A security researcher revealed that some Google Chrome extensions, like HoverZoom, collected your browsing history, including, in some cases, the full URLs you visited. That data was then sold for a fee through a company called Nacho Analytics, potentially revealing personal information.
Sam Jadali, a security researcher and founder of Internet hosting service Host Duplex, noticed something surprising. A company called Nacho Analytics had published a series of links that listed one of his client domains. Those URLs led to private forum conversations, and only the senders and recipients should have had those links and the necessary credentials to access the discussions.
When he investigated how Nacho Analytics acquired the URLs, he discovered the culprit was the very extensions users were installing in their browsers. Extensions like HoverZoom, which expands images, require access to the full webpage you browse to accomplish their function. But buried in its privacy policy is the statement that it can and will collect your browsing data and share it with third parties for advertising purposes. Jadali discovered several other extensions with similar access and privacy policies.
Many (if not most) people don’t read privacy policies at all, so they may not be aware of the extent to which a browser extension can track them. While mere browsing history might not seem like a major privacy violation at first blush, some URLs lead to private and personal information without the need to enter a password.
When Jadali investigated further, he found Nacho Analytics published links to home and business surveillance videos from Nest and other security camera providers; tax returns and business documents hosted on OneDrive, Intuit, and other online services; Facebook messenger attachments and private Facebook photos; and other private data.
For its part, Nacho Analytics stresses that collecting and publishing this data isn’t illegal, which is true. The company also downplayed the severity of the problem. The CEO of the company, Mike Roberts, told Ars Technica:
Those pages are available. It’s just that you didn’t know how to discover them. This is just something that you’re now able to see that you weren’t able to see before. But we’re not creating a loophole. There’s no backdoor or anything. We’re just showing links that you didn’t know about before and maybe weren’t indexed, but they do exist…
Google is investigating and has already removed some offending extensions. But this extensive report does illustrate that you should look closely at extensions before installing them, including what data you’re giving them access to and what their privacy policies say they can do with that data. [Ars Technica]
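The point above, that an extension with full-page access (or a URL-exposing API permission) can see every URL you visit, is something you can check for yourself. The following is an added example, not code from the article or from any of the extensions it names: it reads a Chrome extension's manifest.json and flags broad host patterns and permissions that expose visited URLs. The sample manifest is constructed for illustration and is not HoverZoom's real manifest.

```python
import json
from pathlib import Path

# Host-permission patterns that grant an extension access to every page you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that reveal visited URLs even without injecting into the page.
URL_EXPOSING = {"tabs", "history", "webNavigation", "webRequest"}


def audit_manifest(manifest: dict) -> dict:
    """Return the broad host patterns and URL-exposing permissions a manifest requests.

    Handles Manifest V2 (host patterns mixed into "permissions") and
    Manifest V3 ("host_permissions"), plus content_scripts "matches".
    """
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    # In V2, host patterns live alongside API permissions; split them out.
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    return {
        "name": manifest.get("name", "?"),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
        "url_exposing": sorted(perms & URL_EXPOSING),
    }


def audit_profile(ext_root: Path) -> list:
    """Audit every manifest.json under a Chrome profile's Extensions directory.

    ext_root is the profile's Extensions folder (location varies by OS).
    """
    return [audit_manifest(json.loads(p.read_text(encoding="utf-8")))
            for p in sorted(ext_root.rglob("manifest.json"))]


# Constructed sample manifest for an image-zoom style extension (hypothetical).
SAMPLE_MANIFEST = {
    "name": "SampleZoom",
    "manifest_version": 2,
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["zoom.js"]}],
}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

An extension that legitimately needs full-page access will show up here too; the report is a prompt to read its privacy policy, not proof of data sale.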
In Other News:
- Vienna’s Driverless Bus parked after hitting someone: In Vienna, Austria a self-driving bus trial is on hold after the bus collided with a pedestrian. The bus was traveling 7.5 miles per hour, and just clipped the person, so everyone is okay. But Navya, the startup behind the bus, wants to investigate thoroughly for the safety of everyone. Self-driving is hard. [The Verge]
- Southwest Airlines gave free Nintendo Switches to passengers: A Nintendo rep had a surprise for passengers on a Southwest Airlines flight to San Diego. Free Switches (with Mario Maker 2) for everyone. Bonus points if they yelled, “And you get a Switch, and you get a Switch…” [Digital Trends]
- Plants vs Zombies 3 is in development: Six years after Plants vs. Zombies 2 dropped, a new sequel is in development. Better yet, you can try an early pre-alpha now on Android. But spots are limited so jump in now if you want to play. [Engadget]
- Google Stadia Controller won’t support Bluetooth headphones to start: Anyone hoping to game quietly on Google’s Stadia service will have to use wired headphones. Andrey Doronichev, Director of Product for Stadia, explained in an AMA that the controller wouldn’t support Bluetooth audio on day one. An update down the road will add the feature. Until then, at least it has a headphone jack. [9to5Google]