Chrome Extensions - AKA Total Absence of Privacy


TL;DR: popular Google Chrome extensions track you by default, and make it very difficult or impossible to opt out. These extensions receive your complete browsing history, all your cookies, the secret access tokens used for authentication (e.g., Facebook Connect) and shared links from sites such as Dropbox and Google Drive. The third-party services in use hide their tracking by every means available, combined with terrible privacy policies buried inside the Chrome Web Store. The Detectify team has identified how they are doing it and what options you have to avoid being affected.

The problem

Google, which claims that Chrome is the safest web browser out there, actually makes it very simple for extensions to hide how aggressively they track their users. We have also discovered exactly how intrusive this sort of tracking is, and how far these tracking companies go to hide it. Because the data gathering happens inside an extension, all other extensions built to prevent tracking (such as Ghostery) are completely bypassed.

About a month ago, SourceDNA posted an advisory around private data shared by an advertising SDK used in the iOS App Store. Similar companies are doing the same thing in Google Chrome Web Store using Chrome extensions – and they are getting away with it.

Chrome extensions work like this:

  1. You install an extension from the Google Chrome Web Store.
  2. The extension asks for permissions to access the web pages you visit, sometimes restricted to certain sites. More often than not, these permissions are set to <all_urls>, which means the extension works on every web page.
  3. The installed extension now runs every time you visit a page it is permitted on. Some of these permissions are legitimate and needed for the extension to work, but more often than not the extensions also embed third-party scripts which gather all your browser traffic.

What happens to the browsing history they are tracking?

The tracked browsing history is made available through analytics services, where anyone can sign up for a monthly subscription to analyze and dig through this traffic. It is still unknown what happens with some of the data, such as your personal cookies, but it may well be used to enrich the user's profile so that the analytics become more accurate in terms of location, gender, age and interests.

Through these services, we've been able to confirm that even browsing patterns from a single user ended up in the search results, making it possible to fingerprint a specific user's browsing history.

For people using shared links on Dropbox or Google Drive, these tracking services are able to get access to all information shared. Many times you are sharing material that might be confidential, like a financial report or an internal contract or document. Through these analytics services, people can find these links to the documents and gain access to them without your knowledge or consent.

Watching data from the other side – How we found out

We signed up for one of the services which provides this information gathered by the Chrome extensions. We were able to see the following:

  • Common URLs used by employees on targeted companies.
  • Internal network URLs, exposing internal network structure as well as completely separated websites for internal use only.
  • Internal PDFs being placed on AWS S3 referencing competitors.
  • Pages which only one person had visited. We tested this out. One of the guys in the office, using one of the plugins, created a local website, page X, which didn't link anywhere; while on that site he changed the address bar to page Y. He was the only visitor of page X. Two weeks later page X showed up in the “Similar sites” of page Y with “Affinity: 0.01%”.

Technical Details – how they are doing it

We’ve been able to confirm that they are doing the following:

  • They run the tracking scripts in a separate background instance of the extension, which still has access to all information about your tabs. Because of this, the network traffic of a web page itself never shows that requests are being made to a third party. This bypasses all Content Security Policy rules and all tracking-prevention extensions such as Ghostery, since the requests are made from inside the extension itself.
  • They are packing the data using different methods to make it obfuscated and hard to identify. We’ve seen examples using:
    base64(base64(payload))

    and:

    btoa(pako.deflate(root.dca_compressor.utf16to8(JSON.stringify(requests)), {to: "string"}));

    Some third-party scripts post a request for each page view; others collect multiple page views and send the data in chunks every now and then.

