How-To Geek
Warning: Your Browser Extensions Are Spying On You

The internet exploded Friday with the news that Google Chrome extensions are being sold and injected with adware. But the little-known and much more important fact is that your extensions are spying on you and selling your browsing history to shady corporations. HTG investigates.
TL;DR version:
- Browser add-ons for Chrome, Firefox, and probably other browsers are tracking every single page you visit and sending that data back to a third-party company that pays them for your information.
- Some of these add-ons are also injecting ads into the pages that you visit, and Google specifically allows this for some reason as long as it is “clearly disclosed”.
- Millions of people are being tracked this way and they don’t have a clue.
Are we officially calling it spyware? Well… it’s not quite that simple. Wikipedia defines spyware as “software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent”. That doesn’t mean that all software that gathers data is necessarily spyware, and it doesn’t mean that all software that sends data back to its servers is necessarily spyware.
But when the developer of an extension goes out of their way to hide the fact that every single page you visit is being stored and sent to a corporation that pays them for that data while burying it in the settings as “anonymous usage statistics”, there is a problem, at least. Any reasonable user would assume that if a developer wants to track usage statistics, they are only going to be tracking the usage of the extension itself — but the opposite is true. Most of these extensions are tracking everything else you do except using the extension. They are just tracking you.
This becomes even more problematic because they call it “anonymous usage statistics”; the word “anonymous” implies that it would be impossible to figure out who that data belongs to, as if they are scrubbing the data clean of all your information. But they aren’t. Yeah, sure, they are using an anonymous token to represent you rather than your full name or email, but every single page you visit is tied to that token. For as long as you have that extension installed.
Track anybody’s browsing history long enough, and you can figure out exactly who they are.
How many times have you opened your own Facebook profile page, or your Pinterest, Google+, or other page? Have you ever noticed how the URL contains your name or something that identifies you? Even if you never visited any of those sites, figuring out who you are is possible.
I don’t know about you, but my browsing history is mine, and nobody should have access to that but me. There’s a reason why computers have passwords and everybody older than 5 knows about deleting their browser history. What you visit on the internet is very personal, and nobody should have the list of pages I visit but me, even if my name is not specifically associated with the list.
I’m not a lawyer, but the Google Developer Program Policies for Chrome extensions specifically say that an extension developer should not be allowed to publish any of my personal information:
We don’t allow unauthorized publishing of people’s private and confidential information, such as credit card numbers, government identification numbers, driver’s and other license numbers, or any other information that is not publicly accessible.
Exactly how is my browsing history not personal information? It’s definitely not publicly accessible!
Yep, Many of These Extensions Insert Ads Too

The problem is compounded by a large number of extensions that are injecting ads into many of the pages you visit. These extensions are just putting their ads wherever they randomly choose to put them into the page, and they are only required to include a tiny piece of text identifying where the ad came from, which most people will ignore, because most people don’t even look at ads.
Whenever you are dealing with ads, there are also going to be cookies involved. (It’s worth noting that this site is ad-supported, and the advertisers put cookies on your hard drive, just like every site on the internet.) We don’t think cookies are a huge deal, but if you do, they are pretty easy to deal with.
The adware extensions are actually less of a problem, if you can believe it, because what they are doing is very obvious to the users of the extension, who can then start an uproar about it and try and get the developer to stop. We definitely wish that Google and Mozilla would change their ridiculous policies to forbid that behavior, but we can’t help them get common sense.
Tracking, on the other hand, is done in secret, or is essentially secret because they try to hide what they are doing in legalese in the description of the extensions, and nobody scrolls to the bottom of the readme to figure out if that extension is going to track people.
This Spying is Hidden Behind EULAs and Privacy Policies
These extensions are “allowed” to engage in this tracking behavior because they “disclose” it on their description page, or at some point in their options panel. For instance, the HoverZoom extension, which has a million users, says the following in their description page, at the very bottom:
Hover Zoom uses anonymous usage statistics. This can be disabled in the options page without losing any features as well. By leaving this feature enabled, the user authorize the collection, transfer and use of anonymous usage data, including but not limited to transferring to third parties.
Where exactly in this description does it explain that they are going to track every single page you visit and send the URL back to a third party, which pays them for your data? In fact, they claim everywhere that they are sponsored through affiliate links, completely ignoring the fact that they are spying on you. Yeah, that’s right, they are also injecting ads all over the place. But which do you care more about, an ad showing up on a page, or them taking your entire browsing history and sending it back to somebody else?
They are able to get away with this because they have a tiny little checkbox buried in their options panel that says “Enable anonymous usage statistics”, and you can disable that “feature” — though it’s worth noting that it is defaulted to be checked.
This particular extension has had a long history of bad behavior, going back quite some time. The developer has recently been caught collecting browsing data including form data… and he was also caught last year selling data on what you typed to another company. They’ve added a privacy policy now that explains in further depth what is going on, but if you have to read a privacy policy to figure out that you are being spied on, you’ve got another problem.
To sum up, a million people are being spied on by this one extension alone. And that’s just one of these extensions — there are a lot more doing the same thing.
Extensions Can Change Hands or Update Without Your Knowledge

This extension is asking for way too many permissions. Deny!
There is absolutely no way to know when an extension has been updated to include spyware. Many types of extensions already need a ton of permissions just to operate properly in the first place, so turning one into an ad-injecting piece of spycraft doesn’t require any new permissions, and you won’t be prompted when the new version comes out.
To make matters worse, many of these extensions have changed hands over the last year — and anybody who has ever written an extension is being flooded with requests to sell their extension to shady individuals, who will then infect you with ads or spy on you. Since the extensions don’t require any new permissions, you’ll never have the opportunity to go figure out which ones added secret tracking without your knowledge.
In the future, of course, you should either avoid installing extensions or addons entirely, or be very careful about which ones you do install. If they ask for permissions to everything on your computer, you should click that Cancel button and run.
Hidden Tracking Code with a Remote Enable Switch

There are other extensions, in fact, a ton of them, that have complete tracking code built right in — but that code is currently disabled. Those extensions ping back to the server every 7 days to update their configuration. These ones are configured to send even more data back — they calculate exactly how long you have each tab open, and how long you spend on each site.
We tested one of these extensions, called Autocopy Original, by tricking it into thinking that the tracking behavior was supposed to be enabled, and we were able to immediately see a ton of data sent back to their servers. There were 73 of these extensions in the Chrome Store, and some in the Firefox add-ons store. They are easily identifiable because they are all from “wips.com” or “wips.com partners”.
Wondering why we are worried about tracking code that isn’t even enabled yet? Because their description page doesn’t say a word about the tracking code — it’s buried as a checkbox on each of their extensions. So people are installing the extensions assuming they are from a quality company.
And it’s only a matter of time before that tracking code is enabled.
Investigating this Spying Extension Awfulness
The average person isn’t going to ever even know that this spying is going on — they won’t see a request to a server, they won’t even have a way to tell that it is happening. The vast majority of those million users won’t be affected in any way… except that their personal data was stolen out from under them. So how do you figure this out for yourself? It’s called Fiddler.
Fiddler is a web debugging tool that acts as a proxy and records every request so you can see what is going on. This is the tool that we used — if you want to duplicate this at home, just install one of these spying extensions like Hover Zoom, and you’ll start seeing two requests to sites similar to t.searchelper.com and api28.webovernet.com for every single page that you view. If you check the Inspectors tab you’ll see a bunch of base64-encoded text… in fact, it’s been base64-encoded twice for some reason. (If you want the full example text before decoding, we stashed it in a text file here).

They’ll track any site you visit, even the HTTPS ones
Once you’ve successfully decoded that text, you’ll see exactly what is going on. They are sending back the current page that you are visiting, along with the previous page, a unique ID to identify you, and some other information. The very scary thing about this example is that I was on my banking site at the time, which is encrypted using HTTPS (SSL). That’s right, these extensions are still tracking you on sites that should be encrypted.
s=1809&md=21&pid=mi8PjvHcZYtjxAJ&sess=23112540366128090&sub=chrome
&q=https%3A//secure.bankofamerica.com/login/sign-in/signOnScreen.go%3Fmsg%3DInvalidOnlineIdException%26request_locale%3Den-us%26lpOlbResetErrorCounter%3D0&hreferer=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&prev=https%3A//secure.bankofamerica.com/login/sign-in/entry/signOn.go&tmv=4001.1&tmf=1&sr=https%3A//secure.bankofamerica.com/login/sign-in/signOn.go
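The decoding step described above, as an added example that is not part of the original article: a small Python helper that peels off the base64 layers (the article observed two, but the loop handles one or more), parses the resulting query string, and reports which of the privacy-relevant fields are present. The sample payload below is constructed to match the field names shown above (s, md, pid, sess, sub, q, hreferer, prev, tmv, tmf); the identifier values and the bank hostname are made up, not the ones captured by the article.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, shaped like the decoded beacon in the article.
# pid/sess are placeholders; the hostname is a made-up .test domain.
SAMPLE_QUERY = (
    "s=1809&md=21&pid=EXAMPLEPID123&sess=0000000000000000&sub=chrome"
    "&q=https%3A//secure.example-bank.test/login/sign-in/signOnScreen.go"
    "%3Fmsg%3DInvalidOnlineIdException%26request_locale%3Den-us"
    "&hreferer=https%3A//secure.example-bank.test/login/sign-in/entry/signOn.go"
    "&prev=https%3A//secure.example-bank.test/login/sign-in/entry/signOn.go"
    "&tmv=4001.1&tmf=1"
)

# Strict base64 alphabet with optional padding; a query string (which
# contains '&', '%' or a mid-string '=') never matches this.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def double_b64_encode(text: str) -> str:
    """Wrap text in two base64 layers, as the captured beacon was."""
    once = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return base64.b64encode(once.encode("ascii")).decode("ascii")


def decode_beacon(blob: str, max_layers: int = 3) -> str:
    """Strip base64 layers until the payload stops looking like base64."""
    current = blob.strip()
    for _ in range(max_layers):
        if not B64_RE.fullmatch(current):
            return current  # no longer base64: this is the query string
        current = base64.b64decode(current, validate=True).decode("utf-8")
    raise ValueError("payload still looks like base64 after %d layers" % max_layers)


def parse_beacon(blob: str) -> dict:
    """Decode a beacon body and pull out the fields that identify the user
    and the page. parse_qs also URL-decodes the values, so the '%3F'/'%3D'
    sequences come back as the bank page's real query string."""
    fields = parse_qs(decode_beacon(blob), keep_blank_values=True)
    flat = {k: v[0] for k, v in fields.items()}
    visited = flat.get("q", "")
    parts = urlsplit(visited)
    return {
        "tracking_id": flat.get("pid"),      # stable per-install identifier
        "session": flat.get("sess"),
        "browser": flat.get("sub"),
        "current_url": visited,
        "previous_url": flat.get("prev"),
        "referer": flat.get("hreferer"),
        "over_https": parts.scheme == "https",
        # The full query string of the visited page is sent too, which is
        # where error messages, locale and other page state leak.
        "leaks_query_string": bool(parts.query),
    }


if __name__ == "__main__":
    blob = double_b64_encode(SAMPLE_QUERY)
    for key, value in parse_beacon(blob).items():
        print("%-20s %s" % (key, value))
```

Run it as-is to see the constructed beacon decoded; to look at a real capture, paste the body from Fiddler's Inspectors tab in place of the `blob` value. The check on `over_https` is the point of the passage: the scheme of the reported URL tells you the beacon was sent for an encrypted page, which TLS on the bank's side cannot prevent because the extension runs inside the browser.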
You can drop api28.webovernet.com and the other site into your browser to see where they lead, but we’ll save you the suspense: they are actually redirects for the API for a company called Similar Web, which is one of many companies doing this kind of tracking, and selling the data so other companies can spy on what their competitors are doing.
If you’re the adventurous type, you can easily find this same tracking code by opening up your chrome://extensions page, enabling Developer mode, and then clicking “Inspect views: html/background.html” or the similar text that tells you to inspect the extension. This is going to let you see what that extension is running all the time in the background.

That trash can icon is your friend
Once you click to inspect, you’ll immediately see a list of source files and all sorts of other stuff that will probably be Greek to you. The important things in this case are the two files named tr_advanced.js and tr_simple.js. These contain the tracking code, and it’s safe to say that if you see those files inside of any extension, you are being spied on, or will be spied on at some point. Some extensions contain different tracking code, of course, so the absence of those two files doesn’t mean an extension is clean. Scammers tend to be tricky.

(Note that we wrapped the source code to fit into the window)
You’ll probably notice that the URL on the right-hand side isn’t quite the same as the one earlier. The actual tracking source code is pretty complicated, and it appears that each extension has a different tracking URL.
Preventing an Extension from Updating Automatically (Advanced)

If you have an extension that you know and trust, and you’ve already verified that it doesn’t contain anything bad, you can make sure that the extension never secretly updates on you with spyware — but it is really manual and probably not what you’ll want to do.
If you still want to do so, open the Extensions panel, find the ID of the extension, then head to %localappdata%\google\chrome\User Data\default\Extensions and find the folder that contains your extension. Change the update_url line in the manifest.json to replace clients2.google.com with localhost. Note: we haven’t been able to test this with an actual extension yet, but it should work.
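The two manual checks above (looking inside an unpacked extension for the tr_advanced.js / tr_simple.js files and for permissions that cover every page, and pointing update_url at localhost) can be scripted. The following Python is an added example, not code from the article or from Google: it walks an unpacked extension folder, reads manifest.json, flags the file names the article identified, flags host patterns and APIs that let an extension observe every URL you visit, and can rewrite update_url exactly as the article describes. The permission and API names are the ones Chrome's manifest format actually uses; the `make_sample_extension` helper builds a constructed extension in a temporary directory so the script runs offline, and the article itself notes the update_url trick is untested.

```python
import json
import tempfile
from pathlib import Path

# File names the article found carrying the tracking code. Their absence
# proves nothing; other extensions use different file names.
SUSPECT_FILES = {"tr_advanced.js", "tr_simple.js"}
# Match patterns that grant access to every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that, combined with broad host access, expose every URL to the extension.
SENSITIVE_APIS = {"tabs", "webRequest", "webNavigation", "history"}
CHROME_UPDATE_HOST = "clients2.google.com"


def load_manifest(ext_dir: Path) -> dict:
    return json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))


def audit_extension(ext_dir: Path) -> dict:
    """Summarise what an unpacked extension could see and which files it ships."""
    manifest = load_manifest(ext_dir)
    # Manifest v2 lists host patterns under "permissions"; v3 uses
    # "host_permissions". Content-script "matches" count as well, because a
    # content script runs on every page those patterns cover.
    hosts = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    broad = sorted({h for h in hosts if h in BROAD_HOSTS})
    apis = sorted({p for p in manifest.get("permissions", []) if p in SENSITIVE_APIS})
    suspect = sorted(str(p.relative_to(ext_dir)) for p in ext_dir.rglob("*.js")
                     if p.name in SUSPECT_FILES)
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "update_url": manifest.get("update_url"),
        "broad_host_access": broad,
        "sensitive_apis": apis,
        "suspect_files": suspect,
        "sees_every_page": bool(broad) and bool(apis),
    }


def pin_update_url(ext_dir: Path, write: bool = False) -> str:
    """The article's step: swap clients2.google.com for localhost in update_url.
    Returns the resulting value; only touches the file when write=True."""
    manifest = load_manifest(ext_dir)
    current = manifest.get("update_url") or ""
    pinned = current.replace(CHROME_UPDATE_HOST, "localhost")
    if write and pinned != current:
        manifest["update_url"] = pinned
        (ext_dir / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return pinned


def scan_extensions_root(root: Path) -> list:
    """Audit every <id>/<version>/ folder beneath Chrome's Extensions directory."""
    return [audit_extension(m.parent) for m in sorted(root.rglob("manifest.json"))]


def make_sample_extension() -> Path:
    """Constructed test fixture: a v2 manifest with broad access plus one
    of the suspect file names, written to a fresh temporary directory."""
    ext_dir = Path(tempfile.mkdtemp()) / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"
    ext_dir.mkdir(parents=True)
    manifest = {
        "manifest_version": 2,
        "name": "Sample Zoom Helper (constructed)",
        "version": "1.0",
        "permissions": ["tabs", "storage", "http://*/*", "https://*/*"],
        "background": {"page": "html/background.html"},
        "update_url": "https://clients2.google.com/service/update2/crx",
    }
    (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (ext_dir / "tr_simple.js").write_text("// placeholder, no tracking logic\n", encoding="utf-8")
    return ext_dir


if __name__ == "__main__":
    sample = make_sample_extension()
    print(json.dumps(audit_extension(sample), indent=2))
    print("pinned update_url:", pin_update_url(sample))
```

Point `scan_extensions_root` at `%localappdata%\google\chrome\User Data\default\Extensions` (the path given above) to audit everything installed. A `sees_every_page` result of true does not mean an extension is spying, only that nothing in the permission model stops it from doing so, which is the article's point about updates: an extension with that profile can add tracking code later without any new prompt.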

For Firefox, the process is a lot easier. Go to the Add-ons screen, click the menu icon, and un-check “Update Add-ons automatically”.
So Where Does This Leave Us?
We’ve already established that loads of extensions are being updated to include tracking / spying code, injecting ads, and who knows what else. They are being sold to untrustworthy companies, or the developers are being bought with a promise of easy money.
Once you have an add-on installed, there’s no way to know that they aren’t going to be including spyware down the road. All we do know is that there are a lot of add-ons and extensions that are doing these things.
People have been asking us for a list, and as we’ve been investigating, we’ve found so many extensions doing these things, we’re not sure that we can make a complete list of all of them. We’ll add a list of them to the forum topic associated with this article, so we can have the community help us generate a bigger list.
I'm going to use this topic as a master list of all the extensions and add-ons that contain either spyware or adware. Feel free to contribute anything you know of.
I use the paid version of Internet Download Manager (IDMan), which I set to notify me when a download has completed by letting rip a triumphant bird tweet!
For some reason Google Chrome stopped working on my XP Home a few days ago: a total uninstall and complete re-install made no difference; but Google Chrome gives me no problems whatever on my Windows 7. Its counterpart, Comodo Dragon, works well on my XP but I do not have it installed on my W. 7. Dragon is synced to Google Chrome by means of Google+ Dashboard, and yesterday, when I opened Dragon Browser on my XP, my ear drums were assaulted by a continuous stream of frantic bird tweets, yet my IDMan showed no downloads taking place - very odd indeed. The tweeting continued unabated this morning - but only on my XP. My W. 7 IDMan, set to deliver the identical tweet, has remained silent. (Is this a harbinger of attacks on the old XP?)
I have never before heard this happening - it's something totally new. I disabled all the Google extensions on Dragon except for WOT, AdBlock Plus/Pro, Avast!, Page Rank and one or two others. The tweeting stopped immediately... and has not resumed whilst composing this reply on my XP. (Syncing takes place through my modem, as both my XP and W. 7 are connected to the internet through the same modem - my two PCs are not networked)
I take it Google is not responsible for this, what with its DO NO EVIL policy, the available extensions in the Google Store all being third party stuff???
I am horrified by the information given us in your jolly good article, and I feel the same as you: no one, but no one has any shadow of right to spy on my PC activities - my PCs are my PRIVATE PROPERTY, and not available for public scrutiny or unauthorized use of any kind. Especially not for these advertisement vulture-boys, which is why I avoid freeware bundled with dreadful programs like Open Candy etc etc.
You have done us a GREAT service by your bringing this horrible development to our attention, and I hope the DO NO EVIL, Google, will take steps to remove offending extensions from its store - in keeping with the Google Policy.
Thank you for letting us know - I appreciate your efforts and resultant sleep deprivation very much, I'm sure I speak for ALL of us.
Thanks for the article geek!
I also use Smooth Gestures!
I must have a closer look at my addons for Firefox that I have installed. I have over 30 installed and some I rarely use. I installed them for their functionality and didn't check their privacy settings.
I hate to give up Hoverzoom. I am just going to turn off the tracking for now. I guess I could also block the two tracking sites in my host file.
You can use Hoverfree.
What is privacy anymore?
Something to think about is this: ANYTHING that can "guess" what your interests are is actually spying on you and the history of what you search for and link to. But that spying factor is simply electronics. It's all done by computers, but those computers also generate lists that real people use to then aim advertising at you. It's all a bunch of garbage and geared toward nothing but extreme capitalism. I have very eclectic tastes. I also am very particular about things I like and don't like within any particular category. That being said, none of these efforts will ever work on me. I also tend to boycott ANY advertising that I find irritating or annoying. The part to be cautious about with these "second-guessers" is that they can be used against you in very inappropriate ways. A private investigation can reveal false leads that could cause a major problem for you. Think of all those people who have lost their jobs over something they "didn't do".... chances are they didn't, but the trail they left makes it look like they did. It's completely reprehensible how advertising and marketing gets their fingers twisted in our lives to the point of slander. It's all about those nasty things in life: demographics, advertising, marketing, capitalism, stupidity, ignorance, statistics, and outright lying.
Wow, don't you all know that any web site you go to has your info as well? Might as well stop searching the internet; hell, just unplug the machine, better yet trash can it. They all got your info now. Oh no, it's a government conspiracy, LOL. Get a grip, people, this is old news; websites and people have had your info far longer than you all think. Hell, the US government has it now as well.
That's a good point. That extension was created by somebody that was upset about the ads, and took the source code and made his own version. It's probably safe, but who knows.
Hopefully Google and Mozilla will crack down on all this behavior.
You can actually view the code before installing the extension if you want. I use an extension called CRX viewer to do it. Of course, if you know how, you can simply copy the code and comment out the spyware lines.
Thanks for that... I'm working on a followup piece where we'll explain how to audit your extensions. I didn't know about CRX viewer, that's very helpful.
Interesting that this topic came up again after reading this story I Sold a Chrome Extension but it was a bad decision
Looks like another area of concern to worry about. Everyone is going to have to have a 2nd identity just to be online soon.
Personally I am not sure what the big deal is. The Internet is public access and while you are not tracked in real life while you browse a store, the computer is easier to target for individuals.
It's just ads for Pete's sake. It is not like they are stealing your credit card numbers, social security number, DOB, cell/phone numbers, etc.
If someone is so paranoid about targeted ads, they should reconsider using the Internet. Not so surprising, this has been done for the past two decades. Cookies, super cookies and now browser extensions, and it's a sure bet they will find new ways of tracking you in the future, guaranteed.
And as far as banking and secure sites are concerned, there should be an end to end https secure connection otherwise it is no longer adware or trackware but malicious coding.
It should be noted, there are other agencies that are tracking you right now other than advertisers. NSA, CIA, FBI, other un-named government agencies, both domestic and foreign. Accessing the Internet is not a private affair.
Keep your nose clean and just ignore/block the ads and you'll be happier at the end of the day.
You clearly didn't read the article. I repeatedly said that the adware part isn't the (big) problem.
I use two of the extensions on the "Adware" list, Sexy Undo Close Tab and ScrollToTopButton. Honestly I don't mind keeping them. In both cases they are more than clear about the ads. And with Sexy Undo Close Tab you can disable the ads. With ScrollToTop you can't without a paypal donation but honestly I have not even noticed any ads. I think Adblock blocks them. Eh. I've always felt that adware and spyware are two separate things, and it's silly that people get so up in arms about ALL adware, even in cases where it's not surreptitious. Developers have to eat too I guess. I mean people don't have problems with ad supported TV or radio. If they do they choose to pay for non ad supported options, but I've never heard anyone claim that the major TV networks are amoral for using an ad supported system to broadcast "free" media content. I honestly don't see the difference. Extensions that do it without telling the user are one thing, but when they're up front about it, I don't mind if the extension adds enough value to my browsing experience.
GetThemAll Downloader
https://chrome.google.com/webstore/detail/getthemall-downloader/nbkekaeindpfpcoldfckljplboolgkfm
Formerly FVD Video Downloader - a great tool for sniffing videos on webpages. Now, it injects ads onto webpages. I removed it a long time ago, but you can read about this behavior in the review sections.
By the way, is it possible to verify who the extension developer is? Some extensions just link to a support page or an email, so it is very difficult to know who made them. I think if Google makes Google+ and/or Verified profiles mandatory, it will be great.
Iminent is more than an extension. My sister's computer had it for a few days and I had to remove it. It turns on at start up, runs as a service, re-installs itself if you remove it before ending the service, and changes your Chrome and Firefox settings.
Fabulous (over 500.000) users. https://chrome.google.com/webstore/detail/fabulous/ambjmeohlajelahhhniggkkceagdlcgj
Installed last week. After installing it I noticed that Chrome, when visiting product pages on Amazon or eBay, was hijacked to go to two other websites, alecyueee.us and ezshoplist.me, and was sending them the info on the product pages visited. I reported this to Google yesterday.
I found an interesting article on lifehacker for an extension you can install in Chrome called Chrome Protector. This extension notifies users if they are running adware.
I haven't tested it myself, because I don't use Chrome, but maybe one of the geeks can have a closer look at it.
Thanks for replying!
Luckily I have never installed or used Chrome, to try to limit my google quota. Primarily use Mozilla. Only use Opera on android, so no Chrome there either. It's a given that google knows what my birth weight was, but now using DDG to limit tracking I feel that I'm being proactive. Realistically, after years of using google products, it's probably as useful as aiming a water pistol at a fire.
Yes, This.
They should also clearly mark ad-supported extensions with a banner of some type before you get to the install point. Having to install an app to figure out whether it hijacks your browser and inserts ads isn't good policy at all.
I found that Fabulous Facebook contained adware and I posted it on reddit. I appreciate howtogeek adding to your list. Very detailed list so far.
A new extension reported as malicious--Facebook Secret Emoticons by ExtShield - Stops Malicious Extensions
I'm the founder of Hola - a 30 person startup dedicated to providing freedom on the Web. It's critical for companies providing users with valuable services to be able to monetize them, so in Nov we told our users that we'd include Ads and a "Shopping" app that seemed beneficial by offering lower prices. We found that both of these destroyed the user experience, so removed them both on 18-Dec-2013. Since then we found that the best model for us is to remain free and ad-free, with a premium version that helps to fund the further development of Hola. Enjoy and let us know what you think - info @ hola.org
Hi Geek -- the description of the Hola version with the 1,800,000 users on the chrome store says that Hola is ad free (see https://chrome.google.com/webstore/detail/hola-better-internet/gkojfkhlekighikafcpjkiklfbnlmeio?hl=en). The description of our PlugIn (12,000 users) has not been updated to reflect the fact that we do not advertise. By the way -- while we chose not to advertise in the product, it is still a perfectly legitimate way for developers to make an income in return for their hard work, especially when they are up front about it with the users. I find that you are misleading readers by listing extensions that advertise in a listing whose title is "... your browser extensions are spying on you" while they are only advertising. More so by listing Hola (any others?) that are not even advertising, and causing damage to an application that is doing good (opening up the Internet barriers) for Internet users. Please check out whether Hola is in fact 'ad ware', and remove us from the list if you find we are not.
Thanks for responding. I will check into this and update the list.
And if you read the article that is linked at the top, you'll see that I'm not as worried about adware extensions - it's the spyware ones that are the real problem.
Thanks for checking again and updating. I know you are more worried about extensions that are spying on users rather than on those advertising to users (neither of which we do), but the title implies the former, and people have a tendency to skim through and mis-understand. We've received some emails from our premium service subscribers that asked to unsubscribe from our service and point to your article to tell us we are spying on them. Please expedite your fact checking, since your article and our name are being replicated elsewhere now. If you decide to remove us from the list, please make sure to write that after the fact checking Hola should not have been in the list, so that we can point our customers to the correction. The information as is now is damaging, and incorrect. Thanks.
There is a very large database of adware extensions over at https://www.extensiondefender.com. I would look over there too to see if there's any on that list as well.
Also there is a browser extension from them called Extension Defender that allows you to scan your extensions.
https://chrome.google.com/webstore/detail/extension-defender/lkakdehcmmnojcdalpkfgmhphnicaonm