As Many as 4 Million People Use Browser Extensions that Are Putting Privacy at Risk

News Browser Extensions Privacy Featured

Another day, another privacy risk. It just seems inescapable lately. While people are freaking out over the FaceApp app possibly keeping their photos on their server, they’re using browser extensions to do things such as aid productivity, and that’s putting their privacy at risk as well.

A Washington Post columnist and an independent security researcher determined that as many as 4 million people have been giving up their personal and business data through their Google Chrome and Firefox extensions and didn’t even know it. Their data is up for sale.

Chrome and Firefox Extensions Data Leak

Journalist Geoffrey A. Fowler reported on his research that as many as 4 million people unknowingly gave up their data through Chrome and Firefox. He indicated even the newsroom at Washington Post was caught up in losing its data.

To the strength of Google and Mozilla, as soon as he and the researcher made them aware of the leaks, they were closed immediately, but Fowler and the researcher fear “we probably identified only a fraction of the problem.”

He explains that some add-on and plug-in extensions sit in your browser and pass your data, such as your surfing habits and personal information, into a business for them. Asking readers to imagine everything they do in their browser at work and home, he noted “it’s a digital proxy for your brain” and that all those “clicks beaming out of your computer” can be “harvested for marketers, data brokers, and hackers.”

Even Amazon asked its customers to install the Assistant extension this week. Yet, the fine print says that through this Amazon collects your browsing history and the details of the pages you view. And that’s just a legitimate extension. Imagine what happens with illegitimate ones.

News Browser Extensions Privacy Desktop

The researcher who aided Fowler in his research is Sam Jadali, who runs a website-hosting business. Earlier this year he found some of his clients’ data being sold online and worked to find how that was happening.

One place that collected data was the Nacho Analytics website that refers to itself as a marketing intelligence service. For as little as $49 per month, it offers data on what is being clicked on nearly any website.

The website claims the data is from people who opt in to being tracked this way and that it redacts all personal information. Although they are tracking websites, they sometimes contain other information that sites forget to protect.

Jadali found more than just websites in that data. He found usernames, passwords, and GPS coordinates, the information Nacho Analytics claimed they were wiping from the data. “I started realizing this was a leak on a catastrophic scale,” he said.

He found the names of patients, doctors, and medications from a medical records service. From airlines he found names, confirmation numbers, and passenger record numbers. From a cloud storage service, he found 100 documents named “tax.” There were top-secret projects mentioned in titles of memos and project reports and “information about internal corporate networks and firewall codes.”

Fowler asked Jadali if he could find data from inside The Washington Post. “Shortly after I asked, Jadali asked me if I had a colleague named Nick Mourtoupalas. Jadali could see him clicking on our internal websites. Mourtoupalas had just viewed a page about the summer interns.”

His colleague was surprised his browsing was being leaked and noted he’d never opted in. “What have I done wrong?” he asked. It turns out he’d installed 17 Chrome extensions.

News Browser Extensions Privacy Google

One of those was a browser extension called Hover Zoom that says it’s a way to enlarge photos when you mouse over them. Mourtoupalas remembered learning of the extension on Reddit. At one point this year it had 800,000 users. When Hover Zoom is installed, a pop-up says it can “read and change your browsing history.” This is an indication of what they’re doing.

Fowler then offered himself up as a guinea pig. He installed an extension and watched as Jadali was able to access private iPhone and Facebook photos he’d opened in Chrome and also a OneDrive document he’d named “Geoff’s Private Document.” He only needed to find the document by searching on Nacho for “Geoff.”

After these discoveries, the two alerted Google and Mozilla, who both remotely deactivated extensions. There were more than 4 million users of the deactivated nine extensions. If you are one of those users, your extension is no longer working.

A few days after this, Nacho posted a notice that it had a “permanent” data outage and wouldn’t be able to take on new clients or provide their existing clients with new data.

Are Extensions Safe Now?

In one word, no. There are more extensions out there than just those nine that were shut down. North Carolina State University researchers tested how many of the available 180,000 Chrome extensions were leaking private data. They found more than 3,800 affected extensions, and the most popular 10 account for 60 million users. And that’s not even taking Firefox into consideration.

