The two most popular browsers, Chrome and Firefox, have created stores and online marketplaces where their users can find and download extensions that range from ad blockers to utility add-ons to grammar check extensions. But what about when the innocuous extension you downloaded begins capturing your online activities and sending your browsing activity data to a database? The DataSpii report documents the unprecedented data collection impacting millions of individuals as well as many Fortune 500 corporations.
DataSpii is the catastrophic data leak that occurred when any one of eight browser extensions collected browsing activity data, including personally identifiable information (PII) and corporate information (CI), from unwitting Chrome and Firefox users. This data was then disseminated to members of an online service, where it may have been appropriated or exploited by any member.
What data is at risk?
Personal data made accessible by DataSpii included:
- personal interests
- tax returns
- GPS location
- cloud services and data
- file attachments
- credit card information
- genetic profiles
- travel itineraries
- online shopping history
Corporate data made accessible by DataSpii included:
- real-time activity of employees, including the corporate tasks they were assigned
- private LAN network structure (e.g., server type, firmware revisions, LAN IPs)
- partial page content (includes hyperlinks embedded on a LAN website)
- company memos
- API keys
- proprietary source code
- firewall access codes
- proprietary secrets
- operational material
- zero-day vulnerabilities
What browsers are impacted by DataSpii?
The DataSpii leak primarily impacted Chrome and Firefox users with one of the eight invasive extensions. However, other Chromium-based browsers (e.g., Opera) that can run Chrome extensions are also impacted.
What extensions were identified?
| Extension name | Number of users | Browser vendor | Chrome extension ID |
|---|---|---|---|
| Hover Zoom | 800,000+ users | Chrome | nonjdcjchghhkdoolnlbekcfllmednbl |
| SpeakIt! | 1.4+ million users | Chrome | pgeolalilifpodheeocdmbhehgnkkbak |
| SuperZoom | 329,000+ users | Chrome and Firefox | gnamdgilanlgeeljfnckhboobddoahbl |
| SaveFrom.net Helper† | ≤140,000 users | Firefox | N/A |
| FairShare Unlock‡ | 1+ million users | Chrome and Firefox | alecjlhgldihcjjcffgjalappiifdhae |
| Branded Surveys‡ | 8 users | Chrome | dpglnfbihebejclmfmdcbgjembbfjneo |
| Panel Community Surveys‡ | 1 user | Chrome | lpjhpdcflkecpciaehfbpafflkeomcnb |
†The invasive data collecting behavior occurred when the SaveFrom.net Helper extension was installed from the author’s official website using Firefox on macOS or Ubuntu. We did not observe the invasive behavior when the extension was installed from a browser vendor store.
‡FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys make explicit efforts to let their users know they collect browser activity data.
Did anyone visit the URLs collected by the extensions?
Yes. During the investigation, we discovered that the URLs collected by the extensions were visited by a third-party, Amobee, shortly after collection. Shortly after disclosing DataSpii to Amobee, they admitted they “index publicly accessible internet URLs as part of their product suite that allows advertisers to place ads based on a web page’s keywords and topics.” We reached out to Amobee inquiring whether they utilize a search tool to review the indexed data. We received no response.
How widespread is the DataSpii leak?
Over 4 million users had these extensions. As a result, tens of thousands of companies were impacted by DataSpii. In our report, we document the impact on over 50 companies. However, even if you did not have one of the extensions, you may not be immune to the data leak. If you, or someone with whom you communicated online, had one of the invasive extensions installed on their computer, you may have been impacted by the DataSpii leak.
Through a process of responsible disclosure, we confirmed that staff at some of the largest corporations had one of the invasive extensions. In addition, we found many instances where one person was leaking the data of many. For example, if your accountant had one of the browser extensions, he/she may have unwittingly leaked the data of his/her clients.
How can I tell if I am impacted by DataSpii?
In order to stop the data collection, we recommend uninstalling the extensions immediately.
To view your extensions in Chrome, manually enter the following URL in your browser: chrome://extensions
To view your extensions in Firefox, manually enter the following URL in your browser: about:addons
If you see any of the extensions listed, we recommend removing them.
In one instance, we found that a remotely deactivated extension did not stop the collection. Once the extension is removed, the collection should cease.
However, even if you do not have one of the identified extensions, you may be indirectly impacted. If you, or someone with whom you communicate online, had one of the invasive extensions installed on their computer, you may have been impacted by the DataSpii leak.
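Checking chrome://extensions by hand works for one machine; across a fleet it helps to check the profile directory directly. The following script is an added example, not part of the DataSpii report or its IOC file. It walks a Chrome profile's Extensions directory (Chrome stores each extension as Extensions/<id>/<version>/manifest.json; the default profile locations for macOS, Linux and Windows are assumed) and reports any of the Chrome extension IDs listed in the table above. The SaveFrom.net Helper entry has no Chrome ID and is not covered. The constructed profile used for the demonstration, including its version directory names, is made up for the example.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Chrome extension IDs taken from the DataSpii table on this page. The
# Firefox-only SaveFrom.net Helper has no Chrome ID, so it is not covered.
DATASPII_EXTENSION_IDS = {
    "nonjdcjchghhkdoolnlbekcfllmednbl": "Hover Zoom",
    "pgeolalilifpodheeocdmbhehgnkkbak": "SpeakIt!",
    "gnamdgilanlgeeljfnckhboobddoahbl": "SuperZoom",
    "alecjlhgldihcjjcffgjalappiifdhae": "FairShare Unlock",
    "dpglnfbihebejclmfmdcbgjembbfjneo": "Branded Surveys",
    "lpjhpdcflkecpciaehfbpafflkeomcnb": "Panel Community Surveys",
}

# Chrome extension IDs are 32 characters drawn from the letters a-p.
ID_ALPHABET = set("abcdefghijklmnop")


def is_extension_id(name: str) -> bool:
    return len(name) == 32 and set(name) <= ID_ALPHABET


def chrome_extension_dirs() -> list[Path]:
    """Return every <profile>/Extensions directory under the standard Chrome
    user-data locations (assumed default paths for macOS, Linux and Windows)."""
    bases = [
        Path.home() / "Library" / "Application Support" / "Google" / "Chrome",
        Path.home() / ".config" / "google-chrome",
    ]
    if "LOCALAPPDATA" in os.environ:
        bases.append(Path(os.environ["LOCALAPPDATA"]) / "Google" / "Chrome" / "User Data")
    found = []
    for base in bases:
        if not base.is_dir():
            continue
        for profile in base.iterdir():
            ext_dir = profile / "Extensions"
            if ext_dir.is_dir():
                found.append(ext_dir)
    return found


def installed_extensions(ext_dir: Path) -> dict[str, list[str]]:
    """Map extension ID -> installed version directories under ext_dir."""
    found: dict[str, list[str]] = {}
    for id_dir in ext_dir.iterdir():
        if not (id_dir.is_dir() and is_extension_id(id_dir.name)):
            continue  # skips Chrome's own Temp directory and anything unexpected
        versions = sorted(v.name for v in id_dir.iterdir() if (v / "manifest.json").is_file())
        if versions:
            found[id_dir.name] = versions
    return found


def find_dataspii_extensions(ext_dir: Path) -> list[tuple[str, str, list[str]]]:
    """Return (id, name, versions) for each DataSpii-listed extension present."""
    return sorted(
        (ext_id, DATASPII_EXTENSION_IDS[ext_id], versions)
        for ext_id, versions in installed_extensions(ext_dir).items()
        if ext_id in DATASPII_EXTENSION_IDS
    )


def build_constructed_profile() -> Path:
    """Create a throwaway Extensions directory mimicking Chrome's layout, with
    one listed extension, one unrelated extension and Chrome's Temp folder.
    The version directory names are constructed, not real release numbers."""
    ext_dir = Path(tempfile.mkdtemp()) / "Extensions"
    for ext_id, version in [
        ("nonjdcjchghhkdoolnlbekcfllmednbl", "6.0.8_0"),  # Hover Zoom (listed)
        ("abcdefghijklmnopabcdefghijklmnop", "1.0_0"),    # unrelated extension
    ]:
        version_dir = ext_dir / ext_id / version
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text("{}")
    (ext_dir / "Temp").mkdir()
    return ext_dir


if __name__ == "__main__":
    # Scan real profiles when present; otherwise demonstrate on the constructed one.
    targets = chrome_extension_dirs() or [build_constructed_profile()]
    for ext_dir in targets:
        for ext_id, name, versions in find_dataspii_extensions(ext_dir):
            print(f"{ext_dir}: {name} ({ext_id}) installed, versions {', '.join(versions)}")
```

Run it as the user whose profile is being checked; for other Chromium-based browsers, add their user-data directories to `chrome_extension_dirs`. A hit means the extension directory is present, which is what the removal steps below address.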
What should I do if I am impacted?
- Remove the extensions.
- As a precaution, if you have downloaded one of the identified extensions, you may consider changing your passwords. Additionally, if you access services through an API via a URL, you may consider changing your API keys.
- For web developers, corporations, and cybersecurity professionals, we recommend removing PII, CI, and sensitive material within metadata such as URLs. We propose that companies further protect their APIs by restricting access to whitelisted IP addresses.
- We make additional recommendations in Section 4.6 of our report.
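The third recommendation above has two parts: keep secrets and PII out of URLs (which extensions, proxies and logs all see), and do not let a URL-borne API key be sufficient on its own. The code below is an added example, not from the report, showing both as reusable checks: `redact_url` strips credential-like query parameters and secret-looking path segments before a URL is logged or shared, and `client_allowed` applies the source-IP allow-list the report proposes for APIs. The parameter-name list, the path-segment pattern and all sample URLs and networks are assumptions constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry credentials or identity. This list
# is an assumed starting point for the example; extend it for your own services.
SENSITIVE_PARAMS = {
    "api_key", "apikey", "key", "token", "access_token", "auth", "sig",
    "signature", "session", "sessionid", "password", "email",
}

# Path segments that look like opaque secrets: long runs of URL-safe characters
# (share links, signed download tokens). Tune the length for your own URLs.
SECRET_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{32,}$")


def redact_url(url: str) -> tuple[str, list[str]]:
    """Return (redacted_url, findings). Sensitive query values and secret-looking
    path segments are replaced by REDACTED; findings lists what was removed."""
    parts = urlsplit(url)
    findings: list[str] = []

    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if SECRET_SEGMENT.match(seg):
            findings.append(f"path segment {i}")
            segments[i] = "REDACTED"

    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"query parameter {name}")
            value = "REDACTED"
        query.append((name, value))

    redacted = urlunsplit(
        (parts.scheme, parts.netloc, "/".join(segments), urlencode(query), parts.fragment)
    )
    return redacted, findings


def url_exposes_secret(url: str) -> bool:
    """True when the URL carries something that should not travel in a URL."""
    return bool(redact_url(url)[1])


def client_allowed(client_ip: str, allowed_networks: list[str]) -> bool:
    """Second layer for API endpoints: accept a request only from allow-listed
    source networks, so a key leaked through a URL is not usable on its own."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed_networks)


if __name__ == "__main__":
    # Constructed sample URLs; the key value is a placeholder, not a real credential.
    for sample in [
        "https://api.example.com/v1/report?user=42&api_key=PLACEHOLDERKEY&format=json",
        "https://files.example.com/share/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcd/doc.pdf",
        "https://example.com/docs?page=2",
    ]:
        clean, found = redact_url(sample)
        print(clean, found)
    print(client_allowed("10.1.2.3", ["10.1.0.0/16", "203.0.113.0/24"]))
```

Put `redact_url` in front of every sink that records URLs (access logs, crash reports, analytics), and treat any `True` from `url_exposes_secret` in a code review or CI check as a design defect to fix at the source, since an extension such as those listed here captures the URL before any server-side redaction runs.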
How can I remove the identified extensions?
In Chrome, manually enter the following URL in your browser: chrome://extensions
On the following page, click Remove next to the extension in question.
In Firefox, manually enter the following URL in your browser: about:addons
On the following page, click Remove next to the extension in question.
How can I monitor extension network activity?
In Chrome, manually enter the following URL: chrome://extensions
At the top-right of your screen, toggle “Developer mode”.
Click ‘Inspect views background page’ next to the extension in question.
Click the Network tab. Hit Command-R (Mac) or Ctrl-R (Windows) to refresh the page.
Network activity from the extension’s background page is logged there.
Do you have a list of the hostnames used in the data collection?
We have published an indicator of compromise (IOC) file to help security organizations add rules to detect and block the data leak.
You can download the file here.
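For organizations that cannot inspect every browser, the IOC hostnames can be matched against proxy or DNS logs to find which client machines have been sending data to the collection endpoints. The script below is an added example, not part of the report or its IOC file: it loads a hostname-per-line IOC list, parses a simple proxy log format, and reports each client that reached an IOC host or one of its subdomains. The hostnames and log lines are constructed placeholders (the real list is in the published file, which this page does not reproduce), and the log line format is assumed.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Placeholder IOC hostnames constructed for the example. The real list is in
# the published IOC file, which this page does not reproduce.
CONSTRUCTED_IOC_FILE = """\
# hostnames observed receiving collected browsing data (placeholders)
collector.ioc-placeholder.example
telemetry.ioc-placeholder.example
"""

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
CONSTRUCTED_PROXY_LOG = """\
2019-07-18T10:02:11Z 10.0.0.5 GET https://www.example.com/ 200
2019-07-18T10:02:12Z 10.0.0.5 POST https://collector.ioc-placeholder.example/v1/upload 200
2019-07-18T10:03:40Z 10.0.0.9 GET https://cdn.example.net/app.js 200
2019-07-18T10:04:02Z 10.0.0.9 POST https://eu.telemetry.ioc-placeholder.example/batch 204
2019-07-18T10:05:00Z 10.0.0.5 GET https://notcollector.ioc-placeholder.example/ 200
"""


def load_iocs(text: str) -> set[str]:
    """Parse a hostname-per-line IOC file; blank lines and # comments are ignored."""
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            iocs.add(line.rstrip("."))
    return iocs


def host_matches(host: str, iocs: set[str]) -> str | None:
    """Return the matching IOC if host equals it or is a subdomain of it.
    'notcollector.x' must not match 'collector.x', hence the dot check."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def parse_proxy_line(line: str) -> tuple[str, str, str] | None:
    """Return (timestamp, client_ip, host) for one line in the constructed format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    timestamp, client_ip, _method, url, _status = fields
    host = urlsplit(url).hostname
    return (timestamp, client_ip, host) if host else None


def find_leaks(log_text: str, iocs: set[str]) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client_ip, host, matched_ioc) for each line that reached
    an IOC hostname; the client IPs are the machines to check for the extensions."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        timestamp, client_ip, host = parsed
        ioc = host_matches(host, iocs)
        if ioc:
            hits.append((timestamp, client_ip, host, ioc))
    return hits


if __name__ == "__main__":
    for hit in find_leaks(CONSTRUCTED_PROXY_LOG, load_iocs(CONSTRUCTED_IOC_FILE)):
        print("possible DataSpii traffic:", *hit)
```

The subdomain test matters in both directions: a regional endpoint such as `eu.<ioc>` should match, while a lookalike such as `not<ioc>` should not, so substring matching on the hostname is not enough. The same `host_matches` logic can drive a DNS sinkhole or proxy deny rule once the real IOC file is loaded.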
Has this been exploited in the wild?
We have not heard of any reports; however, there is no way to know for sure if this has been exploited or used in the real world yet with malicious intent or for personal gain.
Who discovered DataSpii?
Sam Jadali discovered DataSpii while using a marketing intelligence service and noticed that a plethora of data was being collected. He then determined that the data in question was being collected by web browser extensions and contained PII, API keys and more. Sam is a cybersecurity and threat researcher.
What is the response to the DataSpii leak?
Google and Mozilla responded to our findings and remotely disabled the extensions identified by our report.
While Opera extensions are not affected, the Opera browser is capable of running Chrome extensions. We reported our findings to Opera’s security team and they have also remotely disabled the Chrome extensions identified by our report.
Where to find more information?
Sam is continuously researching cybersecurity practices, threats and more. He further details the extent and nature of the DataSpii leak on his website, SecurityWithSam.com.
Why is it called DataSpii?
DataSpii (pronounced data-spy) was coined for the leak’s ability to spy on an individual’s personally identifiable information (PII). The PII acronym is also interchangeable with sensitive personal information (SPI).
What Operating Systems are affected?
Any operating systems capable of running the browsers in question are affected.
Where can I find more information?
You can read the full report on SecurityWithSam.com.