Traffic Exchange

Via online business online marketing online business opportunities

Sam Jadali

Contents hide


We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users. Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe. We observed two extensions employing dilatory tactics — an effective maneuver for eluding detection — to collect the data. We identified the collection of sensitive data from the internal network environments of Fortune 500 companies. Several Fortune 500 companies provided an additional measure of confirmation through a process of responsible disclosure. By deploying a honeypot to monitor web traffic, we discovered near-immediate visits to URLs collected by the extensions. To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.

Via online business online marketing online business opportunities1. Introduction

Imagine if someone could publicly access, in near real-time — within an hour — your sensitive personal data on the websites you are browsing. Imagine, further, this person could access your sensitive business data in much the same way. Moreover, what if you and/or your colleagues were, yourselves, unwittingly leaking such data? InTable 1below, we enumerate the types of data that can be accessed.

Table 1. Types of personal and corporate data accessible via the online service.

Personal dataCorporate data
personal interests
tax returns
GPS location
travel itineraries
credit card information
genetic profiles
company memos
employee tasks
API keys
proprietary source code
LAN environment data
firewall access codes
proprietary secrets
operational material
zero-day vulnerabilities

This scenario may seem far-fetched, but in reality, it has global implications for millions of people across the globe who unwittingly send information about their browsing activity to a publicly accessible online service via at least eight browser extensions. The online service, referred to in this report asCompany X,then provides the collected data to its paid or free-trial members who request such data about any domain of their choosing.SeeTable 2for the Chrome and Firefox browser extensions in question.*

*The eight extensions state in either their terms of service, privacy policies, or descriptions that they may collect data that is personally identifiable or non-personally identifiable. While such statements appear to provide transparency about their data collection, privacy policies are largely ignored by web users[1].

Clickbank Marketing Tools

Table 2. Chrome and Firefox extensions identified in the DataSpii leak.

Extension nameNumber of users
(as of Feb/Mar 2019)
Browser vendorChrome extension ID
(if applicable)
Hover Zoom800,000+ usersChromenonjdcjchghhkdoolnlbekcfllmednbl
SpeakIt!1.4+ million usersChromepgeolalilifpodheeocdmbhehgnkkbak
SuperZoom329,000+ usersChrome and Firefoxgnamdgilanlgeeljfnckhboobddoahbl Helper≤140,000 usersFirefoxN/A
FairShare Unlock1+ million usersChrome and Firefoxalecjlhgldihcjjcffgjalappiifdhae
PanelMeasurement500,000+ usersChromekelbkhobcfhdcfhohdkjnaimmicmhcbo
Branded Surveys8 users (June 2019)Chromedpglnfbihebejclmfmdcbgjembbfjneo
Panel Community Surveys1 user (June 2019)Chromelpjhpdcflkecpciaehfbpafflkeomcnb

The invasive data collecting behavior occurs when the Helper extension is installed from the author’s official website using Firefox on macOS or Ubuntu. We have not observed such invasive behavior when it is installed from a browser vendor store.

FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys make explicit efforts to let their users know they collect browser activity data.

These browser extensions and their respective browsers (i.e., Chrome or Firefox) run on desktops and laptops with macOS, Windows, Chrome OS, or Ubuntu operating systems. The extensions also run on Chromium-based browsers (e.g., Opera, Yandex Browser) that accept Google Chrome extensions. Google Chrome Sync’s feature, for instance, can spread the extensions to home and work computers. The extensions collect highly sensitive user information from URLs, page titles, and referrers. The collected data is then filtered by domain name and offered for sale. In one instance, we observed the widespread exposure of corporate project data and employee tasks from thousands of companies that use a popular project management provider, It is important to note that this report examines data obtained from Company X; it does not address whether other companies or individuals may have also disseminated such data.

1.1 How it works

As stated above, the termCompany Xshall refer to the online service selling analytics data of any website. To protect the data of the millions of users and businesses impacted by DataSpii, this report has omitted the name of the online service. The termParty Yshall refer to the data collector vis-à-vis the eight browser extensions at the center of this report. For convenience,Party Yalso refers to one or more corporate entities that may or may not have legal relationships with each other.Party Yshall also refer to other browser extensions, as yet unidentified, involved in the collection, processing, and/or dissemination of data.

During the course of our investigation, we observed Party Y extensions collecting browser activity data. Within one hour of collection, we observed that same data being disseminated to members of Company X. (Company X does not provide all Party Y collected metadata types [e.g., last-modified] available to its customers.) Once signed up for Company X’s free trial, a member can then view the near real-time traffic data of any organization by merely entering its domain name (see Figure 1). The data is then filtered by domain name and delivered to the Google Analytics accounts of Company X members. The collected metadata delivered to Company X members includes hostname, URL, page title, referrer, browser, browser version, city, state, country, internet service provider (ISP), network domain, operating system (OS), OS version, date, and time. The Google Analytics service collates the metadata, thus providing Company X members with insight into the sources of a domain’s web traffic statistics.

via online business online marketing online business opportunities

Figure 1. Possible scenario for how one impacted individual, Jerry, can leak the data of many of his clients. Tax returns are among the types of data made accessible via DataSpii.

