Imagine if someone could see what employees at thousands of companies were actively working on in near real-time (about a one-hour delay). Imagine, further, this person could access your sensitive personal data in much the same way. Moreover, what if you and/or your colleagues were, yourselves, unknowingly leaking such data?
DataSpii (pronounced data-spy) denotes the catastrophic data leak that occurred via eight Chrome and Firefox browser extensions (see Table 1). This leak exposed personal identifiable information (PII) and corporate information (CI) on an unprecedented scale, impacting millions of individuals. The collected data was then made available to members of an unnamed service, which we refer to in our report as Company X. Both paid and trial members of this service had access to the leaked data. After we reported our findings to Google and Mozilla, the browser vendors remotely disabled the extensions. Furthermore, the online service is now defunct.
Table 1. Chrome and Firefox extensions identified in the DataSpii leak.
Note: There may be other, yet unidentified, invasive browser extensions involved in the DataSpii leak.
|Extension name||Number of users||Browser vendor||Chrome extension ID|
|Hover Zoom||800,000+ users||Chrome||nonjdcjchghhkdoolnlbekcfllmednbl|
|SpeakIt!||1.4+ million users||Chrome||pgeolalilifpodheeocdmbhehgnkkbak|
|SuperZoom||329,000+ users||Chrome and Firefox||gnamdgilanlgeeljfnckhboobddoahbl|
|SaveFrom.net Helper†||≤140,000 users||Firefox||N/A|
|FairShare Unlock‡||1+ million users||Chrome and Firefox||alecjlhgldihcjjcffgjalappiifdhae|
|Branded Surveys‡||8 users||Chrome||dpglnfbihebejclmfmdcbgjembbfjneo|
|Panel Community |
†The invasive data collecting behavior occurred when the SaveFrom.net Helper extension was installed from the author’s official website using Firefox on macOS or Ubuntu. We did not observe the invasive behavior when the extension was installed from a browser vendor store.
‡FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys make explicit efforts to let their users know they collect browser activity data.
Company X members could search the website traffic data for nearly any domain name and find confidential corporate memos, zero-day security vulnerabilities, as well as impacted users’ tax returns, GPS locations, travel itineraries, credit card details, or possibly any URL he or she may have opened with their browser. By requesting data for a single domain via the Company X service, we were able to observe what staff members at thousands of companies were working on in near real-time. The Company X website states they collect their data from millions of opt-in users; however, we spoke with many impacted individuals and major corporations who have told us they did not consent to such collection.
DataSpii impacted tech giants — including Apple, Facebook, Microsoft, and Amazon; DataSpii also impacted cybersecurity giants — including Symantec, FireEye, Trend Micro, and Palo Alto Networks. See Table 2 for a list of impacted companies and leaked data types provided by Company X to its members. Based on our research, billions of analytics hits were collected from impacted users and corporations. When impacted users use browser sync features (e.g., Google Chrome Sync), the extensions can instantly spread to all logged-in locations of a user, (e.g., home and work computers). Moreover, by monitoring the web traffic of a domain under our control, we observed third-party visits to the unique URLs collected by the extensions.
Note: We have sent disclosures and notified all of the companies listed by our report.
The list below is by no means a complete list of corporations impacted by the DataSpii leak.
Table 2. DataSpii-impacted services and/or companies.
Note: The data was published via Company X or it was made accessible by clicking the link provided by Company X. We did not click on any links except of our own.
Table 2: Impacted Companies
|Impacted companies||Leaked data made accessible via Company X. |
|23andMe||Shared 23andMe reports|
|AlienVault||JIRA data from alienvault.atlassian.net|
|Amazon Web Services||AWS S3 query string authentication parameters|
|American Airlines||Passenger information including: First name, last name, flight confirmation number|
|Amgen||LAN network data collected from visitor(s) on the amgen inc. ISP network|
|Apple||Last 4 digits of credit cards used for Apple product orders, credit card type, store used to pickup an Apple order, first and last name of the Apple order customer, iCloud Email addresses|
Shared iCloud Photos including iOS user first and last name.
