syloui

"DataSpii" Leak Exposes Browsing History and Embedded URLs Containing Private Data of 4M Users, including Apple, Tesla, Intuit, and Blue Origin


SOURCES:

ArsTechnica's Original Article

Deep Dive into DataSpii by ArsTechnica

Extensive Documentation of the Data Leak by Sam Jadali

WashingtonPost

 

Warning: the original article is quite a long read, but I highly recommend reading it if you have the time; it explains the matter better than I could. I will attempt to summarize the key points here.

 

For the last 7+ months several Browser Extensions for Chrome and Firefox have been collecting and exposing millions of people's browsing data, and sometimes even including embedded URLs that contain files with private information. The leak, coined "DataSpii" by researcher and founder of hosting service Host Duplex, Sam Jadali, was discovered through extensive research into Nacho Analytics, a paid service selling this data in "near real-time", and advertises itself as "God Mode for the Internet".

Quote

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

 

Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords—but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.)

The leak resulted in the publishing of sensitive, private, and personally identifiable data from the affected users:

Quote

According to the researcher who discovered and extensively documented the problem, this non-stop flow of sensitive data over the past seven months has resulted in the publication of links to:

  • Home and business surveillance videos hosted on Nest and other security services
  • Tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive, Intuit.com, and other online services
  • Vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers
  • Patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services
  • Travel itineraries hosted on Priceline, Booking.com, and airline websites
  • Facebook Messenger attachments and Facebook photos, even when the photos were set to be private.

And has also affected over 50 businesses leaking internal information:

 

Quote

In other cases, the published URLs wouldn’t open a page unless the person following them supplied an account password or had access to the private network that hosted the content. But even in these cases, the combination of the full URL and the corresponding page name sometimes divulged sensitive internal information. DataSpii is known to have affected 50 companies, but that number was limited only by the time and money required to find more. Examples include:

  • URLs referencing teslamotors.com subdomains that aren’t reachable by the outside Internet. When combined with corresponding page titles, these URLs showed employees troubleshooting a “pump motorstall fault,” a “Raven front Drivetrain vibration,” and other problems. Sometimes, the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues—or they discussed Tesla products or features that had not yet been made public. (See image below)
  • Internal URLs for pharmaceutical companies Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; and security companies FireEye, Symantec, Palo Alto Networks, and Trend Micro. Like the internal URLs for Tesla, these links routinely revealed internal development or product details. A page title captured from an Apple subdomain read: "Issue where [REDACTED] and [REDACTED] field are getting updated in response of story and collection update APIs by [REDACTED]"
  • URLs for JIRA, a project management service provided by Atlassian, that showed Blue Origin, Jeff Bezos’ aerospace manufacturer and sub-orbital spaceflight services company, discussing a competitor and the failure of speed sensors, calibration equipment, and manifolds. Other JIRA customers exposed included security company FireEye, BuzzFeed, NBCdigital, AlienVault, CardinalHealth, TMobile, Reddit, and UnderArmour.

Sam Jadali found numerous extensions that resulted in eventual publications of tested URLs on Nacho Analytics:

Quote

Jadali eventually tested browser extensions for Firefox and also set up test machines running both macOS and the Ubuntu operating system. In the end, he said, the extensions that he found to have collected browsing histories that later appeared on Nacho Analytics include:

  • Fairshare Unlock, a Chrome extension for accessing premium content for free. (A Firefox version of the extension, available here, collects the same browsing data.)
  • SpeakIt!, a text-to-speech extension for Chrome.
  • Hover Zoom, a Chrome extension for enlarging images.
  • PanelMeasurement, a Chrome extension for finding market research surveys
  • Super Zoom, another image extension for both Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-ons stores in February or March, after Jadali reported its data collection behavior. Even after that removal, the extension continued to collect browsing behavior on the researcher’s lab computer weeks later.
  • SaveFrom.net Helper a Firefox extension that promises to make Internet downloading easier. Jadali observed the data collection only in an extension version downloaded from the developer. He did not observe the behavior in the version that was previously available from Mozilla’s add-ons store.
  • Branded Surveys, which offers chances to receive cash and other prizes in return for completing online surveys.
  • Panel Community Surveys, another app that offers rewards for answering online surveys.

 

If you've previously used any of these extensions and want to know more about the leak, how it happened, and how it affects you, I highly recommend reading the full ArsTechnica article. And if you want to go deeper into the data leak, please check out Sam Jadali's work; he's done an amazing job documenting his research into the matter.

I noticed while I was digging around the forums in Google that several users have recommended extensions like Hover Zoom in the past, so if you know anyone who might be affected by this, please spread the word!


My PC Setup:

Spoiler

The PC:

Case: Cougar Solution ATX Mid Tower

CPU: Intel Xeon E5-1620v3

Mobo: AsRock x99 Extreme4

RAM: 12GB (3x4GB) GeiL DDR4 2133MHz

GPU: AMD Radeon RX 580 4GB MSI Armor OC

PSU: EVGA 80+ 500w

Storage: Toshiba P300 1TB HDD + Hitachi HDS721016CLA382 160GB HDD (with the classic messy partition table)

Cooling: Zalman CNPS10X Extreme

Etc: LG Lite-On DVD+R Burner (i use optical media all the time for vintage computers, it's not dead yet! hell, floppy drive in here too but can't plug it into x99 :()

 

Outside the case:

Monitors (left to right):  Dell E176FP + Samsung Syncmaster 2253BW + AOC G2260VWQ6 Freesync

Keyboard: Lexmark (IBM) Model M-122

Mouse: Logitech G402

Headset: Samson SR850

DAC: Digidesign Mbox 2 Mini

Mic: Realistic Cardioid 33-992a

 

Main Laptop: 2009 Macbook (Recycling Haul)
Streaming Laptop: 2013 Samsung Series 7 Ultra 740U

 

 

 

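The quoted article's point that some links are protected only by a token in the URL can be turned into a self-check: export your browser history and look for the URLs a history-harvesting extension would have published in directly usable form. The Python script below is an added example, not code from the original post, from ArsTechnica, or from Sam Jadali's research. It assumes a tab-separated `url<TAB>title` export (the shape most history exporters can produce), uses an assumed heuristic list of token-carrying parameter names plus a length-and-entropy test, and the history lines it scans are constructed samples, not real leaked data.

```python
"""Find URLs in a browser-history export that a history-harvesting extension
would have exposed in usable form: capability tokens in the query string or
path, document downloads, and issue-tracker pages whose titles leak context.
Added example, not from the post or from Jadali's research; sample data is
constructed and the parameter list is an assumed heuristic."""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that commonly carry an access token or signed grant
# (assumption: a heuristic list, not an exhaustive or authoritative one).
TOKEN_PARAMS = {"token", "access_token", "auth", "authkey", "key", "sig",
                "signature", "share", "sharetoken", "resid", "sid", "code"}

# Constructed sample of a history export, one "url<TAB>title" per line.
SAMPLE_HISTORY = """\
https://example.com/news/today\tToday's headlines
https://onedrive.example/personal/x/Documents/taxes-2018.pdf?authkey=AbCdEf1234567890ghIJ\ttaxes-2018.pdf
https://video.example/clip/share?token=c9f1a4e2b7d3e8f60a1b2c3d4e5f6a7b\tFront door camera
https://tracker.example/browse/PROJ-4421\t[PROJ-4421] pump motor stall fault
https://shop.example/cart?sid=4\tYour cart
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, ordinary words do not."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_token(value: str) -> bool:
    """Treat a long, high-entropy alphanumeric value as a capability token."""
    return (len(value) >= 16
            and re.fullmatch(r"[A-Za-z0-9_\-]+", value) is not None
            and shannon_entropy(value) > 3.5)


def classify_url(url: str) -> list[str]:
    """Return the reasons this URL would be sensitive if published."""
    parts = urlsplit(url)
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in TOKEN_PARAMS and looks_like_token(value):
            reasons.append(f"token in query param '{name}'")
    if any(looks_like_token(seg) for seg in parts.path.split("/")):
        reasons.append("token-like path segment")
    if re.search(r"\.(pdf|docx?|xlsx?|pptx?|csv)$", parts.path, re.I):
        reasons.append("document file in path")
    if re.search(r"/browse/[A-Z][A-Z0-9]+-\d+", parts.path):
        reasons.append("issue-tracker URL (title may reveal internal work)")
    return reasons


def redact(url: str) -> str:
    """Replace token values with a placeholder so a report can be shared safely."""
    parts = urlsplit(url)
    path = "/".join("<redacted>" if looks_like_token(s) else s
                    for s in parts.path.split("/"))
    query = "&".join(f"{k}={'<redacted>' if looks_like_token(v) else v}"
                     for k, v in parse_qsl(parts.query, keep_blank_values=True))
    return parts._replace(path=path, query=query).geturl()


def scan_history(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse 'url<TAB>title' lines; return (redacted url, title, reasons) for hits."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, _, title = line.partition("\t")
        reasons = classify_url(url)
        if reasons:
            findings.append((redact(url), title, reasons))
    return findings


if __name__ == "__main__":
    for url, title, reasons in scan_history(SAMPLE_HISTORY):
        print(f"{url}\n  title: {title}\n  why: {'; '.join(reasons)}")
```

To run it on a real export, pass the file's text to `scan_history`; it reports only redacted URLs, so the output can go into a ticket or a rotation request without re-leaking the token. The 3.5 bits-per-character threshold is a heuristic: hex or base64 tokens of 16+ characters clear it, while ordinary path words and short IDs such as `sid=4` do not. Note that it catches the first class of exposure in the article (pages reachable by anyone holding the link); the second class, internal URLs whose page title alone is revealing, is only partly covered by the issue-tracker pattern and otherwise needs a manual read of the titles.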

Oh, I haven't heard of almost every single one of those extensions, except SpeakIt, and even then I don't use that. I just saw it on the app store instead lol; it seemed useless to me, as I would never use it often enough to download it.

 

Looks like I am safe


I think we all know on some level that it's important to make sure you're using trusted, safe apps and add-ons and setting/limiting permissions where possible, but this makes real what can happen when you don't.  It's no longer just an obscure "well it's theoretically possible but ehhh what are the odds" sort of thing, more of a "this exact info can and has been harvested, tied to names, and made for sale in a relatively accessible fashion" sort of thing.

 

PS, there's now a statement on their site:

[image: screenshot of the statement posted on the Nacho Analytics site]

 

They seem to be making some effort to prevent this info from getting out there now, but as far as I'm concerned it's too little too late.  Surely they were aware of what they were doing and the flaws with it (implications on privacy)?  I would also still consider any add-on that was doing this harvesting for them or anyone else to be malware.


Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


oh, another one, we get one of these every month or two now, so it looks like the security situation is getting better

8 hours ago, syloui said:

Hover Zoom, a Chrome extension for enlarging images.

Goddamnit



"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Luna

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- RGB Build Post 2019 --- Project ITNOS --- P600S VS Define R6/S2

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI    RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage 1x Samsung EVO 250GB, WD Black 3TB, WD Black 5TB    PSU Corsair CX550M    Cooling Cryorig H7 with NF-A12x25

Quote

Hover Zoom, a Chrome extension for enlarging images.

 

!@#$

 

I think I STOPPED using this extension a couple years ago when I switched to ImageBoardNameX but I'm not 100% sure. Did I even uninstall it <_<


PLEASE QUOTE ME IF YOU ARE REPLYING TO ME
LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

2 hours ago, rcmaehl said:

 

!@#$

 

I think I STOPPED using this extension a couple years ago when I switched to ImageBoardNameX but I'm not 100% sure. Did I even uninstall it <_<

but you're a cyber security specialist. You can't fail at security!


I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!


I only use 3 extensions with Chrome on my PC. uBlock Origin, Honey, and KC3. In Safari on my MacBook I only have Wipr and Honey ? 


Laptop: 2016 13" nTB MacBook Pro Core i5 | Phone: iPhone 8 Plus 64GB | Wearables: Apple Watch Sport Series 2 | CPU: R5 2600 | Mobo: ASRock B450M Pro4 | RAM: 16GB 2666 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 10 | Storage: 480GB PNY SSD & 2TB WD Green HDD | PSU: Corsair CX600M | Display: Dell 27 Gaming Monitor S2719DGF 1440p @155Hz, Dell UZ2215H 21.5" 1080p, ViewSonic VX2450wm-LED 23.6" 1080p | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G303 | Audio: Audio Technica ATH-M50X & Blue Snowball
47 minutes ago, will4623 said:

but you're a cyber security specialist. You can't fail at security!

Anyone can fail at security. In fact, humans are actually the easiest target.

 

I think I remember Hover Zoom having controversy a while ago and I may have switched away from it then, however I'm unsure about the timeline of events. I may have been affected by this breach early on but I have auditing to do of my older devices to get a full idea of my specific situation.


5 hours ago, rcmaehl said:

Anyone can fail at security. In fact, humans are actually the easiest target.

 

The biggest fail of most humans is not understanding how often they're failures.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

Sometimes I miss contractions like n't on the end of words like wouldn't, couldn't and shouldn't.    Please don't be a dick,  make allowances when reading my posts.


it leaks search history? thank god I didn't use the extensions man. phew.


QUOTE ME IF YOU WANT A REPLY!

 

PC #1

Ryzen 7 1700@3.9ghz | MSI X470 Gaming Pro Carbon | Crucial Ballistix 2x16gb (OC 3466mhz CL: 14)

MSI GTX 1080 8gb | SoundBlaster ZXR | Corsair HX850

Samsung 960 256gb | Samsung 860 1gb | Samsung 850 500gb

HGST 4tb, HGST 2tb | Seagate 2tb | Seagate 2tb

Custom CPU/GPU water loop

 

PC #2

AMD FX 8320@4.5ghz | Biostar TA970 | Vengeance Pro 1866 2x8gb DDR3

Sapphire R9 290x 4gb | Asus Xonar DS | Corsair RM650

Samsung 850 128gb | Intel 240gb | Seagate 2tb

Corsair H80iGT AIO

 

Laptop

Core i7 6700HQ | Samsung 2400mhz 2x8gb DDR4

GTX 1060M 3gb | FiiO E10k DAC

Samsung 950 256gb | HGST 1tb

8 hours ago, DrMacintosh said:

I only use 3 extensions with Chrome on my PC. uBlock Origin, Honey, and KC3. In Safari on my MacBook I only have Wipr and Honey ? 

Too bad google is crippling uBO in the name of money security.  #FFGang. ?


Resident Mozilla Shill.   Typed on my Ortholinear JJ40 custom keyboard
               __     I am the ASCIIDino.
              / _)
     _.----._/ /      If you can see me you 
    /         /       must put me in your 
 __/ (  | (  |        signature for 24 hours.
/__.-'|_|--|_|        
19 hours ago, syloui said:

SOURCES:

ArsTechnica's Original Article

Deep Dive into DataSpii by ArsTechnica

Extensive Documentation of the Data Leak by Sam Jadali

WashingtonPost

 

Warning: The original article is quite a long read, but I highly recommend reading it if you have the time, it explains the matter better than I could. I will attempt to summarize the key points here.

 

For the last 7+ months several Browser Extensions for Chrome and Firefox have been collecting and exposing millions of people's browsing data, and sometimes even including embedded URLs that contain files with private information.

 

I don't have time to read the article and go through all of the posts to see if it's there at the moment.

 

But does anyone have a list of the plugins for firefox that are affected?

 

In particular I use

Noscript

Privacy Badger

Disconnect

Ghostery

Ublock Origin

Reverse image search

Honey

Video Blocker (for youtube)

Adblocker (for youtube)

Duckduckgo Privacy essentials

Facebook container (don't have a feacesbook account, but I still block everything to do with it and anything else it owns)

 


System 1: Gigabyte Aorus B450 Pro, Ryzen 5 2600X, 32GB Corsair Vengeance 3200mhz, Sapphire 5700XT, 250GB NVME WD Black, 2x Crucial MX5001TB, 2x Seagate 3TB, H115i AIO, Sharkoon BW9000 case with corsair ML fans, EVGA G2 Gold 650W Modular PSU, liteon bluray/dvd/rw.. NO RGB aside from MB and AIO pump. Triple 27" Monitor setup (1x 144hz, 2x 75hz, all freesync/freesync 2)

System 2: Asus M5 MB, AMD FX8350, 16GB DDR3, Sapphire RX580, 30TB of storage, 250GB SSD, Silverstone HTPC chassis, Corsair 550W Modular PSU, Noctua cooler, liteon bluray/dvd/rw, 4K HDR display (Samsung TV)

System 3 & 4: nVidia shield TV (2017 & 2019) Pro with extra 128GB samsung flash drives.

On 7/19/2019 at 11:51 AM, rcmaehl said:

I may have been affected by this breach early on but I have auditing to do of my older devices to get a full idea of my specific situation.

I don't have it installed on the computer anymore (thankfully), but I know at one point I had it (I just don't know from what year to what year). I might have gotten rid of it because it stopped working, or for security concerns. Either way, I thought it was still on my PC when I read this, so I'm glad it's not.



With all this going on, how do we know that any of the ad blocker add-ons are safe? They have access to usernames and passwords you type in for any given URL.


7 hours ago, mr moose said:

With all this going on, how do we know that any of the ad blocker add-ons are safe? They have access to usernames and passwords you type in for any given URL.

We don't for any of the closed source ones, and the open source ones are only guaranteed to be safe if you review the code of the extension and its dependencies AND build from source instead of using your chosen browser's app store.


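mr moose's question (how do we know an ad blocker is safe?) and comander's answer (only a source review tells you) leave a cheaper first check on the table: the manifest says what an extension is able to do, and the permissions that let an extension see every URL you visit are exactly what the DataSpii extensions needed. The Python auditor below is an added example, not code from the thread, from either browser vendor, or from any extension. It walks a directory of unpacked extensions for `manifest.json` files and flags broad permissions. The severity descriptions are my own heuristic mapping, the sample manifests are constructed, and the default Chrome path is the documented per-OS location of the `Default` profile's unpacked extensions (an assumption for other profiles or Chromium builds).

```python
"""Audit browser-extension manifests for permissions that expose every page
you visit. Added example (not from the thread); sample manifests are constructed."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions and host patterns that give an extension site-wide visibility.
# Assumption: this severity map is a heuristic of mine, not a vendor list.
RISKY_PERMISSIONS = {
    "<all_urls>": "read and modify content on every site",
    "*://*/*": "read and modify content on every site",
    "http://*/*": "read and modify content on every http site",
    "https://*/*": "read and modify content on every https site",
    "tabs": "see URL and title of every open tab",
    "history": "read full browsing history",
    "webNavigation": "observe every navigation (URL) as it happens",
    "webRequest": "observe every network request",
    "webRequestBlocking": "intercept and modify every network request",
    "cookies": "read cookies (session tokens) for granted hosts",
    "clipboardRead": "read clipboard contents",
}

# Constructed sample manifests in Chrome's <id>/<version>/manifest.json layout.
SAMPLE_MANIFESTS = {
    "aaaa/1.0.0/manifest.json": {
        "manifest_version": 2, "name": "Image Zoomer", "version": "1.0.0",
        "permissions": ["tabs", "<all_urls>", "storage"],
    },
    "bbbb/2.3.1/manifest.json": {
        "manifest_version": 3, "name": "Quiet Notes", "version": "2.3.1",
        "permissions": ["storage", "activeTab"], "host_permissions": [],
    },
    "cccc/0.9/manifest.json": {
        "manifest_version": 3, "name": "Page Reader", "version": "0.9",
        "permissions": ["webNavigation"], "host_permissions": ["https://*/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
    },
}


def audit_manifest(manifest: dict) -> list[str]:
    """Return the risky capabilities one manifest declares, in declaration order."""
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])    # MV3 moves host access here
    for script in manifest.get("content_scripts", []):  # injected into matching pages
        declared += script.get("matches", [])
    return [f"{p}: {RISKY_PERMISSIONS[p]}" for p in declared if p in RISKY_PERMISSIONS]


def audit_directory(root: Path) -> dict[str, list[str]]:
    """Walk root for manifest.json files; map 'name version' to its findings."""
    report = {}
    for path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue                                     # unreadable or not JSON
        name = manifest.get("name", path.parent.parent.name)  # may be a __MSG_ key
        findings = audit_manifest(manifest)
        if findings:
            report[f"{name} {manifest.get('version', '?')}"] = findings
    return report


def default_chrome_extension_dir() -> Path:
    """Documented location of the Default profile's unpacked extensions."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        base = local / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = home / ".config" / "google-chrome"
    return base / "Default" / "Extensions"


def audit_sample_tree() -> dict[str, list[str]]:
    """Write the constructed manifests to a temp tree and audit it (offline demo)."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    for rel, manifest in SAMPLE_MANIFESTS.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(manifest), encoding="utf-8")
    return audit_directory(root)


if __name__ == "__main__":
    wanted = Path(sys.argv[1]) if len(sys.argv) > 1 else default_chrome_extension_dir()
    report = audit_directory(wanted) if wanted.is_dir() else audit_sample_tree()
    for label, findings in report.items():
        print(label)
        for finding in findings:
            print("   ", finding)
```

Run it with the `Extensions` directory of a Chrome profile as the argument, or with no argument to see it walk the constructed sample tree. An extension that only needs `activeTab` and `storage` (the "Quiet Notes" sample) gets no findings; one that combines `tabs` with `<all_urls>` can see and report every page you open, which is the capability the thread is worried about, regardless of whether it actually does so. Firefox stores installed add-ons as `.xpi` archives rather than unpacked directories, so for Firefox the manifest has to be read out of the zip first; `audit_manifest` applies unchanged to the parsed result. A clean manifest is necessary, not sufficient: the code review comander describes is still what establishes what the extension does with the access it has.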
On 7/19/2019 at 7:57 AM, floofer said:

It's a real shame stuff like this happens and there is hardly a way to bring justice to the organisation. 

I wonder what the chances are of some of their employees' data being in the leak and whether it would be useful for some sort of social engineering attack against their infrastructure...

 

 

H Y P O T H E T I C A L L Y


...is there a question here? 🤔

sudo chmod -R 000 /*

What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D Watch Netflix with Kodi on Arch Linux Sharing folders over the internet using SSH Beginner's Guide To LTT (by iamdarkyoshi)

Sauron'stm Product Scores:

Spoiler

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]

Spoiler

A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]

Spoiler

From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]

Spoiler

A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]

Spoiler

Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]

Spoiler

Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]

Spoiler

A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 


Don't install extensions unless you can trust their publisher. Lean towards open source. 

The only extensions I have installed come from either my employer (and only used at work where I assume I'm key-logged anyway, even though I'm probably not) or are FOSS and privacy related. 


R9 3900x; 64GB RAM | RTX 2080 | 1.5TB Optane P4800x

1TB ADATA XPG Pro 8200 SSD | 2TB Micron 1100 SSD
HD800 + SCHIIT VALI | Topre Realforce Keyboard


This is why I only use UBlock and Grammarly. 


PC - NZXT 340 Black, Intel i7 6700k, Noctua NH-U9S, 16GB Corsair DDR 4 2133mhz, Asus H170 Pro Gaming , Gigabyte 1080 OC Windforce, Samsung 860 250GB (OS) Samsung 850 Evo 250GB (Games) Samsung 840 Evo 500GB (games)

 

Mac - 1.4ghz i5, 4GB DDR3 1600mhz, Intel HD 5000.  x2

 

Endlessly wishing for a BBQ in space.

8 minutes ago, Kierax said:

Grammarly. 

So a keylogger...

https://tosdr.org/#grammarly

I'm not saying don't use it... I would say quarantine all of your usage of it to a web browser that you seldom use. 

If you're worried about your grammar, go study for the GMAT. 



This is one of the reasons I use different Chrome profiles for extensions I only use on occasion, and only have my top two or so extensions (the ones I use every day or use passively) on my main profile. That and I love splitting things up across Chrome profile anyways (work related on one, personal "main" profile, and a bunch of others).

 

Even then though, always be aware of the risks of using extensions, particularly those that manipulate user experience in some way.


There is no spoon.

43 minutes ago, comander said:

So a keylogger...

https://tosdr.org/#grammarly

I'm not saying don't use it... I would say quarantine all of your usage of it to a web browser that you seldom use. 

If you're worried about your grammar, go study for the GMAT. 

That is that uninstalled. 


