Wednesday, November 25, 2015

How Browser Extensions Steal Logins & Browsing Habits; Conduct Corporate Espionage

Seemingly harmless browser extensions that generate emojis, enlarge thumbnails, help you debug Javascript errors and other common utilities routinely run secret background processes that collect and retransmit your login credentials, private URLs that grant access to sensitive files, corporate secrets, full PDFs and other personally identifying, potentially compromising data.

Many extensions conduct surveillance without any notification at all, but some do legal backflips to cover up their activities -- characterizing your installation of the extension as explicit permission to spy; pretending that URLs are by nature anonymous and so on. The data is aggregated and sold to unnamed third parties, reputedly for $0.04/user/month. Many of the spying extensions have more than a million users. One of the extensions identified as conducting secret spying advertises itself as a privacy-enhancing tool (!).

Detectify Labs have posted a technical explanation of how Chrome extensions conduct surveillance, and note near the end of their analysis that Firefox extensions are just as prone to spying. more