Google, Firefox Browser Extensions Expose Data of 4 Million People

Experts say consumers should be cautious in downloading browser extensions, and delete ones they no longer need

By Thomas Germain

Updated July 19, 2019

Eight widely used browser extensions have been caught harvesting data from an estimated 4 million consumers who use the web browsers Chrome and Firefox.

The extensions collected a host of information that wasn’t authorized by either browser, exposing not only complete browsing histories but also access to files such as tax returns, medical records, credit card information, and other highly sensitive data, according to a report by Sam Jadali, an independent researcher who discovered the problem.

This data was then shared with the data broker Nacho Analytics, where it could be purchased for as little as $10 to $50, according to Jadali, whose report was first described in Ars Technica.

“I didn’t believe it at first,” Jadali says. He was able to see such sensitive information as people’s medical prescriptions, personal financial data, and travel itineraries.

Browser extensions—also known as plug-ins or add-ons—are small apps that consumers can install to run alongside their browser for additional functionality.

According to Jadali, the extensions included apps with hundreds of thousands to millions of users, including FairShare Unlock, HoverZoom, and SpeakIt, along with some extensions with just a handful of users. His report, titled DataSpii, has the full list.

All the extensions have been remotely removed from or disabled in consumers’ browsers and are no longer available for download, according to representatives from Google and Mozilla, the organization that operates Firefox. Both companies say the practices described in Jadali’s report violate their policies.

No other browsers were apparently affected, Jadali says.

The extensions collected user data by capturing the title and URL, or web address, for every page a user visited or clicked on—including those that aren’t typically accessible to the public.

“When people share documents, they often send each other unique URLs,” Jadali says.“People assume those URLs are safe, but they’re often accessible to anyone who has the link.”

And, Jadali says, even the titles of files and web pages can be very revealing. “For example, I could instantly see what employees across thousands of companies were working on in real time,” he says.

People who didn’t download the extensions may still have been affected.

“Nobody is immune to this,” Jadali says. “Even if you don’t have any harmful extensions, the other people you interact with may have an extension on their computers that could be leaking the data you share with them.”

A note on the Nacho Analytics website says: “We understand that an individual exploited our tool specifically to seek out security flaws in less-secure websites. Nacho Analytics was created to gather marketing-focused insights, so the websites that this user viewed were unusual for any business case.

“No legitimate Nacho Analytics customer accessed these websites or their analytics data,” the note adds. “However, in an abundance of caution, we are halting all access to any potentially sensitive data. . . . We are actively looking into additional information regarding this matter. In the meantime, we are not accepting new sign-ups on Nacho Analytics.”

Nacho Analytics did not respond to a request for further comment.

Jadali examined only these eight extensions and Nacho Analytics, but security experts say the issue could be widespread.

“The problem is the makers of browsers aren’t doing enough to protect consumers,” says Casey Oppenheim, co-founder of data security firm Disconnect, which operates a widely used browser extension of its own. “Companies like Google absolutely have the resources to review the information that every app is collecting and sharing.”

A Google spokesperson says: “We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort. Recently, we announced technical changes to how extensions work that will mitigate or prevent this behavior, and new policies that improve user privacy.”

A Mozilla spokesperson had this response: “When Mozilla becomes aware of add-ons, plug-ins, or other third-party software that seriously compromise Firefox security, stability, or performance and meets certain criteria, the software may be blocked from general use. We are aware of the changing security landscape and as such have created a list of ‘Recommended Extensions,’ which are editorially vetted, security-reviewed, and monitored for safety and privacy by Mozilla.”

Browser extensions are similar to mobile apps in their ability to collect lots of personal data. However, phones provide detailed settings that allow consumers to grant or withdraw access to information, from GPS data to contact lists, privacy experts say.

“Tech companies should take significant steps to outlaw the practice of letting developers track you across the web, but at the very least, consumers should have more granular permission controls in their browsers,” says Katie McInnis, policy counsel at Consumer Reports.

How to Protect Yourself

The eight extensions Jadali reviewed may no longer pose a threat, but security experts say it’s a good idea to review all your browser extensions. “The burden is on consumers to ensure their extensions aren’t putting them at risk,” Oppenheim says. “If you have any extensions or apps that you don’t use and aren’t getting real value out of, uninstall them immediately.”

There may be extensions you can’t part with. Oppenheim recommends that consumers deal only with apps developed by companies that you trust and are familiar with. (Consumer Reports offers its own browser extension, which shows CR ratings and recommendations to members when they shop on certain retail sites.)

Mozilla maintains a list of recommended extensions.

Here’s how to delete browser extensions you’ve installed in the past. These instructions are for a computer, but the steps are similar on a smartphone.

To remove extensions in Chrome: Click the three dots in the top right corner > More Tools > Extensions > Click “Remove” on any extension you want to delete > Remove.

To remove extensions in Firefox: Click the menu with three horizontal lines in the top right corner > Add-ons > Extensions > Click “Remove” on any extension you want to delete.

To remove extensions in Safari: Click “Safari” from the menu bar at the top of your screen > Preferences > Extensions > Click “Uninstall” on any extension you want to delete.

To remove extensions in Internet Explorer: Click the three dots in the top right corner > Extensions > Click the gear icon next to any extension you want to delete > Uninstall > OK.

Correction: An earlier version of this article said that Sam Jadali's findings were first cited in a Washington Post article. The material appeared earlier in Ars Technica.

Thomas Germain

Thomas Germain was previously a technology reporter at Consumer Reports, covering several product categories and reporting on digital privacy and security issues. He investigated the sharing of sensitive personal data by health-related websites and the prevalence of dark patterns online, among other topics. During his tenure, Germain’s work was cited in multiple actions by the Federal Trade Commission.