Chrome, Firefox Extensions With Up to 4 Million Installs Found Leaking Sensitive Personal Data

Highlights:

    • Usernames, passwords, GPS coordinates, and more are up for grabs from data brokers
    • Millions of people’s data got grabbed and sold

Google Chrome and Firefox users are likely to use extensions such as adblockers to help make their browsing more comfortable and protected. But these are not always safe, as an independent security researcher can testify: eight browser extensions used by around 4 million Firefox and Chrome users were found to be storing data.

This latest investigation into the dark life of data is not a fire drill. The independent security researcher found that as many as 4 million people have been leaking personal and corporate data through Firefox and Chrome. According to the report, a colleague in The Washington Post’s newsroom got caught up in it. When browser makers Google and Mozilla were told, they shut these leaks immediately, but probably only a fraction of the problem has been identified.

The “unprecedented data collection” impacts millions of people as well as many Fortune 500 corporations, according to Jadali. The report says the leak originally affected Chrome and Firefox users with one of the eight invasive extensions. However, other Chromium-based browsers like Opera that can run Chrome extensions are also affected.

In an interview, Nacho CEO Mike Roberts would not say where he sourced his data. But Jadali, he said, violated Nacho’s terms of service by looking at the personal data. “No actual Nacho Analytics customer was looking at this stuff. The only people that saw any private data was you guys,” Roberts said.

Many of the affected extensions were apps used by hundreds of thousands and, in some cases, millions of people, including HoverZoom, SpeakIt!, and FairShare Unlock. The full list is available in Jadali’s full report, which is very aptly titled DataSpii.

The report says around 50 businesses were also affected. Corporate data made accessible by DataSpii was extremely worrying. It included: real-time activity of employees, private LAN network structure, partial page content including hyperlinks embedded on a LAN website, API keys, proprietary source code, firewall access codes, and zero-day vulnerabilities.

If you are affected by these issues and still have the extensions installed, you might want to remove them yourself and change your password as a precaution. In addition, says Jadali: “If you access services through an API via a URL, you may recognize changing your API keys.”