It’s unclear at this point to even know what the answer is to fixing this. It seems so widespread. And even if you shut it down now and delete all your extensions? There’s still all that other data out there about you that the data farmers already have. Your picture on the FaceApp server may be the least of your worries.

Do you use browser extensions? Does this news worry you? How do you think it can be prevented, other than deleting all extensions? Add your thoughts to the comments below.

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.


  1. As you have said in another article, there is only one sure way to prevent data being harvested from your computer and that is to never connect that computer to the Internet.

    “Do you use browser extensions? ”
    I do but I always assume that each and every one is a potential data harvester. I try to make sure that there is as little personal information on my computer as possible. Any transactions that involve the transfer of personal data I try to do in person or by snail mail.

    “Does this news worry you?”
    Yes and no.
    Yes, it worries me where the trend is taking us. Pretty soon we will all effectively live in glass houses.
    No, it does not worry me because I have resigned myself to the inevitable. I consider anything I post on the ‘Net to be equivalent to placing it on the front page of newspaper with a nationwide circulation (NY Times, LA Times, Washington Post, etc)

    “How do you think it can be prevented, other than deleting all extensions?”
    It cannot be prevented unless there are MAJOR changes in the law. However, I do not foresee that happening because too many special interests have too much money invested in the status quo.
    Deleting extensions or even totally giving up the use of a computer is a futile gesture. Your personal data is already stored on dozens of servers.
    Actually, an ElectroMagnetic Pulse event that wipes out all the computer storage in the world would drastically slow down the data accumulation. Unfortunately it would also cause a major world-wide crises since we have become so dependent on computers.

  2. Sad isn’t it? That somewhere in mankind’s past, someone thought it would be a good idea to just collect information on people NON-STOP. I use a computer, I do use extensions, and as Dragonmouth has mentioned there’s not much you can do individually to stop the harvesting of your data. And I’ve heard it all…..from encrypted VPN’s (which really don’t do as much as one would think! doubt me?….well check this out!:

    I guess eventually I’ll just stop using the Internet (which I think would also be impossible since it seems they’re pushing for an always on / always connected kind of society) I guess just don’t visit questionable sites…and you should be fine. And understand….everyone thinks of porn when someone says something like that, well the gov’t doesn’t care what your sexual fetishes are,….(unless its like…child porn or something illegal!) but don’t dare visit sites that have anything to do with “terrorism”..bombs….or other certain “trigger” words…(at least by the government’s standards….like “Muslim”…”Jihad”…Iraq” etc) that’s a sure fire way to become a “Person Of Interest”.

    1. “someone thought it would be a good idea to just collect information ”
      Knowledge is Power.

      “it seems they’re pushing for an always on / always connected kind of society”
      As Pogo famously said “We have met the enemy and he is us.” It is not some amorphous “they”, it is we, the users, that crave to be connected 24/7/365. Have you seen the panic in people when the power goes out or their phone dies or the WiFi drops out? How many people have you seen that NEVER let go of their smartphones? I am surprised that someone (Apple? Google?) hasn’t yet come out with an implantable smartphone that is wired directly into the owner’s nervous system.

  3. Now THAT I would revile against!…..but thinking about it?….. I think that’s EXACTLY what will happen! And of course it will come “disguised” as either a health issue “want to be able to always know where your children are at all times? get the Bio-Watcher chip surgically implanted in your kids!….want to keep an eye on an elderly loved one? Bio-Watcher is the answer!”
    or else they’ll try to use it as a law-enforcement tool
    “It is now mandatory that all persons convicted of felonies, misdemeanors, or other crimes to be implanted so that the government and law agencies can find them at a moment’s notice should there be a crime and they are in the vicinity”. Either way….it does not bode well for the law abiding citizen!
    Eventually?….this whole “One World Currency”?….will mean dollars will be done away with….and the only way you’ll be able to pay bills….get paid at work….buy anything….will be through the chip!…..scary when you think about it…and I think this is why im not keen on the “smart home” thing…. I prefer “dumb-as-a-box-of-dirt” appliances…and “stupid” TV’s…LoL!!!

Comments are closed.