Web browsers have become the equivalent of safe deposit boxes, digital spaces where we stuff our personal information and expect it to be kept safe. While the websites that harbor sensitive data generally swear that this information is private and protected, a detailed report by cybersecurity researcher Sam Jadali, explained in depth by Dan Goodin at Ars Technica, found that eight browser extensions for Google Chrome and Firefox were harvesting personal data from millions of people, unbeknownst to both them and to the makers of those browsers.
The unauthorized data collected included sensitive information, ranging from medical records, credit card information, travel itineraries, online shopping history, file attachments, GPS locations and more. Jadali, who describes the data collection as “unprecedented,” explains that it reportedly affected over 4 million people and some Fortune 500 companies. The full list of the compromised extensions are available in Jadali’s full report, titled "Dataspii."
“DataSpii is the catastrophic data leak that occurred when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users,” Jadali said in the report. “This data was then disseminated to members of an online service, where it may have been appropriated or exploited by any member.”
Unfortunately those who never downloaded any of the compromised extensions could still be at risk.
“Even if you did not have one of the extensions, you may not be immune to the data leak,” Jadali wrote. “If you or someone with whom you communicated with online had one of the invasive extensions installed on your computer, you may have been impacted by the DataSpii leak," he continued.
Jadali recommends removing the extensions right away if you have them installed, in addition to taking the following steps:
As a precaution, if you have downloaded one of the identified extensions, you may consider changing your passwords. Additionally, if you access services through an API via a URL, you may consider changing your API keys.
For web developers, corporations, and cybersecurity professionals, we recommend removing PII, CI, and sensitive material within metadata such as URLs. We propose that companies further protect their APIs by restricting access to whitelisted IP addresses.
More details on dealing with the breach are described in the full report.
How have Google and Mozilla, makers of the Chrome and Firefox browsers, respectively, responded to the discovery? According to Jadali, Google and Mozilla remotely disabled the extensions identified by the report, meaning users are no longer able to directly download them from browser-specific extension sites.
A Mozilla spokesperson told Forbes: “We are aware of the changing security landscape and as such have created a list of Recommended Extensions which are editorially vetted, security-reviewed, and monitored for safety and privacy by Mozilla.”
A Google spokesperson also sent a similar statement to Forbes.
"We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort," the spokesperson said.