DataSpii: The catastrophic data leak via browser extensions

Moderator

Abstract

We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users. Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe. We observed two extensions employing dilatory tactics — an effective maneuver for eluding detection — to collect the data. We identified the collection of sensitive data from the internal network environments of Fortune 500 companies. Several Fortune 500 companies provided an additional measure of confirmation through a process of responsible disclosure. By deploying a honeypot to monitor web traffic, we discovered near-immediate visits to URLs collected by the extensions. To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.

 

https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/

"If there's a lack of money in your life, understand that feeling worried, envious, jealous, disappointed, discouraged, doubtful or fearful about money can never bring more money to you, because those feelings come from a lack of gratitude for the money you have."

"Reactions are powerful creators because they contain every element needed to manifest—they're a combination of thought, belief, and feeling in action. Positive reactions create more positive things, and negative reactions create more negative things. If you can respond to negative situations calmly and lightly, instead of with emotional turbulence, what happens next in your life will be so much better."

- Rhonda Byrne

Message 1 of 13
12 REPLIES
Valued Contributor

Re: DataSpii: The catastrophic data leak via browser extensions

You got my attention but it's waaaay over my head.

The only part I understood was "Chrome users". I use Chrome, but other than that, what does it all mean in layman's terms? Will we be notified? How would we know, if at all?

Starting Score: 579
Current Score: 744, 738, 711
Goal Score: 850 x 3



Rebuild Oct. 2018
"My Take Home Pay Don't Take Me Home"

Synovus Tloc 75k/Savor 5.5k/Venture-3.5kAU/DiscoCB 5.5k/DiscoChrome 2k/Sportsman's Guide Visa 3k-AU/GoodSam's Visa 5k/Lowe's Pro 2.5k & Lowe's Advantage 30k-AU/Home Depot 10k-AU/Spark 2k-AU/Staples 1k/ Amazon Net 55 7.9k
Message 2 of 13
Moderator

Re: DataSpii: The catastrophic data leak via browser extensions

I should have linked this DataSpii page as well; it sums it up, as opposed to the raw data presented in the first link.

 

https://dataspii.com/

Message 3 of 13
Moderator Emeritus

Re: DataSpii: The catastrophic data leak via browser extensions

Nice catch. The browser Firefox caught my attention. Now after a light review of the information I was swimming in a world beyond my knowledge! Is there a layman's terms version? The average user would likely be confused to say the least? May need a degree in Information Technology except ... it changes so fast that there may be a need for "continuing education" to be in front of all this? The additional post really takes it home and works! Appreciate the knowledge.

Starting Score: 000
Current Score: 850
Goal Score: 850


Message 4 of 13
Valued Contributor

Re: DataSpii: The catastrophic data leak via browser extensions

Thank you.  I don't have any of those ext., just checked.

Message 5 of 13
Valued Contributor

Re: DataSpii: The catastrophic data leak via browser extensions

Scary. It's getting way too complicated trying to keep your info secret, especially with Google snooping into everything. And then selling it...

While I don't generally like adware/spam type of services having access to my PC, I do have a few ext. mainly flash. But hopefully that is genuine. lol

Message 6 of 13
Senior Contributor

Re: DataSpii: The catastrophic data leak via browser extensions

This is why I am very careful with browser extensions... I have been around way too long and know that these things go wrong all the time (anyone remember the IE toolbars?! I had to clean up so many computers laden with those nasty things) so I only use a select few - Capital One's Eno, Honey, and SteamDB. 


Message 7 of 13
Frequent Contributor

Re: DataSpii: The catastrophic data leak via browser extensions

Yuck!  I continue to respect the mostly older people who still handle all personal and financial business through paper.  I'm a cross breed, learned from and aged enough before the internet.  But like most, convenience has mostly overtaken me although I "try" to be more conservative than my peers.  Although I do it, I knew and know this online world would eventually catch up with us.  Too vulnerable regardless of how safe they say it is.  We may just not find out until 10 years later or we're a victim.  

No shaming because I get it, just my thoughts (and showing my age).



FICO 8 as of 08/02/19
FICO 9 as of 08/02/19
AoOA - 23Y5M | AoYA - 1Y | AAoA - 12Y
1 30 day late on EX (12/2012)
Open: 8 CC | 1 RC | 1 PLOC | 1 MTG loan | 1 Auto loan
Closed: 1 MTG loan | 1 Auto loan | 2 RC
Message 8 of 13
Frequent Contributor

Re: DataSpii: The catastrophic data leak via browser extensions

I can't wait to find out, probably a couple years from now, what all these online banking/credit phone apps have been sharing. The data on a smartphone is the best of all, and there is no way they can resist.

 

Android apps are harvesting your data even after you tell them not to, says study

 

And this, from a different report:

"Overall, they found 79 percent of apps, including [popular apps Medscape, Ada, and Drugs.com], shared at least some user data outside of the app itself...."

"...When looking at these third parties, the researchers also found that many marketed their ability to bundle together user data and share it with fourth-party companies even further removed from the health industry, such as credit reporting agencies."

Watch out: Your private health app data may impact your credit report

27 FICO Scores + 3 VS3. MTG (Mortgage), AUT (Auto), and BKC (Bankcard) are scores 5,4, and 2 from the top.
Message 9 of 13
Valued Contributor

Re: DataSpii: The catastrophic data leak via browser extensions

Which is why I don't like using smartphones for a number of things. You basically agree to info sharing by accepting the terms when you activate said phone. The only thing "opting out" does, is to "limit" "some" info to "certain" 3rd parties. 

 

Then to go and add those electronic wallets, or apps from your bank or CC issuer. There's a TON of data there that shouldn't be shared.

Message 10 of 13