by Martin Brinkmann on July 19, 2019 in Firefox, Google Chrome – Last Update: July 19, 2019 – 9 comments
Browser extensions may be very powerful; they may add features to web browsers, make browsing more productive, and do all sorts of things. While most browser extensions are safe to use, there have always been some that are not.
A recently published analysis on the behavior of several popular browser extensions for Google Chrome and Mozilla Firefox provides evidence that these extensions used a sophisticated browser data collecting scheme.
Dubbed DataSpii by the researcher Sam Jadali, it uncovers how eight browser extensions installed by millions of users managed to get away with the data collecting for so long and how they did it.
The extensions include Hover Zoom, an extension that was at the heart of a scandal in 2013 already, as well as SuperZoom, SaveFrom.net Helper, FairShare Unlock, and PanelMeasurement.
While some of the extensions started to collect data right away, others used an elaborate scheme instead. Extensions would not start to collect data right away and the researcher discovered that it took on average 24 days before the data collecting part was initialized for the first time.
The delay made detection much more complicated; users who installed the extension would not be pointed at it with a finger right away if they spotted something and researchers, including Google or Mozilla staff looking at the extensions, would not be able to find any code or traces of data collecting either after installation.
The researcher discovered that the extensions would download a JavaScript payload from Internet servers after that initial period that included the data collecting code. The developers of the extensions used various methods to obfuscate what they were doing, e.g. by using base64 encoding and data compression.
Jadali, who is the founder of the Internet hosting service Host Duplex, noticed that something was wrong when he found private forum links of clients published by analytics firm Nacho Analytics. He discovered that Nacho Analytics had information on internal link data of major corporations such as Apple, Tesla, or Symantec.
These private links should never have accessible by third-parties. After some investigation into the matter, he discovered that browser extensions were the most likely source of the leak.
Most of the extensions are available for Google Chrome only but three are also available for Firefox. The researcher found out that two of the Firefox extensions collected data only if installed from third-party sites and not Mozilla AMO.
A quick check of all eight extensions showed that they have all been removed from the Chrome Web Store; all return a 404 not found error.
You can check out Arstechnica’s article on DataSpii for additional information.
Closing Words
There is not really any protection against this kind of behavior short of not installing any extensions in the web browser. Even trusted extensions may turn rogue, e.g. when they are sold to another company, a fact that is not highlighted to the user by any of the browsers.
It is still a good idea to verify Chrome extensions before you install them, it would not have helped you discover the shady nature of some of the extensions mentioned in this article as they started the data collecting weeks after installation.
Malicious extensions are discovered every now and then either by accident or by security researchers. Mozilla banned 23 snooping extensions in 2018 and a wave of malware extensions in 2019; Google removed four malicious Chrome extensions after researchers reported them to the company, and had to remove others throughout the years.
Browser makers need to implement safeguards against this behavior as it is the only way to deal with the threat once and for all. Maybe add better logging to make things like downloaded payloads easier to detect.
Now You: How many extensions have you installed? Do you trust them all?