1.2 Background

Abrowseris software (e.g., Google Chrome, Mozilla Firefox, Safari, Microsoft Edge, Internet Explorer) that enables users to search, access, and display web pages. Browsers provide an interface to perform various web activities such as emailing, cloud-sharing, online shopping, watching movies, listening to music, and sharing photos.Browser extensionsare modules that enhance and customize the browsing experience. For example, ad blockers are extensions that increase page speeds and reduce browser crashes, whereas password managers are extensions that generate and store random passwords, thereby increasing overall security.

According to the Google Chrome Developer site, “Extensions are event based programs used to modify or enhance the Chrome browsing experience. Events are browser triggers, such as navigating to a new page, removing a bookmark, or closing a tab. Extensions monitor these events in their background script, then react with specified instructions”[2]. Such triggers allow an extension to send user browsing data to third-party servers, which in turn can be used to compile user profiles for (the purpose of) targeting users with personalized advertisements.

InData and Goliath, Bruce Schneier notes that some corporations use surveillance data to target consumers with discounts, trial offers, and other promotional features[3]. Corporations and governments that exchange surveillance data for legitimate purposes may also be sharing it — albeit inadvertently — with cybercriminals, often in huge data breaches. While most users understand that browsing activity is surveilled and tailored for advertisement purposes, few appreciate the full implications of being monitored.

Likewise, browser extensions surveil user data in return for convenience. Antimalware extensions warn users of danger by collecting the URLs that users visit and cross-referencing those URLs with a live database of known hacked sites. Grammar check extensions collect user-entered text, including social media posts, documents, and emails. In exchange for such conveniences, users are bombarded with personalized insights, performance stats, or advertisements. When such data is collected for tailored advertisements, market research, or enhanced browsing experiences, it may inadvertently end up in the wrong hands. Thus, the very same data that enhances personal experiences jeopardizes personal, corporate, and government information.

1.3 Company X and Party Y

Company X’s frequently asked questions (FAQ) page maintains that millions of people around the world opted in to anonymously share their browsing history. It further maintains that what it is doing is legal, ethical, and patented. While Company X does not disclose its method of data collection, it does seek to assure its users that the data collected remains anonymized. We suggest that this is not always the case. Moreover, if an employee is using a data-collecting browser extension on a company computer, the employee may not have the authority to consent on behalf of his or her employer.

While our investigation did not establish a legal relationship between Party Y and Company X, it did establish that much of the data collected by Party Y was made available to members of Company X.

The privacy policies of the Party Y extensions inform the end user that data may be collected. While privacy policies may allay some concerns about data collection, they are largely ignored by the typical web user[1]. Furthermore, in this report, we elucidate a delayed data collection measure employed by two Party Y extensions.

While Party Y extension policies state they may employ “PII scrubbers” to assist in providing anonymity, this report details their inability to scrub all types of PII. As a matter of legality, the European Union’s recently enacted data privacy law (EU-GDPR) states that the PII of all EU data subjects must be redacted or pseudonymized[4]. The failure to redact sensitive information, including PII and CI, endangers everyone who uses Party Y extensions, either directly or by association.

1.4 Invasiveness

After our reporting of a Party Y extension to a browser vendor, the vendor remotely disabled the extension for all users; however, that did not stop the data collection in our browser. While the extension ceased its functionality, we continued to observe our browsing activity being sent via POST request to Party Y servers. Ultimately, the data collection stopped when we removed the extension.

1.5 LAN impact

DataSpii circumvented the most effective security measures including authentication or encryption, which were designed to thwart leaks. Using a multi-pronged approach, we discovered the collection of sensitive data from the private LAN networks of many Fortune 500 companies. In addition, we devised a LAN experiment and observed the collection of hyperlinks stored within the page content of the website hosted on our LAN. Such data collected from a single visit to a page in a LAN environment can be used to map a corporation’s LAN environment. Furthermore, we observed the dissemination of our LAN data to three different hostnames. The collected data included our site’s LAN IP address, hostname, page title, timestamp of the visit, as well as the URLs of page resources (i.e., CSS files, JS files, and images) referenced in our HTML code. We then observed much of our LAN data being disseminated to members ofCompany X. Finally, through the responsible disclosure process, we corroborated our discovery with impacted individuals and major corporations.

