DataSpii begins with browser extensions—available largely for Chrome however in additional restricted cases for Firefox as well—that, by Google’s account, had as several as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of each page that the browser user visited. Most of those collected internet histories were then revealed by a fee-based service known as nacho Analytics, which markets itself as “God mode for the Internet” and uses the line “See Anyone’s Analytics Account.”
Immediately uninstall if you have any of the following extensions.
| Extension name | Number of users (as of Feb/Mar 2019) |
Browser vendor | Chrome extension ID (if applicable) |
|---|---|---|---|
| Hover Zoom | 800,000+ users | Chrome | nonjdcjchghhkdoolnlbekcfllmednbl |
| SpeakIt! | 1.4+ million users | Chrome | pgeolalilifpodheeocdmbhehgnkkbak |
| SuperZoom | 329,000+ users | Chrome and Firefox | gnamdgilanlgeeljfnckhboobddoahbl |
| SaveFrom.net Helper† | ≤140,000 users | Firefox | N/A |
| FairShare Unlock‡ | 1+ million users | Chrome and Firefox | alecjlhgldihcjjcffgjalappiifdhae |
| PanelMeasurement‡ | 500,000+ users | Chrome | kelbkhobcfhdcfhohdkjnaimmicmhcbo |
| Branded Surveys‡ | 8 users (June 2019) | Chrome | dpglnfbihebejclmfmdcbgjembbfjneo |
| Panel Community Surveys‡ | 1 user (June 2019) | Chrome | lpjhpdcflkecpciaehfbpafflkeomcnb |
DataSpii (pronounced data-spy) denotes the ruinous data leak that occurred via eight Chrome and Firefox browser extensions (see the table above). “This leak exposed personally identifiable information (PII) and corporate information (CI) on an unprecedented scale, impacting countless people. The collected information was then created obtainable to members of a nameless service, that we have a tendency to discuss within our report as Company X. each paid and trial members of this service had access to the leaked information. when we reported our findings to Google and Mozilla, the browser vendors remotely disabled the extensions. what is more, the web service is currently defunct.”
The eight extensions that Jadali identified hid their assortment in different ways. All used base64 encryption and information compression that obfuscated the information being uploaded. The image immediately below shows what data uploaded by Hover Zoom seemed like to the naked eye; the second image below shows its contents when being decoded.
Web histories might not sound particularly sensitive, however, a set of the revealed links led to pages that don’t seem to be protected by passwords—but solely by a hard-to-guess sequence of characters (called tokens) enclosed within the URL. Thus, the revealed links might enable viewers to access the content at these pages. (Security practitioners have long discouraged the publication of sensitive info on pages that are not word protected, however, the practice remains widespread.)