My Browser, the Spy: How Extensions Slurped Up Browsing Histories From 4M Users (arstechnica.com) 43
Dan Goodin, reporting for ArsTechnica: When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people's browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head. DataSpii begins with browser extensions -- available mostly for Chrome but in more limited cases for Firefox as well -- that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as "God mode for the Internet" and uses the tag line "See Anyone's Analytics Account."
Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords -- but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.) Further reading: More on DataSpii: How extensions hide their data grabs -- and how they're discovered.
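An added example (not from the article or the thread) of the exposure the summary describes: it scans a list of URLs for path segments or query values that look like access tokens and redacts them, which is how a site owner could find pages protected only by the URL itself. The heuristics, thresholds and sample URLs are assumptions constructed for illustration.

```javascript
// Added example: heuristics, thresholds and sample URLs are constructed.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Shannon entropy in bits per character.
function entropyPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// A value is token-like if it is a UUID, or contains a run of 20+ alphanumerics
// that mixes letters and digits and has high entropy. Word slugs split on "-"
// and normally do not produce such a run.
function looksLikeToken(value) {
  if (UUID.test(value)) return true;
  return value.split(/[-_.~=]/).some((piece) =>
    piece.length >= 20 && /^[A-Za-z0-9]+$/.test(piece) &&
    /[0-9]/.test(piece) && /[A-Za-z]/.test(piece) &&
    entropyPerChar(piece) >= 3.0);
}

// Redact token-like path segments and query values; report whether any were found.
function auditUrl(raw) {
  const u = new URL(raw);
  let found = false;
  u.pathname = u.pathname.split('/').map((seg) => {
    if (!looksLikeToken(seg)) return seg;
    found = true;
    return 'REDACTED';
  }).join('/');
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (looksLikeToken(value)) { found = true; u.searchParams.set(key, 'REDACTED'); }
  }
  return { tokenInUrl: found, redacted: u.toString() };
}

// Constructed sample, shaped like entries in a history export or proxy log.
const SAMPLE = [
  'https://files.example.com/share/f3a9c1d7e2b84c0a9d6e5f1b7a3c8e42/report.pdf',
  'https://example.com/docs/getting-started-with-extensions',
  'https://cal.example.org/invite?key=Zx8Qp2Lk9Vb4Nc7Rt1Yw6Hs3&lang=en',
];

// Redacted forms of the URLs that carry a token-like secret.
function flagged(urls) {
  return urls.map(auditUrl).filter((r) => r.tokenInUrl).map((r) => r.redacted);
}

console.log(flagged(SAMPLE));
```

URLs flagged this way are candidates for real authentication or short-lived, single-use links.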
Thank you WebRequest API (Score:1)
Re:Thank you WebRequest API (Score:4, Informative)
Nah. Google and Firefox both run walled gardens for the extensions. They're on the hook for everything that happens because of extensions that they've allowed in.
Re: (Score:2)
Nah. Google and Firefox both run walled gardens for the extensions.
They don't, actually. You can install arbitrary extensions. Also, Google doesn't claim to pre-screen the extensions in the web app store, and I don't think Mozilla does either.
Re: (Score:2)
I cannot figure out where this thread is going or what it is trying to say, though right now I'm inclined to the theory that it [for almost any value of it] is ultimately the google's fault. My initial reaction to the story was "Oh yeah? How do you think that compares to the browser history data the google is collecting? Like a match to an H-bomb, eh?"
Then again, the google doesn't need to do it the easy way, though the money probably drives them to that position (per swillden's OP?) because the google can
Wait, Chrome doesn't ask for permissions? (Score:1)
Btw: Android has a feature in the developer settings, to lie about the GPS location.
Why isn't there a "Lie" option for every permission for every app and extension in browsers and simpleton (aka "smartphone") OSes?
Re:Wait, Chrome doesn't ask for permissions? (Score:5, Interesting)
Why isn't there a "Lie" option for every permission for every app and extension in browsers and simpleton (aka "smartphone") OSes?
Because it would just create an arms race between OSes trying to craft convincing lies and libraries that sort the lies from the truth, and there's really no benefit to it. If you want to deny permission to access some data, just deny it.
And to answer the question in your subject, yes, Chrome asks for permissions, including permission to use the WebRequest API. But users happily click "okay" and go on with their day.
Btw: Android has a feature in the developer settings, to lie about the GPS location.
Yes, that's useful when developing apps that depend on location. It's a pain in the ass to test your app if you actually have to travel to different places (leaving your desk and test infrastructure) to see if it's working.
Re: (Score:2)
Why isn't there a "Lie" option for every permission for every app and extension in browsers and simpleton (aka "smartphone") OSes?
Because it would just create an arms race between OSes trying to craft convincing lies and libraries that sort the lies from the truth, and there's really no benefit to it. If you want to deny permission to access some data, just deny it.
You're implying that such an arms race would be a bad thing - while in fact I would welcome it. In an arms race like this, sometimes your side does get ahead for a bit of time. As it is, we're being continuously shafted.
I'm saying it would be a waste of resources which could be better applied to work that has a much greater likelihood of success at improving security and/or privacy. If the fake-generating side of the arms race were free, then sure, why not? But it isn't.
Re: (Score:2)
'Improving security' would imply that apps were obtaining your data covertly, such as by exploiting loopholes, software bugs or undocumented backdoors and the like. But they don't have to do any of that, they can request that very data from your device, 100% legally and legitimately, using APIs which were provided by the OS maker, for that explicit purpose. If you block those requests, then the people who made the app can simply have it not run.
Absolutely. And if your OS feeds them fake data, they'll identify that it's fake... and do the same damned thing.
The way to win this is just to stick to your guns. Don't share the data you don't want to share. If the app developer doesn't like that, then find another app. You might have to pay money for it... TANSTAAFL.
Re: (Score:2)
There's an alternative permission Google could add that should have almost the same effect: Permission to access third-party sites not accessed by the site being visited. This should be possible because in-page JavaScript blocks third-party xmlhttprequests. They could even require a list of third-party sites the extension can access.
On the other hand, extensions could just inject webbugs (invisible images) or JavaScript calls in the resulting page instead. But that would be rather more obvious than a beh
Re: (Score:2)
There's no mention in the report (either the ArsTechnica article or the full report) about WebRequest at all.
In this tweet the author of uBlock Origin points to a Chrome-only API as one of the attack points https://twitter.com/gorhill/st... [twitter.com]
Deliberately Installed Spyware (Score:1)
So, let me see if I understand this.
A bunch of dweebs install software with overtly dodgy purposes, and then complain that the software is dodgy?
What a bunch of maroons! They got what they asked for -- dodginess!
HOST FILES (Score:3)
This could all be avoided by the installation of software that provides proper management of HOST FILES. I should work on some software that does that.
Re: (Score:1)
Re: (Score:2)
I am Polish!
List of extensions (Score:1)
For those too busy to RTFA, here are the extensions mentioned:
* Fairshare Unlock
* SpeakIt!
* Hover Zoom
* PanelMeasurement
* Super Zoom
* SaveFrom.net Helper
* Branded Surveys
* Panel Community Surveys
To me the worst part is the researcher found they lay dormant for about 3 weeks before slurping up your data. Now why would they do that? Nothing suspicious about that at all.
article (Score:1)