Everybody on the internet is out to get your data. Some Chrome and Firefox extensions have now been revealed to harvest your data without your consent. This changes how we treat freeware – if it’s free, you should know that you are are the product.
The Washington Post posted findings from researchers who investigated how Chrome and Firefox extensions that had up to 4 million installs. The top 10 extensions were downloaded by more than 60 million users.
What makes this data useful — saleable — is not separable from what makes it invasive. This is a peek into a pervasive but hidden ecosystem. A duck's feet madly paddling beneath the surface, while all most see is it serenely gliding across a pond. Read the marketing: pic.twitter.com/Hy00Zk0aYA
— Jonathan Zittrain (@zittrain) July 18, 2019
These extensions leaked sensitive data from names and passwords to Nacho Analytics who then sell it.
… Thousands of extensions ask for and get that access from users who have no reason to know that, say, the URLs they click on will be shared for "marketing" purposes, eventually finding their way to brokers like Nacho Analytics, who then sell the data to anyone who pays …
— Jonathan Zittrain (@zittrain) July 18, 2019
The marketing intelligence service argued that “this is how the internet works”
It's like a service that rummages through millions of people's curbside garbage — "They put it out there! They consented!" — digitizes all the tossed paperwork, and sells the contents. Is the problem that the people were "less secure" by not burning their receipts and bills?
— Jonathan Zittrain (@zittrain) July 18, 2019
Browser extensions can be fun to install and help you with productivity but when they start putting your privacy at risk, then it becomes a high priority to counter check all the extensions you have.
Nacho Analytics's cheery testimonials describe the value of such raw, granular data from "millions and millions of people all over the world." pic.twitter.com/7JzWwM3mVc
— Jonathan Zittrain (@zittrain) July 18, 2019
Some of these extensions masquerade as utility extensions with innocent-sounding names.
There is no way that people who take $10 from Amazon are truly consenting to having the company collect everything they do online, for any purpose Amazon wants.
(Also DO NOT do this, people.) pic.twitter.com/EHkqXsByUJ
— Shira Ovide (@ShiraOvide) July 18, 2019
The extensions are then able to lift login credentials, cookies, financial and medical data.
From DrChrono, a medical records service, we saw the names of patients, doctors, and even medications. From another service, called Kareo, we saw patient names.https://t.co/qHs3vWEC7C Shocking! What’s your data worth?
— Timicoin/TimiDNA (@timicoin) July 18, 2019
Here are some of them:
- SaveFrom.net: This extension helps users download files from Facebook, Vimeo and YouTube. It had 140,000 installs
- SuperZoom:
- HoverZoom: This extension downloaded by over 800,000 users helped them zoom in on photos and videos by hovering the mouse cursor
- SpeakIt!: This extension converted text for users to speech for any website and had over 1.4 million installs.
- FairShare Unlock: This extension let users view premium content for free and had over 1 million installs.
- PanelMeasurement: This extension looked for market research surveys and alerted users. It had been downloaded 500,000 times.
- Others include: Branded Surveys and Panel Community Surveys.
All these extensions have been deactivated by both Google and Mozilla.
Google is already working on improving the security and privacy for the users who install extensions from its browser which that takes the largest share of the market at 60% followed by Firefox.
Sam Jadali did an extensive report on these browser extensions which you can read here.
What do I do?
To protect yourself, delete all your browser extensions and reinstall the necessary ones and from trusted sources. Comb through the permissions you’re are granting these extensions and if they ask anything out of the blue such as asking for access to features that they don’t need, uninstall them on the spot.
Be on the lookout on the extensions(copy-paste this chrome://extensions/ to your address bar to view them)you’ve downloaded in case they drop the good boy hat and start snooping around.
Firefox also has a Recommended Extensions program that curates extensions it deems safe for users and you can find them here.
[…] following the recent revelation that there are extensions on the web store that have been stealing user data which gets sold without your consent. Google is setting new privacy standards for Chrome extensions […]