I’ve watched you check in for a flight and seen your doctor refilling a prescription.
I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant.
I found your data because it’s for sale online. Even more terrifying: It’s happening because of software you probably installed yourself.
My latest investigation into the secret life of our data is not a fire drill. Working with an independent security researcher, I found as many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox. Even a colleague in The Washington Post’s newsroom got caught up. When we told browser makers Google and Mozilla, they shut these leaks immediately – but we probably identified only a fraction of the problem.
The root of this privacy train wreck is browser extensions. Also known as add-ons and plug-ins, they’re little programs used by nearly half of all desktop Web surfers to make browsing better, such as finding coupons or remembering passwords. People install them assuming that any software offered in a store run by Chrome or Firefox has got to be legit.
Not. At. All. Some extensions have a side hustle in spying. From a privileged perch in your browser, they pass information about where you surf and what you view into a murky data economy. Think about everything you do in your browser at work and home – it’s a digital proxy for your brain. Now imagine those clicks beaming out of your computer to be harvested for marketers, data brokers or hackers.
Some extensions make surveillance sound like a sweet deal: This week, Amazon was offering people $10 to install its Assistant extension. In the fine print, Amazon said the extension collects your browsing history and what’s on the pages you view, though all that data stays inside the giant company. (Amazon CEO Jeff Bezos owns The Washington Post.) Academic researchers say there are thousands of extensions that gather browsing data – many with loose or downright deceptive data practices – lurking in the online stores of Google and even the more privacy-friendly Mozilla.
The extensions we found selling your data show just how dangerous browser surveillance can be. What’s unusual about this leak is that we got to watch it taking place. This isn’t a theoretical privacy problem: Here’s exactly how millions of people’s data got grabbed and sold – and the failed safeguards from browser makers that let it happen.
I didn’t realise the scale of the extension problem until I heard from Sam Jadali. He runs a website hosting business, and earlier this year found some of his clients’ data for sale online. Figuring out how that happened became a six-month obsession.
Jadali found the data on a website called Nacho Analytics. Just one small player in the data economy, Nacho bills itself on its website as a marketing intelligence service. It offers data about what’s being clicked on at almost any website – including actual Web addresses – for as little as $49 per month.
That data, Nacho claims, comes from people who opt in to being tracked, and it redacts personally identifiable information.
The deeper Jadali looked on Nacho, the more he found that went way beyond marketing data. Web addresses – everything you see after the letters “http” – page titles and other browsing records might not seem like they’d expose much. But sometimes they contain secrets sites forget to hide away.
Jadali found usernames, passwords and GPS coordinates, even though Nacho said it scrubs personal information from its data. “I started realizing this was a leak on a catastrophic scale,” Jadali told me.
What he showed me made my jaw drop. Three examples:
– From DrChrono, a medical records service, we saw the names of patients, doctors, and even medications. From another service, called Kareo, we saw patient names.
– From Southwest, we saw the first and last names, as well as confirmation numbers, of people checking into flights. From United, we saw last names and passenger record numbers.
– From OneDrive, Microsoft’s cloud storage service, we saw a hundred documents named “tax.” We didn’t click on any of these links to avoid further exposing sensitive data.
It wasn’t just personal secrets. Employees from more than 50 major corporations were exposing what they were working on (including top-secret stuff) in the titles of memos and project reports. There was even information about internal corporate networks and firewall codes. This should make IT security departments very nervous.
Jadali documented his findings in a report titled “DataSpii,” and has spent the last two weeks disclosing the leaks to the companies he identified – many of which he thinks could do a better job keeping secrets out of at-risk browser data. I also contacted all the companies I name in this column. Kareo and Southwest told me they’re removing names from page data.
I wondered if Jadali could find any data from inside The Washington Post. Shortly after I asked, Jadali asked me if I had a colleague named Nick Mourtoupalas. On Nacho, Jadali could see him clicking on our internal websites. Mourtoupalas had just viewed a page about the summer interns. Over months, he’d probably leaked much, much more.
I called up Mourtoupalas, a newsroom copy aide. Pardon the interruption, I said, but your browser is leaking.
“Oh, wow, oh, wow,” Mourtoupalas said. He hadn’t ever “opted in” to having his Web browsing tracked. “What have I done wrong?”
I asked Mourtoupalas if he’d ever added anything to Chrome. He pulled up his extensions dashboard and found he’d installed 17 of them. “I didn’t download anything crazy or shady looking,” he said.
One of them was called Hover Zoom. It markets itself in the Chrome Web Store and its website as a way to enlarge photos when you put your mouse over them. Mourtoupalas remembered learning about it on Reddit. Earlier this year, it had 800,000 users.
When you install Hover Zoom, a message pops up saying it can “read and change your browsing history.” There’s little indication Hover Zoom is in the business of selling that data.
I tried to reach all the contacts I could find for Hover Zoom’s makers. One person, Romain Vallet, told me he hadn’t been its owner for several years, but declined to say who was now. No one else replied……Read more>>