
"DataSpii" Leak Exposes Browsing History and Embedded URLs Containing Private Data of 4M Users, including Apple, Tesla, Intuit, and Blue Origin

SOURCES:

ArsTechnica's Original Article

Deep Dive into DataSpii by ArsTechnica

Extensive Documentation of the Data Leak by Sam Jadali

WashingtonPost

 

Warning: The original article is quite a long read, but I highly recommend reading it if you have the time; it explains the matter better than I could. I will attempt to summarize the key points here.

 

For the last 7+ months, several browser extensions for Chrome and Firefox have been collecting and exposing millions of people's browsing data, sometimes even including embedded URLs that lead to files containing private information. The leak, coined "DataSpii" by Sam Jadali, a researcher and founder of the hosting service Host Duplex, was discovered through extensive research into Nacho Analytics, a paid service that sells this data in "near real-time" and advertises itself as "God Mode for the Internet".

Quote

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

 

Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords—but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.)

The leak resulted in the publication of sensitive, private, and personally identifiable data from the affected users:

Quote

According to the researcher who discovered and extensively documented the problem, this non-stop flow of sensitive data over the past seven months has resulted in the publication of links to:

  • Home and business surveillance videos hosted on Nest and other security services
  • Tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive, Intuit.com, and other online services
  • Vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers
  • Patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services
  • Travel itineraries hosted on Priceline, Booking.com, and airline websites
  • Facebook Messenger attachments and Facebook photos, even when the photos were set to be private.

It has also affected over 50 businesses, leaking internal information:

 

Quote

In other cases, the published URLs wouldn’t open a page unless the person following them supplied an account password or had access to the private network that hosted the content. But even in these cases, the combination of the full URL and the corresponding page name sometimes divulged sensitive internal information. DataSpii is known to have affected 50 companies, but that number was limited only by the time and money required to find more. Examples include:

  • URLs referencing teslamotors.com subdomains that aren’t reachable by the outside Internet. When combined with corresponding page titles, these URLs showed employees troubleshooting a “pump motorstall fault,” a “Raven front Drivetrain vibration,” and other problems. Sometimes, the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues—or they discussed Tesla products or features that had not yet been made public. (See image below)
  • Internal URLs for pharmaceutical companies Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; and security companies FireEye, Symantec, Palo Alto Networks, and Trend Micro. Like the internal URLs for Tesla, these links routinely revealed internal development or product details. A page title captured from an Apple subdomain read: "Issue where [REDACTED] and [REDACTED] field are getting updated in response of story and collection update APIs by [REDACTED]"
  • URLs for JIRA, a project management service provided by Atlassian, that showed Blue Origin, Jeff Bezos’ aerospace manufacturer and sub-orbital spaceflight services company, discussing a competitor and the failure of speed sensors, calibration equipment, and manifolds. Other JIRA customers exposed included security company FireEye, BuzzFeed, NBCdigital, AlienVault, CardinalHealth, TMobile, Reddit, and UnderArmour.

Sam Jadali found numerous extensions that resulted in the eventual publication of tested URLs on Nacho Analytics:

Quote

Jadali eventually tested browser extensions for Firefox and also set up test machines running both macOS and the Ubuntu operating system. In the end, he said, the extensions that he found to have collected browsing histories that later appeared on Nacho Analytics include:

  • Fairshare Unlock, a Chrome extension for accessing premium content for free. (A Firefox version of the extension, available here, collects the same browsing data.)
  • SpeakIt!, a text-to-speech extension for Chrome.
  • Hover Zoom, a Chrome extension for enlarging images.
  • PanelMeasurement, a Chrome extension for finding market research surveys
  • Super Zoom, another image extension for both Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-ons stores in February or March, after Jadali reported its data collection behavior. Even after that removal, the extension continued to collect browsing behavior on the researcher’s lab computer weeks later.
  • SaveFrom.net Helper, a Firefox extension that promises to make Internet downloading easier. Jadali observed the data collection only in an extension version downloaded from the developer. He did not observe the behavior in the version that was previously available from Mozilla’s add-ons store.
  • Branded Surveys, which offers chances to receive cash and other prizes in return for completing online surveys.
  • Panel Community Surveys, another app that offers rewards for answering online surveys.

 

If you've previously used any of these extensions and want to know more about the leak, how it happened, and how it affects you, I highly recommend reading the full ArsTechnica article. And if you want to go deeper into the data leak, please check out Sam Jadali's work; he's done an amazing job documenting his research into the matter.

I noticed while I was digging around the forums on Google that several users have recommended extensions like Hover Zoom in the past, so if you know anyone who might be affected by this, please spread the word!
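As an added worked example (not part of the original post, and not code from Ars or from Jadali's research): the two exposure classes the quotes above describe, a bearer token sitting in a public URL and an internal hostname whose page title gives the game away, can be triaged mechanically over a browsing-history export. The script is Python, runs offline on a constructed url-tab-title sample (not real captured data), and the parameter names, hostname suffixes and length thresholds are my own heuristics, not anything taken from the article.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that usually carry a bearer secret: whoever holds the
# full URL gets the content without a password (the "token in the URL" case).
# Heuristic list chosen for this example, not from the article.
SECRET_PARAMS = {"token", "authkey", "key", "sig", "signature", "access_token",
                 "sharetoken", "share", "code", "auth", "id_token", "session"}

# Hostnames that do not resolve from the public Internet. A leaked URL there
# opens nothing, but URL + page title still reveals projects and ticket subjects.
INTERNAL_SUFFIXES = (".internal", ".corp", ".local", ".lan")
PRIVATE_IP = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def looks_opaque(segment):
    """True for long unguessable share ids: 20+ chars mixing letters and digits."""
    return (re.fullmatch(r"[A-Za-z0-9_-]{20,}", segment) is not None
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment))


def is_internal_host(host):
    if not host:
        return False
    if PRIVATE_IP.match(host) or "." not in host:   # RFC1918 or single-label (LAN/VPN)
        return True
    return host.endswith(INTERNAL_SUFFIXES)


def classify_url(url, title=""):
    """Return the reasons this (url, title) pair is dangerous if published.

    Secrets are never echoed back: only the parameter name, or a 12-char prefix
    of an opaque segment, goes into the report, so the audit cannot leak again.
    """
    parts = urlsplit(url)
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS and len(value) >= 8:
            reasons.append("secret in query parameter %r" % name)
    for segment in parts.path.split("/"):
        if looks_opaque(segment):
            reasons.append("unguessable path segment %r" % segment[:12])
            break
    if is_internal_host(parts.hostname or ""):
        reasons.append("internal hostname %r" % parts.hostname)
        if title:
            reasons.append("page title leaks context: %r" % title)
    return reasons


def triage_history(export_text):
    """Parse 'url<TAB>title' lines and return {url: reasons} for flagged entries."""
    flagged = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        url, _, title = line.partition("\t")
        reasons = classify_url(url.strip(), title.strip())
        if reasons:
            flagged[url.strip()] = reasons
    return flagged


# Constructed sample export, not real captured data. The first URL copies the
# shape of a OneDrive share link (resid + authkey); the third is an internal
# ticket tracker whose title alone says what the team is working on.
SAMPLE_HISTORY = """\
https://onedrive.example.com/redir?resid=A1B2C3D4E5F6A7B8!123&authkey=Aq9x7ZkPq2hL0sT\tTax return 2018.pdf - OneDrive
https://docs.example.com/s/4kQ9zX2mP7rT1vB8nL3cY6\tQ3 board deck - shared with you
https://jira.corp.example.internal/browse/PROJ-4421\t[PROJ-4421] speed sensor calibration failure on test stand 2
https://www.example.com/blog/long-article-title-about-cats\tA long article title about cats
https://www.example.com/search?q=hover+zoom+extension\tSearch results
"""

if __name__ == "__main__":
    for url, reasons in triage_history(SAMPLE_HISTORY).items():
        print(url)
        for r in reasons:
            print("   -", r)
```

Run it over your own history export to see which visited URLs would have been live documents if they had ended up in a Nacho-style feed. For the token URLs the only real fix is to revoke or regenerate the share link, because the URL itself is the credential; for the internal ones there is nothing to revoke, which is exactly why the page-title exposure in the Tesla and Blue Origin examples above was so damaging.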


Oh, I haven't heard of almost every single one of those extensions, except SpeakIt, and even then I don't use that. I just saw it on the app store instead, lol; it seemed useless to me as I myself would never use it often enough to download it.

 

Looks like I am safe

I think we all know on some level that it's important to make sure you're using trusted, safe apps and add-ons and setting/limiting permissions where possible, but this makes real what can happen when you don't.  It's no longer just an obscure "well it's theoretically possible but ehhh what are the odds" sort of thing, more of a "this exact info can and has been harvested, tied to names, and made for sale in a relatively accessible fashion" sort of thing.

 

PS, there's now a statement on their site:

[image: screenshot of the statement posted on their site]

 

They seem to be making some effort to prevent this info from getting out there now, but as far as I'm concerned it's too little too late.  Surely they were aware of what they were doing and the flaws with it (implications on privacy)?  I would also still consider any add-on that was doing this harvesting for them or anyone else to be malware.


It's a real shame stuff like this happens and there is hardly a way to bring justice to the organisation. 

8 hours ago, syloui said:

Hover Zoom, a Chrome extension for enlarging images.

Goddamnit


Quote

Hover Zoom, a Chrome extension for enlarging images.

 

!@#$

 

I think I STOPPED using this extension a couple years ago when I switched to ImageBoardNameX but I'm not 100% sure. Did I even uninstall it <_<


2 hours ago, rcmaehl said:

 

!@#$

 

I think I STOPPED using this extension a couple years ago when I switched to ImageBoardNameX but I'm not 100% sure. Did I even uninstall it <_<

But you're a cyber security specialist. You can't fail at security!


I only use 3 extensions with Chrome on my PC: uBlock Origin, Honey, and KC3. In Safari on my MacBook I only have Wipr and Honey.


47 minutes ago, will4623 said:

But you're a cyber security specialist. You can't fail at security!

Anyone can fail at security. In fact, humans are actually the easiest target.

 

I think I remember Hover Zoom having controversy a while ago and I may have switched away from it then, however I'm unsure about the timeline of events. I may have been affected by this breach early on but I have auditing to do of my older devices to get a full idea of my specific situation.


5 hours ago, rcmaehl said:

Anyone can fail at security. In fact, humans are actually the easiest target.

 

The biggest fail of most humans is not understanding how often they're failures.


It leaks search history? Thank god I didn't use the extensions, man. Phew.


8 hours ago, DrMacintosh said:

I only use 3 extensions with Chrome on my PC: uBlock Origin, Honey, and KC3. In Safari on my MacBook I only have Wipr and Honey.

Too bad Google is crippling uBO in the name of money security. #FFGang.


19 hours ago, syloui said:

SOURCES:

ArsTechnica's Original Article

Deep Dive into DataSpii by ArsTechnica

Extensive Documentation of the Data Leak by Sam Jadali

WashingtonPost

 

Warning: The original article is quite a long read, but I highly recommend reading it if you have the time, it explains the matter better than I could. I will attempt to summarize the key points here.

 

For the last 7+ months, several browser extensions for Chrome and Firefox have been collecting and exposing millions of people's browsing data, sometimes even including embedded URLs that lead to files containing private information.

 

I don't have time to read the article and go through all of the posts to see if it's there at the moment.

 

But does anyone have a list of the plugins for firefox that are affected?

 

In particular I use

Noscript

Privacy Badger

Disconnect

Ghostery

Ublock Origin

Reverse image search

Honey

Video Blocker (for youtube)

Adblocker (for youtube)

Duckduckgo Privacy essentials

Facebook container (don't have a feacesbook account, but I still block everything to do with it and anything else it owns)

 


On 7/19/2019 at 11:51 AM, rcmaehl said:

I may have been affected by this breach early on but I have auditing to do of my older devices to get a full idea of my specific situation.

I don't have it installed on the computer anymore (thankfully), but I know at one point I had it (I just don't know from what year to what year). I might have gotten rid of it because it stopped working, or for security concerns. Either way, I thought it was still on my PC when I read this, so I'm glad it's not.

With all this going on, how do we know that any of the ad blocker addons are safe? They have access to the usernames and passwords you type in for any given URL.


7 hours ago, mr moose said:

With all this going on, how do we know that any of the ad blocker addons are safe? They have access to the usernames and passwords you type in for any given URL.

We don't for any of the closed-source ones, and the open-source ones are only guaranteed to be safe if you review the code of the extension and its dependencies AND build from source instead of installing from your chosen browser's app store.
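Before reading any extension's source, the cheaper first check is the one the earlier question about a list of affected add-ons was really asking for: what is installed, and what can it see. As an added example (not taken from the article and not any extension's own code), the Python script below walks a Chrome profile's Extensions/ folder, resolves each manifest's possibly localised name, and flags anything whose name matches the DataSpii list from the original post or whose permissions let it observe every tab's URL and title. The two manifests it builds in a temp directory are constructed demos with placeholder IDs, and the set of permissions treated as "broad" is my own choice.

```python
import json
import os
import tempfile

# Extension names the Ars/Jadali reporting ties to Nacho Analytics. The page
# gives no store IDs, so matching is by display name (case-insensitive).
DATASPII_NAMES = {"fairshare unlock", "speakit!", "hover zoom", "panelmeasurement",
                  "super zoom", "savefrom.net helper", "branded surveys",
                  "panel community surveys"}

# Permissions or host patterns that let an extension observe every URL/title.
# This is the example's own threshold for "broad", not a Chrome definition.
BROAD = {"tabs", "history", "webNavigation", "webRequest",
         "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def resolve_name(ext_dir, manifest):
    """Chrome localises names as __MSG_key__; look the key up in _locales/."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        path = os.path.join(ext_dir, "_locales", locale, "messages.json")
        try:
            with open(path, encoding="utf-8") as fh:
                name = json.load(fh)[key]["message"]
        except (OSError, KeyError, ValueError):
            pass  # keep the raw placeholder; permissions are still auditable
    return name


def audit_manifest(ext_dir):
    """Summarise one unpacked extension directory (the one holding manifest.json)."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        m = json.load(fh)
    name = resolve_name(ext_dir, m)
    reach = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    reach |= set(m.get("optional_permissions", []))
    for cs in m.get("content_scripts", []):   # content scripts reach by match pattern
        reach.update(cs.get("matches", []))
    return {"name": name, "version": m.get("version", "?"),
            "broad_permissions": sorted(reach & BROAD),
            "named_in_dataspii": name.lower() in DATASPII_NAMES}


def audit_chrome_extensions(root):
    """root = a Chrome profile's Extensions/ dir, laid out <id>/<version>/manifest.json."""
    findings = []
    for ext_id in sorted(os.listdir(root)):
        id_dir = os.path.join(root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            vdir = os.path.join(id_dir, version)
            if os.path.isfile(os.path.join(vdir, "manifest.json")):
                finding = audit_manifest(vdir)
                finding["id"] = ext_id
                findings.append(finding)
    return findings


def build_sample_tree(root):
    """Constructed manifests with placeholder IDs, not copies of any real extension."""
    zoom = os.path.join(root, "a" * 32, "1.0.0")
    os.makedirs(os.path.join(zoom, "_locales", "en"))
    with open(os.path.join(zoom, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"manifest_version": 2, "name": "__MSG_appName__", "version": "1.0.0",
                   "default_locale": "en",
                   "permissions": ["tabs", "storage", "<all_urls>"]}, fh)
    with open(os.path.join(zoom, "_locales", "en", "messages.json"), "w", encoding="utf-8") as fh:
        json.dump({"appName": {"message": "Hover Zoom"}}, fh)
    notes = os.path.join(root, "b" * 32, "2.1.0")
    os.makedirs(notes)
    with open(os.path.join(notes, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"manifest_version": 3, "name": "Minimal Notes Demo",
                   "version": "2.1.0", "permissions": ["storage"]}, fh)


def run_sample():
    """Audit the constructed tree in a fresh temp dir (demo path when no arg is given)."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    build_sample_tree(root)
    return audit_chrome_extensions(root)


if __name__ == "__main__":
    import sys
    results = audit_chrome_extensions(sys.argv[1]) if len(sys.argv) > 1 else run_sample()
    for f in results:
        flag = "!!" if f["named_in_dataspii"] or f["broad_permissions"] else "ok"
        print(flag, f["id"], f["name"], f["version"], ",".join(f["broad_permissions"]))
```

Point it at the real directory to audit an installed profile (Linux: ~/.config/google-chrome/Default/Extensions; macOS: ~/Library/Application Support/Google/Chrome/Default/Extensions; Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions). A name match only proves the name, and a broad permission only proves capability, not that anything is being collected; but anything holding tabs or <all_urls> can do exactly what the listed extensions did, and that is the set worth reviewing or removing.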


On 7/19/2019 at 7:57 AM, floofer said:

It's a real shame stuff like this happens and there is hardly a way to bring justice to the organisation. 

I wonder what the chances are of some of their employees' data being in the leak and whether it would be useful for some sort of social engineering attack against their infrastructure...

 

 

H Y P O T H E T I C A L L Y


This is why I only use UBlock and Grammarly. 


This is one of the reasons I use different Chrome profiles for extensions I only use on occasion, and only have my top two or so extensions (the ones I use every day or use passively) on my main profile. That and I love splitting things up across Chrome profile anyways (work related on one, personal "main" profile, and a bunch of others).

 

Even then though, always be aware of the risks of using extensions, particularly those that manipulate user experience in some way.

There is no spoon.

Link to comment
Share on other sites

Link to post
Share on other sites

43 minutes ago, comander said:

So a keylogger...

https://tosdr.org/#grammarly

I'm not saying don't use it... I would say quarantine all of your usage of it to a web browser that you seldom use. 

If you're worried about your grammar, go study for the GMAT. 

That is that uninstalled. 

