Author Topic: My browser, the spy: How extensions slurped up browsing histories from 4M users  (Read 397 times)

0 Members and 1 Guest are viewing this topic.

Online PeteS in CA

  • Hero Member
  • ****
  • Posts: 816
My browser, the spy: How extensions slurped up browsing histories from 4M users

Quote
When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords—but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.)

According to the researcher who discovered and extensively documented the problem, this non-stop flow of sensitive data over the past seven months has resulted in the publication of links to:

* Home and business surveillance videos hosted on Nest and other security services

* Tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive, Intuit.com, and other online services

* Vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers
Patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services
...
The term DataSpii was coined by Sam Jadali, the researcher who discovered—or more accurately re-discovered—the browser extension privacy issue. Jadali intended for the DataSpii name to capture the unseen collection of both internal corporate data and personally identifiable information (PII). (Ars has more technical details about DataSpii here.)

As the founder of Internet hosting service Host Duplex, Jadali first looked into Nacho Analytics late last year after it published a series of links that listed one of his client domains. Jadali said he was concerned because those URLs led to private forum conversations—and only the senders and recipients of the links would have known of the URLs or would have the credentials needed to access the discussion. So how had they ended up on Nacho Analytics?
...
Still curious how Nacho Analytics was obtaining these URLs from his client’s domain, Jadali tracked down three people who had initial access to the published links. He correlated time stamps posted by Nacho Analytics with the time stamps in his own server logs, which were monitoring the client’s domain. That’s when Jadali got the first indication he was on to something; two of his three users told him they had viewed the leaked forum pages with a browser that used Hover Zoom.
...
He set up a fresh installation of Windows and Chrome, then used the Burp Suite security tool and the FoxyProxy Chrome extension to observe how Hover Zoom behaved. This time, though, he found no initial sign of data collection, so he remained patient. Then, he said, after more than three weeks of lying dormant, the extension uploaded its first batch of visited URLs. Within a couple of hours, he said, the visited links, which referenced domains controlled by Jadali, were published on Nacho Analytics. Soon after, each URL was visited by a third party that often went on to download the page contents.

Jadali eventually tested browser extensions for Firefox and also set up test machines running both macOS and the Ubuntu operating system. In the end, he said, the extensions that he found to have collected browsing histories that later appeared on Nacho Analytics include:

* Fairshare Unlock ...

* SpeakIt! ...

* Hover Zoom ...

* PanelMeasurement ...

* Super Zoom ...

* SaveFrom.net Helper ...

* Branded Surveys ...

* Panel Community Surveys ...

Sorry about the lo-o-o-ooong quote, but there's a lot to this, and the article is much longer. It's also well worth reading. At home I use an uncommon browser, Vivaldi, not wanting to use MS Edge or IE, Firefox (or its derivative, Waterfox which is also a Mozilla project), or Chrome. But at work I do have to use 2 of those common browsers and will look over their extensions to see if any of those listed above are installed.

Bill Cipher

  • Guest
Thanks for posting.  That’s pretty damning. 

No more extensions for me.

Offline jmyrlefuller

  • J. Myrle Fuller
  • Hero Member
  • ****
  • Posts: 16,594
    • Fullervision
Thanks for posting.  That’s pretty damning. 

No more extensions for me.
Very rarely is there ever a need for you to use a "browser extension," "helper," or "toolbar." They've been known spyware fronts for about 20 years now, back to the days of the ol' Bonzi Buddy.
The enemy of my enemy is not necessarily my friend. It may just be that I have two enemies.

Online Elderberry

  • News/Opinions Cat MOD
  • TBR Contributor
  • *****
  • Posts: 7,590
The only extensions I use are Antivirus, Ad Blockers, and NoScript extensions.
He who makes an attempt to enslave me, thereby puts himself into a state of war with me.

Offline Sanguine

  • TBR Moderator
  • *****
  • Posts: 34,685
Bookmark.
"I ask, sir, what is the militia? It is the whole people, except for a few public officials." – George Mason, Virginia Ratifying Convention, June 1788

“Do right and risk the consequences.”

– Sam Houston

Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
Sorry about the lo-o-o-ooong quote, but there's a lot to this, and the article is much longer. It's also well worth reading. At home I use an uncommon browser, Vivaldi, not wanting to use MS Edge or IE, Firefox (or its derivative, Waterfox which is also a Mozilla project), or Chrome. But at work I do have to use 2 of those common browsers and will look over their extensions to see if any of those listed above are installed.

This is nothing new, or remarkable.. Add-ons and BrowserHelperObjects (BHOs herein) have been vectors all the way along. In fact, when repairing an infected box, my software written for the purpose,  automatically removes all addons and BHOs as a matter of course, without even looking...

