Web User - UK (2019-08-07)

(Antfer) #1
Need to Know

7 - 20 August 2019


What happened?

Security experts have warned that extensions for the Google Chrome and Mozilla Firefox browsers may be snooping on your data. Researcher Sam Jadali uncovered the DataSpii leak (bit.ly/dataspii481), in which eight browser extensions used by millions of people were found hoovering up data, including details of the web pages they visited, and their usernames and passwords.

Web page URLs may not sound like much of a security breach, but their interception can be serious. Plenty of Google Docs and shared folders have no protection, so anyone with a link can access them. As Jadali explained, someone might share a Microsoft OneDrive folder with their accountant using a link, for example. If hackers intercept the link, they can open an account at Office 365 and access the folder and documents – a serious problem if the documents include tax returns, invoices or other sensitive files.

Information gathered in this way was bundled up by the attackers and sold online to whoever wanted it, Jadali said. Mozilla and Google have removed the offending extensions from their stores and disabled the snooping functions. It’s unclear how many of the four million people who installed the extensions were actually targeted by the attackers.


How will it affect you?

Sam Jadali spotted eight problematic extensions: Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys.

If you’re one of at least four million people who installed a rogue add-on, the first step is to uninstall it. However, you could be affected even if you didn’t install one but communicated with someone who did. In that case, there’s little you can do. If you’re worried that a login has been leaked, it’s worth changing your passwords, but unless a friend or family member specifically tells you they used a suspect add-on, there’s no need to panic, because the researchers contacted those affected.

Both Google and Mozilla have disabled the data-snooping functions in the extensions and banned them from their add-on stores. However, Jadali said that data is still leaking from the extensions, so make sure you take the time to uninstall them completely.

In general, it’s best to install only extensions you know from sources you trust – as you would with apps on your phone. If you want to check that an extension won’t snoop on you, install a tool called Chrome Extension Source Viewer (bit.ly/chrome481). Then, when browsing for extensions, click the viewer’s toolbar button while on an add-on’s Chrome Web Store page. Click to “view source”, find the “manifest.json” file and look for an “unsafe-eval” policy. This indicates that the extension can execute remote code, which is a serious security risk.

If that all sounds too complicated, try running any Chrome extension through Duo Labs’ security checker, CRXcavator (crxcavator.io). Submit the extension’s ID number – the long string of letters at the end of its URL – and you’ll receive a report revealing any security concerns.
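The manual manifest.json check described above can be scripted. The following is an added example written for this article, not code from Web User, Sam Jadali, Chrome Extension Source Viewer or CRXcavator. It parses an extension manifest and flags the “unsafe-eval” policy the article tells you to look for, and goes slightly further by also flagging the permission combinations that would let an extension see every URL you visit, which is what the DataSpii extensions were harvesting. Chrome’s default extension policy is `script-src 'self'; object-src 'self'`, so 'unsafe-eval' only appears if the developer added it deliberately. The two manifests embedded here are constructed samples, not real extensions; the `content_security_policy` key is a string in Manifest V2 and an object (with an `extension_pages` entry) in Manifest V3, and the code handles both.

```python
import json

# Constructed sample manifests for demonstration only (not real extensions).
RISKY_MANIFEST = """
{
  "manifest_version": 2,
  "name": "Example Zoom Helper",
  "version": "1.0",
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
  "permissions": ["tabs", "webRequest", "<all_urls>", "storage"]
}
"""

SAFE_MANIFEST = """
{
  "manifest_version": 3,
  "name": "Example Notes",
  "version": "2.0",
  "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"},
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"]
}
"""

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe browsing activity
# (tab URLs, network requests, navigation, history, cookies).
SENSITIVE_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking",
    "webNavigation", "history", "cookies",
}


def extract_csp(manifest):
    """Return the extension's content security policy as one string.

    Manifest V2 stores it as a string; Manifest V3 stores an object whose
    values (e.g. "extension_pages") are policy strings.
    """
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        return " ".join(str(value) for value in csp.values())
    return str(csp)


def review_manifest(manifest_text):
    """Return a list of human-readable findings for a manifest.json text.

    An empty list means none of the checked risk indicators were present;
    it does not prove the extension is safe.
    """
    manifest = json.loads(manifest_text)
    findings = []

    # The check from the article: 'unsafe-eval' lets the extension run
    # code assembled at runtime, e.g. fetched from a remote server.
    if "'unsafe-eval'" in extract_csp(manifest):
        findings.append("csp allows unsafe-eval (dynamic/remote code execution)")

    # Host access: MV2 mixes host patterns into "permissions",
    # MV3 moves them to "host_permissions"; merge both.
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))

    broad = perms & BROAD_HOSTS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))

    sensitive = perms & SENSITIVE_PERMISSIONS
    if sensitive:
        findings.append("can observe browsing: " + ", ".join(sorted(sensitive)))

    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_MANIFEST), ("safe", SAFE_MANIFEST)):
        print(label, "->", review_manifest(text) or ["no findings"])
```

Run it against a manifest.json exported from the source viewer (`review_manifest(open("manifest.json").read())`). Treat the output as a prompt for closer inspection rather than a verdict: legitimate extensions sometimes need broad host access, but an add-on that combines 'unsafe-eval' with `<all_urls>` and `webRequest` can both see every page you load and change its own behaviour after installation, which is exactly the combination a store review cannot rule out.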

What do we think?

Your browser is at the centre of your web use, so it’s essential that it’s safe, secure and private. Many extensions are handy tools that bring convenience, and some even enhance your security, but never forget that they have a privileged position in your browser. It can be hard to tell whether an extension is behaving as it should, so think twice before you install them, and ensure you get them only from reputable sources, such as the Chrome Web Store. Avoid installing extensions you don’t really need, and help friends and family members who use extensions to manage and delete any they don’t use.

Google and Mozilla need to do a better job of monitoring these tools and flagging up potential problems without users having to rely on third-party security checkers or independent researchers such as Jadali. If we can’t trust browser extensions, what’s the point of them?

Millions at risk from malicious browser extensions

Chrome Extension Source Viewer lets you inspect extensions before you install them
