How browser extensions steal logins and browsing habits, and enable corporate espionage

Seemingly harmless browser extensions that generate emojis, enlarge thumbnails, help you debug JavaScript errors and perform other common utility tasks routinely run hidden background scripts that collect and retransmit your login credentials, private URLs that grant access to sensitive files, corporate secrets, full PDFs and other personally identifying, potentially compromising data.

Many extensions conduct surveillance without any notification at all, but some do legal backflips to cover up their activities — characterizing your installation of the extension as explicit permission to spy; pretending that URLs are by nature anonymous and so on. The data is aggregated and sold to unnamed third parties, reputedly for $0.04/user/month. Many of the spying extensions have more than a million users. One of the extensions identified as conducting secret spying advertises itself as a privacy-enhancing tool (!).

Detectify Labs have posted a technical explanation of how Chrome extensions conduct surveillance, and note near the end of their analysis that Firefox extensions are just as prone to spying.

We signed up for one of the services which provides this information gathered by the Chrome extensions. We were able to see the following:

Common URLs used by employees at targeted companies.

Internal network URLs, exposing internal network structure as well as completely separate websites for internal use only.

Internal PDFs placed on AWS S3 that reference competitors.

Pages which only one person had visited. We tested this out. One of the guys in the office using one of the plugins created a local website, page X, which didn't link anywhere, but while being on the site he changed the address bar to page Y. He was the only visitor of page X. Two weeks later page X ended up in the "Similar sites" of page Y with "Affinity: 0.01%".

Chrome Extensions – AKA Total Absence of Privacy [Detectify Labs]
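The practical check that follows from all this is to look at what an installed extension is allowed to see before trusting it. The script below is an added example, not code from Boing Boing or from the Detectify post: it audits a Chrome extension manifest.json for the permissions and host patterns that let an extension observe every URL a user visits. The permission names and match-pattern syntax are Chrome's own; SAMPLE_MANIFEST, the extension name in it and the file names emoji.js and bg.js are constructed for illustration and describe no real extension.

```javascript
// Added example (not from the Detectify post or the original article):
// audit a Chrome extension manifest for the grants that let it observe
// every URL the user visits. Permission names and match-pattern syntax are
// Chrome's own; SAMPLE_MANIFEST below is constructed and names no real extension.

const URL_OBSERVING_PERMISSIONS = {
  tabs: 'chrome.tabs.query / tabs.onUpdated expose the URL and title of every tab',
  webRequest: 'every request URL, including query strings, is visible',
  webNavigation: 'every navigation is reported with its full URL',
  history: 'the full browsing history can be read',
  '<all_urls>': 'host access to every site: content scripts and request hooks everywhere',
};

// Chrome match patterns look like <scheme>://<host>/<path>. A host of "*"
// (or the special "<all_urls>") means the extension reaches every site.
function isBroadHostPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\/.*$/.exec(pattern);
  return m !== null && m[2] === '*';
}

// One finding per permission or content-script match that gives the
// extension sight of URLs. Handles Manifest V2 (host patterns inside
// "permissions") and V3 ("host_permissions"), plus the optional_* variants.
function auditManifest(manifest) {
  const findings = [];
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const p of declared) {
    if (Object.prototype.hasOwnProperty.call(URL_OBSERVING_PERMISSIONS, p)) {
      findings.push({ kind: 'permission', value: p, note: URL_OBSERVING_PERMISSIONS[p] });
    } else if (isBroadHostPattern(p)) {
      findings.push({ kind: 'host_permission', value: p, note: 'broad host pattern: reaches every site' });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      if (isBroadHostPattern(pattern)) {
        findings.push({
          kind: 'content_script',
          value: pattern,
          note: `${(cs.js || []).join(', ')} runs in every page and can read document.URL and the DOM`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample: a harmless-looking utility whose manifest nonetheless
// asks for everything needed to log each URL the user opens.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Emoji Helper (constructed sample, not a real extension)',
  version: '1.0',
  permissions: ['storage', 'alarms', 'tabs', 'webRequest'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['emoji.js'] }],
  background: { service_worker: 'bg.js' },
};

// Human-readable summary of the findings for one manifest.
function report(manifest) {
  const findings = auditManifest(manifest);
  const lines = findings.map((f) => `[${f.kind}] ${f.value}: ${f.note}`);
  lines.unshift(`${manifest.name}: ${findings.length} URL-observing grant(s)`);
  return lines.join('\n');
}

console.log(report(SAMPLE_MANIFEST));
```

Two caveats when reading the output. First, any one of these grants is enough: a content script matched on every site can read document.URL and POST it to a collector without the tabs permission at all, and the URL is read inside the browser, so HTTPS does nothing to protect it, which is why capability links such as signed S3 URLs and document share links end up in the collected data. Second, the check is a screen, not proof of innocence: a manifest with none of these grants still has to be judged on what its code actually does.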

(Thanks, Fipi Lele!)