I am not against add-ons or BHOs - some can be very useful. But one must choose very, very carefully, with some support from browser and security communities. And another thing to bear in mind, the more add-ons and BHOs you install, the fatter and slower your browser is going to start, and run. So the idea is to use as few add-ons and BHOs as possible for good performance, balanced with value.

As an instance, two add-ons will always be found in my browsers - Script blocking, and ad blocking are done through add-ons. I use NoScript for script-blocking and AdBlockPlus for ad blocking myself, though Ublock and Ghostery, as instances, work just as well... But the point is, script and ad blocking are truly useful add-ons that everyone should understand and use competently.

Likewise, most anti-virus systems will use an add-on or BHO for their 'internet protection' schema. So it is hardly a surprise to find them to be serving an important function.

Furthermore, something you implied should be corrected @PeteS in CA ...
Your implication that using an uncommon browser will be a protection is somewhat in question, especially when recommending a browser that uses a chrome engine. By far and away, the biggest info gathering, privacy wrecking ball  ON THE PLANET is Google. To recommend a browser that uses Google's browser engine (parts of which are closed-source) is quite literally putting the fox in charge of the chickens. Vivaldi is an Opera fork, using the Chrome engine.

The only open source browser I am aware of is Mozilla, other than variants of Linux browsers...
Firefox code is open, for all to see, and I would trust it way, way further than I would ever trust Google anything. Especially since everything else (MS Edge, Google Chrome, Opera and their variants) is using the Chrome engine, or are fixin to (MS Edge).

It is certainly wise to know which add-ons you are using, and purposefully inspect them now and then, to be sure that others have not been installed without your knowledge, and certainly care should be taken in which add-ons you use, not only for safety's sake, but for performance reasons also. But by the same token, let's not throw the baby out with the bathwater.


Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
Very rarely is there ever a need for you to use a "browser extension," "helper," or "toolbar." They've been known spyware fronts for about 20 years now, back to the days of the ol' Bonzi Buddy.

You are right, but with too much emphasis. There are reasons to use them. Old folks often need an image zoom - text sizes can be adjusted, but pics do not likewise scale - so for someone with weak eyes, an image zoom utility can be a godsend.

There are good reasons to use add-ons, and there are many that are benign and useful. But they must be selected with much care.

Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
SOLUTIONS for the uninformed:

Anti-virus will normally detect malicious scripting when inspecting browser add-ons and BHOs, so you are probably safer from these vectors than the OP suggests.

But additionally:
There is somewhat of a rift between what is called 'virus' and what is called 'adware' which oddly enough goes all the way back to the rift between virus software and trojan hunting software... Back in the day, trojan hunters were better at ripping adware than their virus software counterparts. These privacy stealers, or spyware are descendant from the adware, which are in turn descendant from trojans, roughly speaking.

So, like in kind, adware protection software, such as Malwarebytes, Spybot Search and Destroy, SuperAntiSpyware, and others, often have an edge over antivirus based software in the methods they use, and offer a more aggressive means against adware, which includes a very aggressive routine against Browser vectors.

I have always maintained that a good antivirus should be backed up with a good anti-spyware (anti-adware) software. Now, that anti-spyware does not need to be running all the time, and on my boxen, they don't. I use Malwarebytes primarily, and it is set up to only run manually, with none of the bells and whistles otherwise engaged.

In part that is because any antivirus will do a fair job anyway, and you are only looking for a pinch-hitter... And in part, it is to keep my manual hands involved in this very important aspect of computing... And lastly in part, because the performance hit from running yet another background scanner would piss me off.

So I just make it a point to schedule a time for a nice cup of tea, supervising manual scans on all my hardware every couple weeks, and leave the realtime scanners off (other than antivirus which runs all the time).

In addition, I maintain an anti-virus/trojan cleanup engine, in the same manner. A cleanup engine is a hardened manual scanner that is used my people like me to clean up already-infected machines.
EmsiSoft's EEK Emergency kit lives in the root of my drive, and during that manual scan session, I always wake it up too, letting it update itself, and occasionally, like maybe every third or fourth time, I will let it scan too. Just like with doctors, a second opinion is always good, and just like with coats, layered protection is always the best choice.

EEK is descended from the magnificent A-Squared trojan hunter and that is still very much in its DNA. If you run into a problem that your AV can't fix, or if something detects and stops your AV from running, EEK is standing at the ready, and may very well fix the issue (it is one of the things I will use if you pay me to fix it for you).


In addition sommore, I will always recommend CCleaner which, while technically not any sort of anti-virus or anti-spyware, is really pretty important wrt spyware and tracking...

