Security researchers have discovered eight Chrome and Firefox extensions that leak user data, including personally identifiable information (PII) and corporate information (CI).
Referred to as
DataSpii (pronounced data-spy), the leak was detected within the internal network environments of several Fortune 500 companies and resulted in browsing activity being sent to a service that would sell it to subscription members in near real-time, according to the "Security with Sam" blog.
Personal and corporate data accessible via said online service includes personal interests, tax returns, GPS location, travel itineraries, gender, genealogy, usernames, passwords, credit card information, genetic profiles,company memos, employee tasks, API keys, proprietary source code, LAN environment data, firewall access codes, proprietary secrets, operational material, and zero-day vulnerabilities.
The eight extensions found to engage in said behavior had a total user count of millions. They, however, state in either their terms of service, privacy policies, or descriptions that they may collect user data, either personally or non-personally identifiable.
The offending extensions include Hover Zoom (800,000 Chrome users), SpeakIt! (1.4 million Chrome users), SuperZoom (329,000 Chrome and Firefox users), SaveFrom.net Helper (around 140,000 Firefox users), FairShare Unlock (1 million Chrome and Firefox users), PanelMeasurement (500,000 Chrome users), Branded Surveys (8 Chrome users), and Panel Community Surveys (1 Chrome user).
securitywithsam.com
