UPDATE: Awesome Screenshot 3.7.12 now offers an 'opt-out' setting to address this (but it's on by default) - read my new article here.

Back in June, my OSSEC logs alerted me to some web crawling activity by a crawler with a user-agent of 'niki-bot'. Chances are if you grep or analyse your web logs, you've seen it too.

That in and of itself is not especially unusual. If you're anything like me, you find that crawlers are all over your logs, 24x7. You especially know this if you are running OSSEC and getting rule 31151 ('Multiple web server 400 error codes from same source ip') triggered all the time. However, niki-bot is different, and it got my attention due to the nature of the URLs it was trying to hit. Here are some examples:

64.79.85.202 - - [09/Aug/2014:15:40:37 +0100] "GET /node/6059128/webform/configure HTTP/1.1" 403 4474 "-" "niki-bot"

64.79.85.202 - - [09/Aug/2014:15:39:39 +0100] "GET /admin/structure/pages/edit/node_view HTTP/1.1" 403 4483 "-" "niki-bot"

64.79.85.202 - - [09/Aug/2014:06:59:44 +0100] "GET /node/add_to_group/257998 HTTP/1.1" 403 22037 "-" "niki-bot"

Hmm. Very specific URLs relating to certain Drupal websites within the infrastructure. Not just arbitrary, opportunistic URLs such as /user/register, but actual edit pages of specific nodes that do exist.

Here's another from our Jenkins server, which requires authentication to view any such URLs:

64.79.85.202 - - [15/Jul/2014:21:42:02 -0400] "GET /view/Deployments/job/Deploy_XXXXXXXXX_application HTTP/1.1" 400 264 "-" "niki-bot"

Wow, that's very specific. That job definitely exists, but only staff who are logged in can see it.

And here's another, from Gitlab:

64.79.85.202 - - [31/May/2014:22:59:40 +0100] "GET /client/some-project/merge_requests/22 HTTP/1.1" 400 264 "-" "niki-bot"

Wow, a merge request URL. WTF?

See any common theme (other than, in these cases, the IP address)? These are very specific URLs that definitely do exist, but are effectively behind an 'auth-wall' which no normal bot can access. These URLs are not linked anywhere, which is why no 'normal' crawler such as Googlebot ever finds them. Yet niki-bot does.

Somewhat alarmed, we used OSSEC to collate every occurrence in the logs, and gradually a picture began to emerge. Even early on in the investigation, I was 90% sure that these were all URLs that a specific staff member had visited. We had all visited many of them, but one user in particular was likely to have visited all of them due to the nature of their role. Virus scans turned up nothing on his computer.

I was not the only one to experience this, but maddeningly, there was not much reported on the internet about it. One other person had reported a similar issue, regarding a Google AppEngine URL that only he could have used. He had had no response.

Email correspondence at the time has me saying in June, "The only way these URLs would be found is client-side. Maybe some browser plugin maliciously recording someone's (Bob's?) browsing history?".

Finally, Bob reviewed his browser extensions, and we were able to determine the only extension we couldn't be 100% sure of was 'Awesome Screenshot' by Diigo. The extension was subsequently disabled, but we still didn't know for sure if that was the culprit. Time passed and we moved on.

Picking up a lead

In early August, I happened across another thread, which was effectively a cross-post by the same AppEngine user above. But in this thread, he had finally received a response in July from another user 'Vlad':

I faced the same issue. As I found out, the attacker used the URLs, which were provided to him by a Chrome extension. In my case it was the awesomescreenshot extension in Google Chrome, which leaked all the internal pages (in admin account) I was visiting myself. So the bot later just pinged those. When the extension is installed, basically it receives access to all the page URLs you visit. I just removed the extension, now in doubt whether I need to reset all passwords of all my accounts, because potentially cookies also could be leaked.

Bolstered by this corroborating story, I decided to look further into this AwesomeScreenshot extension. It wasn't long before negative reviews on the Chrome app store led me to these two articles, which both seemed to confirm that the extension contains JavaScript which sends browsing activity in plaintext to an upstream service, lb.crdui.com. That service in turn redirects to, or makes use of, an API belonging to webovernet.com, which some say is part of a third service called SimilarWeb. To quote from some of these linked pages:

If you try to navigate to http://s1821.crdui.com/service2 it will redirect you to http://t1.webovernet.com/service2. Note that.. "webovernet.com". Back to the linked article: You can drop api28.webovernet.com and the other site into your browser to see where they lead, but we’ll save you the suspense: they are actually redirects for the API for a company called Similar Web, which is one of many companies doing this kind of tracking, and selling the data so other companies can spy on what their competitors are doing.

The relationship with niki-bot

None of the articles that explain the extension's tracking seems aware that the niki-bot crawler appears to return later to URLs harvested from extensions such as Awesome Screenshot, for who knows what purpose (reconnaissance of some sort?). That's fair enough; these guys may not be sysadmins with access to web logs. But per the AppEngine case, there was clearly a link.

So I began to wonder two things:

1) What is the relationship between crdui.com and webovernet.com/similarweb.com?

2) What is the relationship between these and niki-bot?

Looking into crdui.com, which is a 'domains by proxy' privately-registered domain name like webovernet is, I noticed it was registered on December 24, 2013. Lo and behold, that just happens to be the date that my logs pick up niki-bot for the first time!

/var/log/apache2/other_vhosts_access.log.33.gz:207.182.143.242 - - [24/Dec/2013:22:37:50 +1100] "GET / HTTP/1.1" 200 13723 "-" "niki-bot" 115 14164

Meanwhile, other online services appear to link the IP 64.79.85.202 to both similarweb.com and niki-bot.

At least two IPs in my logs have been used by niki-bot: 209.190.113.82 and 64.79.85.202. These are in the 209.190.0.0/17 and 64.79.64.0/19 subnets announced by AS10297, belonging to eNET, Inc.

t1.webovernet.com, mentioned in one of the above articles, resolves to two IPs 209.190.8.242 and 64.79.86.18. Both in the same subnets as the above.
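The log triage described earlier (collating niki-bot hits and noticing that they land on auth-walled URLs) and the subnet cross-reference just above can be scripted. The following is an added example, not the original post's OSSEC rules or any script of the author's: it parses combined-format access log lines, keeps only hits with the niki-bot User-Agent, counts how many of them hit URLs that answered with an auth-wall status, and checks whether each source IP sits in the two subnets named above. The sample lines are the ones quoted in this post plus one constructed Googlebot line for contrast; the status-code set and the subnet list are assumptions taken from this post, not a general signature.

```python
import ipaddress
import re
from collections import defaultdict

# Combined log format. re.search() is used so that a grep-style
# "/var/log/...:" prefix or extra trailing fields (as in the Dec 2013 line
# quoted above) do not stop a line from parsing.
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The two subnets the post links to niki-bot (announced by AS10297).
# Assumption: a hit from outside them is reported as an unknown source,
# not dismissed.
KNOWN_NIKI_SUBNETS = [
    ipaddress.ip_network("209.190.0.0/17"),
    ipaddress.ip_network("64.79.64.0/19"),
]

# Responses the auth-walled URLs gave the crawler in the logs above. A crawler
# collecting these is requesting pages it could not have found via links.
AUTH_WALL_STATUSES = {400, 401, 403}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def in_known_subnet(ip):
    """True if ip falls inside one of the subnets named in the post."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NIKI_SUBNETS)


def triage(lines, ua_marker="niki-bot"):
    """Group hits carrying ua_marker by source IP and count how many landed on
    URLs that answered with an auth-wall status."""
    summary = defaultdict(
        lambda: {"hits": 0, "auth_walled": 0, "paths": [], "known_subnet": False}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ua"] != ua_marker:
            continue
        entry = summary[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].append(rec["path"])
        entry["known_subnet"] = in_known_subnet(rec["ip"])
        if rec["status"] in AUTH_WALL_STATUSES:
            entry["auth_walled"] += 1
    return dict(summary)


# Sample input: the four niki-bot lines quoted in this post, plus one
# constructed Googlebot line (66.249.66.1 is made up) for contrast.
SAMPLE_LINES = [
    '64.79.85.202 - - [09/Aug/2014:15:40:37 +0100] "GET /node/6059128/webform/configure HTTP/1.1" 403 4474 "-" "niki-bot"',
    '64.79.85.202 - - [09/Aug/2014:15:39:39 +0100] "GET /admin/structure/pages/edit/node_view HTTP/1.1" 403 4483 "-" "niki-bot"',
    '64.79.85.202 - - [15/Jul/2014:21:42:02 -0400] "GET /view/Deployments/job/Deploy_XXXXXXXXX_application HTTP/1.1" 400 264 "-" "niki-bot"',
    '/var/log/apache2/other_vhosts_access.log.33.gz:207.182.143.242 - - [24/Dec/2013:22:37:50 +1100] "GET / HTTP/1.1" 200 13723 "-" "niki-bot" 115 14164',
    '66.249.66.1 - - [09/Aug/2014:15:41:00 +0100] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LINES).items():
        print(ip, entry["hits"], "hits,", entry["auth_walled"], "auth-walled,",
              "known subnet" if entry["known_subnet"] else "unknown source")
        for path in entry["paths"]:
            print("   ", path)
```

Feeding a real log through `triage` (one line per list element) gives a per-IP view in which a high auth-walled count is the signal worth chasing: a crawler that keeps asking for pages it only gets 403s for is working from a list it obtained somewhere other than links.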

The Bitcoin service BitBargain, only 2 days ago, also wrote about niki-bot; their attention was drawn to it the same way mine was, by the 'secret' URLs standing out in the logs. Independently of my research, they were able to cross-reference the IP 64.79.85.202 to a known adware executable called similarwebie.exe. The plot thickens! Their case may not have involved Awesome Screenshot: as Howtogeek reports, other Chrome extensions such as Hoverzoom have been known to send data to the webovernet service too. However, that extension, according to the article, at least offers an opt-out checkbox in its settings page.

The connection between these services and niki-bot is still not clear to me, and perhaps never will be. I think it's unlikely that the crawler tool belongs to Awesome Screenshot; more likely it is part of a wider set of tools belonging to the advertising companies etc. I don't think it or the screenshot extension are used to harvest sensitive credentials, but clearly there is some sort of market value perceived in crawling the URLs for data later.

A closer look at the Awesome Screenshot extension

Returning to Awesome Screenshot, I decided to look at the source code of the extension and found that it does indeed make POST requests to crdui.com URLs, evidently to get some sort of return value indicating whether there were 'related' URLs from the upstream service (presumably SimilarWeb). Take a look at the extension's data on your hard drive, specifically the file 'javascripts/Tr/tr.js' (I guess 'Tr' here is short for 'tracker'). On my Linux machine running Chromium, this file is in ~/.config/chromium/Default/Extensions/xxxxxxxxxxxxxxxxxxxxx/3.7.11_0/javascripts/Tr/tr.js where xxxxxxxxxxxxxxxxx is presumably the identifier of the extension itself. I am basing the version number here on the new version 3.7.11 from August 14 (which actually came out after I first published this post; sadly, that new version still uses this tracking nastiness).

Analysing the traffic in Wireshark, the POST data appears to be twice base64-encoded (why?) and sent in plaintext to those URLs. Decoding the data shows essentially the URL string you visited. I couldn't find evidence that it captures or sends cookies or the actual POST data that is, say, sent in a login form (using gmail.com as a test); just the URLs. Some people in the links/reviews have claimed it captures their session data, but I didn't see this myself.

Hypertext Transfer Protocol
    POST /service2 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): POST /service2 HTTP/1.1\r\n]
            [Message: POST /service2 HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: POST
        Request URI: /service2
        Request Version: HTTP/1.1
    Host: s1821.crdui.com\r\n
    Connection: keep-alive\r\n
    Content-Length: 864\r\n
        [Content length: 864]
    Accept: application/json, text/javascript, */*; q=0.01\r\n
    Origin: chrome-extension://alelhddbbhepgpmgidjdcjakblofbmce\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36\r\n
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n
    Accept-Encoding: gzip,deflate,sdch\r\n
    Accept-Language: en-US,en;q=0.8\r\n
    \r\n
    [Full request URI: http://s1821.crdui.com/service2]
Line-based text data: application/x-www-form-urlencoded
    [truncated] e=Y3oweE9ESXhKbTFrUFRJeEpuQnBaRDA1UVhORmJtZHdPVFV3Tm5SclRWa21jMlZ6Y3owek1ETTBNVEEzTURneU1EVTNOelEwTURBbWMzVmlQV05vY205dFpTWnhQV2gwZEhCekpUTkJMeTkzZDNjdVoyMWhhV3d1WTI5dEwybHVkR3d2Wlc0dmJXRnBiQzlvWld4d0wyRmliM1YwTG1oMGJXd21kRzEyU



0000 52 54 00 12 35 02 08 00 27 c0 fe bb 08 00 45 00 RT..5...'.....E.
0010 05 76 d3 71 40 00 40 06 30 0c 0a 00 02 0f ad 2d .v.q@.@.0......-
0020 78 c8 df 8f 00 50 56 f5 2d 1c 0f e2 68 02 50 18 x....PV.-...h.P.
0030 39 08 37 6d 00 00 50 4f 53 54 20 2f 73 65 72 76 9.7m..POST /serv
0040 69 63 65 32 20 48 54 54 50 2f 31 2e 31 0d 0a 48 ice2 HTTP/1.1..H
0050 6f 73 74 3a 20 73 31 38 32 31 2e 63 72 64 75 69 ost: s1821.crdui
0060 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e .com..Connection
0070 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 43 6f : keep-alive..Co
0080 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 38 36 ntent-Length: 86
0090 34 0d 0a 41 63 63 65 70 74 3a 20 61 70 70 6c 69 4..Accept: appli
00a0 63 61 74 69 6f 6e 2f 6a 73 6f 6e 2c 20 74 65 78 cation/json, tex
00b0 74 2f 6a 61 76 61 73 63 72 69 70 74 2c 20 2a 2f t/javascript, */
00c0 2a 3b 20 71 3d 30 2e 30 31 0d 0a 4f 72 69 67 69 *; q=0.01..Origi
00d0 6e 3a 20 63 68 72 6f 6d 65 2d 65 78 74 65 6e 73 n: chrome-extens
00e0 69 6f 6e 3a 2f 2f 61 6c 65 6c 68 64 64 62 62 68 ion://alelhddbbh
00f0 65 70 67 70 6d 67 69 64 6a 64 63 6a 61 6b 62 6c epgpmgidjdcjakbl
0100 6f 66 62 6d 63 65 0d 0a 55 73 65 72 2d 41 67 65 ofbmce..User-Age
0110 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 nt: Mozilla/5.0 
0120 28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f (X11; Linux x86_
0130 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 64) AppleWebKit/
0140 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 537.36 (KHTML, l
0150 69 6b 65 20 47 65 63 6b 6f 29 20 55 62 75 6e 74 ike Gecko) Ubunt
0160 75 20 43 68 72 6f 6d 69 75 6d 2f 33 36 2e 30 2e u Chromium/36.0.
0170 31 39 38 35 2e 31 32 35 20 43 68 72 6f 6d 65 2f 1985.125 Chrome/
0180 33 36 2e 30 2e 31 39 38 35 2e 31 32 35 20 53 61 36.0.1985.125 Sa
0190 66 61 72 69 2f 35 33 37 2e 33 36 0d 0a 43 6f 6e fari/537.36..Con
01a0 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 tent-Type: appli
01b0 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 cation/x-www-for
01c0 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 3b 20 63 68 m-urlencoded; ch
01d0 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 41 63 63 arset=UTF-8..Acc
01e0 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a ept-Encoding: gz
01f0 69 70 2c 64 65 66 6c 61 74 65 2c 73 64 63 68 0d ip,deflate,sdch.
0200 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 .Accept-Language
0210 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30 2e 38 : en-US,en;q=0.8
0220 0d 0a 0d 0a 65 3d 59 33 6f 77 65 45 39 45 53 58 ....e=Y3oweE9ESX
0230 68 4b 62 54 46 72 55 46 52 4a 65 45 70 75 51 6e hKbTFrUFRJeEpuQn
0240 42 61 52 44 41 31 55 56 68 4f 52 6d 4a 74 5a 48 BaRDA1UVhORmJtZH
0250 64 50 56 46 56 33 54 6d 35 53 63 6c 52 57 61 32 dPVFV3Tm5SclRWa2
0260 31 6a 4d 6c 5a 36 59 33 6f 77 65 6b 31 45 54 54 1jMlZ6Y3owek1ETT
0270 42 4e 56 45 45 7a 54 55 52 6e 65 55 31 45 56 54 BNVEEzTURneU1EVT
0280 4e 4f 65 6c 45 77 54 55 52 42 62 57 4d 7a 56 6d NOelEwTURBbWMzVm
0290 6c 51 56 30 35 76 59 32 30 35 64 46 70 54 57 6e lQV05vY205dFpTWn
02a0 68 51 56 32 67 77 5a 45 68 43 65 6b 70 55 54 6b hQV2gwZEhCekpUTk
02b0 4a 4d 65 54 6b 7a 5a 44 4e 6a 64 56 6f 79 4d 57 JMeTkzZDNjdVoyMW
02c0 68 68 56 33 64 31 57 54 49 35 64 45 77 79 62 48 hhV3d1WTI5dEwybH
02d0 56 6b 52 33 64 32 57 6c 63 30 64 6d 4a 58 52 6e VkR3d2Wlc0dmJXRn
02e0 42 69 51 7a 6c 76 57 6c 64 34 64 30 77 79 52 6d BiQzlvWld4d0wyRm
02f0 6c 69 4d 31 59 77 54 47 31 6f 4d 47 4a 58 64 32 liM1YwTG1oMGJXd2
0300 31 6b 52 7a 45 79 55 46 52 52 64 30 31 45 53 58 1kRzEyUFRRd01ESX
0310 56 4e 55 31 6f 77 59 6c 64 5a 4f 55 31 54 57 6e VNU1owYldZOU1TWn
0320 70 6a 61 6a 46 76 5a 45 68 53 64 30 70 55 54 6b pjajFvZEhSd0pUTk
0330 4a 4d 65 54 6c 75 59 6c 64 47 63 47 4a 44 4e 57 JMeTluYldGcGJDNW
0340 70 69 4d 6a 42 32 53 6d 35 4f 65 56 42 58 61 44 piMjB2Sm5OeVBXaD
0350 42 6b 53 45 4a 36 53 6c 52 4f 51 6b 78 35 4f 57 BkSEJ6SlROQkx5OW
0360 35 69 56 30 5a 77 59 6b 4d 31 61 6d 49 79 4d 48 5iV0ZwYkM1amIyMH
0370 5a 4b 62 6b 35 35 55 46 64 6f 4d 47 52 49 51 6e ZKbk55UFdoMGRIQn
0380 70 4b 56 45 35 43 54 48 6b 35 64 46 6c 58 62 48 pKVE5CTHk5dFlXbH
0390 4e 4d 62 57 52 32 59 6a 4a 6b 63 31 70 54 4e 57 NMbWR2YjJkc1pTNW
03a0 70 69 4d 6a 42 32 59 6c 64 47 63 47 4a 44 4f 47 piMjB2YldGcGJDOG
03b0 31 6a 4d 30 6b 35 59 55 68 53 4d 47 4e 49 54 57 1jM0k5YUhSMGNITW
03c0 78 4e 4d 45 56 32 54 44 4a 47 61 6c 6b 79 4f 54 xNMEV2TDJGalkyOT
03d0 46 69 62 6c 4a 36 54 47 31 6b 64 6d 49 79 5a 48 FiblJ6TG1kdmIyZH
03e0 4e 61 55 7a 56 71 59 6a 49 77 64 6c 55 79 56 6e NaUzVqYjIwdlUyVn
03f0 6c 6b 62 57 78 71 57 6c 56 34 64 6c 6f 79 62 48 lkbWxqWlV4dloybH
0400 56 4b 56 45 35 48 59 7a 4a 57 65 57 52 74 62 47 VKVE5HYzJWeWRtbG
0410 70 61 55 31 56 36 55 6b 63 78 61 47 46 58 64 32 paU1V6UkcxaGFXd2
0420 78 4e 61 6c 70 33 57 56 68 4f 65 6d 46 59 57 6d xNalp3WVhOemFYWm
0430 78 4b 56 45 35 46 5a 45 68 4b 4d 56 70 54 56 58 xKVE5FZEhKMVpTVX
0440 6c 4f 62 6b 70 30 53 6c 52 4f 52 56 70 74 52 6e lObkp0SlRORVptRn
0450 4e 6a 4d 6c 56 73 54 57 70 61 61 6d 49 79 4e 54 NjMlVsTWpaamIyNT
0460 42 68 56 7a 55 78 57 6c 4e 56 65 6c 4a 48 61 44 BhVzUxWlNVelJHaD
0470 42 6b 53 45 4a 36 53 6c 52 4f 51 6b 78 35 4f 58 BkSEJ6SlROQkx5OX
0480 52 5a 56 32 78 7a 54 47 31 6b 64 6d 49 79 5a 48 RZV2xzTG1kdmIyZH
0490 4e 61 55 7a 56 71 59 6a 49 77 64 6d 4a 58 52 6e NaUzVqYjIwdmJXRn
04a0 42 69 51 7a 68 73 54 57 70 61 65 6d 4e 35 56 58 BiQzhsTWpaemN5VX
04b0 70 53 52 45 56 73 54 57 70 61 65 6c 6b 79 54 57 pSREVsTWpaelkyTW
04c0 78 4e 4d 46 46 34 53 6c 52 4a 4d 6d 4a 49 55 6e xNMFF4SlRJMmJIUn
04d0 52 6a 52 33 64 73 54 54 42 53 61 31 70 58 57 6d RjR3dsTTBSa1pXWm
04e0 68 6b 56 33 67 77 53 6c 52 4a 4d 6d 4a 49 55 6e hkV3gwSlRJMmJIUn
04f0 52 6a 52 33 68 71 57 56 64 4f 62 31 70 54 56 58 RjR3hqWVdOb1pTVX
0500 70 53 52 45 6c 73 54 57 70 61 62 47 4a 59 53 57 pSRElsTWpabGJYSW
0510 78 4e 4d 46 46 34 53 6d 35 4f 65 56 42 58 61 44 xNMFF4Sm5OeVBXaD
0520 42 6b 53 45 4a 36 53 6c 52 4f 51 6b 78 35 4f 58 BkSEJ6SlROQkx5OX
0530 52 5a 56 32 78 7a 54 47 31 6b 64 6d 49 79 5a 48 RZV2xzTG1kdmIyZH
0540 4e 61 55 7a 56 71 59 6a 49 77 64 6d 46 58 4e 54 NaUzVqYjIwdmFXNT
0550 42 69 51 7a 6c 73 59 6d 6b 35 64 46 6c 58 62 48 BiQzlsYmk5dFlXbH
0560 4e 4d 4d 6d 68 73 59 6b 68 42 64 6c 6c 58 53 6e NMMmhsYkhBdllXSn
0570 5a 6b 57 46 46 31 59 55 68 53 64 47 4a 42 50 54 ZkWFF1YUhSdGJBPT
0580 30 25 33 44 0%3D

Base64-decoded output of this POST request:

s=1821&md=21&pid=9AsEngp9506tkMY&sess=303410708205774400&sub=chrome&q=https%3A//www.gmail.com/intl/en/mail/help/about.html&tmv=4002.1&tmf=1&sr=http%3A//gmail.com/&sr=https%3A//gmail.com/&sr=https%3A//mail.google.com/mail/&sr=https%3A//accounts.google.com/ServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%3A//mail.google.com/mail/%26ss%3D1%26scc%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2%26emr%3D1&sr=https%3A//mail.google.com/intl/en/mail/help/about.htm)
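To reproduce the decoding step, here is an added Python example (not the extension's tr.js and not any tooling of the author's) that unwraps a captured form body: it form-decodes the e= field, base64-decodes it twice, and parses the resulting query string into the visited URL (q), the referrer history (sr, repeated) and the sess value (presumably a session identifier). It embeds the first 225 characters of the captured e= value from the dump above; because the capture is truncated on the page, the decoder drops the incomplete trailing base64 group rather than failing. wrap_like_extension is a reconstruction used only to build a constructed sample body of the same shape (the hostname intranet.example is made up); it is not the extension's code.

```python
import base64
from urllib.parse import parse_qs, quote

# The start of the e= value from the capture above (the page truncates it).
# 225 characters: 56 complete base64 groups plus one dangling character,
# which _b64_decode_truncated discards.
CAPTURED_E_PREFIX = (
    "Y3oweE9ESXhKbTFrUFRJeEpuQnBaRDA1UVhORmJtZHdPVFV3Tm5SclRWa21jMlZ6"
    "Y3owek1ETTBNVEEzTURneU1EVTNOelEwTURBbWMzVmlQV05vY205dFpTWnhQV2gw"
    "ZEhCekpUTkJMeTkzZDNjdVoyMWhhV3d1WTI5dEwybHVkR3d2Wlc0dmJXRnBiQzlv"
    "Wld4d0wyRmliM1YwTG1oMGJXd21kRzEyU"
)


def _b64_decode_truncated(text: str) -> bytes:
    """Standard base64 decode that tolerates a cut-off capture: whitespace from
    a pasted dump is removed and an incomplete final 4-character group is
    discarded instead of raising binascii.Error."""
    text = "".join(text.split())
    usable = len(text) - len(text) % 4
    return base64.b64decode(text[:usable])


def unwrap_tracker_body(body: str) -> str:
    """Turn the raw POST body ('e=<double base64>') into the inner query string.
    parse_qs also undoes the form-urlencoding (the %3D padding seen in the dump)."""
    fields = parse_qs(body, keep_blank_values=True)
    if "e" not in fields:
        raise ValueError("body has no 'e' field")
    layer1 = _b64_decode_truncated(fields["e"][0]).decode("ascii")
    return _b64_decode_truncated(layer1).decode("utf-8", errors="replace")


def extract_urls(inner_qs: str) -> dict:
    """Pick out what the tracker reports: the page just visited (q), the
    referrer chain (sr, repeated) and the sess value."""
    fields = parse_qs(inner_qs, keep_blank_values=True)
    return {
        "visited": fields.get("q", [""])[0],
        "referrers": fields.get("sr", []),
        "session": fields.get("sess", [""])[0],
    }


def wrap_like_extension(fields: dict) -> str:
    """Reconstruction for test data only (not the extension's code): build a
    body of the same shape, query string -> base64 -> base64 -> form-urlencoded.
    Values are lists so that repeated keys such as sr can be expressed."""
    qs = "&".join(f"{k}={quote(v, safe='')}" for k, vals in fields.items() for v in vals)
    layer1 = base64.b64encode(qs.encode("utf-8")).decode("ascii")
    layer2 = base64.b64encode(layer1.encode("ascii")).decode("ascii")
    return "e=" + quote(layer2, safe="")


# Constructed sample: an intranet edit page with its referrer chain, the kind
# of URL that later showed up in the logs above. intranet.example is made up.
CONSTRUCTED_FIELDS = {
    "s": ["1821"],
    "sub": ["chrome"],
    "q": ["https://intranet.example/node/42/edit"],
    "sr": ["https://intranet.example/", "https://intranet.example/node/42"],
}

if __name__ == "__main__":
    print(extract_urls(unwrap_tracker_body("e=" + CAPTURED_E_PREFIX)))
    print(extract_urls(unwrap_tracker_body(wrap_like_extension(CONSTRUCTED_FIELDS))))
```

Run against the captured prefix, `unwrap_tracker_body` yields the same `s=1821&md=21&pid=...&q=https%3A//www.gmail.com/intl/en/mail/help/about.html` string shown above, cut off at `&tmv` where the page's capture ends. Since the whole thing travels as plain HTTP, anyone on the path can do this decoding as easily as the receiving service can.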

Furthermore, there appears to be no way to turn off this feature, even though Awesome Screenshot's Twitter feed was full of apologies to users 10 or so days before the time of writing, apparently regarding a now-disabled 'price comparison' feature that was also being injected.

To summarise

The tracking and transmission of your browsing history happens automatically and silently, with no proper explanation in the extension's details on the Chrome App Store. The potentially sensitive URLs are sent over plaintext HTTP in easily base64-decodable form, and some 'niki-bot' crawler (a tool apparently so malicious that its User-Agent has to be obfuscated, with no reference to SimilarWeb, Awesome Screenshot, or any other explanation of its purpose, and which does not bother to respect robots.txt) seems intended to carry out further reconnaissance against these URLs at a later date. I see little difference between a client-side attack and this 'service', except that it can be argued that the end user willingly (but maybe unwittingly) entered into the agreement.

The extension's page provides only this vague disclaimer:

[Updated privacy policy] Usage of the Awesome Screenshot browser extension requires granting it permission to capture anonymized click stream data. No personally identifying information will be captured in connection with this data. Please review our specific EULA https://www.diigo.com/extensions_terms.html and privacy policy https://www.diigo.com/extensions_privacy.html for more details.

Why is this functionality necessary for a screenshot tool?

If it's not necessary, why is there no opt-out?

Their privacy policy states:

When users access the software, certain non-personally and personally identifiable information (the "User Information") may be collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.

Funny to see 'anonymized', 'personally identifiable information' and 'unique device identifier' listed in the same context. Without 'limitation'.

Is a URL 'private'?

Of course, any URL that is not completely firewalled off and is reachable by a bot in some way (even if it returns 403 etc. due to ACLs) is technically not 'private'. However, as @aussielunix noted, this client-side attack of sniffing traffic straight out of the browser would lead to exposure of things such as Private Gists at Github: hard-to-guess URLs that are not entirely private but also not intended for chance discovery, for whatever reason.

Furthermore, how anonymous is it when a crawler returns later to check the URL out? How is it anonymous when I can identify, based on this crawler, which user had installed the extension at one of the organisations I'm involved with, based on URLs that are not intended for third parties to know about? What about Dropbox share URLs, Spideroak temporary URLs? Or, in Bitbargain's case above, 'unique trade ID URLs... accessible only to the buyer and the seller involved in the trades'.

The fact is, URLs aren't anonymous. Any simple URL such as www.example.com/user/1234/edit immediately indicates something other than 'anonymous' activity. Like all metadata, it lets identity and activity be inferred.

Naturally any form of client-side compromise, keyloggers etc., runs the same risk of this sort of exposure of your browsing history. Tracking of user activity like this is perhaps not even illegal (though I am astonished that Chrome allows it in this extension's case, given there seems no way to opt out!), since the advertising company can hide behind the veneer of 'market research' and 'analytics' to help their customers gain 'a competitive edge', yadda yadda.

It's a bit much in my opinion, though, to keep this a secret from users who are installing what appears to be a very popular browser extension, not to mention the apparent lack of opt-out functionality. It consistently came as a surprise to the users I spoke with who installed this tool that this was happening. When installing the extension, Chrome requires confirmation to allow the extension to 'Access your data on all websites / access your tabs and browsing activity'. Take the time to read this, and be aware that this means 'watch everything you do online, potentially reporting it to third parties silently'.

My advice is to disable this extension if you use it (and any such extensions that require such absurd permissions to your data), and also to report it to Chrome to see what their assessment is.

P.S. How funny that there's a similarly named Android malware called 'Nickibot' whose purpose is to "steal information and send it to a remote server". Wow, that sounds familiar!

Related sourced articles

https://groups.google.com/forum/#!topic/google-appengine/jEihs3D7Gig

https://gist.github.com/mvirkkunen/89f61a06819530e48b53

http://superuser.com/questions/778479/network-sniffer-identifying-strang...

http://www.howtogeek.com/180175/warning-your-browser-extensions-are-spyi...

http://blog.bitbargain.com/post/94349494452/niki-bot-similarsites-spywar...