Browser extensions help extend the functionality or stop annoying aspects of web browsers. However, several popular extensions for Mozilla Firefox and Google Chrome have reportedly been collecting and hoarding a lot of data from the users of these browsers. The extensions have not only been collecting data, but they also appear to be profiting from it. Incidentally, millions of users still actively download, install and activate browser extensions without knowing about the extra processes these extensions are running. Besides consuming bandwidth and threatening data integrity, the extensions could also be hindering productivity.
DataSpii Report Reveals How Some Popular Browser Extensions Collected Data While Avoiding Suspicion and Detection
The data collection and the attempts to profit from it are quite serious. However, what’s equally concerning is the methods deployed by the developers who designed and deployed these popular browser extensions for Google Chrome and Mozilla Firefox. The extensions had some clever programming to lie dormant in the initial days post-installation. This most likely fooled the users into assuming the extensions were safe and reliable.
The report chronicling the guilty browser extensions is dubbed ‘DataSpii’. The expansive report has been compiled by security researcher Sam Jadali. The DataSpii report mentions the culprits that managed to collect data of millions of Mozilla Firefox and Google Chrome web browser users. Moreover, the report also reveals how these seemingly innocent and productivity-boosting browser extensions managed to get away with data collecting for so long. The report also details the techniques deployed by the developers.
Browser extension vulnerabilities led to DataSpii and 4 million users' browser histories being exposed https://t.co/kXTFd4wTFV
— Camden Kelly Corp. (@CamdenKellyCorp) July 19, 2019
Jadali is the founder of the Internet hosting service Host Duplex. He noticed something wasn’t quite right when he found private forum links of clients published by analytics firm Nacho Analytics. Moreover, the platform also had information on internal link data of major corporations such as Apple, Tesla, or Symantec. Needless to mention, these are quite private links. In other words, no third-party vendor, website or online platform in general should hold them. After extensive analysis, the security researcher was convinced that some of the extensions that users had unwittingly downloaded and installed on their web browsers were collecting or leaking information.
Data Grabbing Browser Extensions Had Inbuilt Code To Obfuscate Their Secondary Purpose
The hunt for platforms or programs that collect data is in itself a difficult task. However, collecting evidence to zero in on browser extensions was even trickier. This is because the extensions followed a systematic process that was quite sequential and gradual. In other words, the extensions worked slowly and quietly to avoid detection and deletion. Additionally, the extensions communicated with their master servers in a very different and complex way.
After the browser extension was downloaded, it continued to perform its intended duties quite well. The extension continued to work for about three weeks to create an impression of trust and ensure the browser user would not delete the same. However, just after installation, the extensions contacted developer-designated servers and reported their installation time, installation version, current version, and unique extension ID. After about two weeks, the extensions received an automatic update, but they still didn’t collect any browsing history.
Unless a researcher takes pains to focus on minute changes in the system profile of the browser on the victim’s device, simply analyzing the browser, its installation folder, and the extensions folder will not reveal suspicious behavior, noted Jadali: “If people examine the extension itself, they’re not going to see that data collection instruction set. It’s in an entirely different place. We repeated this experiment six times, under numerous scenarios. Each time we obtained the same result. In the past, similar [delaying] tactics have been used to avoid data collection by other browser extensions.”
In addition to the above-mentioned techniques to avoid detection, the browser extensions used base64 encoding and data compression techniques. Together, the pieces of software neatly obfuscated the data being uploaded. This intensified the complexity of the data being sent, and hence made it even more difficult to ascertain if data was being collected and sent to remote servers discreetly. Essentially, the data was routinely morphed and masked. Some of the developers behind the extensions regularly tweaked the encoding and compression before collecting and uploading data.
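For an analyst reviewing outbound traffic from a browser profile, the layering described above can be undone mechanically. The following Python sketch is an added example, not code from the DataSpii report or from any of the extensions: it peels base64 and zlib/gzip layers in whatever order they were applied and lists any URLs in the result. The request bodies are constructed samples, and the choice of zlib/gzip framing is an assumption, since the article does not name the compression used.

```python
import base64
import binascii
import gzip
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s\"'<>\\]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}")

def try_base64(data: bytes):
    """Decode standard or URL-safe base64; return None if data is not base64."""
    text = b"".join(data.split()).rstrip(b"=").translate(bytes.maketrans(b"-_", b"+/"))
    if not B64_RE.fullmatch(text):
        return None
    try:
        return base64.b64decode(text + b"=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def try_inflate(data: bytes):
    """Inflate zlib- or gzip-framed data; return None on any other input."""
    d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # 32 = auto-detect the framing
    try:
        out = d.decompress(data)
    except zlib.error:
        return None
    return out if d.eof else None

def peel(body: bytes, max_depth: int = 8):
    """Strip encoding layers in whatever order they were applied."""
    layers = []
    for _ in range(max_depth):
        for name, step in (("inflate", try_inflate), ("base64", try_base64)):
            decoded = step(body)
            if decoded:
                layers.append(name)
                body = decoded
                break
        else:
            break  # no layer recognised: body is as clear as it gets
    return layers, body

def find_urls(body: bytes):
    """URLs visible once all layers are removed, e.g. reported browsing history."""
    return [u.decode("ascii", "replace") for u in URL_RE.findall(peel(body)[1])]

# Constructed sample request bodies (not captured DataSpii traffic).
INNER = b'{"id":"constructed","urls":["https://intranet.example.com/hr?id=42","https://mail.example.org/inbox"]}'
SAMPLE_BODY = base64.b64encode(zlib.compress(INNER))
NESTED_BODY = base64.urlsafe_b64encode(gzip.compress(SAMPLE_BODY))
```

Because the decoder tries each layer type at every step, a change in the order or number of layers between extension versions does not require changing the tool.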
Which Popular Browser Extensions Were Guilty Of Collecting And Possibly Selling User Data?
In all, the researcher discovered about eight offending browser extensions that were collecting data, sending them to remote servers, and possibly helping their developers make money. It is not immediately clear if there are more. However, it is interesting to note that the majority of the data collecting browser extensions were designed for Google Chrome. Only three of the eight offending extensions were meant to be installed on Mozilla Firefox.
Of the three browser extensions for Mozilla Firefox, two of the extensions collected data only if installed from third-party sites and not Mozilla AMO. As a precaution, users are strongly cautioned not to download browser extensions from untrusted websites. It is best to avoid all such add-ons from third-party platforms.
8 browser extensions are responsible for revealing the private information of 45 major companies and millions of individuals. https://t.co/2C9fuGqiFV
— Lifehacker (@lifehacker) July 19, 2019
A quick search for the data-stealing browser extensions reveals that all have been taken down. While there was only one on Mozilla AMO, the five extensions for Google Chrome are absent from the Chrome Web Store. Incidentally, this is not the first instance of browser extensions attempting to steal data. Google, as well as Mozilla, routinely catch and ban such extensions from their stores. However, experts argue that browser makers could make the security checks even more stringent, and add some internal analysis and processes for extensions downloaded from third-party websites.