Popular Browser Extensions For Google Chrome and Mozilla Firefox Collecting And Possibly Profiting From User Data?

Browser extensions help extend the functionality or stop annoying aspects of web browsers. However, several popular extensions for Mozilla Firefox and Google Chrome have reportedly been collecting and hoarding a lot of data from the users of these browsers. The extensions have not only been collecting data, but they also appear to be profiting from it. Meanwhile, millions of users still actively download, install and activate the browser extensions without knowing about the extra processes these extensions are running. Besides consuming bandwidth and threatening data integrity, the extensions could also be hindering productivity.

There are several popular browser extensions. Millions of Internet users eagerly search for and download them to add functionality. Extensions simplify browsing, eliminate clutter, block advertisements or annoying JavaScript applets, and make browsing more productive or visually appealing, among many other things. While the majority of browser extensions for popular web browsers are developed and maintained by dedicated developers, some are designed and deployed with ulterior motives. A recently published report included an analysis of a few browser extensions and their illicit behavior that jeopardizes users and their data. The report revealed that several popular browser extensions for Google Chrome and Mozilla Firefox used a sophisticated browser data collecting scheme.

DataSpii Report Reveals How Some Popular Browser Extensions Collected Data While Avoiding Suspicion and Detection

The data collection and the attempts to profit from it are quite serious. However, what’s equally concerning is the methods used by the developers who designed and deployed these popular browser extensions for Google Chrome and Mozilla Firefox. The extensions had some clever programming to lie dormant in the initial days after installation. This most likely fooled the users into assuming the extensions were safe and reliable.

The report chronicling the guilty browser extensions is dubbed ‘DataSpii’. The expansive report has been compiled by security researcher Sam Jadali. The DataSpii report names the culprits that managed to collect data of millions of Mozilla Firefox and Google Chrome web browser users. Moreover, the report also reveals how these seemingly innocent and productivity-boosting browser extensions managed to get away with data collecting for so long. The report also details the techniques deployed by the developers.

Jadali is the founder of the Internet hosting service Host Duplex. He noticed something wasn’t quite right when he found private forum links of clients published by analytics firm Nacho Analytics. Moreover, the platform also had information on internal link data of major corporations such as Apple, Tesla, or Symantec. Needless to mention, these are quite private links. In other words, no third-party vendor, website or online platform in general should have them. After extensive analysis, the security researcher was convinced that some of the extensions that users had unwittingly downloaded and installed in their web browsers were collecting or leaking the information.

Data Grabbing Browser Extensions Had Inbuilt Code To Obfuscate Their Secondary Purpose

The hunt for platforms or programs that collect data is in itself a difficult task. However, collecting evidence to zero in on browser extensions was even trickier. This is because the extensions followed a systematic process that was quite sequential and gradual. In other words, the extensions worked slowly and quietly to avoid detection and deletion. Additionally, the extensions communicated with their master servers in a very different and complex way.

After the browser extension was downloaded, it continued to perform its intended duties quite well. The extension continued to work for about three weeks to create an impression of trust and ensure the browser user would not delete it. However, just after installation, the extensions contacted developer-designated servers and reported their installation time, installation version, current version, and unique extension ID. After about two weeks, the extensions received an automatic update, but they still didn’t collect any browsing history.

After three weeks had passed and the extensions were still installed, they would receive a second automatic update after they reestablished contact with the designated servers and updated their status. However, this time around, they would download their first data packet or payload. This payload contained a minified JavaScript file. It was this script that collected the user’s browsing data and sent it to a developer-controlled server.

Interestingly, the payload was never downloaded or stored in the extension folder. Instead, it landed in the browser’s primary system profile folder. Because the payloads or JavaScript are stored in the system profile of the browser, the extensions make it substantially harder for investigators to catch the culprits sooner. The scripts also don’t update or even touch the actual extension that downloaded them. Hence everything looks normal on the surface.

Unless a researcher takes pains to focus on minute changes in the system profile of the browser on the victim’s device, simply analyzing the browser, its installation folder, and the extensions folder will not reveal the suspicious behavior, Jadali noted: “If people examine the extension itself, they’re not going to see that data collection instruction set. It’s in an entirely different place. We repeated this experiment six times, under numerous scenarios. Each time we obtained the same result. In the past, similar [delaying] tactics have been used to avoid data collection by other browser extensions.”

In addition to the above-mentioned techniques to avoid detection, the browser extensions used base64 encoding and data compression techniques. Together, the pieces of software neatly obfuscated the data being uploaded. This intensified the complexity of the data being sent, and hence made it even more difficult to ascertain if data was being collected and sent to remote servers discreetly. Essentially, the data was routinely morphed and masked. Some of the developers behind the extensions regularly tweaked the encoding and compression before collecting and uploading data.
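
For an analyst inspecting a captured upload body, the sketch below peels repeated base64 and zlib/gzip layers and lists any URLs left in the result. It is an added example, not code from the DataSpii report or from the extensions. The layer order, the JSON shape and the sample URLs in build_sample() are constructed assumptions, since the page does not name the compression scheme used.

```python
import base64, binascii, json, re, zlib

MAX_OUT = 1 << 20  # cap inflated size so a hostile body cannot exhaust memory
URL_RE = re.compile(rb"https?://[^\s\"'<>\\]+")
B64_RE = re.compile(rb"^[A-Za-z0-9+/_-]+={0,2}$")

def _try_base64(data):
    s = b"".join(data.split())  # ignore line wrapping inside the blob
    if len(s) < 16 or not B64_RE.match(s):
        return None
    s = s.replace(b"-", b"+").replace(b"_", b"/")  # URL-safe alphabet -> standard
    try:
        return base64.b64decode(s + b"=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def _try_inflate(data):
    d = zlib.decompressobj(47)  # 32 + 15: accept a zlib or a gzip header
    try:
        out = d.decompress(data, MAX_OUT)
    except zlib.error:
        return None
    return out if d.eof else None  # require a complete, checksummed stream

def peel(blob, max_layers=8):
    """Strip encoding layers (heuristically) until neither decoder applies."""
    layers, data = [], blob
    for _ in range(max_layers):
        kind, out = "base64", _try_base64(data)
        if out is None:
            kind, out = "zlib/gzip", _try_inflate(data)
        if out is None:
            break
        layers.append(kind)
        data = out
    return layers, data

def leaked_urls(blob):
    """Return (layers removed, URLs visible in the fully decoded body)."""
    layers, data = peel(blob)
    return layers, [u.decode("ascii", "replace") for u in URL_RE.findall(data)]

def build_sample():
    """Constructed request body: JSON -> base64 -> zlib -> URL-safe base64."""
    record = {"id": "constructed-0001", "urls": [
        "https://intranet.example.com/projects/roadmap?token=abc123",
        "https://mail.example.org/inbox/42"]}
    inner = base64.b64encode(json.dumps(record).encode())
    return base64.urlsafe_b64encode(zlib.compress(inner))
```

Calling leaked_urls(build_sample()) returns the three layers removed and the two constructed URLs. A body that changes its layer order between uploads is handled the same way, because each layer is detected rather than assumed.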

Which Popular Browser Extensions Were Guilty Of Collecting And Possibly Selling User Data?

In all, the researcher discovered about eight offending browser extensions that were collecting data, sending them to remote servers, and possibly helping their developers make money. It is not immediately clear if there are more. However, it is interesting to note that the majority of the data collecting browser extensions were designed for Google Chrome. Only three of the eight offending extensions were meant to be installed on Mozilla Firefox.

Of the three browser extensions for Mozilla Firefox, two of the extensions collected data only if installed from third-party sites and not Mozilla AMO. As a precaution, users are strongly cautioned not to download browser extensions from untrusted websites. It is best to avoid all such add-ons from third-party platforms.

A quick search for the data-stealing browser extensions reveals that all have been taken down. While there was only one on Mozilla AMO, the five extensions for Google Chrome are absent from the Chrome Web Store. Incidentally, this is not the first instance of browser extensions attempting to steal data. Google, as well as Mozilla, routinely catch and ban such extensions from their stores. However, experts argue that browser makers could make the security checks even more stringent, and add some internal analysis and processes for extensions downloaded from third-party websites.
