SecureMac, Inc.

The DataSpii Privacy Disaster: How Browser Extensions Resulted in a Huge Sensitive Data Leak

August 3, 2019

If you use Google Chrome or Mozilla Firefox as your go-to web browser, and you regularly make use of browser extensions, then some of your browsing data may have been compromised. According to a detailed Ars Technica report on the matter—which is being referred to as “DataSpii”—more than four million users have likely been affected.

The fault lies with eight different browser extensions, meant for everything from getting past paywalls to zooming in on web content. The way these extensions were set up allowed them to access and collect a wide range of web browser data, including “URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the user visited.” Said another way, the extensions were saving a hidden record of each user’s web history. 

These web histories were later published to the internet by the website Nacho Analytics. Nacho Analytics is a fee-based site that claims to allow a user to “See Anyone’s Analytics Account.” The site is supposedly intended to help users “gather marketing-focused insights” about sites or companies that are not their own.

Nacho Analytics, in publishing this information, unwittingly exposed vast quantities of sensitive data, belonging to both individuals and corporations. Companies affected include Apple, Amazon, Walmart, and Tesla. Sensitive data that may have been part of the leak consists of surveillance videos from Nest and other similar security companies, tax returns prepared using browser tools such as Intuit.com, private Facebook photos, personal medical information, travel itineraries, and more.

To protect themselves from this privacy leak, users should delete the offending browser extensions immediately. These tools include the following:

  • Branded Surveys (Chrome)
  • Fairshare Unlock (Chrome and Firefox)
  • Hover Zoom (Chrome)
  • Panel Community Surveys (Chrome)
  • PanelMeasurement (Chrome)
  • SaveFrom.net (Firefox)
  • SpeakIt! (Chrome)
  • Super Zoom (Chrome and Firefox)

In addition to removing these extensions, users and companies should also be more hesitant to trust browser extensions in the future. These powerful tools are often useful for tasks such as blocking ads. However, they can also access and collect browser data in ways that are difficult to see and even harder to understand. Doing your own research into extensions to determine how they work—and to learn about how the developers behind them plan to protect consumers—is as important as researching any other type of software.
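
One way to check a Chrome profile for the extensions listed above, and to see what each installed extension is permitted to access, is the following Python script. It is an added example, not code from the article or from any vendor; the function names and sample data are constructed for illustration. It assumes that matching on exact display name is sufficient (the article gives no extension IDs) and does not cover Firefox profiles.

```python
import json
import tempfile
from pathlib import Path

# Names from the article's list; matching on display name is this example's assumption.
FLAGGED = {"branded surveys", "fairshare unlock", "hover zoom", "panel community surveys",
           "panelmeasurement", "savefrom.net", "speakit!", "super zoom"}

def load_json(path):
    try:
        return json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):  # unreadable or malformed file
        return {}

def display_name(version_dir, manifest):
    """Resolve the name, following a localized __MSG_key__ placeholder if present."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        messages = load_json(version_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower():
                return entry.get("message", name)
    return name

def audit_chrome_extensions(extensions_root):
    """Yield (id, name, flagged, permissions) per <id>/<version>/manifest.json."""
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = load_json(path)
        name = display_name(path.parent, manifest)
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        yield path.parts[-3], name, name.strip().lower() in FLAGGED, sorted(map(str, perms))

def build_sample(root):
    """Constructed sample data: two made-up extensions in Chrome's on-disk layout."""
    files = {
        "a" * 32 + "/1.0_0/manifest.json": {"name": "__MSG_appName__", "default_locale": "en",
                                            "permissions": ["tabs", "<all_urls>"]},
        "a" * 32 + "/1.0_0/_locales/en/messages.json": {"appName": {"message": "Hover Zoom"}},
        "b" * 32 + "/2.1_0/manifest.json": {"name": "Example Notes", "permissions": ["storage"]},
    }
    for rel, content in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(json.dumps(content), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_chrome_extensions(build_sample(tmp)), sep="\n")
```

To audit a real profile, pass the profile's `Extensions` directory to `audit_chrome_extensions`; on macOS the default Chrome profile keeps it at `~/Library/Application Support/Google/Chrome/Default/Extensions`.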

As for Nacho Analytics, the company has stated that “no legitimate customer” accessed the leaked information and that no private, personal, or sensitive information was disclosed. The service is investigating the matter and has halted new sign-ups in the meantime.
