In a recent post, we went into a few ways to check up on your browser’s privacy settings to ensure a measure of security. Today we are looking deeper into the browser extension as a security risk for both businesses and individuals.
Recently, a site called Nacho Analytics was knocked offline because of what they called a “data-outage.” And the data they were displaying included the output of anyone’s Google Analytics account, with such things as web traffic, sales results, marketing data and more. All info we thought was private, but was unlocked by the browser extensions listed below and available to competitors or evil doers of any kind. Worse yet, the content of private pages visited by users of these browser extensions were also visible (including tax returns, doctor-patient communications, and links to Nest cameras).
These extensions were selling your data to Nacho Analytics who then turned around and sold the data to its subscribers.
Here’s is a partial list of extensions known to have security concerns:
- Fairshare Unlock, Chrome extension for accessing premium content for free. (Firefox version, available here, collects the same browsing data.)
- SpeakIt!, text-to-speech extension to Chrome.
- Hover Zoom, Chrome extension that enlarges images.
- PanelMeasurement, Chrome extension to find market research surveys
- Super Zoom, another image extension for Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-ons stores in February or March, after its data collection behavior was reported.
- SaveFrom.net Helper a Firefox extension that promises to make Internet downloading easier.
- Branded Surveys, offers the chance to receive cash and other prizes in return for completing online surveys.
- Panel Community Surveys, another app offering rewards for answering online surveys.
When a researcher reported findings on this issue to Google, they disabled the extensions and removed them from the Google store. But the toothpaste was already out of the tube. What could be gigabytes’ worth of browsing histories collected from millions of people have been distributed by this breach.
According to Ars Technica, when asked if the arrangement violates any of Google’s terms of service, a company representative wrote: “Passing data that personally identifies an individual, such as email addresses or mobile numbers, through Google Analytics is prohibited by our terms of service, and we take action on any account found doing so intentionally.” The representative also said that Google has suspended multiple Google Analytics properties owned by Nacho Analytics for violating Google terms of service. Google employees continue to investigate additional accounts that may be connected or integrated with Nacho Analytics.
What can you do?
The moral of this story is simply, read the fine print before you install that browser extension.