A massive data leak was recently discovered by cybersecurity researcher Sam Jidali, revealing private information for 45 major companies and millions of individuals.
Dubbed “DataSpii” by Jidali and his team, the leak was perpetrated by innocent-looking Chrome and Firefox browser extensions that collected and distributed users’ browsing data — URLs that revealed private information about both users and a long list of companies, including Apple, Walmart, Amazon, 23AndMe, SpaceX and Skype. (The full list is included in Jidali’s report.)
The eight extensions used to carry out the leak are:
- Branded Surveys (Chrome)
- FairShare Unlock (Chrome and Firefox)
- HoverZoom (Chrome)
- Panel Community Surveys (Chrome)
- PanelMeasurement (Chrome)
- SaveFrom.net Helper (Firefox)
- SpeakIt! (Chrome)
- SuperZoom (Chrome and Firefox)
Jidali reported the tracking activity to Chrome and Mozilla, who responded by remotely disabling the add-ons and removing them from their marketplaces. However, Jidali continued to monitor the activity of these now-disabled browser add-ons, only to find that they were still tracking user data even though their main functionality was disabled.
In other words, uninstall any of the extensions listed above if you’re using any of them. While some of these extensions had fewer than 10 users, at least two had over a million, and the rest had tens-to-hundreds of thousands of users.
Each of these extensions tracked data differently and used sneaky tactics — such as waiting until 24 days after installation to begin tracking — to obfuscate the data collection process. The collected data was then sold to any interested buyers, wrapping up a process that Jidali diagrams in his full report:
Jidali also alerted companies whose information was exposed, and they were able to corroborate Jidali’s findings. Leaked data included sensitive corporate information and compromising user data such as employee names, addresses, credit card information, passwords and PIN numbers; stored cloud files; and much more — even tax returns, genetic information and medical history in some cases.
In one example, here’s a list of publicly available iCloud Photos that were archived by the malicious extensions, all easily searchable via Google Analytics:
Consider the nuclear option to protect yourself against bad extensions
While impacted users have been alerted, it’s always wise to review your account activity and/or change info when a leak such as this occurs — even if your data wasn’t specifically compromised.
Going forward, there’s one piece of advice we recommend above all: Limit the number of extensions you use in your browser. Just because an extension shows up on an official marketplace doesn’t necessarily mean it’s safe.
While there are plenty of amazing and useful third-party browser extensions, there are also plenty that are looking to take advantage of you. We’re not saying use zero extensions, which would be the safest practice, but be mindful about those you do install in your browser.
Maybe you don’t need 30 extensions to do most of your work, and a barebones setup of five — from official companies you recognise — could get you through the day.