Hover Zoom’s controversial past

Browser vendors act as the gatekeepers to the world’s data. As such, their actions or inactions can impact billions of users around the globe. As stewards of the web, browser vendors have the ability to review, audit, approve, and disapprove browser extensions. We uncovered eight extensions involved in the DataSpii’s unprecedented data collection, two of them being Hover Zoom and SpeakIt!. We dug a bit further and discovered that Hover Zoom and SpeakIt! have been in the public eye for quite some time. 

We present a selection of articles and discussion threads that have reported on the controversial extensions since 2013:

Timeline:

1. October 8, 2012: Archive.org’s first snapshot of a Chrome Web Store URL containing Hover Zoom’s extension ID (nonjdcjchghhkdoolnlbekcfllmednbl).
2. January 5, 2013: Archive.org’s first snapshot of a Chrome Web Store URL containing SpeakIt!’s Chrome extension ID (pgeolalilifpodheeocdmbhehgnkkbak).
3. March 5, 2013: gHacks Technology News reported on what the author described as the “evil” nature of Hover Zoom. The author cites one user who observed POST requests to a Czech media company. The author later updated the article to state that “Hover Zoom is no longer available.”
4. December 17, 2013. A reddit thread titled “HoverZoom for Chrome is infected with malware!” was created. Over the next five months, 1,400 comments were posted in the thread.
5. December 26, 2013: : Martin Brinkmann of gHacks Technology News wrote an article entitled “Hoverzoom’s Malware controversy, and Imagus alternative.” Brinkmann wrote, “Not only did the extension receive hundreds of 1 star ratings on the Chrome Web Store, it was also removed from it by its author.”
6. January 19, 2014: Oleg Anashkin forked his own version, Hover Zoom+.  A github repo which lists its owner as “Oleg Anashkin” describes Hover Zoom+ as malware-free.
7. January 20, 2014: The popular tech blog lifehacker.com reported on Hover Zoom’s tracking behavior.
8. November 19, 2015: Brady Dale of The Observer reported on a Detectify cybersecurity report, disclosing how several browser extensions were involved in tracking and harvesting of URLs. Two of the extensions in the Detectify 2015 report included Hover Zoom, and SpeakIt!. The referenced Detectify report cites how the collected data was being made available through online analytics services. Such services described in the report are similar to those provided by Company X. The Detectify report was later updated to state that several extensions, including Hover Zoom, were removed from the Chrome Web Store.
9. November 20, 2015: Brady Dale of The Observer reported that FairShare Labs was one of the companies responsible for the data collection.
10. March 31, 2016: Security researcher Michael Weissbacher reported that SpeakIt! was one of many extensions spying on eight million users.
11. On November 4, 2016: The popular tech blog MakeUseOf.com listed both Hover Zoom and SpeakIt! as among the “10 Chrome Extensions You Should Uninstall Right Now.”
12. April 13, 2017: The Electronic Frontier Foundation (EFF) published a report titled “Spying on Students.” EFF surveyed students and school administrators on the software and applications in use in the classroom. Survey respondent(s) reported “SpeakIt” as one of the apps, software, and services in use.
13. December 4, 2017: Security researcher, Michael Weissbacher, mentioned SpeakIt! in a publication titled “Ex-ray: Detection of History-Leaking Browser Extensions.”
14. March 2, 2018: PC Magazine listed Hover Zoom as one of “[t]he 100 Best Free Google Chrome Extensions.”
15. July 9, 2018: In a 2018 IEEE European Symposium on Security and Privacy, security researchers, Aggarwal, et al., labeled Hover Zoom and SpeakIt! as spying extensions in a publication titled “I Spy with My Little Eye: Analysis and Detection of Spying Browser Extensions.”
16. July 2, 2019: We disclosed our findings to Google. Soon after Hover Zoom and and SpeakIt! were removed from the Chrome Web Store. They were also remotely deactivated from impacted users’ browsers.
17. July 18, 2019: The DataSpii report detailed how Hover Zoom and SpeakIt! employ a dilatory tactic, an effective maneuver for eluding detection.

Years of headlines, scholarly exposés, reddit posts, and numerous removals from the Chrome Web Store failed to stop Hover Zoom or SpeakIt!. Google removed the extensions from the Chrome Web Store shortly after our disclosure on July 2, 2019, but will it return again? The consequences of unscrupulous data collection practices are too dire to be dismissed or ignored by browser vendors.