Be careful around shady browser extensions. They might be collecting and leaking your most private data.
Eight browser extensions for Chrome and Firefox were recently shut down after a security researcher uncovered how they were secretly sending users’ private data to a marketing intelligence firm.
The data collected is pretty disturbing. The extensions were able to read and copy shareable web links from users’ browser sessions, including reports to people’s DNA testing services, personal photos hosted on Apple iCloud, and tax documents shared over Microsoft OneDrive.
“This leak exposed personal identifiable information (PII) and corporate information (CI) on an unprecedented scale, impacting millions of individuals,” wrote security researcher Sam Jadali, who has been investigating the activities for months.
The data collection also occurred in almost real time. The web links were forwarded within an hour to a marketing intelligence firm called Nacho Analytics, which specializes in helping clients measure traffic to different websites, according to Ars Technica.
“Millions and millions of people all over the world have opted-in to anonymously share their web browsing history with us,” Nacho Analytics claims on its website, which says the service is completely legal.
Indeed, browser extensions often have privacy policies that do mention that “anonymized” data collection can occur. However, Jadali discovered Nacho Analytics and its partners were failing to screen out web links to private user information from their collection processes. Paid and trial members of Nacho Analytics could then theoretically search for this data on the company’s website by inputting the related domain names.
The eight browser extensions had at least 4.1 million users in total, including consumers and business employees. As a result, big companies such as Apple, Facebook, Microsoft, and Amazon had corporate data lifted as well.
In response to the findings, Google and Mozilla shut down the extensions. Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys were all involved, according to Jadali, who recommends affected users uninstall the extensions immediately to prevent the continued data collection.
However, Nacho Analytics denies any wrongdoing. The company claims none of its customers ever accessed the sensitive web link data it had been storing. “This was not a hack. No private information was disclosed. No customer information (names, credit card, email, etc.) was seen or accessed,” Nacho Analytics said in a notice on the company’s website.
“However, in an abundance of caution, we are halting all access to any potentially sensitive data,” the company added. “We are not accepting new sign-ups on Nacho Analytics.”
The incident underscores a weakness inherent in browser extensions: they often need the ability to read and write webpage data in order to work. However, this can expose the user to serious risk if an extension’s developer abuses those capabilities. It’s why Google is trying to make Chrome extensions safer to use. Later this year, the company is rolling out a change that will restrict extensions from intercepting and modifying sensitive data flowing through the Chrome browser.
Not everyone agrees with Google’s approach, though. The new restrictions also risk crippling legitimate extensions, such as ad blockers, according to developers.
To protect yourself, consider uninstalling extensions you no longer use. You can also check whether an extension provider has other software alternatives that don’t require access to all your webpage data.
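One concrete way to act on that advice is to look at what an extension actually asks for before trusting it. The following Python checker is an added example, not code from PCMag, from Jadali's research, or from any of the extensions named above. It reads an extension's manifest.json (the file every Chrome and Firefox extension ships with) and flags two things a defender cares about: host patterns that grant access to every site the user visits, and API permissions that expose browsing activity. The two manifests embedded below are constructed samples for illustration, not real extensions.

```python
import json

# Constructed sample manifest (not a real extension), modelled on the Chrome
# manifest v2 layout, where "permissions" mixes API permissions and host patterns.
BROAD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Zoom Helper (constructed sample)",
    "version": "1.0",
    "permissions": ["tabs", "webRequest", "storage", "<all_urls>"],
    "content_scripts": [
        {"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}
    ],
})

# Constructed sample manifest v3 extension scoped to a single site.
NARROW_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Single-Site Tool (constructed sample)",
    "version": "2.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
})

# Match patterns that give an extension access to every page the user opens.
ALL_SITES_PATTERNS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*", "ftp://*/*",
}

# API permissions that reveal browsing activity (tab URLs, history, request traffic).
ACTIVITY_PERMISSIONS = {
    "tabs", "history", "webRequest", "webRequestBlocking", "webNavigation", "cookies",
}


def is_host_pattern(entry):
    """Distinguish a host match pattern from a named API permission."""
    return entry == "<all_urls>" or "://" in entry


def review_manifest(manifest_text):
    """Summarise the page-access and activity exposure declared by a manifest."""
    manifest = json.loads(manifest_text)
    declared = list(manifest.get("permissions", []))

    # Collect every host pattern: v2 permissions, v3 host_permissions, and
    # content-script match lists, which also decide where page-reading code runs.
    hosts = [p for p in declared if is_host_pattern(p)]
    hosts += list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts += list(script.get("matches", []))

    api_perms = [p for p in declared if not is_host_pattern(p)]

    all_sites = sorted({h for h in hosts if h in ALL_SITES_PATTERNS})
    activity = sorted(set(api_perms) & ACTIVITY_PERMISSIONS)

    reads_all_pages = bool(all_sites)
    sees_activity = bool(activity)
    if reads_all_pages and sees_activity:
        risk = "high"      # can read page content everywhere and track navigation
    elif reads_all_pages or sees_activity:
        risk = "medium"
    else:
        risk = "low"

    return {
        "name": manifest.get("name", "(unnamed)"),
        "all_sites_access": all_sites,
        "activity_permissions": activity,
        "can_read_all_pages": reads_all_pages,
        "risk": risk,
    }


def describe(manifest_text):
    """Human-readable one-liner for a quick audit of installed extensions."""
    r = review_manifest(manifest_text)
    return (f"{r['name']}: risk={r['risk']}; all-site patterns={r['all_sites_access']}; "
            f"activity permissions={r['activity_permissions']}")


if __name__ == "__main__":
    for text in (BROAD_MANIFEST, NARROW_MANIFEST):
        print(describe(text))
```

On a real machine the manifests live inside the browser profile's extensions directory; pointing `review_manifest` at each manifest.json there gives a quick inventory of which installed extensions can read every page you visit, which is exactly the capability the leaking extensions in this story relied on.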
Jadali also told PCMag Nacho Analytics isn’t the only marketing intelligence firm using browser extensions to collect people’s data. “There are other companies selling similar data collected through similar means,” he said in an email.
Editor’s Note: This story has been updated with comment from Jadali.