If You’re Using These Browser Extensions Uninstall Them ASAP, They’re Stealing Your Data

Not all browser extensions are used for good. It was recently discovered that several Chrome and Firefox browser extensions were stealing data from individual users and corporations. The data included everything from passwords to genetic information. 

hacker encryption

Sam Jadali of securitywithsam.com revealed that the following browser extensions were leaking data:

Chrome Extensions
  • Branded Surveys
  • HoverZoom
  • Panel Community Surveys
  • PanelMeasurement
  • SpeakIt!
Firefox Extensions
  • SaveFrom.net Helper
Chrome and Firefox Extensions
  • FairShare Unlock
  • SuperZoom
The extensions affected macOS, Windows, Chrome OS, and Ubuntu operating systems and Chromium-based browsers like Opera and Yandex. The collected data was sold to any interested buyer. The data included typical information like usernames and passwords and less typical information like tax returns, genetic information, and genealogy. Some of the extensions like FairShare Unlock and SpeakIt! have been installed by over one million users. It is also believed that the data leak has affected over 45 major companies such as Apple, Amazon, Walmart, Dell, and Uber.

The extensions were rather sneaky and employed a variety of tactics to avoid discovery. Some of the extensions would wait 24 hours after installation to begin siphoning data. The extensions also continued to share data with third parties even after they had been disabled and removed from their marketplaces.
dataspii data leak chart
Flow chart from Sam Jadali via securitywithsam.com

Shared links were the main key to the data leak. For example, many companies will use Zoom or Skype to host virtual meetings. The meeting organizer will send a unique invite link URL to other participants. The extensions allowed third-parties to eavesdrop on private company meetings. Other sites like 23andMe and iCloud also allow users to share information with links. The extensions were therefore able to collect and sell users’ ancestry, DNA, and other biomedical information, iCloud photos, and users’ iCloud account information.

It was also recently revealed that websites were able to track Chrome users who were using Incognito Mode. According to Google, their FileSystem API is disabled in when a user is in Incognito Mode. Websites are able to check for the availability of the FileSystem API and deliver a different experience to the user if the website receives an error message. Google promises that this kind of behavior will not be allowed in Chrome 76.

If you have been affected by this latest leak, you should disable and/or uninstall these extensions, review your account activity, and change your log-in information. Always read the fine print. Unfortunately users need to be wary of extensions that even pop up in reputable and official marketplaces.