{"id":138282,"date":"2019-07-22T12:00:36","date_gmt":"2019-07-22T11:00:36","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=138282"},"modified":"2019-07-29T12:06:23","modified_gmt":"2019-07-29T11:06:23","slug":"my-browser-the-spy-how-extensions-slurped-up-browsing-histories-from-4m-users","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2019\/07\/my-browser-the-spy-how-extensions-slurped-up-browsing-histories-from-4m-users\/","title":{"rendered":"My Browser, the Spy: How Extensions Slurped Up Browsing Histories from 4M Users"},"content":{"rendered":"

Have your tax returns, Nest videos, and medical info been made public? Don’t trust extensions.<\/em><\/p><\/blockquote>\n

\"\"<\/a>

Aurich Lawson \/ Getty<\/p><\/div>\n

18 Jul 2019 – <\/em>When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people\u2019s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.<\/p>\n

DataSpii begins with browser extensions\u2014available mostly for Chrome but in more limited cases for Firefox as well\u2014that, by Google’s account, had as many as 4.1 million users. These extensions collected the URLs<\/a>, webpage titles<\/a>, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics<\/a>, which markets itself as \u201cGod mode for the Internet\u201d and uses the tag line \u201cSee Anyone\u2019s Analytics Account.\u201d<\/p>\n

Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords\u2014but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren’t password protected, but the practice remains widespread.)<\/p>\n

According to the researcher who discovered and extensively documented the problem<\/a>, this non-stop flow of sensitive data over the past seven months has resulted in the publication of links to:<\/p>\n