Browser extensions are meant to help users in several ways. However, a recent finding by security researcher Robert Theaton from San Francisco is quite worrying. Stylish, a popular plugin for Google Chrome and Mozilla Firefox, was found to have been recording everything its users did online since January 2017, after it was sold to SimilarWeb.
User data could be hacked
What's worse, the browsing data could be linked to users' personal details, making them identifiable and vulnerable to blackmailers and hackers.
Mr. Theaton wrote on his blog, "It only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier. This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to."
Data theft
He claims that Stylish sends the user's entire browsing activity to its servers along with a unique identifier. This includes the Google search results shown in the browser. With this information, SimilarWeb connects users with all their online activity. In addition to having a copy of users' complete browsing history, SimilarWeb also has other data such as users' email addresses and identities.
At that time, SimilarWeb's privacy policy stated that the company collects non-personal information. However, in the case of this browser extension, the company appears to have collected more details from unsuspecting users. Some URLs visited by users seem to contain password reset tokens in the URL itself. This could be a problem if the user hasn't used the token or the token hasn't expired, as it might result in serious security vulnerabilities.
In his blog, Robert claims that he noticed a massive number of requests going to api.userstyles.org, with the URLs encoded in Base64, which is easy to reverse with any decoder. He decoded them and found a lot of session data and browser data that had been sent to the company's servers.
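The check described above can be repeated on captured extension traffic. The following is an added example, not code from the article or from the researcher's blog: it Base64-decodes the query values of an outbound request and reports any visited URLs inside, flagging ones that carry secret-looking parameters such as reset tokens. The request path, parameter names (`e`, `v`, `uid`, `visited`), payload layout and the sensitive-key list are assumptions made for illustration; only the host name comes from the article.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed (not from the article): query keys that commonly carry secrets.
SENSITIVE_KEYS = {"token", "reset_token", "key", "session", "sid", "auth"}

def try_b64(value):
    """Return decoded text if value is Base64 (standard or URL-safe) of UTF-8, else None."""
    # parse_qsl turns '+' into ' ', so undo that and map URL-safe chars back.
    std = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        return base64.b64decode(std, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def inspect_request(request_url):
    """Decode Base64 query values of one outbound request and list the URLs inside."""
    findings = []
    for name, value in parse_qsl(urlsplit(request_url).query):
        decoded = try_b64(value) if len(value) >= 16 else None
        if decoded is None:
            continue
        for _, inner in parse_qsl(decoded):
            if not inner.startswith(("http://", "https://")):
                continue
            secrets = sorted(k for k, _ in parse_qsl(urlsplit(inner).query)
                             if k.lower() in SENSITIVE_KEYS)
            findings.append({"param": name, "leaked_url": inner, "secret_keys": secrets})
    return findings

def make_sample():
    """Constructed request: path, parameter names and payload layout are made up."""
    payload = urlencode({"uid": "constructed-id-001",
                         "visited": "https://shop.example/reset?token=abc123&lang=en"})
    blob = base64.urlsafe_b64encode(payload.encode()).decode()
    return "https://api.userstyles.org/constructed/path?" + urlencode({"e": blob, "v": "1"})

if __name__ == "__main__":
    for finding in inspect_request(make_sample()):
        print(finding)
```

Feeding `inspect_request` the request URLs exported from a proxy or from the browser's network panel shows which extensions are reporting page addresses off-device.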