Hidden analytics code tracks everything users do, EVERYTHING
Analytics code deeply hidden in popular Google Chrome extensions is being used to track users across the Web, in different browser tabs, and without user consent.
According to Detectify researchers, the extensions that engage in such practices are doing it without obtaining user consent, have the tracking feature enabled by default, and also have dodgy user privacy policies to begin with.
Analytics providers are tracking much more than the user’s browsing history
Detectify’s team has observed Chrome extensions track not only the user’s browser history but also data from cookies, secret access tokens from Facebook Connect and links to private Dropbox or Google Drive files.
While it is understandable for analytics providers to be interested in getting their grubby little hands on user details through any means they can, the methods employed via Chrome extensions are bordering on criminal activity.
The analytics providers where all this information ends up are providing anyone with an open wallet access to the sensitive data. The researchers even signed up for one such service and after sifting through the warehoused data, they were able to find internal PDFs uploaded to AWS servers, intranet URLs that could compromise a company’s internal network structure, and common URLs used by employees on targeted competitors.
An extension’s tracking code could update itself, even if the extension was abandoned
Researchers even observed one sneaky analytics SDK that included self-updating functionality that would work even if the extension was never updated. This allowed the analytics company to update the tracking code and add new functionality, even if the extension’s author abandoned his project.
Detecting such extensions is also tricky since most of them use a separate extension process in the browser’s background to carry out their snooping activities.
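The traits described above (access to every tab, a background process, tracking code that can change without an extension update) can be triaged from an extension's manifest.json before anyone reads its scripts. The following is an added example, not code from Detectify or from this article: it assumes the standard Chrome manifest keys `permissions`, `host_permissions`, `background` and `content_security_policy`, and assumes self-updating code arrives through remote script sources or `eval`, which the article does not confirm. The sample manifests and the finding names are constructed.

```javascript
// Added example: static triage of a parsed Chrome extension manifest.json.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "webRequest", "webNavigation"]);

function auditManifest(m) {
  const findings = [];
  const perms = [...(m.permissions || []), ...(m.host_permissions || [])];
  const matches = (m.content_scripts || []).flatMap((cs) => cs.matches || []);

  const broad = [...new Set([...perms, ...matches].filter((p) => BROAD_HOSTS.has(p)))];
  if (broad.length) findings.push({ id: "broad-host-access", detail: broad });
  const apis = perms.filter((p) => SENSITIVE_APIS.has(p));
  if (apis.length) findings.push({ id: "sensitive-apis", detail: apis });

  // A background page or service worker runs out of the user's sight.
  const bg = m.background || {};
  if (bg.scripts || bg.page || bg.service_worker) {
    findings.push({ id: "background-context", detail: bg.scripts || [bg.page || bg.service_worker] });
  }

  // MV2 stores the CSP as a string, MV3 as { extension_pages: "..." }.
  // Assumption: code that changes without an update needs eval or a remote script source.
  const csp = typeof m.content_security_policy === "string"
    ? m.content_security_policy
    : (m.content_security_policy || {}).extension_pages || "";
  const scriptSrc = csp.split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === "script-src") || [];
  const remote = scriptSrc.slice(1).filter((s) => s === "'unsafe-eval'" || /^(https?:|\*)/.test(s));
  if (remote.length) findings.push({ id: "code-can-change-without-update", detail: remote });

  // Review first: sees every page, runs in the background, and can swap its code.
  const ids = findings.map((f) => f.id);
  const reviewFirst = ["broad-host-access", "background-context", "code-can-change-without-update"]
    .every((id) => ids.includes(id));
  return { name: m.name, findings, reviewFirst };
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLES = [
  { name: "Sample Screenshot Tool", manifest_version: 2,
    permissions: ["tabs", "cookies", "<all_urls>"],
    background: { scripts: ["bg.js", "sdk.js"], persistent: true },
    content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.analytics.example; object-src 'self'" },
  { name: "Sample Dark Theme", manifest_version: 2,
    permissions: ["storage"],
    content_scripts: [{ matches: ["https://news.example/*"], js: ["theme.js"] }] },
];

console.log(JSON.stringify(SAMPLES.map(auditManifest), null, 2));
```

A flagged manifest is a reason to read the extension's background scripts and privacy policy, not proof of tracking; many legitimate extensions request the same permissions.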
Above all, researchers blame the extensions’ authors who in their quest to monetize their code, allow such snakes to nestle in their add-ons.
“We’ve seen some indications on Chrome Extension-forums that it’s around $0.04 per user/month,” say Linus Särud and Frans Rosén of Detectify Labs. “For plugins with over tens and hundreds of thousands of users that equals [to] a substantial amount of monthly income.”
As for Firefox add-ons, the researchers analyzed only one extension, and found it to have similar functionality.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.