Personal data of more than 4 million people has been leaked through Chrome and Firefox extensions and sold online



Cybersecurity researcher Sam Jadali reported on July 20, 2019 a security problem he calls DataSpii (a play on "data spy"), describing it as "a catastrophic data leak via browser extensions". According to Jadali, several Google Chrome and Mozilla Firefox extensions collect users' browsing history, including personal information embedded in the URLs they visit, and the collected data is then sold over the Internet.

DataSpii: A global catastrophic data leak via browser extensions
https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/


My browser, the spy: How extensions slurped up browsing histories from 4M users | Ars Technica
https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dish-private-data-from-apple-tesla-blue-origin-and-4m-people/


DataSpii is a large-scale data leak that took place through eight Chrome and Firefox extensions, and the personally identifiable information (PII) of millions of people is believed to have been exposed. What the extensions collected was not just browsing history in the narrow sense: because full URLs were captured, the data is said to have included GPS location data, credit card details, online shopping history, cloud services and the data stored in them, tax forms, genealogy and genetic-test records, Facebook photos, and vehicle identification numbers (VINs). This data ended up on the site of a web analytics company called Nacho Analytics, which offered it as a service named "See Anyone's Analytics Account".

The screenshot below is a list of Apple iCloud URLs found among the published data. iCloud lets a user generate a publicly accessible unique link through which anyone can view and download the shared photos. Opening such a link exposes not only the photos but, in some cases, the iCloud user's first and last name as well.



Companies, not just individuals, were affected by the leak: employee attendance records, the layout of private LANs, personal information held on cloud platforms, and surveillance camera footage also appeared in Nacho Analytics. For example, the screenshot below shows passengers' surnames and travel dates leaked as part of URLs for Southwest Airlines, United Airlines, and American Airlines. Southwest Airlines has already reworked its systems in response to the DataSpii leak.



URLs for objects in corporate Amazon S3 buckets were also exposed, as shown in the image below. The signing parameters in the query string and the temporary links that only the intended user should know were published openly, so anyone who copied the URL could fetch the object for as long as the link remained valid.
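The iCloud and S3 examples above have a common cause: an extension that reports the full URL of every tab sees the whole path, query string and fragment, so any secret carried in the URL travels with the history. The following added example (not code from the article or from Jadali's report) shows how to triage a leaked URL list: it flags AWS presigned-URL parameters (the documented SigV4 and SigV2 query keys), computes how long a presigned link stays usable, and flags share tokens carried in the fragment. The iCloud fragment layout and the sample URLs are assumptions constructed for the example, not data from the leak.

```javascript
// Added example, not from the original article or from the DataSpii report.
// Classify a URL exactly as an extension with the "tabs" or "webRequest"
// permission would see it (full path, query and fragment) and report which
// components hand a third party a usable credential.

const AWS_SIGV4_KEYS = ['X-Amz-Signature', 'X-Amz-Credential', 'X-Amz-Security-Token'];
const AWS_SIGV2_KEYS = ['AWSAccessKeyId', 'Signature'];
const GENERIC_TOKEN_KEYS = ['token', 'access_token', 'sig'];

// Parse an X-Amz-Date value such as 20190718T120000Z into a UTC Date.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s);
  if (!m) return null;
  const [, y, mo, d, h, mi, sec] = m.map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, sec));
}

// Expiry of an AWS presigned URL (SigV4: X-Amz-Date + X-Amz-Expires seconds;
// SigV2: Expires as unix seconds), or null if the URL is not presigned.
function presignedExpiry(url) {
  const q = url.searchParams;
  if (q.has('X-Amz-Date') && q.has('X-Amz-Expires')) {
    const start = parseAmzDate(q.get('X-Amz-Date'));
    const secs = Number(q.get('X-Amz-Expires'));
    return start && Number.isFinite(secs) ? new Date(start.getTime() + secs * 1000) : null;
  }
  if (q.has('Expires') && q.has('Signature')) {
    const t = Number(q.get('Expires'));
    return Number.isFinite(t) ? new Date(t * 1000) : null;
  }
  return null;
}

function classifyUrl(raw, now = new Date()) {
  const url = new URL(raw);
  const q = url.searchParams;
  const findings = [];
  const present = (keys) => keys.filter((k) => q.has(k));

  const v4 = present(AWS_SIGV4_KEYS);
  const v2 = present(AWS_SIGV2_KEYS);
  if (v4.length) findings.push(`aws-presigned-v4: ${v4.join(', ')}`);
  if (v2.length) findings.push(`aws-presigned-v2: ${v2.join(', ')}`);
  const expiry = presignedExpiry(url);
  if (expiry) {
    findings.push(expiry > now
      ? `still valid until ${expiry.toISOString()}`
      : `expired at ${expiry.toISOString()}`);
  }
  for (const k of GENERIC_TOKEN_KEYS) {
    if (q.has(k)) findings.push(`query-token: ${k}`);
  }
  // A share token in the fragment never reaches the server and is absent from
  // Referer headers and server logs, yet an extension reading tab URLs still
  // sees it. The icloud.com fragment layout here is an assumption.
  if (url.hostname.endsWith('icloud.com') && url.hash.length > 1) {
    findings.push('fragment-share-token');
  }
  return { host: url.hostname, findings, exposed: findings.length > 0, expiry };
}

// Constructed sample URLs of the kinds the article describes; all values are made up.
const SAMPLES = [
  'https://example-bucket.s3.amazonaws.com/reports/q2.pdf'
    + '?X-Amz-Algorithm=AWS4-HMAC-SHA256'
    + '&X-Amz-Credential=AKIAEXAMPLE%2F20190718%2Fus-east-1%2Fs3%2Faws4_request'
    + '&X-Amz-Date=20190718T120000Z&X-Amz-Expires=3600'
    + '&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef',
  'https://www.icloud.com/sharedalbum/#B0EXAMPLETOKEN',
  'https://www.example.com/search?q=browser+extensions',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(classifyUrl(s)));
}
```

The expiry check is the practical part: a leaked SigV4 link is dead after at most seven days (the AWS maximum for X-Amz-Expires), whereas an iCloud share link or a SigV2 link with a far-future Expires stays live until the owner revokes it, which is why the advice later in the article is to restrict shared links rather than just uninstall the extension.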



Jadali confirmed the leak experimentally: with the extensions installed he visited URLs on a domain he controlled and monitored its web traffic, and third parties subsequently accessed those URLs. He reported the problem to Google and Mozilla, which remotely disabled the offending extensions and removed them from distribution.

The extensions listed below are tied to DataSpii. Jadali advises that anyone who used them should not only uninstall them but also restrict access to any shareable links they have created and strip personal information from file metadata.

Extension                 Browser            Affected users
Hover Zoom                Chrome             more than 800,000
SpeakIt!                  Chrome             about 1.4 million
SuperZoom                 Chrome, Firefox    more than 329,000
SaveFrom.net Helper       Firefox            up to 140,000
FairShare Unlock          Chrome, Firefox    more than 1 million
PanelMeasurement          Chrome             more than 500,000
Branded Surveys           Chrome             8
Panel Community Surveys   Chrome             1



Nacho Analytics had advertised itself as offering "real-time web analytics for any website" and claimed to be "100% legally compliant", in full compliance with Google's Terms of Service and the EU General Data Protection Regulation (GDPR). It made a similar pitch in a promotional video on YouTube, but that video appears to have been deleted shortly after Ars Technica published its article on DataSpii.

in Software, Security, Posted by log1i_yk