Click here to read about Sam

Click here to read the full DataSpii report.

Click here to download the DataSpii indicator (IOC) file

Click here to view the DataSpii-identified extensions

Click here to read about Hover Zoom’s controversial past

Imagine if someone could see what employees at thousands of companies were actively working on in near real-time (about a one-hour delay). Imagine, further, this person could access your sensitive personal data in much the same way. Moreover, what if you and/or your colleagues were, yourselves, unknowingly leaking such data?

DataSpii (pronounced data-spy) denotes the catastrophic data leak that occurred via eight Chrome and Firefox browser extensions (see Table 1). This leak exposed personal identifiable information (PII) and corporate information (CI) on an unprecedented scale, impacting millions of individuals. The collected data was then made available to members of an unnamed service, which we refer to in our report as Company X. Both paid and trial members of this service had access to the leaked data. After we reported our findings to Google and Mozilla, the browser vendors remotely disabled the extensions. Furthermore, the online service is now defunct.

Table 1. Chrome and Firefox extensions identified in the DataSpii leak.

Note: There may be other, yet unidentified, invasive browser extensions involved in the DataSpii leak.

Extension name Number of users Browser vendor Chrome extension ID

(if applicable) Hover Zoom 800,000+ users Chrome nonjdcjchghhkdoolnlbekcfllmednbl SpeakIt! 1.4+ million users Chrome pgeolalilifpodheeocdmbhehgnkkbak SuperZoom 329,000+ users Chrome and Firefox gnamdgilanlgeeljfnckhboobddoahbl SaveFrom.net Helper† ≤140,000 users Firefox N/A FairShare Unlock‡ 1+ million users Chrome and Firefox alecjlhgldihcjjcffgjalappiifdhae PanelMeasurement‡ 500,000+ users Chrome kelbkhobcfhdcfhohdkjnaimmicmhcbo Branded Surveys‡ 8 users Chrome dpglnfbihebejclmfmdcbgjembbfjneo Panel Community

Surveys‡ 1 user Chrome lpjhpdcflkecpciaehfbpafflkeomcnb

†The invasive data collecting behavior occurred when the SaveFrom.net Helper extension was installed from the author’s official website using Firefox on macOS or Ubuntu. We did not observe the invasive behavior when the extension was installed from a browser vendor store.

‡FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys make explicit efforts to let their users know they collect browser activity data.

Company X members could search the website traffic data for nearly any domain name and find confidential corporate memos, zero-day security vulnerabilities, as well as impacted users’ tax returns, GPS locations, travel itineraries, credit card details, or possibly any URL he or she may have opened with their browser. By requesting data for a single domain via the Company X service, we were able to observe what staff members at thousands of companies were working on in near real-time. The Company X website states they collect their data from millions of opt-in users; however, we spoke with many impacted individuals and major corporations who have told us they did not consent to such collection.

DataSpii impacted tech giants — including Apple, Facebook, Microsoft, and Amazon; DataSpii also impacted cybersecurity giants — including Symantec, FireEye, Trend Micro, and Palo Alto Networks. See Table 2 for a list of impacted companies and leaked data types provided by Company X to its members. Based on our research, billions of analytics hits were collected from impacted users and corporations. When impacted users use browser sync features (e.g., Google Chrome Sync), the extensions can instantly spread to all logged-in locations of a user, (e.g., home and work computers). Moreover, by monitoring the web traffic of a domain under our control, we observed third-party visits to the unique URLs collected by the extensions.

Note: We have sent disclosures and notified all of the companies listed by our report.

The list below is by no means a complete list of corporations impacted by the DataSpii leak.

Table 2. DataSpii-impacted services and/or companies.

Note: The data was published via Company X or it was made accessible by clicking the link provided by Company X. We did not click on any links except of our own.

After we informed a browser vendor that one of its extensions was implicated in data collection, the vendor remotely disabled the extension for all users. While the extension did, indeed, cease performing its primary function, its collection of data continued unabated. Based on this observation, we recommend impacted users remove the extension in question from their browsers.

During the course of our investigation, we observed two popular extensions (i.e., Hover Zoom and SpeakIt!) employ dilatory tactics — an effective maneuver for eluding detection — to collect the data. The extensions waited, on average, 24 days before initiating the collection of browsing activity data.

We discovered the collection and dissemination of sensitive data from the internal networks of many Fortune 500 corporations (see Table 2 above for a complete list of impacted companies). In addition, we devised a local area network (LAN) experiment, which allowed us to observe one extension, Hover Zoom, collect hyperlinks stored within the page content of our LAN website. Such data collected from a single visit to a page in a LAN environment can be used to map a corporation’s LAN environment. Furthermore, we observed the dissemination of our LAN data to three different hostnames. The collected data included our site’s LAN IP address, hostname, page title, timestamp of the visit, as well as the URLs of page resources (i.e., CSS files, JS files, and images) referenced in our HTML code. We then observed much of our LAN data being disseminated to members of Company X. (Company X did not provide all collected metadata (e.g., last-modified) available to its customers.) Finally, through the responsible disclosure process, we corroborated our findings with impacted individuals and major corporations.