Submitted URL: https://securitybysam.com/
Effective URL: https://securitywithsam.com/
Submission: On July 14 via automatic, source certstream-suspicious — Scanned from DE
Security with Sam

by Sam Jadali


DATASPII: THE CATASTROPHIC DATA LEAK VIA BROWSER EXTENSIONS (SUMMARY)

Click here to read about Sam

Click here to read the full DataSpii report.

Click here to download the DataSpii indicator (IOC) file

Click here to view the DataSpii-identified extensions

Click here to read about Hover Zoom’s controversial past


Imagine if someone could see what employees at thousands of companies were
actively working on in near real-time (about a one-hour delay). Imagine,
further, this person could access your sensitive personal data in much the same
way. Moreover, what if you and/or your colleagues were, yourselves, unknowingly
leaking such data?  

DataSpii (pronounced data-spy) denotes the catastrophic data leak that occurred
via eight Chrome and Firefox browser extensions (see Table 1). This leak exposed
personally identifiable information (PII) and corporate information (CI) on an
unprecedented scale, impacting millions of individuals. The collected data was
then made available to members of an unnamed service, which we refer to in our
report as Company X. Both paid and trial members of this service had access to
the leaked data. After we reported our findings to Google and Mozilla, the
browser vendors remotely disabled the extensions. Furthermore, the online
service is now defunct.

Table 1. Chrome and Firefox extensions identified in the DataSpii leak.
Note: There may be other, yet unidentified, invasive browser extensions involved
in the DataSpii leak.

Extension name             Number of users     Browser vendor       Chrome extension ID (if applicable)
Hover Zoom                 800,000+ users      Chrome               nonjdcjchghhkdoolnlbekcfllmednbl
SpeakIt!                   1.4+ million users  Chrome               pgeolalilifpodheeocdmbhehgnkkbak
SuperZoom                  329,000+ users      Chrome and Firefox   gnamdgilanlgeeljfnckhboobddoahbl
SaveFrom.net Helper†       ≤140,000 users      Firefox              N/A
FairShare Unlock‡          1+ million users    Chrome and Firefox   alecjlhgldihcjjcffgjalappiifdhae
PanelMeasurement‡          500,000+ users      Chrome               kelbkhobcfhdcfhohdkjnaimmicmhcbo
Branded Surveys‡           8 users             Chrome               dpglnfbihebejclmfmdcbgjembbfjneo
Panel Community Surveys‡   1 user              Chrome               lpjhpdcflkecpciaehfbpafflkeomcnb

†The invasive data collecting behavior occurred when the SaveFrom.net Helper
extension was installed from the author’s official website using Firefox on
macOS or Ubuntu. We did not observe the invasive behavior when the extension was
installed from a browser vendor store.

‡FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community
Surveys make explicit efforts to let their users know they collect browser
activity data.

Company X members could search the website traffic data for nearly any domain
name and find confidential corporate memos, zero-day security vulnerabilities,
as well as impacted users’ tax returns, GPS locations, travel itineraries,
credit card details, or possibly any URL he or she may have opened with their
browser.  By requesting data for a single domain via the Company X service, we
were able to observe what staff members at thousands of companies were working
on in near real-time. The Company X website states they collect their data from
millions of opt-in users; however, we spoke with many impacted individuals and
major corporations who have told us they did not consent to such collection.

DataSpii impacted tech giants — including Apple, Facebook, Microsoft, and
Amazon; DataSpii also impacted cybersecurity giants — including Symantec,
FireEye, Trend Micro, and Palo Alto Networks. See Table 2 for a list of impacted
companies and leaked data types provided by Company X to its members. Based on
our research, billions of analytics hits were collected from impacted users and
corporations. When impacted users use browser sync features (e.g., Google Chrome
Sync), the extensions can instantly spread to all logged-in locations of a user,
(e.g., home and work computers). Moreover, by monitoring the web traffic of a
domain under our control, we observed third-party visits to the unique URLs
collected by the extensions.

Note: We have sent disclosures and notified all of the companies listed by our
report.
The list below is by no means a complete list of corporations impacted by the
DataSpii leak.

Table 2. DataSpii-impacted services and/or companies.
Note: The data was published via Company X or it was made accessible by clicking
the link provided by Company X. We did not click on any links except our own.

Impacted company            Leaked data made accessible via Company X
23andMe                     Shared 23andMe reports
AlienVault                  JIRA data from alienvault.atlassian.net
Amazon Web Services         AWS S3 query string authentication parameters
American Airlines           Passenger information including: First name, last
                            name, flight confirmation number
Amgen                       LAN network data collected from visitor(s) on the
                            amgen inc. ISP network
Apple                       Last 4 digits of credit cards used for Apple product
                            orders, credit card type, store used to pick up an
                            Apple order, first and last name of the Apple order
                            customer, iCloud Email addresses; shared iCloud
                            Photos including iOS user first and last name.
AthenaHealth                LAN network data collected from visitor(s) on the
                            athenahealth ISP network
Atlassian                   Near real-time data of corporate issues and
                            employee-assigned tasks from thousands of
                            atlassian.net subdomains.
Blue Origin                 JIRA data hosted on blueorigin.com domain,
                            originating from visitor(s) city listed as: Kent,
                            Washington
BuzzFeed                    JIRA data from buzzfeed.atlassian.net
CapitalOne                  Zoom meeting URLs from capitalone.zoom.us
CardinalHealth              JIRA data from cardinalhealth.atlassian.net
Dell                        Zoom meeting URLs from dell.zoom.us
DrChrono                    Patient names, names of medication
Epic Systems                LAN network data collected from visitor(s) on the
                            epic systems corporation ISP network
Facebook                    Facebook Messenger attachments including tax returns
FireEye                     JIRA data hosted on fireeye.com domain, originating
                            from visitors on the fireeye, inc. ISP network
Intuit                      Quickbooks invoices
Kaiser Permanente           LAN network data collected from visitor(s) of kaiser
                            foundation health plan ISP network
Kareo                       Patient names
Merck                       LAN network data collected from visitor(s) on merck
                            and co. inc. ISP network
Microsoft OneDrive          Files shared on OneDrive including tax returns
NBCDigital                  JIRA data from nbcdigital.atlassian.net
Nest                        Shared Nest security camera clips
NetApp                      Zoom meeting URLs from netapp.zoom.us
Oracle                      Zoom meeting URLs from oracle.zoom.us
Palo Alto Networks          LAN network data collected from visitor(s) of Palo
                            Alto Networks ISP network
Pfizer                      LAN network data collected from visitor(s) of pfizer
                            inc. ISP network
Reddit                      JIRA data from reddit.atlassian.net
Roche                       LAN network data collected from visitor(s) on
                            hoffmann laroche inc. ISP network
Shopify                     Impacted by AWS S3 query string parameter leak
Skype                       Shared Skype chat URLs
Southwest Airlines          Passenger information including: First name, last
                            name, and flight confirmation number. Members of
                            Company X can see these users checking in in near
                            real-time. Such data can be used to modify a flight,
                            cancel a flight, or stalk the person, etc.
SpaceX                      LAN network data collected from visitor(s) on the
                            space exploration technologies corporation ISP
                            network
Symantec                    LAN network data collected from visitor(s) on the
                            symantec corporation ISP network
Tesla                       LAN network data collected from visitor(s) on the
                            tesla inc. ISP network
Tmobile                     JIRA data from tmobile.atlassian.net
Trend Micro                 JIRA data collected from visitors on a non-publicly
                            resolvable trendmicro.com subdomain.
Uber                        Passenger pickup and drop-off locations for impacted
                            users that booked rides via m.uber.com; Zoom meeting
                            URLs from uber.zoom.us
UCLA                        Zoom meeting URLs from ucla.zoom.us
Under Armour                JIRA data from underarmour.atlassian.net
United Airlines             Passenger last names and their flight confirmation
                            numbers
Walmart                     Zoom meeting URLs from walmart.zoom.us
Zendesk                     Support ticket attachments, which (via HTTP referer)
                            can even further be refined by the Zendesk client
                            (e.g., Venmo).
Zoom Video Communications   Zoom meeting URLs
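The "AWS S3 query string authentication parameters" row above refers to presigned S3 URLs: the query string itself carries the access key ID and the signature, so any channel that collects visited URLs also collects working credentials for the object. The following is an added example, not code from the DataSpii report, its author, or Company X. It shows how a defender can detect such URLs in a browsing-history or proxy-log export and redact the credential-bearing values before they are stored. The parameter names are the documented S3 presigned-URL query parameters for both signature versions (SigV2 and SigV4, which goes beyond the single row above), and the sample URLs are constructed with placeholder bucket names, key IDs and signatures.

```python
"""Detect and redact AWS S3 query-string authentication parameters in URLs.

Added example for the DataSpii summary; not code from the report. Parameter
names are the documented S3 presigned-URL query parameters (SigV2:
AWSAccessKeyId/Signature/Expires; SigV4: X-Amz-*). SAMPLE_URLS are constructed.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values grant access; compared case-insensitively.
SECRET_KEYS = {
    "awsaccesskeyid", "signature",          # SigV2 presigned URLs
    "x-amz-credential", "x-amz-signature",  # SigV4 presigned URLs
    "x-amz-security-token",                 # session token of temporary credentials
}

# Constructed sample URLs (placeholder bucket, key ID and signature values).
SAMPLE_URLS = [
    "https://example-bucket.s3.amazonaws.com/reports/q2.pdf"
    "?AWSAccessKeyId=AKIAEXAMPLE&Expires=1562950000&Signature=abc%2Fdef%3D",
    "https://example-bucket.s3.eu-central-1.amazonaws.com/export.csv"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20190714%2Feu-central-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20190714T120000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=deadbeef",
    "https://example.com/blog/post?utm_source=newsletter",
]


def query_keys(url: str) -> List[str]:
    """Return the lower-cased query parameter names of a URL."""
    return [k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def detect_s3_auth(url: str) -> Optional[str]:
    """Classify a URL as carrying SigV4 or SigV2 S3 query-string auth, else None."""
    keys = set(query_keys(url))
    if "x-amz-signature" in keys:
        return "sigv4"
    if {"awsaccesskeyid", "signature"} <= keys:
        return "sigv2"
    return None


def redact_url(url: str) -> str:
    """Replace credential-bearing query values with REDACTED, keeping the rest.

    Apply before URLs are written to logs or exported browsing history."""
    parts = urlsplit(url)
    cleaned = [
        (k, "REDACTED" if k.lower() in SECRET_KEYS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def classify_urls(urls: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair each URL with its detected auth kind, e.g. for a history audit."""
    return [(u, detect_s3_auth(u)) for u in urls]


if __name__ == "__main__":
    for url, kind in classify_urls(SAMPLE_URLS):
        print(f"{kind or 'clean':6} {redact_url(url) if kind else url}")
```

The Expires / X-Amz-Expires values are deliberately left intact: they are useful for triage (how long a leaked URL stayed valid) and grant nothing on their own.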

After we informed a browser vendor that one of its extensions was implicated in
data collection, the vendor remotely disabled the extension for all users. While
the extension did, indeed, cease performing its primary function, its collection
of data continued unabated. Based on this observation, we recommend impacted
users remove the extension in question from their browsers.
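Because a remotely disabled extension can keep collecting, as described above, the practical check on a workstation is whether any of the Table 1 Chrome extension IDs are still present in the browser profile. The following is an added example, not tooling from the DataSpii report: it lists installed Chrome extension directories whose names match those IDs. It assumes Chrome's standard Extensions/<id>/<version>/manifest.json layout and the default profile locations per platform, and it builds a constructed sample profile (with an invented benign ID and invented manifest names) so it can be run offline.

```python
"""Look for the DataSpii Chrome extension IDs (Table 1) in a Chrome profile.

Added example for the DataSpii summary; not tooling from the report. Assumes
Chrome's Extensions/<id>/<version>/manifest.json layout and its default profile
paths. build_sample_profile() creates a constructed directory for demonstration.
"""
import json
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Chrome extension IDs exactly as listed in Table 1 of the DataSpii summary.
DATASPII_CHROME_IDS: Dict[str, str] = {
    "nonjdcjchghhkdoolnlbekcfllmednbl": "Hover Zoom",
    "pgeolalilifpodheeocdmbhehgnkkbak": "SpeakIt!",
    "gnamdgilanlgeeljfnckhboobddoahbl": "SuperZoom",
    "alecjlhgldihcjjcffgjalappiifdhae": "FairShare Unlock",
    "kelbkhobcfhdcfhohdkjnaimmicmhcbo": "PanelMeasurement",
    "dpglnfbihebejclmfmdcbgjembbfjneo": "Branded Surveys",
    "lpjhpdcflkecpciaehfbpafflkeomcnb": "Panel Community Surveys",
}


def default_extensions_dirs() -> List[Path]:
    """Chrome's default-profile Extensions directory for the current platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"
                / "Default" / "Extensions"]
    return [home / ".config" / "google-chrome" / "Default" / "Extensions"]


def manifest_name(ext_dir: Path) -> str:
    """Read 'name' from the last version directory's manifest.json, if readable."""
    manifests = sorted(ext_dir.glob("*/manifest.json"))
    if not manifests:
        return ""
    try:
        data = json.loads(manifests[-1].read_text(encoding="utf-8"))
        return str(data.get("name", ""))
    except (OSError, ValueError):
        return ""


def find_flagged_extensions(extensions_dir: Path,
                            flagged: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (extension_id, table_name, manifest_name) for each installed
    extension whose directory name is a flagged ID. Missing dir -> []."""
    extensions_dir = Path(extensions_dir)
    if not extensions_dir.is_dir():
        return []
    hits = []
    for entry in sorted(extensions_dir.iterdir()):
        if entry.is_dir() and entry.name in flagged:
            hits.append((entry.name, flagged[entry.name], manifest_name(entry)))
    return hits


def build_sample_profile() -> Path:
    """Constructed Extensions directory: Hover Zoom's Table 1 ID plus an
    invented benign ID; the manifest names are invented too."""
    root = Path(tempfile.mkdtemp(prefix="dataspii-sample-")) / "Extensions"
    for ext_id, name in [("nonjdcjchghhkdoolnlbekcfllmednbl", "Hover Zoom (sample)"),
                         ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Benign Sample Extension")]:
        version_dir = root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(
            json.dumps({"manifest_version": 2, "name": name, "version": "1.0"}),
            encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass one or more Extensions directories, or let it use the platform default.
    targets = [Path(p) for p in sys.argv[1:]] or default_extensions_dirs()
    for d in targets:
        for ext_id, table_name, name in find_flagged_extensions(d, DATASPII_CHROME_IDS):
            print(f"{d}: {ext_id} ({table_name}; manifest name: {name or 'n/a'})")
```

Matching is done on the directory name, not the manifest, because the ID is derived from the extension's signing key and survives a rename of the displayed name; the manifest name is reported only as a convenience. Firefox entries in Table 1 have no such ID and are not covered.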

During the course of our investigation, we observed two popular extensions
(i.e., Hover Zoom and SpeakIt!) employ dilatory tactics — an effective maneuver
for eluding detection — to collect the data. The extensions waited, on average,
24 days before initiating the collection of browsing activity data.   

We discovered the collection and dissemination of sensitive data from the
internal networks of many Fortune 500 corporations (see Table 2 above for a
complete list of impacted companies). In addition, we devised a local area
network (LAN) experiment, which allowed us to observe one extension, Hover Zoom,
collect hyperlinks stored within the page content of our LAN website. Such data
collected from a single visit to a page in a LAN environment can be used to map
a corporation’s LAN environment. Furthermore, we observed the dissemination of
our LAN data to three different hostnames. The collected data included our
site’s LAN IP address, hostname, page title, timestamp of the visit, as well as
the URLs of page resources (i.e., CSS files, JS files, and images) referenced in
our HTML code. We then observed much of our LAN data being disseminated to
members of Company X. (Not all of the collected metadata, e.g., last-modified,
was made available by Company X to its customers.) Finally, through the
responsible disclosure process, we corroborated our findings with impacted
individuals and major corporations.
