Security researcher Sam Jadali, together with Washington Post columnist Geoffrey A. Fowler, uncovered a disastrous privacy situation, dubbed DataSpii, involving browser add-ons or plug-ins (extensions) that promise to make browsing better by finding coupons or remembering passwords.
Those extensions, offered in the stores run by Chrome and Firefox and therefore presumably legitimate, were also watching every click and then putting it all up for sale.
Jadali found that the extensions were leaking, in near real-time, personal, sensitive data on the websites we’re browsing, primarily on Chrome, but also on Firefox. The leaked data included the following types of personal and corporate data:
Personal data: personal interests, tax returns, GPS location, travel itineraries, gender, genealogy, usernames, passwords, credit card information, genetic profiles.
Corporate data: company memos, employee tasks, API keys, proprietary source code, LAN environment data, firewall access codes, proprietary secrets, operational material and zero-day vulnerabilities.
According to Ars Technica, it was about data from more than four million users. The extensions collected “the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited,” Ars reported.
They didn’t just steal web histories: some of these extensions peddled them, publishing the histories through a fee-based service called Nacho Analytics that uses the tag line “See Anyone’s Analytics Account.” The extensions identified include:
– Hover Zoom
– SaveFrom.net Helper
– FairShare Unlock
– Branded Surveys
– Panel Community Surveys
Fowler says that they found the following data for sale:
I’ve watched you check in for a flight and seen your doctor refilling a prescription.
I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant.
I found your data because it’s for sale online. Even more terrifying: It’s happening because of software you probably installed yourself.
Google removed the extensions from its Chrome Web Store a day after Jadali and the Post published their stories. It also remotely disabled those extensions on the millions of computers that had them installed. Mozilla removed and disabled its one DataSpii extension in February. A week later, Nacho Analytics announced a “data outage.”
According to Ars, Nacho Analytics’ founder and CEO, Mike Roberts, announced in an email that the site would no longer accept new customers or provide new data, but that existing customers would still be able to access any data they had previously bought. He also explained that the site had suffered a “permanent data outage” because a third-party supplier was no longer available.
How it works
Sam Jadali says that the URL data collected from websites is imported directly into customers’ Google Analytics accounts, and that it includes sensitive information such as the names of medical patients who received test results from a patient-care cloud platform used by medical services.
Ars offered some redacted screenshots showing data slurped from Tesla’s network, sent to Nacho Analytics and eventually imported into Google Analytics.
According to a Google spokesperson, the company suspended multiple Analytics properties owned by Nacho Analytics for violating Google’s terms of service and is investigating additional accounts that may be connected to or integrated with Nacho Analytics.
What to do?
Find out whether DataSpii is spying on your clicks by viewing your extensions:
in Chrome, enter this URL in your browser: chrome://extensions
in Firefox, enter this URL in your browser: about:addons
If you see any of the extensions listed above, remove them. Jadali noted that a remotely deactivated extension did not stop the data collection; you need to remove the extension to stop it.
Moreover, Jadali advises those who used the add-ons to change their passwords.
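As an added example (not part of the article or of Jadali’s report), the following Python script automates the Chrome part of the check above: it walks a Chrome profile’s Extensions directory (standard layout `<profile>/Extensions/<id>/<version>/manifest.json`, e.g. `~/.config/google-chrome/Default/Extensions` on Linux; the path you pass in is an assumption), resolves Chrome’s localized `__MSG_…__` names, and reports any install whose name matches the five extensions listed above, enabled or not, since remote deactivation alone did not stop the collection.

```python
import glob
import json
import os
import re

# Extension names the article lists as part of DataSpii (matched case-insensitively).
DATASPII_EXTENSIONS = {
    "hover zoom",
    "savefrom.net helper",
    "fairshare unlock",
    "branded surveys",
    "panel community surveys",
}

# Chrome's i18n placeholder for localized manifest fields, e.g. "__MSG_extName__".
_MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def _load_json(path):
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def resolve_name(manifest, messages=None):
    # Localized extensions keep the real name in _locales/<default_locale>/messages.json,
    # passed here already parsed (or None); unresolvable placeholders are returned as-is.
    name = manifest.get("name", "")
    match = _MSG_RE.match(name)
    if match and messages:
        name = messages.get(match.group(1), {}).get("message", name)
    return name


def is_flagged(name):
    return name.strip().lower() in DATASPII_EXTENSIONS


def scan_extensions_dir(extensions_dir):
    # Checks every <profile>/Extensions/<id>/<version>/manifest.json and returns
    # [(extension_id, name)] for installs on the list, enabled or not.
    flagged = []
    pattern = os.path.join(extensions_dir, "*", "*", "manifest.json")
    for manifest_path in sorted(glob.glob(pattern)):
        base = os.path.dirname(manifest_path)
        manifest = _load_json(manifest_path)
        locale = manifest.get("default_locale") or ""
        messages = _load_json(os.path.join(base, "_locales", locale, "messages.json"))
        name = resolve_name(manifest, messages)
        if is_flagged(name):
            flagged.append((os.path.basename(os.path.dirname(base)), name))
    return flagged
```

Matching on the display name is a screening aid only: a renamed fork of one of these extensions would not be caught, so treat a clean result as a first pass, not proof.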