've seen with Box and Amazon, risk is high, so proceed with caution."

Popular accounting software Quickbooks is one such program to make use of publicly available links and was referenced in the researcher's report.

Jadali said emailing Quickbooks links to customers is an easy way to send and complete invoices, but if these links were picked up by a rogue extension, information such as the invoice recipient's name, address and account details would be viewable, as would the name and address of the person who sent the invoice.

The browser extensions involved in the research, including Hover Zoom, PanelMeasurement and SpeakIt!, have since been removed from the browser extension stores, with policy violations cited as the reason.

These eight apps aren't thought to be the end of the issue; other similar extensions exist and are evading detection by using methods such as delaying their data collection by a few weeks, as observed by Jadali.

"Though prudent, short-term fixes will not ultimately protect data from threats such as DataSpii," said Jadali. "True data security will require the sustained collaboration of web developers, cybersecurity professionals, marketers, and browser vendors. The implications of our investigation transcend any one extension, website, Fortune 500 company, browser, or OS."
