Google bans 200 dodgy extensions for data snooping

Research reveals Chrome add-ons are stealing user data

Google has yanked 200 extensions from the Chrome store, after they were revealed to be stealing sensitive data from millions of users. 

The move follows two reports about browser extensions, the small, often free tools that can be installed in Chrome and Firefox to add specific features.

The first report was from the University of California at Santa Barbara, which worked alongside Google to measure the extent of the problem, analysing more than 100 million visits to its pages. 

The research found that 5 per cent of everyone visiting a Google page have at least one malicious extension, and most of those affected have multiple dodgy add-ons. 

Advertisement
Advertisement - Article continues below

Researcher Alexandros Kapravelos said the problem is hard to fix because malicious extensions use the same techniques to collect data as legitimate tools. 

"Even when we have a complete understanding of what the extension is doing, sometimes it is not clear if that behaviour is malicious or not," he told the BBC. "You would expect that an extension that injects or replaces advertisements is malicious, but then you have AdBlock that creates an ad-free browsing experience and is technically very similar."

Indeed, the extension that's the focus of the second report denies it's acting malicously. Web firm ScrapeSentry analysed Chrome extension Webpage Screenshot, finding it collects data from users and sends it to a server in the US.

While the purpose of the tool is, as the name suggests, to take screenshots of webpages, the extension also copies all your browsing data, sending it to an IP address registered in the US. 

"The repercussions of this could be quite major for the individuals who have downloaded the extension," said ScrapeSentry security analyst Cristian Mariolini. "What happens to the personal data and the motives for wanting it sent it to the US server is anyone's guess, but ScrapeSentry would take an educated guess it's not going to be good news.  And of course, if it's not stopped, the plugin may, at any given time, be updated with new malicious functionality as well."

However, a spokesperson for Webpage Screenshot told the BBC that the data wasn't gathered for malicious reasons, but to understand who was using the extension.

Google doesn't appear to believe full browsing history is required for that, and the extension has been removed from its Chrome Web Store

Featured Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

4 Nov 2019
Visit/strategy/28115/the-pros-and-cons-of-net-neutrality
Business strategy

The pros and cons of net neutrality

4 Nov 2019
Visit/domain-name-system-dns/34842/microsoft-embraces-dns-over-https-to-secure-the-web
Domain Name System (DNS)

Microsoft embraces DNS over HTTPS to secure the web

19 Nov 2019
Visit/social-media/34844/can-wikipedia-founders-social-network-really-challenge-facebook
social media

Can Wikipedia founder's social network really challenge Facebook?

19 Nov 2019