|AthenaHealth||LAN network data collected from visitor(s) on the athenahealth ISP network|
|Atlassian||Near real-time data of corporate issues and employee-assigned tasks from thousands of atlassian.net subdomains.|
|Blue Origin||JIRA data hosted on blueorigin.com domain, originating from visitor(s) city listed as: Kent, Washington|
|BuzzFeed||JIRA data from buzzfeed.atlassian.net|
|CapitalOne||Zoom meeting URLs from capitalone.zoom.us|
|CardinalHealth||JIRA data from cardinalhealth.atlassian.net|
|Dell||Zoom meeting URLs from dell.zoom.us|
|DrChrono||Patient names, names of medication|
|Epic Systems||LAN network data collected from visitor(s) on the epic systems corporation ISP network|
|Facebook Messenger attachments including tax returns|
|FireEye||JIRA data hosted on fireeye.com domain, originating from visitors on the fireeye, inc. ISP network|
|Kaiser Permanente||LAN network data collected from visitor(s) of kaiser foundation health plan ISP network|
|Merck||LAN network data collected from visitor(s) on merck and co. inc. ISP network|
|Microsoft OneDrive||Files shared on OneDrive including tax returns|
|NBCDigital||JIRA data from nbcdigital.atlassian.net|
|Nest||Shared Nest security camera clips|
|NetApp||Zoom meeting URLs from netapp.zoom.us|
|Oracle||Zoom meeting URLs from oracle.zoom.us|
|Palo Alto Networks||LAN network data collected from visitor(s) of Palo Alto Networks ISP network|
|Pfizer||LAN network data collected from visitor(s) of pfizer inc. ISP network|
|JIRA data from reddit.atlassian.net|
|Roche||LAN network data collected from visitor(s) on hoffmann laroche inc. ISP network|
|Shopify||Impacted by AWS S3 query string parameter leak|
|Skype||Shared Skype chat URLs|
|Southwest Airlines||Passenger information including: First name, last name, and flight confirmation number|
Members of Company X can see these users checking-in in near real-time. Such data can be used to modify a flight, cancel a flight, or stalk the person, etc.
|SpaceX||LAN network data collected from visitor(s) on the space exploration technologies corporation ISP network|
|Symantec||LAN network data collected from visitor(s) on the symantec corporation ISP network|
|Tesla||LAN network data collected from visitor(s) on the tesla inc. ISP network|
|Tmobile||JIRA data from tmobile.atlassian.net|
|Trend Micro||JIRA data collected from visitors on a non-publicly resolvable trendmicro.com subdomain.|
|Uber||Passenger pickup and drop-off locations for impacted users that booked rides via m.uber.com, Zoom meeting URLs from uber.zoom.us|
|UCLA||Zoom meeting URLs from ucla.zoom.us|
|Under Armour||JIRA data from underarmour.atlassian.net|
|United Airlines||Passenger last names and their flight confirmation numbers|
|Walmart||Zoom meeting URLs from walmart.zoom.us|
|Zendesk||Support ticket attachments, which (via HTTP referer) can even further be refined by the Zendesk client, (e.g., Venmo).|
|Zoom Video Communications||Zoom meeting URLs|
After we informed a browser vendor that one of its extensions was implicated in data collection, the vendor remotely disabled the extension for all users. While the extension did, indeed, cease performing its primary function, its collection of data continued unabated. Based on this observation, we recommend impacted users remove the extension in question from their browsers.
During the course of our investigation, we observed two popular extensions (i.e., Hover Zoom and SpeakIt!) employ dilatory tactics — an effective maneuver for eluding detection — to collect the data. The extensions waited, on average, 24 days before initiating the collection of browsing activity data.
We discovered the collection and dissemination of sensitive data from the internal networks of many Fortune 500 corporations (see Table 2 above for a complete list of impacted companies). In addition, we devised a local area network (LAN) experiment, which allowed us to observe one extension, Hover Zoom, collect hyperlinks stored within the page content of our LAN website. Such data collected from a single visit to a page in a LAN environment can be used to map a corporation’s LAN environment. Furthermore, we observed the dissemination of our LAN data to three different hostnames. The collected data included our site’s LAN IP address, hostname, page title, timestamp of the visit, as well as the URLs of page resources (i.e., CSS files, JS files, and images) referenced in our HTML code. We then observed much of our LAN data being disseminated to members of Company X. (Company X did not provide all collected metadata (e.g., last-modified) available to its customers.) Finally, through the responsible disclosure process, we corroborated our findings with impacted individuals and major corporations.