CCleaner is a one-stop, one-push, trash dumping machine. It not only dumps your trash can, but also a myriad of other caches in your machine. Almost all tracking still defaults to cookies when other methods falter, so cleaning out the cookie jar is every bit as important as ever. And additionally many viruses and spyware set themselves up in your machine's temp directory (a place to download temporary files to), which CCleaner also empties every time you run it... which can in fact delete nasties in the doing of it.

All of these recommendations can be free to use, can be totally non-invasive, and can sit by waiting until you call them up manually - And I would highly recommend they are used that way... All you need is the discipline to sit down and run them from time to time, which can be a very peaceful and pleasant experience (see hot tea above)...

They will take a bit of setting up on installation, and I would be happy to help, if there is enough call for it...



Online Elderberry

  • News/Opinions Cat MOD
  • TBR Contributor
  • *****
  • Posts: 7,590
That was very informative @roamer_1  . I'm going to look into EEK and CCleaner.
He who makes an attempt to enslave me, thereby puts himself into a state of war with me.

Online PeteS in CA

  • Hero Member
  • ****
  • Posts: 816
Looking into it some, Vivaldi does seem to be a hybrid of Opera and Chromium - Google's open-source browser that is the base for Chrome, which is not.

Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
That was very informative @roamer_1  . I'm going to look into EEK and CCleaner.

@Elderberry
Happy to help...

EEK== RTFM. Self Explanatory.

CCleaner== GET TE FREE ONE. It will try like crazy to rope you into paying, but pay attention,and get the free. Also ease through the install... IIRC it can have riders, so take care.

Options=>Smart Cleaning: Shut everything off.
Options=>Cookies: *NO* 'cookies to keep'.



Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
Looking into it some, Vivaldi does seem to be a hybrid of Opera and Chromium - Google's open-source browser that is the base for Chrome, which is not.

Chrome's engine, Chromium or Chrome, is not fully open source.

Offline InHeavenThereIsNoBeer

  • TBR Advisory Committee
  • ***
  • Posts: 3,783
You are right, but with too much emphasis. There are reasons to use them. Old folks often need an image zoom - text sizes can be adjusted, but pics do not likewise scale - so for someone with weak eyes, an image zoom utility can be a godsend.

There are good reasons to use add-ons, and there are many that are benign and useful. But they must be selected with much care.

But, if you don't want to install an add on, you can right click on the image, View Image, and then zoom in that tab using your favorite text zoom methods.  Firefox, of course.

I avoid any add on I can't live without.  I just don't trust em.  Heck, I barely trust me on a good day.
My avatar shows the national debt in stacks of $100 bills.  If you look very closely under the crane you can see the Statue of Liberty.

Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
But, if you don't want to install an add on, you can right click on the image, View Image, and then zoom in that tab using your favorite text zoom methods.  Firefox, of course.

I avoid any add on I can't live without.  I just don't trust em.  Heck, I barely trust me on a good day.

That's right - and healthy thinking...

Online PeteS in CA

  • Hero Member
  • ****
  • Posts: 816
I'm going to update Pale Moon on my computer. It's been a while, but there was something in my browsing habits that didn't work well. Maybe whatever it was has been taken care of . My imperfect understanding is that Pale Moon is based on a fork off a fork off Firefox. It's open source. I don't love Google or Mozilla, but Pale Moon seems a bit farther from Mozilla than Vivaldi is from Google.

BTW, my work computer doesn't have the extensions called out in the OP article.
« Last Edit: July 20, 2019, 12:30:01 AM by PeteS in CA »

Online Sighlass

  • Hero Member
  • ****
  • Posts: 2,278
  • I'm Christian, WODer, NeverTrumper. Offended Yet?
I'm going to update Pale Moon on my computer. It's been a while, but there was something in my browsing habits that didn't work well. Maybe whatever it was has been taken care of . My imperfect understanding is that Pale Moon is based on a fork off a fork off Firefox. It's open source. I don't love Google or Mozilla, but Pale Moon seems a bit farther from Mozilla than Vivaldi is from Google.

BTW, my work computer doesn't have the extensions called out in the OP article.

I ran Pale Moon for a long time until they stopped supporting my XP operating system. I liked it, most of my Firefox add-ons worked... and I still use a browser that operates on an old Firefox build...

My add-ons... I like Click&Clean (cookie deleter), DictionarySearch (lets you highlight a word and search for meaning online), Flashblock, Remove it Permanently (hide stuff you don't want to see), and Ublock Origin... Being my operating system is so old, sometimes I have to find the "legacy" version of the add-ons...


BTW... I agree with Roamer (he put out some very good information)...
« Last Edit: July 20, 2019, 12:56:37 AM by Sighlass »
Older men are to be temperate, dignified, self controlled, and sound in faith, love and perseverance. - Titus 2:2

Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
I'm going to update Pale Moon on my computer. It's been a while, but there was something in my browsing habits that didn't work well. Maybe whatever it was has been taken care of . My imperfect understanding is that Pale Moon is based on a fork off a fork off Firefox. It's open source. I don't love Google or Mozilla, but Pale Moon seems a bit farther from Mozilla than Vivaldi is from Google.

