DataSpii: 'Even the most responsible' Firefox & Chrome users at risk from browser extension data leak

News by Rene Millman

"Catastrophic" leak of personally identifiable information from eight extensions used by around four million Firefox and Chrome users. Even the largest cyber-security corporations proved vulnerable to DataSpii.

A security researcher has unearthed eight browser extensions used by around four million Firefox and Chrome users harvesting data.
According to a blog post by Sam Jidali, the extensions collected and distributed users’ browsing data, exposing private data about users and 45 companies, including Apple, Walmart, Amazon, 23AndMe, Zoom, Skype, Nest, and others. The add-ons leaked data from more than four million individuals to a fee-based service called "Nacho Analytics."
The extensions have been dubbed "DataSpii" by Jidali and his team. The browser extensions that stole users’ data are: HoverZoom (Chrome), SpeakIt! (Chrome), Branded Surveys (Chrome), FairShare Unlock (Chrome and Firefox), Panel Community Surveys (Chrome), PanelMeasurement (Chrome), SaveFrom.net Helper (Firefox), and SuperZoom (Chrome and Firefox).
The leaked data included medical records, tax returns, GPS locations, cloud services and data, file attachments, credit card information, genetic profiles, and online shopping history.
Jidali said the extensions also collected corporate data such as company memos, employee tasks, API keys, proprietary source code, LAN environment data, firewall access codes, proprietary secrets, operational material, and zero-day vulnerabilities.
The researcher reported this activity to Chrome and Mozilla, who responded by remotely disabling the add-ons and removing them from their app stores.
Jidali said his first recommendation was further research using novel methods to replicate, qualify, or extend the findings.
"Second, we recommend that browser vendors review their extension policies. Third, we recommend that corporations enact stronger browser security policies. Fourth, we recommend that web developers remove PII and CI from metadata such as URLs," he added.
"DataSpii arose from hazardous assumptions about data security. It circumvented some of the best technological safeguards (e.g., authentication and encryption) against data leaks. Even the most responsible individuals proved vulnerable to DataSpii; with vast budgets and myriad experts on hand, even the largest cyber-security corporations proved vulnerable to DataSpii. Our data is only as secure as those with whom we entrust it. It takes just one party to unwittingly leak another party’s data."
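The fourth recommendation above, stripping PII and credentials from URL metadata, can be checked mechanically before an extension ever sees the URL. The following Python is an added example, not code from the DataSpii report or from SC Media; the sensitive parameter names, the value patterns and the access-log lines are all assumptions constructed for the demonstration.

```python
"""Flag and redact PII/credential-like query parameters in URLs.
Added example; parameter names, regexes and log lines are constructed."""
from __future__ import annotations
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry PII or credentials (assumed list).
SENSITIVE_KEYS = {"token", "access_token", "api_key", "apikey", "session",
                  "sessionid", "email", "ssn", "password", "auth", "share"}
# Value shapes that look sensitive even under an innocuous key.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")  # long opaque token / share id


def find_sensitive_params(url: str) -> list[str]:
    """Return the names of query parameters carrying PII or secret-like values."""
    flagged = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS or EMAIL_RE.match(value) or TOKEN_RE.match(value):
            flagged.append(key)
    return flagged


def redact_url(url: str) -> str:
    """Replace flagged values with REDACTED so the URL can still be logged or analysed."""
    parts = urlsplit(url)
    flagged = set(find_sensitive_params(url))
    pairs = [(k, "REDACTED" if k in flagged else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines: list[str]) -> dict[str, list[str]]:
    """Map every URL found in the log lines to the parameters that were flagged."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            hits = find_sensitive_params(url)
            if hits:
                findings[url] = hits
    return findings


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    "GET https://intranet.example.test/docs?id=42&view=full 200",
    "GET https://files.example.test/share?token=abcdef0123456789abcdef0123456789 200",
    "GET https://crm.example.test/contact?email=jane.doe%40example.test 200",
]

if __name__ == "__main__":
    for url, hits in scan_log(SAMPLE_LOG).items():
        print(hits, "->", redact_url(url))
```

Only the second and third sample lines are flagged; the first carries no PII or secret-like value and is left untouched.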
Joseph Carson, chief security scientist & advisory CISO at Thycotic, told SC Media UK that when you enable a browser extension it is like inviting someone into your home, as you are sharing all details of your online activity.
"Treat browser extensions with caution and be suspicious about whether or not you need it. By simply saying yes to that unsuspecting browser extension, you could be sending everything you do on your device to the command and control server. This could be all of your personal data, including your webcam and microphone access or even full access to your entire device including data," he said.
Stuart Sharp, global director of solution engineering at OneLogin, told SC Media UK that using managed devices is really the only way to prevent individuals from deploying browser plug-ins and installing non-approved software.
"This is because you can control the rights an individual has associated with the browser and the OS. We are now seeing corporations enforcing certificate-based authentication so that Enterprise SaaS Applications can only be accessed via these managed devices," he said.
