‘Some Chrome and Firefox extensions sell browsing behavior and other data’

Some extensions for Firefox and Chrome collect data about their users in the background. It would be things like browser history, OAuth tokens, cookies and request headers. The data would be sold to analytics services.

The findings are reported by Frans Rosén and Linus Särud of Sweden’s Detectify Labs. The extensions in question would use third-party scripts to collect the data and regularly send it to the analytics services. The extensions access the web pages that the user visits under the guise of their own functionality. Even extensions like Ghostery, which are intended to prevent tracking, don’t help these extensions because they target the web and not other extensions.

The authors cite multiple Chrome extensions that would make use of the tracking scripts. This includes extensions such as HoverZoom, SpeakIt and Free Smileys & Emoticons. These examples have between 750,000 and 1.1 million users. It would in any case be about twenty Chrome extensions. As an example of a Firefox extension that works with this, the company cites Ant Video Downloader, which has 409,000 users.

The Swedes say they have been able to verify with tests that the browsing behavior of individual users with the extensions in question can be found after two weeks at an undisclosed analytics service. Even links within private internal networks and PDF file names appeared in the service’s databases. Google Drive and Dropbox file sharing links are also sent with the extensions. When these files are accessible to everyone who has the link, the files are no longer private.

According to the researchers, in some cases the extensions would even have a tracking script SDK on board, which is able to download, save and run new Javascript code. This would be separate from the functionality of the extension itself and is only there to perform the tracking. By downloading the tracking code outside the Chrome Web Store and Firefox Add-ons website, the filters against these types of scripts from those two distribution points can also be bypassed.

In some cases, users can disable tracking within the options of the extensions, but it can also happen that an update for the extensions reverts this option back to its default setting. Detectify states that the administrators of the extensions in question get about 4 cents per install per month, which translates to 40,000 dollars per month for one million installs.

Some extensions mention the data collection in the descriptions on the Web Stores, while others do not. However, the aggressive data collection practices violate the Chrome Web Store’s Content Security Policy rules. A similar situation also occurred on iOS and Android in October. There, the Youmi advertising sdk would also contain tracking scripts. Then about 250 apps were removed from the App Store.