  • Some tracking scripts use a different subdomain for each extension, making it harder to see that they are using the same tracking solution and harder to block them.
  • The extensions always enable this tracking by default. Some of them do give you an option to disable it, but it is always activated from the start. Some extensions added these scripts in an incremental update, automatically enabling the tracking for all users who installed before the update.
  • This is an ugly one. Some third-party tracking services ship a tracking SDK inside the extension. But the first time it runs, it replaces its own code: it makes a few requests to fetch new JavaScript, stores that in the extension's file storage and saves references to the files in the extension's local storage. This makes it possible for the extension to constantly run and update arbitrary code controlled by the third party that was never included in the extension to begin with. Note that this file storage and local storage functionality exists only because of the tracking scripts, not because the extension itself needs it.
  • Let’s repeat that. This technique is only because of the tracking scripts. Here’s an example of a ping that is made from the extension to the third-party service to see if there are any new scripts to download for the tracking service:

Here's the manifest showing what to update

The extension then downloads the new scripts and saves them locally. Here's the script that is being downloaded:

  • Our guess is that this is a way to bypass any filters used by Chrome Web Store to identify malicious extensions and abuse of privacy. It’s also a great way for the tracking scripts to be auto updated, without forcing the user or the owner of the extension to update the extension.
  • They are sending over everything about you. Every. Thing. Even relations between websites that are known only to the current user, since the pages themselves are not linked in any way. They also steal all your cookies and OAuth access tokens (passed between web pages using URL fragments, aka location.hash). Here are some examples of the kind of data being shared by some of the third-party scripts; we have de-obfuscated the data in these examples so you can see exactly what is being transferred.
  • User opens new tab. Enters nytimes.com
    send tracking -> "user opened new tab with nytimes.com"
  • User changes the address, not by clicking anything on nytimes.com, but writing a completely new address in the address bar: huffpost.com
    send tracking -> "user changed from nytimes.com to huffpost.com"
  • User visits a shared link with family photos, only people with the link can access the photos.
    send tracking -> "user opened a new tab and here is the complete Dropbox-URL for your personal data being shared"
    Here is your Dropbox Shared Link
  • User signs in with Facebook Connect on a website.
    send tracking -> "user signed in on webpage X and here is the private access_token to access this Facebook account"
    Your Facebook access-token sent to the third-party.
  • User visits google.se being signed in on Google.
    send tracking -> "here is all request headers, including the cookies for the currently signed in user on Google"
    Your Google cookies right here.
  • The extensions are in fact exposing that they do have these tracking scripts embedded. The GUI of the Chrome Web Store is actually helping these companies to hide this information perfectly. See here:
    The Chrome Web Store small description box

Do you see the scrollbar on the right side of the description? If you scroll that one down to the bottom, you’ll see the text where it says that you’re being tracked.
Awesome UX in the works.

  • Both the description of why they are including the tracking script and the privacy policies for these scripts are a complete joke.

Here are some examples:

“Usage of this browser extension requires granting it permission to capture anonymized click stream data.”

“In order to continuously support and improve this software, users who install it permit … to collect and share information about them and their web usage activity with third parties for business and research purposes. To learn more or opt-out please refer to …’s terms and privacy policy.”

“This extension requires that extension users grant … permission to collect browsing activity to be used internally and shared with third parties all for use on an anonymous and aggregated basis for research purposes. No personally identifying information will be used in connection with this research. Please review our specific privacy policy … for more details.”

  • And if you read the policies attached, you’ll see this:

“When users access or use the Services, certain non-personally and personally identifiable information (the “User Information”) is collected, stored and used for business and marketing purposes such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software, and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.“

and:

“We never collect Personal Information unless such information is actively provided to us by you.

We may share some or all of your Personal Information with our subsidiaries, joint ventures or other companies under a common control that we have or may have in the future, providing such party undertakes to protect your privacy in accordance with these terms.”

But why are the extensions agreeing to use this tracking code?

Many of these extensions are paid per user by the third party to include the tracking code. We've seen indications on Chrome extension forums that the rate is around $0.04 per user per month. For extensions with tens or hundreds of thousands of users, that adds up to a substantial monthly income.

These popular apps are doing it

These are some of the popular apps that are currently using different solutions to earn money on your data and browsing behaviour:

HoverZoom (>1 100 000 users)
Interestingly, HoverZoom was discussed more than a year ago on Reddit regarding its gathering of user data. They even put out an official statement on their website denying that the third-party scripts they used at the time collected any personal data, a statement that is 100% false given the current state of their extension. It may even be that HoverZoom's developers have not realized what the tracking script they use actually does, given the auto-update mechanism it utilizes.

