Forwarded from BlackBox (Security) Archiv
DataSpii: The catastrophic data leak via browser extensions
We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users.
Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe.
We observed two extensions employing dilatory tactics — an effective maneuver for eluding detection — to collect the data. We identified the collection of sensitive data from the internal network environments of Fortune 500 companies.
Several Fortune 500 companies provided an additional measure of confirmation through a process of responsible disclosure. By deploying a honeypot to monitor web traffic, we discovered near-immediate visits to URLs collected by the extensions. To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.
👉🏼 https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/
I found your data. It's for sale.
As many as 4 million people have Web browser extensions that sell their every click. And that's just the tip of the iceberg.
I've watched you check in for a flight and seen your doctor refilling a prescription.
I've peeked inside corporate networks at reports on faulty rockets. If I wanted, I could've even opened a tax return you only shared with your accountant.
I found your data because it's for sale online. Even more terrifying: It's happening because of software you probably installed yourself.
My latest investigation into the secret life of our data is not a fire drill. Working with an independent security researcher, I found as many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox. Even a colleague in The Washington Post's newsroom got caught up. When we told browser makers Google and Mozilla, they shut these leaks immediately — but we probably identified only a fraction of the problem.
👉🏼 https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/
#DataSpii #DataSpy #browser #extensions #data #leak #security #investigation #chrome #firefox
@cRyPtHoN_INFOSEC_DE
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_ES
@FLOSSb0xIN
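The honeypot check the abstract describes, as an added defender-side example (not code from the DataSpii report or from this channel): issue unique canary URLs that are never shared, then scan the web server's access log for visits from any client other than the one a link was issued to, and flag the ones that arrive within minutes. Tokens, IP addresses and log lines below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed canary registry: token -> (client IP the link was issued to, issue time).
# Each URL is unique and never shared, so a visit from any other client means the
# URL left the browser by another path (the report's case: a data-collecting extension).
CANARIES = {
    "k7Qz-canary01": ("203.0.113.5", datetime(2019, 7, 10, 14, 0, 0, tzinfo=timezone.utc)),
    "m2Rv-canary02": ("203.0.113.5", datetime(2019, 7, 10, 14, 5, 0, tzinfo=timezone.utc)),
}

# Constructed combined-format access log: owner visit, foreign visit 41 s after issue,
# an unrelated request, an owner-only canary, and one malformed line.
ACCESS_LOG = """\
203.0.113.5 - - [10/Jul/2019:14:00:03 +0000] "GET /share/k7Qz-canary01 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Jul/2019:14:00:41 +0000] "GET /share/k7Qz-canary01 HTTP/1.1" 200 512 "-" "python-requests/2.22"
198.51.100.77 - - [10/Jul/2019:14:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "python-requests/2.22"
203.0.113.5 - - [10/Jul/2019:14:05:10 +0000] "GET /share/m2Rv-canary02 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not a valid log record
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TOKEN_RE = re.compile(r"/share/([A-Za-z0-9_-]+)")

def parse_line(line):
    """Return (client_ip, timestamp, path), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]

def find_leaked_canaries(log_text, canaries):
    """Map each canary token to its foreign visits as (ip, seconds after issue)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        tm = TOKEN_RE.search(path)
        if not tm or tm.group(1) not in canaries:
            continue
        issued_to, issued_at = canaries[tm.group(1)]
        if ip != issued_to:  # the owner opening their own link is expected traffic
            hits[tm.group(1)].append((ip, (ts - issued_at).total_seconds()))
    return dict(hits)

def near_immediate(hits, within_seconds=300):
    """Tokens whose earliest foreign visit fell inside the window (the report's signal)."""
    return sorted(t for t, v in hits.items() if min(d for _, d in v) <= within_seconds)
```

Run against a real access log by replacing ACCESS_LOG with the file contents and CANARIES with the tokens you issued; the 41-second foreign hit on the first canary is the pattern the report calls a near-immediate visit.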