1.6 History

Cybersecurity companies have long warned about the dangers of publicly accessible links[5]. In addition, the HTTP referer header has been notoriously known to cause leakage of publicly accessible URLs. Researchers have also warned about the data collection practices of browser extensions. Unfortunately, many corporations often fail to act on this direct knowledge. The problem is compounded when an online service such as Company X publishes the near real-time traffic data for its members. The dissemination of such data by Company X undermines the data protection features of data source types such as ephemeral links, URL-based query string authentication parameters, and API keys.

READ  LIVE: Samsung unveils new Galaxy phones, watches, and more

Via online business online marketing online business opportunities2. Affected data source types and impacted companies

Extensions have access to powerful browser application interface (API) functions that tap into user browsing activity. While some extensions may use this data to perform their inherent, legitimate functions, others use the data strictly for monetization or advertising. In order to be approved by a browser extension store, an extension must be reviewed by browser vendors; however, perfunctory reviews can result in the approval of bad actors. We identify seven data source types and provide examples of impacted companies by each.

Note: We have made disclosures to all impacted companies listed in this report. We have not identified any data being used maliciously. However, through our honeypot experiment, we observed third parties visiting unique URLs captured by Party Y browser extensions.

2.1 Data source type: Shared links

Web users frequently share publicly accessible unique links with family, friends, and colleagues. The links can direct recipients to Apple iCloud photos, Quickbooks invoices, 23andMe ancestry data, Nest security camera video clips, or confidential documents stored on OneDrive. The following examples detail how the leaking of shared links can impact major online services.

2.1.1 Zoom Video Communications

The DataSpii leak enables malicious parties to monitor corporate or client meetings. Enterprise businesses use services like Zoom for online meetings, video conferencing, and webinars. Typically, the meeting organizer will invite colleagues or clients by sharing a Zoom meeting link via email. The invite link URL often contains a unique meeting ID. When a participant of the meeting opens the link using a browser with an invasive extension, the link URL may then be displayed to a Company X customer in near real-time (see Figure 2).

Features of Zoom’s “Business” plan enable customers to choose a vanity hostname such The vanity hostname acts as an easy way to brand the Zoom account and is included as a subdomain of the link URLs used for the organization’s online meetings. Search refinement tools provided by Google Analytics make it easy for aCompany Xmember to filter the subdomains of Zoom customers, thereby allowing that member to filter meetings specific to an organization. Meetings that are not password protected become vulnerable to eavesdropping by outsiders with access to the URL. Although Zoom notifies meeting participants when a new user joins a meeting, it is possible for these notifications to be disregarded, especially during meetings with large numbers of participants. Zoom also offers a popular “waiting room” feature, enabling the host to manually admit each participant to ensure only their intended participants join their meeting.

via online business online marketing online business opportunities

Figure 2. meeting URLs.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.1.2 Skype

As with Zoom, Skype users ask their friends or colleagues to join a group chat using a publicly accessible shared link. The recipient of the link can join the chat directly from a web browser. When a user opens the link with a Party Y browser extension, the Skype group URL may become available to Company X customers who request the data of (see Figure 3). A malicious Company X member may use the link to eavesdrop on chat conversations. Note that when a new user joins the group chat, Skype will notify connected users that a new guest has joined the conversation.

via online business online marketing online business opportunities

Figure 3. Skype group chat URLs.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.1.3 23andMe

23andMe customers can share reports with family, friends, and/or their entire social network using a publicly accessible link. When the link is opened by a user with a Party Y browser extension, the URL of the report becomes available to any Company X customer that requests data on 4displays URLs matching a known format for publicly accessible 23andMe reports. Such reports may include information on ancestry, family DNA, muscle composition, and other biomedical data.

via online business online marketing online business opportunities

Figure 4. Redacted links to shared 23andMe DNA and ancestry reports.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.1.4 Apple example I

When an iOS user stores photos on iCloud and shares four or more photos via the Photos app, the app will generate a publicly accessible unique link to the photos. When a recipient or sender opens the link in a browser with a Party Y extension, the link to the photos is collected. Such a link may end up in the hands of a Company X member requesting the data of (see Figure 5). When the URL is visited, the photos become visible and may even display an iOS user’s first and last name.

via online business online marketing online business opportunities

Figure 5. Links to shared Apple iCloud photos or videos.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.1.5 Apple example II

Shoppers who place orders via may receive an email from Apple containing a link to view their order status. When such links are viewed using a browser with a Party Y extension, they may be delivered to customers of Company X that request data of 6contains Apple order status links obtained from the Company X service.via online business online marketing online business opportunities

Figure 6. Apple order status URLs provided by the Company X service.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

A bad actor may use the URL data to view an product order status page in a browser. While Apple may well omit PII from visible areas of the order status page, during our observations, it did not conceal PII within the source code of our own Apple order. This source code can easily be viewed in web browsers by right-clicking anywhere on the page and selecting the “view page source” option.Figure 7displays our PII data, including first name, last name, the last four digits of the purchaser’s credit card number, credit card type, and the Apple store location used for pickup.

via online business online marketing online business opportunities

Figure 7. Source code view of our Apple order status page.

