As Many as 4 Million People Use Browser Extensions that Are Putting Privacy at Risk

Another day, another privacy risk. It just seems inescapable lately. While people are freaking out over FaceApp possibly keeping their photos on its server, they’re using browser extensions to do things such as aid productivity, and that’s putting their privacy at risk as well.

A Washington Post columnist and an independent security researcher determined that as many as 4 million people have been giving up their personal and business data through their Google Chrome and Firefox extensions and didn’t even know it. Their data is up for sale.

Chrome and Firefox Extensions Data Leak

Journalist Geoffrey A. Fowler reported that, according to his research, as many as 4 million people unknowingly gave up their data through Chrome and Firefox. He indicated that even the newsroom at The Washington Post was caught up in losing its data.

To the credit of Google and Mozilla, the leaks were closed immediately once he and the researcher made them aware of them, but Fowler and the researcher fear “we probably identified only a fraction of the problem.”

He explains that some add-on and plug-in extensions sit in your browser and make a business of passing along your data, such as your surfing habits and personal information. Asking readers to imagine everything they do in their browser at work and home, he noted “it’s a digital proxy for your brain” and that all those “clicks beaming out of your computer” can be “harvested for marketers, data brokers, and hackers.”

Even Amazon asked its customers to install the Assistant extension this week. Yet, the fine print says that through this Amazon collects your browsing history and the details of the pages you view. And that’s just a legitimate extension. Imagine what happens with illegitimate ones.

The researcher who aided Fowler in his research is Sam Jadali, who runs a website-hosting business. Earlier this year he found some of his clients’ data being sold online and worked to find how that was happening.

One place that collected data was the Nacho Analytics website that refers to itself as a marketing intelligence service. For as little as $49 per month, it offers data on what is being clicked on nearly any website.

The website claims the data is from people who opt in to being tracked this way and that it redacts all personal information. Although it is tracking websites, that data sometimes contains other information that sites forget to protect.

Jadali found more than just websites in that data. He found usernames, passwords, and GPS coordinates, the information Nacho Analytics claimed they were wiping from the data. “I started realizing this was a leak on a catastrophic scale,” he said.

He found the names of patients, doctors, and medications from a medical records service. From airlines he found names, confirmation numbers, and passenger record numbers. From a cloud storage service, he found 100 documents named “tax.” There were top-secret projects mentioned in titles of memos and project reports and “information about internal corporate networks and firewall codes.”

Fowler asked Jadali if he could find data from inside The Washington Post. “Shortly after I asked, Jadali asked me if I had a colleague named Nick Mourtoupalas. Jadali could see him clicking on our internal websites. Mourtoupalas had just viewed a page about the summer interns.”

His colleague was surprised his browsing was being leaked and noted he’d never opted in. “What have I done wrong?” he asked. It turns out he’d installed 17 Chrome extensions.

One of those was a browser extension called Hover Zoom that says it’s a way to enlarge photos when you mouse over them. Mourtoupalas remembered learning of the extension on Reddit. At one point this year it had 800,000 users. When Hover Zoom is installed, a pop-up says it can “read and change your browsing history.” This is an indication of what they’re doing.
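
The install pop-up wording comes from the permissions an extension declares in its manifest.json, so those declarations can be reviewed before or after installing. The following is an added example, not code from the article or from any extension it names: a Node.js check that flags manifest entries giving an extension visibility into browsing. The list of flagged permissions is this example's own assumption, and both sample manifests are constructed.

```javascript
// Added example: flag manifest entries that let an extension observe browsing.
// The choice of which permissions to flag is this example's assumption.
const URL_VISIBILITY_APIS = new Map([
  ["history", "reads and edits stored browsing history"],
  ["tabs", "sees the URL and title of every open tab"],
  ["webNavigation", "receives the URL of every navigation"],
  ["webRequest", "observes the network requests the browser makes"],
]);
// Match patterns that cover every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  const scan = (entries, source) => {
    for (const entry of entries || []) {
      if (typeof entry !== "string") continue;
      if (URL_VISIBILITY_APIS.has(entry)) {
        findings.push({ source, entry, reason: URL_VISIBILITY_APIS.get(entry) });
      } else if (BROAD_HOSTS.has(entry)) {
        findings.push({ source, entry, reason: "host access to all sites" });
      }
    }
  };
  // Manifest V2 mixes API names and host patterns in "permissions";
  // Manifest V3 moves host patterns to "host_permissions".
  scan(manifest.permissions, "permissions");
  scan(manifest.optional_permissions, "optional_permissions");
  scan(manifest.host_permissions, "host_permissions");
  for (const script of manifest.content_scripts || []) {
    scan(script.matches, "content_scripts.matches");
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const imageZoomer = {
  manifest_version: 2,
  name: "Sample Image Zoomer",
  permissions: ["tabs", "history", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["zoom.js"] }],
};
const noteTaker = {
  manifest_version: 3,
  name: "Sample Note Taker",
  permissions: ["storage"],
  host_permissions: ["https://notes.example.com/*"],
};

for (const m of [imageZoomer, noteTaker]) console.log(m.name, auditManifest(m));
```

An extension whose stated purpose needs only one site, like the second sample, should produce no findings; a long list for a simple utility is the signal worth acting on.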

Fowler then offered himself up as a guinea pig. He installed an extension and watched as Jadali was able to access private iPhone and Facebook photos he’d opened in Chrome and also a OneDrive document he’d named “Geoff’s Private Document.” He only needed to find the document by searching on Nacho for “Geoff.”

After these discoveries, the two alerted Google and Mozilla, who both remotely deactivated extensions. There were more than 4 million users of the nine deactivated extensions. If you are one of those users, your extension is no longer working.

A few days after this, Nacho posted a notice that it had a “permanent” data outage and wouldn’t be able to take on new clients or provide their existing clients with new data.

Are Extensions Safe Now?

In one word, no. There are more extensions out there than just those nine that were shut down. North Carolina State University researchers tested how many of the available 180,000 Chrome extensions were leaking private data. They found more than 3,800 affected extensions, and the most popular 10 account for 60 million users. And that’s not even taking Firefox into consideration.

It’s unclear at this point what the answer to fixing this even is. It seems so widespread. And even if you shut it down now and delete all your extensions? There’s still all that other data out there about you that the data farmers already have. Your picture on the FaceApp server may be the least of your worries.

Do you use browser extensions? Does this news worry you? How do you think it can be prevented, other than deleting all extensions? Add your thoughts to the comments below.