SpeakIt (>1 000 000 users)
Free Smileys & Emoticons (>784 000 users)
EagleGet Free Downloader (>630 000 users)
ProxFlow (>430 000 users)
Emoji Input (>350 000 users)
Instant Translate (>330 000 users)
FB Color Changer (>230 000 users)
Flash Player+ (>150 000 users)
SuperBlock Adblocker (>110 000 users)
SafeBrowse (>100 000 users)
JavaScript Errors Notifier (>70 000 users)

Try it yourself by googling: site:chrome.google.com “In order to continuously improve and maintain this software we work with”; this will show some of the extensions using one of the tracking providers out there.

Also, try installing one of these extensions; on the chrome://extensions page in Chrome, press the “Inspect views: background.html” link:
background.html-link to inspect the network traffic

Then watch the “Network” tab while browsing in another tab to see the communication this extension makes on each page view. Most likely, this data will be obfuscated in one of the ways explained above:
Some of the calls from the extension
Some calls from another extension

Mitigation – how to opt-out and protect yourself

So, what to do here.

First, uninstall every extension you don't trust or whose behaviour you don't know exactly. Go to chrome://extensions and press the Details link of each extension you want to keep to see whether it mentions anything about this sort of behaviour. Note that the wording used to describe this sort of tracking is de-emphasized, to say the least.


The Chrome Web Store will need to act on extensions using these methods or at least disallow extensions to steal your cookies. The UX of the Chrome Web Store is terrible due to the tiny description box of the extension, and these third-parties take advantage of that.

Dropbox should add a way for users to see if the link was accessed by anyone and from where. However, Dropbox Pro users do have the ability to set an expiration and to set a password for any shared link. In addition to these controls, Dropbox Business admins have the option to limit access to a shared link only to members of their team. Within the admin console, admins can also view access logs for shared links and have the ability to disable links when suspicious activity is detected.

Google Drive's option to allow only users in the same company, or only signed-in users, to access a link is a good step in the right direction. However, you cannot see whether a publicly accessible link has been used, or by whom (except if they are accessing it at the same time as you).

If you need your extensions, use Incognito mode for your regular browsing, and make sure no extension is enabled in Incognito mode. Google Chrome actually makes it hard to enable them for Incognito without noticing:
Incognito mode in Chrome

But just opting-out yourself is unfortunately not enough since people you are communicating with online may also be tracked. If you send across a shared link to a colleague using a service like Dropbox or Google Docs, and they open it in Google Chrome, the colleague’s Chrome extensions might also expose this link to tracking services.

So be smart when sending across a business document, and do it as an attachment in an email as opposed to through a shared link on a file sharing service.

Are Firefox extensions any better?

To be honest, no. We’ve seen examples of extensions, like:
Ant Video Downloader (>409 000 users)
That add-on sends every page you visit over to them, including the location.hash values. The Mozilla Add-ons Marketplace has a bigger description box for the privacy policies, though, even if the policies constantly try to convince you that the URLs you visit – which they are gathering – are not private information. Well, access tokens giving access to your Facebook data are by definition private. This is an example of what is sent on every page view with Ant Video Downloader enabled:
Facebook access-token

On a final note

Ironically, one of these extensions also had this as its slogan:
More privacy for you?

Well, we beg to differ.

Update: Changed the suggestion for Dropbox, since they do have options to lock links internally for Dropbox Pro and Business.

Update 2: 7 of the 12 listed Chrome extensions have been disabled from the Chrome Web Store, plus a bunch more. No statement or announcement by Google, though.

Update 3: The Mozilla Add-ons team replied that the Firefox add-on mentioned has been disabled, and a new version without the tracking feature enabled by default has been deployed by the maintainer. Ref: @wagnerand

Update 4: The Google Web Store has also removed HoverZoom for breaking the policy. 8 of the 12 listed Chrome extensions are now disabled. We’ve also verified that a few of the remaining extensions have removed the tracking scripts.

Authors:

Frans Rosén
Knowledge Advisor
@fransrosen

Linus Särud
Student & Bug bounty hunter
@_zulln