TL;DR version:
- Browser add-ons for Chrome, Firefox, and probably other browsers are tracking every single page you visit and sending that data back to a third-party company that pays them for your information.
- Some of these add-ons are also injecting ads into the pages that you visit, and Google specifically allows this for some reason as long as it is “clearly disclosed”.
- Millions of people are being tracked this way and they don’t have a clue.
Are we officially calling it spyware? Well… it’s not quite that simple. Wikipedia defines spyware as ”software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent”. That doesn’t mean that all software that gathers data is necessarily spyware, and it doesn’t mean that all software that sends data back to their servers is necessarily spyware.
But when the developer of an extension goes out of their way to hide the fact that every single page you visit is being stored and sent to a corporation that pays them for that data while burying it in the settings as “anonymous usage statistics”, there is a problem, at least. Any reasonable user would assume that if a developer wants to track usage statistics, they are only going to be tracking the usage of the extension itself — but the opposite is true. Most of these extensions are tracking everything else you do except using the extension. They are just tracking you.
This becomes even more problematic because they call it “anonymous usage statistics”; the word “anonymous” implies that it would be impossible to figure out who that data belongs to, as if they are scrubbing the data clean of all your information. But they aren’t. Yeah, sure, they are using an anonymous token to represent you rather than your full name or email, but every single page you visit is tied to that token. For as long as you have that extension installed.
Track anybody’s browsing history long enough, and you can figure out exactly who they are.
How many times have you opened your own Facebook profile page, or your Pinterest, Google+, or other page? Have you ever noticed how the URL contains your name or something that identifies you? Even if you never visited any of those sites, figuring out who you are is possible.
I don’t know about you, but my browsing history is mine, and nobody should have access to that but me. There’s a reason why computers have passwords and everybody older than 5 knows about deleting their browser history. What you visit on the internet is very personal, and nobody should have the list of pages I visit but me, even if my name is not specifically associated with the list.
I’m not a lawyer, but the Google Developer Program Policies for Chrome extensions specifically say that an extension developer should not be allowed to publish any of my personal information:
We don’t allow unauthorized publishing of people’s private and confidential information, such as credit card numbers, government identification numbers, driver’s and other license numbers, or any other information that is not publicly accessible.
Exactly how is my browsing history not personal information? It’s definitely not publicly accessible!
Yep, Many of These Extensions Insert Ads Too
The problem is compounded by a large number of extensions that are injecting ads into many of the pages you visit. These extensions are just putting their ads wherever they randomly choose to put them into the page, and they are only required to include a tiny piece of text identifying where the ad came from, which most people will ignore, because most people don’t even look at ads.
Whenever you are dealing with ads, there are also going to be cookies involved. (It’s worth noting that this site is ad-supported, and the advertisers put cookies on your hard drive, just like every site on the internet.) We don’t think cookies are a huge deal, but if you do, they are pretty easy to deal with.
The adware extensions are actually less of a problem, if you can believe it, because what they are doing is very obvious to the users of the extension, who can then start an uproar about it and try and get the developer to stop. We definitely wish that Google and Mozilla would change their ridiculous policies to forbid that behavior, but we can’t help them get common sense.
Tracking, on the other hand, is done in secret, or is essentially secret because they try to hide what they are doing in legalese in the description of the extensions, and nobody scrolls to the bottom of the readme to figure out if that extension is going to track people.
This Spying is Hidden Behind EULAs and Privacy Policies
These extensions are “allowed” to engage in this tracking behavior because they “disclose” it on their description page, or at some point in their options panel. For instance, the Hover Zoom extension, which has a million users, says the following on its description page, at the very bottom:
Hover Zoom uses anonymous usage statistics. This can be disabled in the options page without losing any features as well. By leaving this feature enabled, the user authorizes the collection, transfer and use of anonymous usage data, including but not limited to transferring to third parties.
Where exactly in this description does it explain that they are going to track every single page you visit and send the URL back to a third party, which pays them for your data? In fact, they claim everywhere that they are sponsored through affiliate links, completely ignoring the fact that they are spying on you. Yeah, that’s right, they are also injecting ads all over the place. But which do you care more about, an ad showing up on a page, or them taking your entire browsing history and sending it back to somebody else?
Hover Zoom’s Excuse Panel
They are able to get away with this because they have a tiny little checkbox buried in their options panel that says “Enable anonymous usage statistics”, and you can disable that “feature” — though it’s worth noting that it is defaulted to be checked.
This particular extension has had a long history of bad behavior, going back quite some time. The developer has recently been caught collecting browsing data including form data… but he was also caught last year selling data on what you typed to another company. They’ve added a privacy policy now that explains in further depth what is going on, but if you have to read a privacy policy to figure out that you are being spied on, you’ve got another problem.
To sum up, a million people are being spied on by this one extension alone. And that’s just one of these extensions — there are a lot more doing the same thing.
Extensions Can Change Hands or Update Without Your Knowledge
This extension is asking for way too many permissions. Deny!
There is absolutely no way to know when an extension has been updated to include spyware. Many types of extensions already need a ton of permissions just to operate properly, long before they turn into ad-injecting pieces of spycraft, so you won’t be prompted for any new permissions when the new version comes out.
To make matters worse, many of these extensions have changed hands over the last year — and anybody who has ever written an extension is being flooded with requests to sell their extension to shady individuals, who will then infect you with ads or spy on you. Since the extensions don’t require any new permissions, you’ll never have the opportunity to go figure out which ones added secret tracking without your knowledge.
In the future, of course, you should either avoid installing extensions or addons entirely, or be very careful about which ones you do install. If they ask for permissions to everything on your computer, you should click that Cancel button and run.
Hidden Tracking Code with a Remote Enable Switch
There are other extensions, in fact, a ton of them, that have complete tracking code built right in — but that code is currently disabled. Those extensions ping back to the server every 7 days to update their configuration. These ones are configured to send even more data back — they calculate exactly how long you have each tab open, and how long you spend on each site.
We tested one of these extensions, called Autocopy Original, by tricking it into thinking that the tracking behavior was supposed to be enabled, and we were able to immediately see a ton of data sent back to their servers. There were 73 of these extensions in the Chrome Store, and some in the Firefox add-ons store. They are easily identifiable because they are all from “wips.com” or “wips.com partners”.
Wondering why we are worried about tracking code that isn’t even enabled yet? Because their description page doesn’t say a word about the tracking code — it’s buried as a checkbox on each of their extensions. So people are installing the extensions assuming they are from a quality company.
And it’s only a matter of time before that tracking code is enabled.
Investigating this Spying Extension Awfulness
The average person isn’t going to ever even know that this spying is going on — they won’t see a request to a server, they won’t even have a way to tell that it is happening. The vast majority of those million users won’t be affected in any way… except that their personal data was stolen out from under them. So how do you figure this out for yourself? It’s called Fiddler.
Fiddler is a web debugging tool that acts as a proxy and records every request so you can see what is going on. This is the tool that we used — if you want to duplicate this at home, just install one of these spying extensions like Hover Zoom, and you’ll start seeing two requests to sites similar to t.searchelper.com and api28.webovernet.com for every single page that you view. If you check the Inspectors tab you’ll see a bunch of base64-encoded text… in fact, it’s been base64-encoded twice for some reason. (If you want the full example text before decoding, we stashed it in a text file here).
They’ll track any site you visit, even the HTTPS ones
Once you’ve successfully decoded that text, you’ll see exactly what is going on. They are sending back the current page that you are visiting, along with the previous page, and a unique ID to identify you, and some other information. The very scary thing about this example is that I was on my banking site at the time, which is SSL encrypted using HTTPS. That’s right, these extensions are still tracking you on sites that should be encrypted.
s=1809&md=21&pid=mi8PjvHcZYtjxAJ&sess=23112540366128090&sub=chrome
&q=https%3A//secure.bankofamerica.com/login/sign-in/signOnScreen.go%3Fmsg%3DInvalidOnlineIdException%26request_locale%3Den-us%26lpOlbResetErrorCounter%3D0&hreferer=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&prev=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&tmv=4001.1&tmf=1&sr=https%3A//secure.bankofamerica.com/login/sign-in/signOn.go
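To show what a defender can pull out of one of those captured requests, here is an added example (our own script, not part of the original article or anything the extension vendors ship). It takes the decoded payload printed above, reconstructs the double base64 wrapping that Fiddler showed so the script runs offline (the wrapped body is constructed here, not a real capture), peels the layers off again, parses the fields, and reports what the payload gives away: the per-user token and session number, which HTTPS hosts were leaked, and which URLs carried query parameters. The field names `q`, `hreferer`, `prev`, `sr`, `pid` and `sess` come from the payload on the page; treating `pid`/`sess` as identifiers and the other four as page URLs is our reading of it.

```python
import base64
from urllib.parse import parse_qs, urlparse

# The decoded tracking payload printed in the article (the banking-site URLs
# and identifiers are exactly as shown there). The double base64 wrapping
# that Fiddler would show is reconstructed below so the script runs offline.
DECODED_PAYLOAD = (
    "s=1809&md=21&pid=mi8PjvHcZYtjxAJ&sess=23112540366128090&sub=chrome"
    "&q=https%3A//secure.bankofamerica.com/login/sign-in/signOnScreen.go"
    "%3Fmsg%3DInvalidOnlineIdException%26request_locale%3Den-us"
    "%26lpOlbResetErrorCounter%3D0"
    "&hreferer=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go"
    "&prev=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go"
    "&tmv=4001.1&tmf=1"
    "&sr=https%3A//secure.bankofamerica.com/login/sign-in/signOn.go"
)


def double_encode(text: str) -> str:
    """Wrap text in two layers of base64, the way the captured requests were."""
    return base64.b64encode(base64.b64encode(text.encode("utf-8"))).decode("ascii")


# Constructed stand-in for the request body you would copy out of Fiddler.
CAPTURED_BODY = double_encode(DECODED_PAYLOAD)


def peel_base64(body: str, max_layers: int = 4) -> str:
    """Strip base64 layers until a query string appears.

    '&' is not in the base64 alphabet, so its presence means we are done.
    """
    data = body.encode("ascii")
    for _ in range(max_layers):
        if b"&" in data:
            break
        data = base64.b64decode(data, validate=True)
    return data.decode("utf-8")


# Fields the article reports being sent: the page being viewed, the previous
# page, the referer, plus a per-user token and a session number (our reading).
URL_FIELDS = ("q", "hreferer", "prev", "sr")
ID_FIELDS = ("pid", "sess")


def decode_tracking_payload(body: str) -> dict:
    """Return the payload's fields, percent-decoded, as {name: [values]}."""
    return parse_qs(peel_base64(body))


def summarize_leak(fields: dict) -> dict:
    """Report what the payload gives away: identifiers, HTTPS hosts visited,
    and which URL fields carry query parameters (those often hold form data)."""
    https_hosts = set()
    urls_with_query = []
    for name in URL_FIELDS:
        for value in fields.get(name, []):
            parsed = urlparse(value)
            if parsed.scheme == "https":
                https_hosts.add(parsed.hostname)
            if parsed.query:
                urls_with_query.append(name)
    return {
        "identifiers": {k: fields[k][0] for k in ID_FIELDS if k in fields},
        "https_hosts": sorted(https_hosts),
        "urls_with_query": urls_with_query,
    }


if __name__ == "__main__":
    fields = decode_tracking_payload(CAPTURED_BODY)
    for name in URL_FIELDS + ID_FIELDS:
        print(f"{name:9s} {fields.get(name, [''])[0]}")
    print(summarize_leak(fields))
```

To use it on your own capture, paste the request body from Fiddler's Inspectors tab in place of `CAPTURED_BODY`; `peel_base64` stops as soon as the query string shows through, so it copes with one, two or more layers of encoding.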
You can drop api28.webovernet.com and the other site into your browser to see where they lead, but we’ll save you the suspense: they are actually redirects for the API for a company called Similar Web, which is one of many companies doing this kind of tracking, and selling the data so other companies can spy on what their competitors are doing.
If you’re the adventurous type, you can easily find this same tracking code by opening up your chrome://extensions page and clicking on the Developer mode, and then “Inspect views: html/background.html” or the similar text that tells you to inspect the extension. This is going to let you see what that extension is running all the time in the background.
That trash can icon is your friend
Once you click to inspect, you’ll immediately see a list of source files and all sorts of other stuff that will probably be Greek to you. The important things in this case are the two files named tr_advanced.js and tr_simple.js. These contain the tracking code, and it’s safe to say that if you see those files inside of any extension, you are being spied on, or will be spied on at some point. Some extensions contain different tracking code, of course, so just because your extension doesn’t have those files doesn’t mean it is clean. Scammers tend to be tricky.
(Note that we wrapped the source code to fit into the window)
You’ll probably notice that the URL on the right-hand side isn’t quite the same as the one earlier. The actual tracking source code is pretty complicated, and it appears that each extension has a different tracking URL.
Preventing an Extension from Updating Automatically (Advanced)
If you have an extension that you know and trust, and you’ve already verified that it doesn’t contain anything bad, you can make sure that the extension never secretly updates on you with spyware — but it is really manual and probably not what you’ll want to do.
If you still want to do so, open the Extensions panel, find the ID of the extension, then head to %localappdata%\google\chrome\User Data\default\Extensions and find the folder that contains your extension. Change the update_url line in the manifest.json to replace clients2.google.com with localhost. Note: we haven’t been able to test this with an actual extension yet, but it should work.
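The two manual checks above, looking through an extension’s files for the tracker scripts and permissions, and editing update_url in manifest.json, can be done with one small script. This is an added example written for this article, not code from the article or from any extension; it builds a made-up extension folder (a constructed manifest and placeholder files, with the Chrome Web Store update_url) so it runs offline, then audits it and applies the update_url edit. The set of “broad” permissions is our own choice of real Chrome permission strings that let an extension see every page you visit; the tracker file names are the two the article identifies.

```python
import json
import os
import tempfile

# File names the article identifies as carrying the wips.com tracking code.
TRACKER_FILENAMES = {"tr_advanced.js", "tr_simple.js"}

# Permissions that let an extension observe every page you visit. These are
# real Chrome permission strings; which ones count as "broad" is our choice.
BROAD_PERMISSIONS = {
    "<all_urls>", "http://*/*", "https://*/*", "*://*/*",
    "tabs", "webRequest", "webNavigation", "history",
}

# Constructed manifest for a made-up extension. The update_url is the one
# Chrome Web Store extensions carry, which the article suggests redirecting.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Zoom Helper",
    "version": "1.0",
    "permissions": ["tabs", "http://*/*", "https://*/*", "storage"],
    "background": {"page": "background.html"},
    "update_url": "https://clients2.google.com/service/update2/crx",
}


def make_sample_extension() -> str:
    """Write the constructed extension into a temp folder and return its path."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(SAMPLE_MANIFEST, f, indent=2)
    for name in ("background.html", "tr_simple.js", "zoom.js"):
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write("// constructed placeholder file\n")
    return root


def load_manifest(ext_dir: str) -> dict:
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        return json.load(f)


def audit_extension(ext_dir: str) -> dict:
    """Summarise what is worth checking before trusting an unpacked extension."""
    manifest = load_manifest(ext_dir)
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    tracker_files = set()
    for _dirpath, _dirs, filenames in os.walk(ext_dir):
        tracker_files |= TRACKER_FILENAMES & set(filenames)
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "broad_permissions": sorted(requested & BROAD_PERMISSIONS),
        "tracker_files": sorted(tracker_files),
        "update_url": manifest.get("update_url"),
    }


def pin_update_url(ext_dir: str, replacement_host: str = "localhost"):
    """Apply the article's update-blocking edit: point update_url away from
    clients2.google.com. Returns the new URL, or None if nothing changed."""
    manifest = load_manifest(ext_dir)
    url = manifest.get("update_url", "")
    if "clients2.google.com" not in url:
        return None
    manifest["update_url"] = url.replace("clients2.google.com", replacement_host)
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest["update_url"]


if __name__ == "__main__":
    # Point ext at the folder for a real extension ID under ...\Extensions
    # to audit one you have installed; here the constructed sample is used.
    ext = make_sample_extension()
    print(audit_extension(ext))
    print("update_url now:", pin_update_url(ext))
```

Run the audit before the edit and again after each manual update you choose to apply, and keep the article’s own caveat in mind: the update_url change was untested, and newer Chrome builds verify installed extension files and may repair or disable one whose manifest has been altered, so check the Extensions page afterwards.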
For Firefox, the process is a lot easier. Go to the Add-ons screen, click the menu icon, and un-check “Update Add-ons automatically”.
So Where Does This Leave Us?
We’ve already established that loads of extensions are being updated to include tracking / spying code, injecting ads, and who knows what else. They are being sold to untrustworthy companies, or the developers are being bought with a promise of easy money.
Once you have an add-on installed, there’s no way to know that they aren’t going to be including spyware down the road. All we do know is that there are a lot of add-ons and extensions that are doing these things.
People have been asking us for a list, and as we’ve been investigating, we’ve found so many extensions doing these things, we’re not sure that we can make a complete list of all of them. We’ll add a list of them to the forum topic associated with this article, so we can have the community help us generate a bigger list.