We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users. Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe. We observed two extensions employing dilatory tactics — an effective maneuver for eluding detection — to collect the data. We identified the collection of sensitive data from the internal network environments of Fortune 500 companies. Several Fortune 500 companies provided an additional measure of confirmation through a process of responsible disclosure. By deploying a honeypot to monitor web traffic, we discovered near-immediate visits to URLs collected by the extensions. To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.
You got my attention but it's waaaay over my head.
The only part I understood was "Chrome users". I use Chrome, but other than that, what does it all mean in layman's terms? Will we be notified? How would we know, if at all?
I should have linked this DataSpii page as well; it sums it up, as opposed to the raw data presented in the first link.
Nice catch. The browser Firefox caught my attention. Now after a light review of the information I was swimming in a world beyond my knowledge! Is there a layman's terms version? The average user would likely be confused to say the least? May need a degree in Information Technology except ... it changes so fast that there may be a need for "continuing education" to be in front of all this? The additional post really takes it home and works! Appreciate the knowledge.
Thank you. I don't have any of those ext., just checked.
Scary. It's getting way too complicated trying to keep your info secret, especially with Google snooping into everything. And then selling it...
While I don't generally like adware/spam type of services having access to my PC, I do have a few ext., mainly flash. But hopefully that is genuine. lol
This is why I am very careful with browser extensions... I have been around way too long and know that these things go wrong all the time (anyone remember the IE toolbars?! I had to clean up so many computers laden with those nasty things) so I only use a select few - Capital One's Eno, Honey, and SteamDB.
Yuck! I continue to respect the mostly older people who still handle all personal and financial business through paper. I'm a cross breed, learned from and aged enough before the internet. But like most, convenience has mostly overtaken me although I "try" to be more conservative than my peers. Although I do it, I knew and know this online world would eventually catch up with us. Too vulnerable regardless of how safe they say it is. We may just not find out until 10 years later or we're a victim.
No shaming because I get it, just my thoughts (and showing my age)
I can't wait to find out, probably a couple years from now, what all these online banking/credit phone apps have been sharing. The data on a smartphone is the best of all, and there is no way they can resist.
And this, from a different report:
"Overall, they found 79 percent of apps, including [popular apps Medscape, Ada, and Drugs.com], shared at least some user data outside of the app itself...."
"...When looking at these third parties, the researchers also found that many marketed their ability to bundle together user data and share it with fourth-party companies even further removed from the health industry, such as credit reporting agencies."
Which is why I don't like using smartphones for a number of things. You basically agree to info sharing by accepting the terms when you activate said phone. The only thing "opting out" does, is to "limit" "some" info to "certain" 3rd parties.
Then to go and add those electronic wallets, or apps from your bank or CC issuer. There's a TON of data there that shouldn't be shared.