DataSpii

DataSpii (pronounced data-spy) is a leak that directly compromised the private data of as many as 4 million Chrome and Firefox users via at least eight browser extensions. [1] [2] [3] The eight browser extensions included Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys. The private data included personally identifiable information (PII), corporate information (CI), and government information (GI). DataSpii impacted the Pentagon, Zoom, Bank of America, Sony, Kaiser Permanente, Apple, Facebook, Microsoft, Amazon, Symantec, FireEye, Trend Micro, Boeing, SpaceX, and Palo Alto Networks. [4] [5] Highly sensitive information (e.g., private network topology) associated with these corporations and agencies was intercepted and sent to foreign-owned entities. [6]

The data was made publicly available via Nacho Analytics (NA), a marketing intelligence company that described itself as "god mode for the internet." [7] Both paid and free-trial members of NA were given access to the leaked data. After signing up for NA membership, members accessed the data through a Google Analytics account.

DataSpii leaked un-redacted information related to medical records, tax returns, GPS location, travel itinerary, genealogy, usernames, passwords, credit cards, genetic profiles, company memos, employee tasks, API keys, proprietary source code, LAN environment, firewall access codes, proprietary secrets, operational materials, and zero-day vulnerabilities. [4]

DataSpii was discovered and elucidated by cybersecurity researcher Sam Jadali. By requesting data for a single domain via the NA service, Jadali was able to observe what staff members at thousands of companies were working on in near real-time. The NA website stated it collected data from millions of opt-in users. Jadali, along with journalists from Ars Technica and The Washington Post, interviewed impacted users, including individuals and major corporations. [1] [2] According to the interviews, the impacted users did not consent to such collection.

References

  1. Goodin, Dan (2019-07-18). "My browser, the spy: How extensions slurped up browsing histories from 4M users". Ars Technica. Retrieved 2020-07-28.
  2. Fowler, Geoffrey (2019-07-18). "Perspective: I found your data. It's for sale". Washington Post. Archived from the original on 2019-07-18. Retrieved 2020-07-28.
  3. O'Flaherty, Kate (2019-07-19). "Data Leak Warning Issued To Millions Of Google Chrome And Firefox Users". Forbes. Archived from the original on 2019-07-19. Retrieved 2020-07-28.
  4. Jadali, Sam (2019-07-18). "DataSpii - A global catastrophic data leak via browser extensions". Security with Sam. Archived from the original on 2019-07-18. Retrieved 2020-07-28.
  5. Sam Jadali [@sam_jadali] (5 December 2019). "Multibillion dollar cybersecurity companies leaked client data including government (Pentagon) and corporate data (BofA, AT&T, Novartis, Orange, and KP) in the #DataSpii browser extension leak. See attached for heavily redacted screenshot" (Tweet) via Twitter.
  6. Goodin, Dan (2019-07-18). "More on DataSpii: How extensions hide their data grabs—and how they're discovered". Ars Technica. Retrieved 2020-07-28.
  7. Dreyfuss, Emily (2019-07-20). "Browser Extensions Scraped Data From Millions of People". Wired. ISSN 1059-1028. Retrieved 2020-07-28.