Browser Extensions Spying On You - Security Warning

January 20, 2014

Google Chrome Extensions: Data Tracking and Privacy Concerns

Recent reports have highlighted the sale of Google Chrome extensions compromised with adware. However, a more significant issue has come to light: many extensions are actively monitoring user activity and selling browsing data to third-party companies.

Here’s a concise summary of the situation:

  • Browser extensions for Chrome, Firefox, and potentially other browsers are recording every webpage visited. This data is then transmitted to external companies in exchange for payment.
  • Certain extensions are also injecting advertisements into visited webpages, a practice Google permits provided it’s “clearly disclosed”.
  • A vast number of users are unaware that their online activity is being tracked in this manner.

Defining the Issue: Is it Spyware?

The question arises whether this practice constitutes spyware. While a strict definition of spyware, as outlined by Wikipedia, involves unauthorized information gathering and transmission, the situation is nuanced. Not all data collection is inherently malicious.

However, when an extension developer deliberately conceals the fact that all visited pages are being recorded and sold, framing it as “anonymous usage statistics” buried within settings, a clear problem emerges. Users reasonably expect usage tracking to pertain only to the extension itself, not their entire browsing history.

This practice is further complicated by the use of the term “anonymous”. This suggests data is scrubbed of identifying information, but this isn’t necessarily the case. While an anonymous token may be used instead of a name or email, every webpage visited is still linked to that token for the duration of the extension’s installation.

Prolonged tracking of browsing history can ultimately reveal an individual’s identity.

Consider how often users access personal profiles on platforms like Facebook, Pinterest, or Google+. URLs often contain identifying information. Even without visiting such sites, determining a user’s identity remains possible.

Many individuals consider their browsing history to be private and believe access to it should be restricted to themselves. Using passwords and deleting browser history are common practices to protect this personal information. Online activity is inherently personal, and the list of visited pages should remain confidential.

Google’s Policies and Privacy

The Google Developer Program Policies for Chrome extensions explicitly prohibit the publication of personal information:

We don't allow unauthorized publishing of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, or any other information that is not publicly accessible.

Given this policy, how can browsing history not be considered personal information? It is certainly not publicly available!

The Pervasive Issue of Ad Injection by Browser Extensions

A significant concern arises from the widespread practice of browser extensions inserting advertisements into webpages. These extensions often inject ads indiscriminately, placing them in various locations on a page.

The disclosure requirement for these advertisements is minimal, typically limited to a small text identifier indicating the source. This subtlety often goes unnoticed by users, as most individuals do not actively scrutinize advertisements.

The Role of Cookies in Advertising

The presence of advertisements invariably leads to the deployment of cookies. It’s important to acknowledge that this website, like the vast majority of online platforms, relies on advertising revenue and utilizes cookies for this purpose.

While we do not consider cookies to be a major privacy threat, users concerned about them can readily manage their cookie settings within their browser.

Adware vs. Tracking: A Matter of Transparency

Interestingly, adware extensions may present a lesser problem than tracking extensions. The actions of adware are generally apparent to users, prompting potential feedback and requests for modification from the developer.

We advocate for Google and Mozilla to revise their policies to explicitly prohibit such intrusive behavior, though this remains outside of our direct control.

The Stealthy Nature of Tracking

Tracking, conversely, is often conducted covertly. Details regarding tracking activities are frequently obscured within the legal jargon of extension descriptions.

Consequently, users rarely review these lengthy descriptions to determine if an extension is engaged in data collection practices.

Here's a breakdown of the key concerns:

  • Ad Injection: Extensions adding unwanted ads to webpages.
  • Cookie Usage: Advertisements relying on cookies for tracking.
  • Lack of Transparency: Tracking activities hidden in extension descriptions.

Data Collection Practices Hidden Within Agreements

Many browser extensions are permitted to track user activity due to disclosures made within their description pages or settings menus. For example, the HoverZoom extension, utilized by over a million individuals, includes the following statement at the bottom of its description:

Hover Zoom collects anonymous usage statistics. This functionality can be deactivated within the options page without impacting core features. By maintaining this feature enabled, users consent to the collection, transfer, and utilization of anonymous usage data, potentially including transfer to third-party entities. 

The description fails to explicitly state that every webpage visited will be monitored and the corresponding URL transmitted to a third party in exchange for compensation. Instead, the extension emphasizes revenue generation through affiliate links, obscuring its data surveillance practices.

Furthermore, the extension injects advertisements across various webpages. The question then becomes whether users are more concerned with the presence of advertisements or the transmission of their complete browsing history to external parties.

This practice is enabled by a small, often overlooked checkbox within the extension’s options panel labeled "Enable anonymous usage statistics." It’s important to note that this option is pre-selected by default.

This specific extension has a documented history of questionable behavior. The developer was recently discovered collecting browsing data, including information submitted through forms. Previously, they were also found to have sold typed data to another organization. A privacy policy has since been implemented to provide more detailed explanations, but relying on a privacy policy to uncover surveillance is a significant concern.

In essence, a substantial user base – one million people – is currently subject to monitoring by this single extension. This represents just one instance among numerous extensions employing similar tactics.

Browser Extensions: Hidden Risks of Ownership Changes and Updates

It’s virtually impossible to determine when a browser extension has been altered to incorporate spyware. Many extensions require extensive permissions simply to function correctly.

This pre-existing broad access makes them vulnerable to becoming ad-injecting or data-collecting tools without your explicit consent. Users are often not notified when these updates occur.

Recent Trends in Extension Ownership

Over the past year, a significant number of browser extensions have been sold to new owners. Developers are receiving numerous offers from potentially malicious actors seeking to acquire their extensions.

These acquisitions often lead to the injection of unwanted advertisements or the implementation of user tracking mechanisms. Because these changes don’t necessitate requests for new permissions, they go unnoticed.

Protecting Yourself from Malicious Extensions

Going forward, a cautious approach to browser extensions is highly recommended. Consider avoiding their installation altogether, or exercise extreme diligence when selecting which ones to use.

Permissions are a key indicator of risk. If an extension requests access to all data on your computer, it’s best to cancel the installation and avoid potential security compromises.

Here are some preventative measures you can take:

  • Regularly review the extensions installed in your browser.
  • Be wary of extensions with vague or overly broad permission requests.
  • Research the developer before installing an extension.
  • Keep your browser and extensions updated to benefit from security patches.

Concealed Tracking Mechanisms with a Remote Activation Feature

Numerous browser extensions incorporate comprehensive tracking code within their structure, though this code remains presently inactive. These extensions periodically, approximately every seven days, connect to their servers to receive configuration updates.

Certain extensions are designed to transmit an expanded range of data, specifically quantifying the duration for which each tab is open and the time spent on individual websites.

Testing Reveals Data Transmission

Our investigation involved one such extension, Autocopy Original, where we simulated an enabled tracking state. This immediately triggered a substantial flow of data being sent back to the developers’ servers.

A total of 73 extensions exhibiting this characteristic were identified within the Chrome Web Store, with additional instances found in the Firefox add-ons repository.

Identifying the Extensions

These extensions can be readily recognized as they originate from either "wips.com" or affiliated "wips.com partners".

The Concern with Dormant Tracking

Why is attention focused on tracking code that is currently disabled? The issue lies in the lack of transparency; the extensions’ descriptions make no mention of the embedded tracking functionality.

This tracking capability is concealed within a checkbox setting on each extension, leading users to install them under the assumption of a reputable origin.

Potential for Future Activation

The activation of this tracking code is a matter of when, not if.

It is important to be aware of these practices and review the permissions requested by browser extensions before installation.

Uncovering Browser Extension Surveillance

Many internet users are unaware of the data collection occurring through browser extensions: they never see the requests sent to remote servers and have no way to recognize the activity. A significant portion of the millions using these extensions will see no visible effect, even though their personal information is being covertly collected. But how can individuals independently verify this?

The answer lies in utilizing a tool called Fiddler. This web debugging proxy captures and logs all requests, allowing for detailed examination of network traffic. By installing a potentially intrusive extension, such as Hover Zoom, users will observe multiple requests directed towards domains like t.searchelper.com and api28.webovernet.com with each page visited.

Decoding the Data

Inspection of the requests reveals base64-encoded text, curiously encoded twice. Upon successful decoding, the transmitted data becomes apparent. The extension is relaying the current and previous web pages visited, a unique user identifier, and additional information.

Alarmingly, this tracking persists even on secure, HTTPS-encrypted websites, such as online banking platforms.

s=1809&md=21&pid=mi8PjvHcZYtjxAJ&sess=23112540366128090&sub=chrome&q=https%3A//secure.bankofamerica.com/login/sign-in/signOnScreen.go%3Fmsg%3DInvalidOnlineIdException%26request_locale%3Den-us%26lpOlbResetErrorCounter%3D0&hreferer=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&prev=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&tmv=4001.1&tmf=1&sr=https%3A//secure.bankofamerica.com/login/sign-in/signOn.go
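
To check what a captured request of this kind discloses, the following sketch peels nested base64 layers off a captured value and lists the identifiers and URLs inside. It is an added example, not code from the article or from any extension. It assumes the captured value is a bare base64 string; the function names and sample values are constructed for illustration, and the field names are taken from the decoded request shown above.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Field names taken from the decoded request shown above.
URL_FIELDS = ("q", "prev", "hreferer", "sr")
ID_FIELDS = ("pid", "sess")


def peel_base64(blob, max_layers=4):
    """Strip nested base64 layers; return (plaintext, layers_removed)."""
    text, layers = blob.strip(), 0
    while layers < max_layers:
        try:
            padded = text + "=" * (-len(text) % 4)
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not base64 any more: this is the plaintext layer
        if not decoded or not decoded.isprintable():
            break
        text, layers = decoded, layers + 1
    return text, layers


def leaked_fields(blob):
    """Decode a captured request value and list what it discloses."""
    plain, layers = peel_base64(blob)
    params = {k: v[0] for k, v in parse_qs(plain).items()}
    urls = {k: params[k] for k in URL_FIELDS if k in params}
    return {
        "layers": layers,
        "ids": {k: params[k] for k in ID_FIELDS if k in params},
        "urls": urls,
        "https_leaked": any(u.startswith("https://") for u in urls.values()),
    }


# Constructed sample: same field layout as above, placeholder values only.
PLAIN = ("s=1&md=21&pid=EXAMPLEPID&sess=1234567890&sub=chrome"
         "&q=https%3A//bank.example/login%3Fmsg%3Derr"
         "&prev=https%3A//bank.example/entry")
SAMPLE_BODY = base64.b64encode(base64.b64encode(PLAIN.encode())).decode()

if __name__ == "__main__":
    print(leaked_fields(SAMPLE_BODY))
```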

The Tracking Destination

Investigating the destination of requests to api28.webovernet.com and similar domains reveals they redirect to the API of Similar Web. This company, among others, engages in data tracking and sells the collected information to businesses for competitive intelligence purposes.

Inspecting Extension Code

Users can examine extension code directly by navigating to chrome://extensions, enabling Developer mode, and inspecting the extension’s background script (e.g., html/background.html). This provides insight into the extension’s ongoing operations.

Within the inspected code, the files tr_advanced.js and tr_simple.js are particularly noteworthy. These files typically contain the tracking code, indicating potential surveillance. However, the absence of these files doesn't guarantee privacy, as extensions may employ diverse tracking methods.

The tracking URL can vary between extensions, reflecting the complexity of the underlying code and the individualized tracking implementations.
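
The same inspection can be scripted across every installed extension. This added example, which is not from the article or from any browser vendor, walks a Chrome Extensions folder, reads each manifest.json, and reports the tr_advanced.js and tr_simple.js file names mentioned above together with permissions that expose all browsing. The set of permissions treated as broad, the function names and the sample extension (including its id) are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

# File names this article points to as typically holding the tracking code.
TRACKER_FILES = {"tr_advanced.js", "tr_simple.js"}
# Assumed list: permissions and match patterns that expose every page visited.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "tabs", "history", "webNavigation"}


def audit_extension(version_dir):
    """Summarise one unpacked extension version directory."""
    manifest = json.loads((version_dir / "manifest.json").read_text("utf-8-sig"))
    requested = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    # Permission entries can be objects; only strings are comparable here.
    names = {p for p in requested if isinstance(p, str)}
    return {
        "name": manifest.get("name", "?"),
        "broad_access": sorted(names & BROAD),
        "tracker_files": sorted(
            p.name for p in version_dir.rglob("*.js") if p.name in TRACKER_FILES),
        "update_url": manifest.get("update_url"),
    }


def audit_profile(extensions_root):
    """Walk <root>/<extension id>/<version>/manifest.json for a profile."""
    return {m.parent.parent.name: audit_extension(m.parent)
            for m in sorted(Path(extensions_root).glob("*/*/manifest.json"))}


def build_sample(root):
    """Constructed sample tree: one extension with a hypothetical id."""
    ext = Path(root) / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.0_0"
    (ext / "js").mkdir(parents=True)
    (ext / "js" / "tr_simple.js").write_text("// constructed placeholder\n")
    (ext / "manifest.json").write_text(json.dumps({
        "name": "Sample Zoomer", "version": "1.0",
        "permissions": ["tabs", "<all_urls>", {"fileSystem": ["write"]}],
        "update_url": "https://clients2.google.com/service/update2/crx"}))
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(audit_profile(build_sample(tmp)), indent=2))
```

To audit a real profile, pass audit_profile the path of that profile's Extensions directory instead of the sample tree.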

Disabling Automatic Updates for a Browser Extension (Advanced Users)

For extensions you have vetted and determined to be safe, preventing automatic updates can safeguard against potential future issues like the inclusion of unwanted spyware. However, this process is quite involved and may not be suitable for all users.

Chrome Extension Update Prevention

If you wish to proceed, begin by accessing the Extensions panel within Chrome. Locate the specific extension and identify its unique ID.

Next, navigate to the following directory: %localappdata%\google\chrome\User Data\default\Extensions. Within this folder, find the directory corresponding to your chosen extension.

Inside the extension's folder, open the manifest.json file. Modify the update_url line.

Replace clients2.google.com with localhost. While this method hasn't been extensively tested, it is theorized to effectively block automatic updates.

Firefox Extension Update Prevention

The process for Firefox is considerably more straightforward. Access the Add-ons screen within the browser.

Click the menu icon, typically represented by three horizontal lines or dots.

Uncheck the option labeled "Update Add-ons automatically". This will disable automatic updates for all installed extensions.

This ensures that extensions will only be updated when you manually initiate the process, providing greater control over your browser environment.

Important Note: Disabling automatic updates means you will not receive critical security patches or bug fixes for your extensions unless you manually update them.

Current State of Browser Extensions

It has become increasingly apparent that numerous browser extensions are undergoing updates that incorporate tracking and spying functionalities, as well as ad injection. These extensions are often sold to questionable entities, or their developers are incentivized with financial gain.

After installation, it’s impossible to guarantee an extension won’t later include spyware. Evidence suggests a significant number of extensions are already engaging in these practices.

We have received requests for a comprehensive list of problematic extensions. However, our investigations have revealed so many instances of this behavior that creating a complete list independently is challenging.

Therefore, we will be compiling a list within the forum discussion linked to this article, encouraging community contributions to expand its scope.

Access the Complete List and Share Your Insights

The potential risks associated with browser extensions are substantial. Users should exercise caution and carefully evaluate the extensions they choose to install.

Ongoing monitoring and community collaboration are crucial to identifying and addressing these security concerns effectively.