Here's All You Need to Know About DataSpii and the 8 Extensions That Could Leak Information About You


We don't pay nearly as much attention as we should to our browsers. A web browser is our gateway to the online world, and often, going about our everyday lives without it is impossible. Because it's such an inseparable part of our online existence, however, it's also often the attack vector of choice for hackers who are out to steal information or do harm. We tend to forget about this.

For a variety of reasons, many people continue to use outdated browsers, which leaves them vulnerable to attacks. Even those who have automatic updates turned on, however, can still inadvertently put themselves at risk. The extensions we install on our browsers can also be used for nefarious purposes. Last week, independent security researcher Sam Jadali proved just how dangerous they can sometimes be.

DataSpii – a large-scale data leak

Jadali found eight browser extensions that were leaking personal and corporate data. He called the operation DataSpii, and he wrote a very extensive report on it. Before we see how it worked, here's the list of offending extensions:

  • Hover Zoom
  • SpeakIt!
  • SuperZoom
  • Helper
  • FairShare Unlock
  • PanelMeasurement
  • Branded Surveys
  • Panel Community Surveys

Most of the extensions listed above were available for Chrome (and could be installed on Opera), with some having versions for Firefox as well. If you use any of them, make sure you uninstall them as quickly as possible.
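To check a Chrome profile for the names listed above, the following added example (not from Jadali's report or from the browser vendors) scans the profile's extension manifests and resolves localized names. It assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json`; the extension IDs and sample manifests in it are constructed. The article gives no extension IDs, so the match is by name only, and a generic name such as "Helper" is a reason to look closer rather than proof.

```python
import json
from pathlib import Path

# Names exactly as listed in the article; compared case-insensitively.
DATASPII_NAMES = {"hover zoom", "speakit!", "superzoom", "helper", "fairshare unlock",
                  "panelmeasurement", "branded surveys", "panel community surveys"}

def load_json(path: Path) -> dict:
    """Read JSON (BOM-tolerant); return {} if unreadable, malformed or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(version_dir: Path, manifest: dict) -> str:
    """Resolve Chrome's __MSG_key__ placeholder via _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        messages = load_json(version_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def find_listed_extensions(extensions_dir: Path) -> list:
    """Scan Extensions/<id>/<version>/manifest.json; return (id, name, version) hits."""
    hits = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = load_json(path)
        name = display_name(path.parent, manifest)
        if name.strip().lower() in DATASPII_NAMES:
            hits.append((path.parent.parent.name, name, manifest.get("version", "?")))
    return hits

def build_sample(root: Path) -> Path:
    """Constructed sample data: made-up IDs, one literal and one localized name."""
    samples = [("a" * 32, {"name": "Hover Zoom", "version": "1.0"}, {}),
               ("b" * 32, {"name": "__MSG_appName__", "version": "2.1",
                           "default_locale": "en"}, {"appName": {"message": "SpeakIt!"}}),
               ("c" * 32, {"name": "Some Other Tool", "version": "0.3"}, {})]
    for ext_id, manifest, messages in samples:
        locale_dir = root / ext_id / (manifest["version"] + "_0") / "_locales" / "en"
        locale_dir.mkdir(parents=True)
        (locale_dir.parent.parent / "manifest.json").write_text(json.dumps(manifest))
        (locale_dir / "messages.json").write_text(json.dumps(messages))
    return root
```

Pass `find_listed_extensions` the `Extensions` directory of a profile (on Linux, Chrome's default profile keeps it at `~/.config/google-chrome/Default/Extensions`); `build_sample` creates a throwaway tree to try it on first.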

The extensions were collectively downloaded more than 4 million times before they were taken offline, and as we'll find out in a minute, the amount of data they leaked was enormous. It's still unknown whether or not the information has been used for any nefarious reasons, but we can safely say that the potential damage DataSpii could have caused was significant.

Your browsing history may be more sensitive than you think

Sam Jadali found the data leak when he was using a marketing service which, upon further inspection, turned out to collect quite a lot of information. The DataSpii extensions were mostly interested in people's browsing history, which doesn't sound like the worst thing in the world. Despite this, Jadali described the leak as "catastrophic". What was so bad about it?

According to Ars Technica, the collected data was sent to a company called Nacho Analytics. Anyone could go to Nacho Analytics, pay a fee, and have a look at what sort of web pages the people affected by DataSpii were visiting. Again, on the face of it, you might not be worried that someone will learn how often you check your email. Having seen some of the pages Nacho Analytics was collecting, however, Jadali realized that the situation was much more serious.

The URLs indicated that the DataSpii extensions were collecting data while people were viewing extremely sensitive documents, including billing invoices, tax returns, vehicle registration papers, etc. In some cases, those documents weren't very well protected, which meant that they could expose the data they contained to anyone.

Worse still, the leak would often affect people who didn't even have one of the extensions installed. For example, even if you've always used an out-of-the-box browser with no add-ons, if your accountant had one of the DataSpii extensions installed, your OneDrive-hosted tax return documents could have been put at risk. In a similar fashion, the DataSpii extensions could leak travel arrangements, business documents, and medical data. Users' personal details would sometimes be included in the URLs themselves, and although most of the extensions tried to scrub the data, in many instances, they didn't do a very good job. There was even more to it than that, though.

Jadali found out that thanks to the DataSpii extensions, Nacho Analytics had collected quite a lot of corporate data as well. Employees of nearly 50 Fortune 500 companies had been using the DataSpii extensions while interacting with their employers' internal resources. As a result, portions of the backend infrastructure of companies like Tesla, Blue Origin, NBCdigital, BuzzFeed, Reddit, T-Mobile, Trend Micro, FireEye, and many others were revealed. Because the extensions also collected the names of the web pages, the people viewing the data could get a pretty good understanding of what the affected employees were seeing.

Shortly after his discovery, Jadali started notifying all the people responsible for taking the extensions down. They disappeared from the browsers' official marketplaces, and Nacho Analytics announced that it was halting new sales because its data partner had ended its operations. Even so, Jadali noticed that some of the DataSpii extensions were still sending out information. Even now, uninstalling them is extremely important. The same goes for being careful with the add-ons you put on your browser in the future.

July 24, 2019
