Massive Data Breach: 287 Chrome Extensions Secretly Harvest Browsing Histories of 37.4 Million Users
In a significant privacy breach, 287 Chrome extensions have been discovered covertly collecting browsing histories from approximately 37.4 million users worldwide. This alarming revelation underscores the vulnerabilities inherent in browser extensions and the potential risks they pose to user privacy.
Discovery and Methodology
The breach was uncovered by a researcher operating under the alias qcontinuum1. Using an automated scanning system, the researcher ran Chrome extensions inside Docker containers behind a man-in-the-middle (MITM) proxy to monitor their outbound traffic. This approach made it possible to flag suspicious network activity, in particular outbound transmissions whose size correlated with the length of the URL just visited, a strong indicator that browsing history was being exfiltrated.
Obfuscation Techniques Employed
To evade detection, the malicious extensions implemented sophisticated obfuscation methods:
– ROT47 Encoding: Some extensions utilized ROT47, a simple substitution cipher, to encode the data before transmission.
– AES-256 Encryption with RSA Key Pairs: Others employed advanced encryption techniques, combining AES-256 encryption with RSA key pairs, to secure the exfiltrated data.
These methods highlight the lengths to which malicious actors will go to conceal their activities and bypass security measures.
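As an added illustration (not code from the research or this article), the following Python script applies the two detection ideas described above to constructed proxy events: it decodes candidate ROT47 payloads and looks for previously visited URLs inside them, and it correlates each outbound body size with the length of the last visited page. The extension behaviour, URLs and JSON layout are made up for the example.

```python
from statistics import mean

def rot47(text: str) -> str:
    # ROT47 rotates printable ASCII 33..126 by 47 places; applying it twice restores the input
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in text)

def leaked_urls(body: str, visited: list) -> list:
    """Return (encoding, url) for every previously visited URL that appears in an
    outbound body, checking both the raw body and its ROT47 decoding."""
    hits = []
    for encoding, view in (("plain", body), ("rot47", rot47(body))):
        hits += [(encoding, url) for url in visited if url in view]
    return hits

def pearson(xs, ys) -> float:
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return num / den if den else 0.0

def analyse(events, min_posts=4):
    """events: ordered ("visit", url) / ("post", body) tuples as a MITM proxy would log them.
    Returns content-match findings and the URL-length vs. body-size correlation."""
    visited, pairs, findings = [], [], []
    for kind, value in events:
        if kind == "visit":
            visited.append(value)
        else:
            findings += [f"{enc} copy of {url}" for enc, url in leaked_urls(value, visited)]
            if visited:  # pair each outbound post with the most recent page visit
                pairs.append((len(visited[-1]), len(value)))
    r = pearson(*zip(*pairs)) if len(pairs) >= min_posts else 0.0
    return findings, r

# Constructed sample: a hypothetical extension posts each visited URL ROT47-encoded inside JSON
VISITS = ["https://intranet.example/board/q3-forecast",
          "https://crm.example/customers/4711",
          "https://example.com/",
          "https://wiki.example/projects/codename-falcon/budget"]
EVENTS = []
for u in VISITS:
    EVENTS.append(("visit", u))
    EVENTS.append(("post", rot47('{"v":1,"u":"%s"}' % u)))

if __name__ == "__main__":
    found, r = analyse(EVENTS)
    print("\n".join(found), f"\nlength correlation r={r:.2f}")
```

A body that is encrypted rather than encoded defeats the content match, but the length correlation still fires because the payload size tracks the URL length.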
Notable Extensions Involved
Several popular extensions were identified among the offenders, including:
– Poper Blocker
– Stylish
– BlockSite
These extensions, often installed for legitimate purposes, were found to be secretly harvesting user data.
Data Brokers and Corporate Involvement
The investigation revealed that multiple data brokers were collecting user information through these extensions:
– Similarweb: A prominent web analytics company operating multiple extensions, including its official Website Traffic & SEO Checker, which boasts one million users.
– Big Star Labs: Believed to be affiliated with Similarweb, controlling extensions affecting 3.7 million users.
– Curly Doggo: Impacting 1.2 million users.
– Offidocs: Affecting 1.7 million users.
Even legitimate security tools like Avast Online Security, with six million installations, were flagged for data collection.
Privacy Implications
The unauthorized collection of browsing data poses severe risks beyond targeted advertising:
– Corporate Espionage: Employees installing seemingly innocent productivity extensions may inadvertently expose internal URLs, intranet addresses, and SaaS dashboard links, facilitating corporate espionage.
– Personal Identification: URLs often contain personal identifiers, enabling malicious actors to target specific individuals.
Researchers set up honeypot traps and detected third-party scrapers actively collecting the stolen data. Multiple IP addresses associated with companies like Kontera repeatedly accessed these honeypots, suggesting a broader ecosystem monetizing user browsing histories.
Recommendations for Users
To safeguard personal information, users are advised to:
1. Review Installed Extensions: Regularly audit and remove any extensions identified in the research report.
2. Install Open-Source Extensions: Opt for open-source extensions that can be reviewed for security.
3. Check Permissions: Carefully examine permission requests before installing any extension.
The Chrome Web Store hosts approximately 240,000 extensions, making manual verification challenging. Therefore, exercising caution and due diligence is crucial.
Conclusion
This massive data exfiltration operation serves as a stark reminder of the potential privacy risks associated with browser extensions. Users must remain vigilant, regularly reviewing and managing their extensions to protect their personal information from unauthorized access and misuse.