yigido

Add-on companies are selling the browsing history of millions of users to third parties according to a report that aired on German national TV.

Reporters of Panorama managed to gain access to a large data collection that contained the browsing history of roughly 3 million German Internet users.

The data was collected by companies that produce browser extensions for various popular browsers such as Chrome and Firefox.

Panorama did mention only one add-on, Web of Trust or WoT, but did not fail to mention that the data was collected by multiple browser extensions.

Browser extensions that run when the web browser runs may record any move a user makes depending on how they are designed.



Some, like Web of Trust, provide users with a service that requires access to every site visited in the browser. The extension is designed to offer security and privacy guidance for sites visited in the browser.

The data that Panorama bought from brokers contained more than ten billion web addresses. The data was not fully anonymized, as the team managed to identify people in various ways.

The web address, URL, for instance revealed user IDs, emails or names for instance. This was the case for PayPal (email), for Skype (user name) or an online check-in of an airline.

What's particularly worrying is that the information did not stop there. It managed to uncover information about police investigations, the sexual preferences of a judge, internal financial information of companies, and searches for drugs, prostitutes, or diseases.

Links may lead to private storage spaces on the Internet that, when improperly secured, may give anyone with knowledge of the URL access to the data.

It is trivial to search the data for online storage services for instance to reveal those locations and check whether they are publicly accessible.

Panorama reports that Web of Trust logs collected information such as time and date, location, web address and user ID. The information is sold to third parties who may sell the data again to interested companies.

WOT notes on its website that it hands over data to third parties but only in anonymized form. The team of reporters managed to identify several user accounts, however, which suggests that the anonymization does not work as intended.

The extension has been downloaded over 140 million times. While the data set that the researchers bought included only German user information, it is likely that data sets are available for users from other regions of the world.
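
The report's point that URLs themselves carry identities can be checked against what an extension would send before it leaves the browser. The following is an added example, not part of the original post and not Web of Trust's code: it flags URLs that visibly contain an identifier and reduces each URL to scheme and host, assuming a site-reputation lookup needs nothing more. The hostnames, sample URLs, function names and the `ID_PARAMS` list are constructed for illustration.

```javascript
// Added example. Hostnames and URLs below are constructed samples;
// function names and the ID_PARAMS list are assumptions.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const ID_PARAMS = new Set(["email", "user", "username", "userid", "uid", "login"]);

// Decode a URL component, falling back to the raw text if it is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Pattern-based check: report where a URL visibly carries an identifier.
function findIdentifiers(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  for (const segment of url.pathname.split("/")) {
    if (EMAIL_RE.test(safeDecode(segment))) findings.push({ where: "path", kind: "email" });
  }
  for (const [key, value] of url.searchParams) {
    if (EMAIL_RE.test(value)) findings.push({ where: `query:${key}`, kind: "email" });
    else if (ID_PARAMS.has(key.toLowerCase())) findings.push({ where: `query:${key}`, kind: "id-param" });
  }
  return findings;
}

// Data minimisation: keep scheme and host only, drop path, query and fragment.
function minimise(rawUrl) {
  const url = new URL(rawUrl);
  return `${url.protocol}//${url.host}/`;
}

const SAMPLE_URLS = [
  "https://pay.example/send?email=alice%40example.org&amount=10",
  "https://air.example/checkin/carol@example.org/seat",
  "https://chat.example/profile/bob.smith?ref=home",   // user name in path
  "https://storage.example/s/3f9c2a7e/report.pdf",     // unguessable share link
];

// For each URL: did the pattern check catch anything, and what would be sent instead.
function audit(urls) {
  return urls.map((u) => ({
    flagged: findIdentifiers(u).length > 0,
    minimised: minimise(u),
  }));
}

for (const row of audit(SAMPLE_URLS)) console.log(row);
```

The pattern check misses the user name in the path and the private share link, which is why dropping everything after the host is the more reliable control than trying to scrub identifiers from full URLs.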
 

Azure

Why are you so surprised :) Even Google Safebrowsing does a similar thing by default ;)
Does Google Safebrowsing have the same "problem" as this?

"The data was not fully anonymized, as the team managed to identify people in various ways.

The web address, URL, for instance revealed user IDs, emails or names for instance. This was the case for PayPal (email), for Skype (user name) or an online check-in of an airline."
 
yigido

Does Google Safebrowsing have the same "problem" as this?

"The data was not fully anonymized, as the team managed to identify people in various ways.

The web address, URL, for instance revealed user IDs, emails or names for instance. This was the case for PayPal (email), for Skype (user name) or an online check-in of an airline."
I didn't say same... I just said similar ;)
Even Web of Trust did this lol... how can we believe Google (an advertisement company)?
 

cruelsister

This is nothing new at all. Extensions are just about the worst things ever. In addition to essentially making the extension author a partner in your day-to-day cyber life, you can never be sure exactly who the current author is or what the motivation is for the extension's current availability.

For example, just say that someone makes an extension that displays some pornographic picture when something is downloaded (you guys would just FLOCK to that one). When it gets popular the original author will get an offer to sell it, and along with the extension will be sold a valid certificate. Now the new owners can re-code the extension with nasty stuff and actually reuse the certificate so the new extension will show up as trusted.

Then there is always stuff like this:

In short, I hate extensions and so should you.