When we use browsers to schedule medical appointments, exchange tax returns with accountants, or access company intranets, we usually rely on the pages we visit remaining private. DataSpii, a newly identified privacy issue in which millions of users have had their browsing histories collected and exposed, shows how much of us is betrayed when that assumption is turned upside down.
DataSpii begins with browser extensions that are available primarily for Chrome and, in a few cases, for Firefox as well. 4.1
Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not password protected at all; the only thing guarding them is a hard-to-guess sequence of characters (a token) included in the URL. Anyone holding the published link could therefore access the content of those pages. (Security practitioners have long advised against publishing confidential information at URLs that are not password protected, but the practice remains widespread.)
According to the researcher who discovered this issue and later documented it in detail, the non-stop flow of sensitive data over the past seven months has led to the publication of links to:
- Home and business video surveillance videos hosted in Nest and other security services
- Tax returns, invoices, business documents, and presentation slides sent to or hosted on Microsoft OneDrive, Intuit.com, and other online services
- Vehicle identification numbers of recently purchased automobiles, along with the names and addresses of the buyers
- Patient names, the doctors they visited, and other details listed by DrChrono, a patient-care cloud platform that has contracts with medical services
- Travel itineraries hosted on Priceline, Booking.com, and airline websites
- Facebook Messenger attachments and Facebook photos, even when the photos were marked private
In other cases, the published URLs did not open a page unless the person following them provided an account password or had access to the private network where the content was hosted. But even in those cases, the combination of the full URL and the corresponding page title sometimes revealed confidential internal information. DataSpii is known to have affected 50 companies, but that number was limited only by the time and money required to find more. Examples:
- URLs pointing to teslamotors.com subdomains that are not reachable from the public Internet. Combined with the corresponding page titles, these URLs showed that employees had fixed a "pump motor installation error," a "Raven Front Drivetrain Vibration," and other issues. Sometimes the URLs or page titles contained vehicle identification numbers of specific cars that were experiencing problems, or discussed Tesla products or features that had not yet been released. (See image below.)
- Internal URLs for the pharmaceutical companies Amgen, Merck, Pfizer, and Roche; healthcare providers AthenaHealth and Epic Systems; and security companies FireEye, Symantec, Palo Alto Networks, and Trend Micro. Like Tesla's internal URLs, these links routinely revealed internal development or product details. The page title for one Apple subdomain was: "Problem updating fields [REDACTED] and [REDACTED] in response to the story and collection update APIs of [REDACTED]."
- URLs for JIRA, Atlassian's project management service, showed Blue Origin, Jeff Bezos' aerospace and suborbital spaceflight company, discussing a competitor and the failure of speed sensors, calibration devices, and distributors. Other JIRA customers included security company FireEye, Buzzfeed, NBCdigital, AlienVault, CardinalHealth, TMobile, Reddit, and UnderArmour.
This is clearly not good. But how did it happen?
The Data Spy
The term DataSpii was coined by Sam Jadali, the researcher who discovered the browser-extension privacy issue – or more specifically . Jadali intended the DataSpii name to capture the invisible collection of both corporate data and personal data (PII). (For more technical details about DataSpii, click here.)
As the founder of the Internet hosting service Host Duplex, Jadali first came across Nacho Analytics at the end of last year, when it published a series of links that featured one of his clients' domains. Jadali said he was concerned because the URLs led to private forum discussions, and only the senders and recipients of the links knew about the URLs or had the credentials needed to access the discussions. How had they ended up on Nacho Analytics?
Jadali suspected the links came from one or more extensions installed in the browsers of the people who viewed those specific URLs. He forensically tested more than 200 different extensions, including one called Hover Zoom, and found several that uploaded a user's browsing behavior to developer-designated servers. But none of the extensions sent the specific links that Nacho Analytics later published.
Still curious about how Nacho Analytics obtained the URLs from his client's domain, Jadali tracked down three people who originally had access to the published links. He correlated the timestamps published by Nacho Analytics with the timestamps in his own server logs, which recorded traffic to the client's domain. That gave Jadali his first clue that he was on to something: two of the three users said they had viewed the leaked forum pages with a browser running Hover Zoom.
Web searches like this one turned up earlier reports of the extension collecting data. Jadali, who suspected Hover Zoom might be doing it again, set about testing the extension more rigorously.
He reinstalled Windows and Chrome and then used the Burp Suite security tool and the FoxyProxy Chrome extension to watch how Hover Zoom behaved. This time he was patient, even though at first he found no sign of data collection. Then, he said, after more than three weeks of dormancy, the extension uploaded its first batch of visited URLs. Within hours, the visited links pointing to Jadali-controlled domains were published on Nacho Analytics. Soon after, each URL was fetched by a third party, which frequently downloaded the page content.
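The method described in the two paragraphs above (a clean profile, unique URLs under a domain whose logs the tester controls, then matching the published feed back to the visit timestamps) can be reduced to a small script. The following is an added example, not Jadali's tooling: it generates canary URLs whose path tokens cannot be guessed, tags each with the browser profile it was visited from (one extension under test per profile), and reports which canaries reappeared in a published list and how long after the visit. CANARY_HOST, the profile names and the log entries are constructed for the example.

```python
"""Added example, not the researcher's own tooling: seed a clean browser
profile with canary URLs whose path tokens cannot be guessed, then match a
scraped list of published URLs back to the canary host's access log and
measure the lag between the visit and its publication. CANARY_HOST, the
profile names and the log entries below are constructed for the example."""
import secrets
from datetime import datetime, timedelta

CANARY_HOST = "canary.example"  # assumed: a domain the tester controls and logs
CANARY_PREFIX = f"https://{CANARY_HOST}/"


def new_canary_url(profile: str) -> str:
    """One unguessable URL per visit. The profile segment names the browser
    profile (one extension under test per profile) so a leak is attributable."""
    return f"{CANARY_PREFIX}{profile}/{secrets.token_urlsafe(24)}"


def match_published(visits, published):
    """visits: [(datetime, url)] taken from the canary host's access log.
    published: [(datetime, url)] scraped from the third-party feed.
    Returns [(profile, token, lag)] for each canary that reappeared,
    in the order it was published. A published URL that predates the
    first visit cannot have come from that visit and is ignored."""
    first_seen = {}
    for ts, url in visits:
        if url.startswith(CANARY_PREFIX):
            first_seen.setdefault(url, ts)  # keep the earliest visit
    hits = []
    for pub_ts, pub_url in published:
        base = pub_url.split("?", 1)[0].rstrip("/")  # feed may append tracking params
        if base in first_seen and pub_ts >= first_seen[base]:
            profile, token = base.rsplit("/", 2)[1:]
            hits.append((profile, token, pub_ts - first_seen[base]))
    return hits


def demo_run():
    """Constructed walk-through: two profiles are seeded, only one leaks,
    and the leaked canary shows up in the feed three hours later."""
    t0 = datetime(2019, 3, 1, 12, 0)
    hz = new_canary_url("hoverzoom")
    ctl = new_canary_url("control")
    visits = [(t0, hz), (t0, ctl), (t0, "https://unrelated.example/")]
    published = [(t0 + timedelta(hours=3), hz + "?ref=feed")]
    return match_published(visits, published)


if __name__ == "__main__":
    for profile, token, lag in demo_run():
        print(f"{profile}: canary {token[:8]}... published {lag} after the visit")
```

Because every token is generated with 24 bytes of randomness, a canary appearing anywhere outside the test machine is evidence of exfiltration rather than of a guess or an index crawl, and the profile segment says which extension was installed when it was visited.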
Jadali eventually also tested Firefox extensions and set up test machines running both macOS and Ubuntu. Extensions he later found feeding Nacho Analytics include:
- Fairshare Unlock, a Chrome extension offering free access to premium content. (The same browser data is collected by a Firefox version of the extension available here.)
- SpeakIt!, a text-to-speech extension for Chrome.
- Hover Zoom, a Chrome extension to enlarge images.
- PanelMeasurement, a Chrome extension for finding market research surveys.
- Super Zoom, another image extension for Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-on stores in February or March after Jadali reported its data collection. Even after that removal, the extension was still recording browsing behavior on the researcher's lab computer weeks later.
- SaveFrom.net Helper, a Firefox extension that makes it easier to download files from the Internet. Jadali observed the data collection only in a version of the extension downloaded from the developer. He did not observe the behavior in the version that was previously available in the Mozilla add-on store.
- Branded Surveys, which offers the chance to earn cash and other prizes for completing online surveys.
- Panel Community Surveys, another app that provides rewards for answering online surveys.
While Jadali can't be certain how Nacho Analytics obtained URLs for sites that can only be accessed by people authorized by companies such as Apple, Tesla, Blue Origin, and Symantec, the most likely explanation is that one or more of them had a browser with an affected extension. Jadali has confirmed with four affected companies that employees did in fact install one or more of the extensions. Palo Alto Networks also confirmed to Ars that browsers on its network used an affected extension. All five companies have now removed the extensions. Google has also removed the six extensions from its Chrome Web Store, citing violations of its terms of service.
Ars contacted a small selection of the affected companies, including Apple, Symantec, FireEye, Palo Alto Networks, Trend Micro, Tesla, and Blue Origin. Symantec, Trend Micro, and Palo Alto Networks were the only ones to comment.
Symantec's statement said: "We want to thank the researcher for bringing this issue to our attention and sharing his findings, and we have taken immediate action to remedy this problem." Trend Micro officials said: "Trend Micro appreciates this and has resolved the problem." A Palo Alto Networks representative wrote: "The day we were informed about the problem, Palo Alto Networks deleted the browser extensions and blocked the outbound traffic associated with the add-on extensions to prevent any further potential impact."
Investigating DataSpii over the last six months has crowded out Jadali's full-time job and much of his private life.
Jadali said the undertaking cost him almost $30,000 in personal expenses, since the research is not tied to his responsibilities at Host Duplex. Jadali estimates that about 60 percent of the cost went to charges from Nacho Analytics. The rest went to travel and various consultants.
"It became my number one priority," he said. "Almost as if it were beyond my control."
Reading the fine print
Principals at Nacho Analytics and the browser extensions say that all data collection is strictly "opt-in." They also insist that links are anonymized and scrubbed of sensitive data before publication. But Ars has seen numerous cases in which names, locations, and other sensitive information appear directly in URLs, in page titles, or on the pages the links lead to.
The Fairshare Unlock privacy policy, for instance, says the information collected includes "visited URLs, data from loaded URLs and pages viewed, typed search queries, social connections, profile properties, contact information, usage data and other behavioral, software and hardware information." At the same time, the policy promises that Fairshare will take steps to anonymize the data.
"In our primary research case, PII scrubbers attempt to remove all personally identifiable information before analysis and archival," the Fairshare Unlock policy states. "Individual users are routinely assigned randomly-generated identifiers that combine with PII cleanup to ensure anonymity."
The policies for SpeakIt!, PanelMeasurement, Hover Zoom, Panel Community Surveys, and Branded Surveys contain language largely identical to that cited above. The SaveFrom.net policy also makes clear that the URL of the website you are visiting is tracked. (The Super Zoom policy is no longer available.) Below are images of the notices the extensions display during installation:
Nacho Analytics says as much in a YouTube promotional video that asks, "Is this legal?"
"We collect data from millions of opt-in users, individuals from around the world who agreed to share their browsing data anonymously, and Nacho Analytics cleans up this information so that all personal information is erased and is therefore GDPR compliant." (This refers to the European Union's stringent data protection regulation, which came into force 26 months ago.)
Jadali's research found that Fairshare Unlock, PanelMeasurement, SpeakIt!, Hover Zoom, Branded Surveys, and Panel Community Surveys did redact some information on end users' computers before sending it to the developer-designated servers. But an examination of the packets sent to those servers, and of the links published on Nacho Analytics, showed that not all types of confidential information were removed. The redaction appears to have been keyed on specific query-string parameter names in the URLs.
As the image above shows, query strings that used "lastname=x" did get the surname replaced by asterisks. Strings that used "passengerLastName=y," however, were not redacted. None of Jadali's research shows Super Zoom or SaveFrom.net Helper doing any redaction at all.
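The failure mode in the two paragraphs above (a scrubber that matches exact parameter names and therefore misses passengerLastName) and the point made earlier that a published link can itself be the secret are both easy to show in code. What follows is an added example, not code from any of the extensions or from Nacho Analytics: scrub_exact() reproduces the reported behaviour, scrub_hardened() normalises the parameter name, matches it by fragment and also masks values that look like PII regardless of key, and looks_like_capability_url() flags URLs that no scrubber can make safe to publish. The key lists, regular expressions, the 20-character token threshold and the sample URLs are the example's own assumptions.

```python
"""Added example, not code from any of the extensions or from Nacho Analytics:
a URL scrubber written two ways, plus a check for capability URLs. The key
lists, regexes, the token-length threshold and the sample URLs are assumed."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Naive scrubber: only these exact (case-folded) parameter names are masked.
KNOWN_PII_KEYS = {"firstname", "lastname", "email", "ssn", "phone"}

# Hardened scrubber: fragments searched for in a normalised key
# ("passengerLastName" / "passenger_last_name" both become "passengerlastname").
KEY_FRAGMENTS = ("firstname", "lastname", "surname", "email", "ssn", "phone", "passenger")

# Values masked whatever the key is called.
VALUE_PATTERNS = (
    re.compile(r"^\d{3}-\d{2}-\d{4}$"),          # US Social Security number
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),   # e-mail address
)

# A long run of URL-safe characters in a path segment or query value is
# treated as an unguessable capability token (assumed threshold: 20 chars).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")


def _mask(value):
    return "*" * len(value)


def _rebuild(parts, pairs):
    # safe="*" keeps the asterisks literal instead of %2A-encoding them.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="*")))


def scrub_exact(url):
    """Naive: masks a value only when its key is exactly one of KNOWN_PII_KEYS."""
    parts = urlsplit(url)
    pairs = [(k, _mask(v) if k.lower() in KNOWN_PII_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return _rebuild(parts, pairs)


def _normalise(key):
    return re.sub(r"[^a-z]", "", key.lower())


def scrub_hardened(url):
    """Masks by key fragment after normalisation and by value shape."""
    parts = urlsplit(url)
    pairs = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        key_hit = any(frag in _normalise(k) for frag in KEY_FRAGMENTS)
        value_hit = any(p.match(v) for p in VALUE_PATTERNS)
        pairs.append((k, _mask(v) if key_hit or value_hit else v))
    return _rebuild(parts, pairs)


def looks_like_capability_url(url):
    """True when a path segment or query value is a long unguessable token.
    Such a URL grants access by itself, so masking names does not make it
    safe to publish; it should be dropped from the feed instead."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(TOKEN_RE.match(s) for s in segments + values)


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("https://example.com/checkin?lastname=Smith&conf=ABC123",
              "https://example.com/checkin?passengerLastName=Smith&conf=ABC123",
              "https://example.com/reset?token=abc&user=alice@example.com",
              "https://example.com/share/dk3Jf9sL2mQp8xVb7Tz4Rw"):
        print(scrub_exact(u), "|", scrub_hardened(u), "|", looks_like_capability_url(u))
```

The second sample URL is the article's case: scrub_exact() returns it unchanged, while scrub_hardened() masks the surname. The last sample shows why scrubbing is the wrong tool for token-protected pages: both scrubbers leave the URL intact, and only the capability check says it must not be published.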
In addition, some links published by Nacho Analytics appeared to contain the personal information of real people. Examples include passenger names in links from Southwest.com, pickup and drop-off locations for people using the Uber.com website (but not the phone app), and email addresses from Apple's password-reset process. While Jadali redacted sensitive information in the following screenshots, none of it had been removed from the links published by Nacho Analytics.
And even when the URLs published by Nacho Analytics did have names, Social Security numbers, or other sensitive information removed, clicking on the links frequently led to pages that displayed the very information that had been redacted.
Meet the DataSpii Players
Another link to DDMR: the domains that received browser data from all eight extensions resolved to the same two IP addresses, 184.108.40.206 and 220.127.116.11. This page from SSL Labs, a research project of the security firm Qualys, shows that 18.104.22.168 is bound to a security certificate for the DDMR domain ddmr.com (viewers must first click the "Click to expand" button to see Certificate 2).
Christian Rodriguez is listed as the founder and CEO of DDMR on this LinkedIn profile. In a 2015 article reporting on an earlier round of data collection by Chrome extensions, Rodriguez is identified as a business development employee at Fairshare Labs. The Fairshare Labs contact page lists the same mailing address in Walnut, California.
Rodriguez told me that Fairshare Labs is a discontinued project and that Fairshare Unlock is no longer actively developed (though he said it will continue to receive security and GDPR compliance updates). He pointed to the end of this page, which he said offers "very clear disclosure before installation to users."
Rodriguez described DDMR as a "passive measurement technology company" that provides market research companies with "passive measurement browser extensions" that they distribute to their research participants. He subsequently wrote in an email:
Our customers are responsible for attracting end users to their panels and forwarding them to our landing pages.
It is our responsibility to (1) ensure that we provide end users with clear disclosure of what data is collected and how it is used, and (2) once consent has been obtained, collect the behavioral data, scrub it of sensitive information such as telephone numbers, social security numbers, credit card numbers, and e-mail addresses, and provide it to market researchers for their research.
If we become aware that confidential information is slipping through, action is immediately taken to improve our filters and remove that data from our dataset.
Responsible handling of behavioral data enables market researchers and the companies they serve to build better products and experiences, but consumers need to recognize the value of this data in the context of its potentially sensitive nature.
He declined to say whether Nacho Analytics was a customer, a business partner, or had any other relationship with DDMR.
Nacho Analytics
Meanwhile, Nacho Analytics promises users the ability to "view anyone else's Analytics account" and to provide "real-time web analytics for any website." The company charges $49 per domain per month to monitor one of the 5,000 most-visited websites. Certain domains, including those of Google, YouTube, Facebook, and others, are not available for monitoring. For sites below this premium threshold, monitoring costs $49 per month for one domain, $99 per month for up to five domains, and $149 per month for up to 10 domains.
Nacho Analytics uses a Google account for login and provides a programming interface that delivers data into a Google Analytics account of the user's choosing. Ars installed several of the extensions Jadali identified, visited sites using long pseudorandom strings in the URLs, and then watched Nacho Analytics populate the designated Google Analytics page with those unique URLs.
The YouTube video mentioned earlier, which advertises Nacho Analytics, states that the service is "100 percent legal and fully complies with Google's terms of service." The video also claims that the Nacho Analytics service is "GDPR compliant."
Nacho Analytics founder and CEO Mike Roberts repeated in an interview that the service is fully GDPR compliant and that the millions of people whose data is collected have expressly agreed to it.
They clicked the "Agree" button, Roberts said of all the users whose data is being published. In addition, "we spend a lot of time redacting every URL we see to remove all personally identifiable information." Ars has confirmed that, in many cases, the URLs published by Nacho Analytics have had names, Social Security numbers, and other personal information removed. But Ars was also able to find numerous instances of names and other personal information in published URLs.
Roberts said he was unaware that Nacho Analytics had published links to websites hosting tax returns, Nest videos, car-buyer information, and a host of other personal information. Nacho Analytics excludes domains for Google, Facebook, YouTube, and many other services for privacy reasons and may exclude others.
"Your report bothers me personally, and [publishing sensitive data] is definitely not the purpose of Nacho Analytics," he said. "We work hard to remove personally identifiable information from URLs and page titles, and to exclude sites with serious security issues, so if we find out about a new issue, we have a system to remove it immediately. We've discontinued all new signups to Nacho until we get more information about this problem. If you give me a list of sites with these issues, we'll disable those sites immediately and work on a permanent solution."
He also disputed the idea that Nacho Analytics was ever used by customers to gather confidential information, claiming that Jadali was the only one to do so (he also claimed that Jadali violated Nacho Analytics' terms of service when he conducted the investigation).
"Jadali has viewed hundreds of sites, of which only a tiny fraction has ever been viewed by a legitimate Nacho Analytics customer," he said. "In fact, none of the sites…" Roberts nonetheless defended the basic practice of publishing links that lead to private data when clicked, as long as that data is not visible in the URLs Nacho Analytics itself publishes.
He put it this way:
These pages are available; it's just that you didn't know how to discover them. This is just something you can see now that you couldn't see before. But we're not creating a gap. There's no back door or anything like that. It only shows links that you didn't know about before and that might not have been indexed, but they do exist…
I don't like this thing with links through obscurity. I wish it didn't exist, because I definitely don't want to empower anyone to do something bad, only good. I try to do good things in the world. And there's a possibility that some people do damage.
Roberts also said he was unaware that Nacho Analytics publishes links and page titles from companies' non-public internal networks. While he questioned the analytical value of such data, he did not necessarily consider its publication a bad thing.
"I do not think I personally see much value in it," he said. "But just because a company may want to keep it private, I'm not sure that's the best value."
He said he had not heard of any of the extensions Jadali identified as collecting data until later. Nacho Analytics, however, has declined to identify the software that collects end users' browsing data and has not named any companies it works with to obtain that data. (In a later email, he clarified that the data "came from third-party data brokers; we certainly did not invent the method of data collection.")
"Honestly, I think you have the wrong villain here"
On July 8, five days after Google remotely disabled the extensions Jadali reported, Roberts said on Twitter that Nacho Analytics "had a data outage upstream." A day later, Roberts said Nacho Analytics' "data partner has ceased operations." Shortly afterward, the Nacho Analytics homepage stopped offering access to potentially sensitive data.