BTW, my work computer doesn't have the extensions called out in the OP article.

My only complaint with Mozilla is that they quit supporting java.
FF is still my primary browser, but it is unfortunately true that java is not exiting the building like everyone supposed would happen, and many websites I need to get at still use java.

For that reason, Chrome is now on all my PCs
I do use it otherwise, for the 'official' me... 'Messages for the Web', a droid interface for putting android texting onto your PC is used with Chrome (I know it works in FF), and my youtube login is in Chrome, for the convenience, while leaving FF without it - any embedded vids I play while on message boards and such in FF do not effect my normal browsing in Youtube...

It could very easy be the lack of java that was messing with you.
likewise, you should be aware that flash compatibility needs to be installed into any Mozilla based browser or you can see no Adobe Flash.

That being said, I am not a fan of forks. There is a value in updates that come regularly, and forks seldom are as timely. That is a big problem when relying upon forks.

Online Sighlass

  • Hero Member
  • ****
  • Posts: 2,278
  • I'm Christian, WODer, NeverTrumper. Offended Yet?

That being said, I am not a fan of forks. There is a value in updates that come regularly, and forks seldom are as timely. That is a big problem when relying upon forks.

PaleMoon is updated quite frequently.... very active branch and community... Two updates in July...

https://www.palemoon.org/releasenotes.shtml
« Last Edit: July 20, 2019, 01:18:25 AM by Sighlass »
Older men are to be temperate, dignified, self controlled, and sound in faith, love and perseverance. - Titus 2:2

Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
PaleMoon is updated quite frequently.... very active branch and community... Two updates in July...

https://www.palemoon.org/releasenotes.shtml

All well and good - but still relying on Mozilla... So why not stay at the wellspring?

Online Sighlass

  • Hero Member
  • ****
  • Posts: 2,278
  • I'm Christian, WODer, NeverTrumper. Offended Yet?
All well and good - but still relying on Mozilla... So why not stay at the wellspring?

I think they basically have little to do with Mozilla now days other than the early work of Gecko which was an fork of Mozilla... now they basically work off of Goanna which is open source...

So I don't think they really are much Mozilla anymore other than some style borrowed from them.

I just liked it cause it seemed to center on privacy and light weight back when I used it... Think the kids still use it. I switched to Pale Moon when Firefox was getting bloated (and fired their leader who dared donate to a pro-marriage group that didn't kiss the butt of the LGBT).... also at one time Firefox was putting in a google cookie I didn't care for that tracked you and you couldn't delete it.. (I made a thread about it here a couple years ago)...

Funny my weird little xp browser (MyPal) is based on Pale Moon...
« Last Edit: July 20, 2019, 02:05:06 AM by Sighlass »
Older men are to be temperate, dignified, self controlled, and sound in faith, love and perseverance. - Titus 2:2

Online roamer_1

  • Hero Member
  • ****
  • Posts: 17,310
I think they basically have little to do with Mozilla now days other than the early work of Gecko which was an fork of Mozilla... now they basically work off of Goanna which is open source...

So I don't think they really are much Mozilla anymore other than some style borrowed from them.

I just liked it cause it seemed to center on privacy and light weight back when I used it... Think the kids still use it. I switched to Pale Moon when Firefox was getting bloated (and fired their leader who dared donate to a pro-marriage group that didn't kiss the butt of the LGBT).... also at one time Firefox was putting in a google cookie I didn't care for that tracked you and you couldn't delete it.. (I made a thread about it here a couple years ago)...

Funny my weird little xp browser (MyPal) is based on Pale Moon...

It's been a while since I was on PaleMoon, but at the time, since FF add ons all worked in PM, and since Java and Flash Moz extensions worked in PM, it's pretty much the same dang thing. If that ain't so anymore, then more power to em...

In fact, if they support java, I will happily give them a second look...

Online Fishrrman

  • Hero Member
  • ****
  • Posts: 19,369
    • Fishrrman Speaks!
Chrome?
Why would anybody want to use google's browser? Use it, and they've got their hooks into you, big time.

I use Safari, mainly. I supplement it with adblocking and anti-tracking software (Ghostery). I use "Cookie" to kill all [but my whitelisted] cookies after each session.

If I want a higher level of "privacy/anonymity", I use the Epic privacy browser (which actually uses the Chrome engine, but with all of the google stuff stripped out).

I also keep around Firefox (rarely use it), iCab, Opera, and even the new Microsoft Edge browser.


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf