Browser extensions are more powerful, and more deceptive, than most of us assume. Besides adding features to the browser, an extension that has been granted the relevant permissions can read the URLs and titles of the pages we visit, our browsing history and the details of the sites we use.
A recent report published by Ars Technica describes how sophisticated browser extensions spy on our browsing data and sell it. In the leak dubbed DataSpii, Nacho Analytics sold the browsing data of more than 4 million Chrome and Firefox users. The company advertises “See Anyone’s Analytics Account” and calls itself “The God Mode of the Internet”.
The most problematic part is the anonymization. The company says it strips personal identifiers out of the harvested URLs, but many services keep private data private by relying on a secret, unguessable URL: whoever holds the link can open the resource. Stripping names and e-mail addresses does nothing about that, because the URL itself is the secret. Surprisingly, that stripping is the only way the company ensures that your information is safe in its hands.
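The following is an added example, not code from the article, from Ars Technica or from Nacho Analytics. It models the anonymization gap described above: a typical PII scrub (drop query parameters with personal-looking names, redact e-mail addresses) is applied to a constructed sample of harvested URLs, and a second pass then shows that the share links and access tokens that make those URLs secret survive the scrub untouched. The URLs, parameter names and helper names (`scrubPii`, `findSecretTokens`, `auditHarvested`) are all hypothetical; the "looks like a secret" rule (16+ characters, token charset, more than 3 bits of Shannon entropy per character) is a heuristic chosen for illustration, not something the article describes.

```javascript
// Added example: why "removing personal identifiers from URLs" does not protect
// services that rely on secret URLs. All URLs and names below are constructed.

// 1. A typical PII scrub, as a URL-harvesting extension or its downstream
//    buyer might apply it: drop personal-looking query parameters and redact
//    e-mail addresses anywhere in the URL.
const PII_PARAMS = new Set(["email", "user", "username", "name", "phone"]);
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function scrubPii(rawUrl) {
  const u = new URL(rawUrl);
  const kept = [];
  for (const [k, v] of u.searchParams) {
    if (PII_PARAMS.has(k.toLowerCase())) continue;
    kept.push(`${encodeURIComponent(k)}=${encodeURIComponent(v.replace(EMAIL_RE, "REDACTED"))}`);
  }
  u.search = kept.length ? `?${kept.join("&")}` : "";
  u.pathname = u.pathname.replace(EMAIL_RE, "REDACTED");
  return u.toString();
}

// 2. Secret-URL detection (heuristic). A long, high-entropy path segment or
//    query value is in practice a capability token: a share link, a
//    "view your record" link, a reset link. Anyone who sees it can open the
//    resource, so the scrub above leaves the actual secret in place.
function shannonBits(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

const TOKEN_CHARSET = /^[A-Za-z0-9_\-=%.]+$/;

function looksLikeSecret(s) {
  return s.length >= 16 && TOKEN_CHARSET.test(s) && shannonBits(s) > 3.0;
}

function findSecretTokens(rawUrl) {
  const u = new URL(rawUrl);
  const candidates = [
    ...u.pathname.split("/").filter(Boolean),
    ...u.searchParams.values(),
  ];
  return candidates.filter(looksLikeSecret);
}

// 3. Constructed sample of URLs as an extension holding the tabs/history
//    permission would see them. Each is scrubbed, then checked for secrets.
const HARVESTED = [
  "https://drive.example.com/share/3f9a7c2e1b8d4e6f9a0b1c2d3e4f5a6b?email=alice@example.com",
  "https://health.example.org/records/view?user=charlie&token=Q2hhcmxpZTpTZWNyZXQ",
  "https://www.example.com/docs/index.html?q=bob@example.com",
];

function auditHarvested(urls) {
  return urls.map((raw) => {
    const scrubbed = scrubPii(raw);
    return { raw, scrubbed, secrets: findSecretTokens(scrubbed) };
  });
}

for (const r of auditHarvested(HARVESTED)) {
  console.log(r.scrubbed, r.secrets.length ? `STILL LEAKS: ${r.secrets.join(", ")}` : "ok");
}
```

The first two URLs come out of the scrub with the e-mail address and the user name gone, yet the share hash and the access token remain, and both are flagged; the third URL, which carries no capability, is clean. The same `findSecretTokens` pass can be run over a site's own URL inventory to find the pages that a URL-harvesting extension would turn into a data leak, which is the practical check behind the point above.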
The research was done by Sam Jadali, who found that the harvested secret URLs could be used to reach people’s electronic medical records, internal corporate documents, legal files, tenders and trade secrets, as well as tax records on a number of well-known websites, where the link is meant to be handed only to the user concerned. The sites whose data was exposed include Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, AthenaHealth, Epic Systems, FireEye, Symantec, Palo Alto Networks, Trend Micro, Amazon, BuzzFeed, NBC Digital, AlienVault, Cardinal Health, T-Mobile, Reddit and Under Armour.
Web developers take most of the blame for the leak, since their sites rely on secret links, but it is the browsing-history permission that hands the data to the extensions, which request it under a benign-sounding pretext and then collect and sell what they see for substantial revenue.
Ars Technica’s thorough documentation opened our eyes to years of data collection carried out under the umbrella of “consent” to browsing-history collection in the extensions’ policies. And it is not only about Nacho Analytics: the extensions involved include Hover Zoom, which had already caused trouble for millions of users in 2013, SuperZoom, SaveFrom.net Helper, FairShare Unlock and PanelMeasurement.
In response to the findings, a Nacho Analytics spokesperson commented:
“Your report is personally disturbing to me–and [publishing sensitive data] is definitely not the purpose of Nacho Analytics. We work hard to remove personally identifiable information from URLs and page titles and exclude sites with serious security issues. When we learn of a new issue, we have a system to remove it immediately. We’ve stopped all new sign-ups for Nacho until we can get more information on this issue. If you give me a list of the sites that have these issues, we’ll immediately disable those sites and work on a permanent solution.”
(Nacho spokesperson)
He also pushed back on the idea that Nacho Analytics had ever been used by customers to harvest sensitive information. Jadali, he claimed, was the only one who had done so. (He also claimed that Jadali had violated Nacho Analytics’ terms of service in doing the research.)
“Jadali looked at hundreds of websites, only a tiny fraction of which any legitimate Nacho Analytics customer ever viewed,” the spokesperson said. “In fact, none of the sites with the issues you’ve made me aware of have been viewed by any legitimate Nacho Analytics customer.”
Malicious extensions are discovered every now and then, either by accident or by security researchers. Mozilla banned 23 snooping extensions in 2018 and a wave of malware extensions in 2019; Google removed four malicious Chrome extensions after researchers reported them to the company, and has had to remove others over the years.