2.1.6 Intuit Quickbooks

Vendors often email Quickbooks invoice links to customers for payment. Such invoices may be accessible via a publicly accessible unique link (see Figure 8). When the links are viewed using a browser with a Party Y extension, they may be delivered to customers of Company X that request data of Viewing the invoice may reveal the recipient’s full name, address, city, state, zip code, amount paid, invoice number, date, and details of the service, as well as the name and address of the vendor who sent the invoice.

via online business online marketing online business opportunities

Figure 8. Intuit Quickbooks invoice links obtained from the Company X service.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.1.7 Nest Labs

Nest provides businesses and homeowners with 24/7 video surveillance of their property. Nest members can share surveillance videos with others using a publicly accessible unique link. If the sender or recipient of a shared video clip accesses the URL via a browser with a Party Y extension, the link to the clip may then become available through the Company X service (see Figure 9).

via online business online marketing online business opportunities

Figure 9. Redacted URLs of shared Nest security cameras clips.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.1.8 JSFiddle

Web developers use sites such as to share and collaborate code with their colleagues. Developers can access their code via a publicly accessible unique URL. If the senders or recipients visit a URL using a browser with a Party Y extension, the code may appear to members of Company X requesting data on In addition, Google Analytics tools allow Company X members to filter URLs by a visitor’sservice provider. Google Analytics defines the service provider dimension as the internet service provider (ISP) registered to the IP address of the visitor. Many of the largest corporations operate as their own ISP. InFigure 10, we filter the service provider dimension for some of the largest organizations, and observe visits to URLs from those networks. The data obtained from Company X could then be used by bad actors to view or scrape the contents of JSFiddle URLs visited by targeted corporations.

via online business online marketing online business opportunities

Figure 10. Redacted URLs filtered by service provider dimension (ISP).
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.2 Data source type: PII embedded in URL

Insecure practices such as embedding PII in the URL still occurs within many organizations. When browser users with a Party Y extension visit pages with PII in the URL, the data can be viewed by Company X members. A cybercriminal can use such data to find a person’s GPS coordinates in near real-time, commit burglary during a homeowner’s absence, or to stalk travelers along their destinations.

2.2.1 Southwest Airlines, American Airlines, and United Airlines,, and (American) all include passenger last names and record locator (confirmation) numbers within the URL. In addition, URLs may also include a passenger’s first name. On February 6, 2019,Wandera’s threat research teamreported that many airlines, including Southwest Airlines, expose PII in their URLs. During our investigation in early June of 2019, Company X data showed thousands of Southwest URLs containing passenger first names, last names, and record locator numbers within the URL (see Figure 11). 

Note: After disclosure, Southwest confirmed they are aware of this issue and have enhancements underway.

via online business online marketing online business opportunities

Figure 11. URL data containing values for passengerFirstName, passengerLastName, and confirmationNumber.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.2.2 Uber

Uber customers can book rides in a web browser via the website. In doing so, customers with a Party Y browser extension may expose their pickup and drop-off locations to cybercriminals, who could then use such information to stalk riders using their GPS coordinates in near real-time (see Figure 12).

via online business online marketing online business opportunities

Figure 12. URL data containing customer pickup and drop-off locations.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.2.3 Apple example III

InFigure 13, we observe URLs containing email addresses from the hostname. Such email addresses can be cross-referenced with hacked databases located on the dark web to exploit vulnerable Apple users.

via online business online marketing online business opportunities

Figure 13. page URLs containing email addresses.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.3 Data source type: Page titles

To protect corporate assets, security-conscious businesses enforce user authentication to access company documents and portals; however, such businesses may ignore the content of data stored within the page title, which may contain descriptive confidential information. For example, “Firewall needs to be re-enabled. All ports are currently open” or “reset VPN password to [REDACTED-PASSWORD].” The near real-time exposure of such information creates opportunities for cybercriminals to attack individuals or organizations.

2.3.1 Atlassian

Atlassian is an enterprise software company that provides project management and document collaboration software to its clients. Atlassian’s project management software, JIRA, inserts project issues and employee-assigned tasks into the page title. Atlassian customers have the option to self-host Atlassian software or use the Atlassian Cloud platform. Companies that choose the Atlassian Cloud option can host their project management portal on a subdomain of (i.e.,[6]. When a Company X member requests data for, the data includes all subdomains under the domain. Within two hours of requesting data via the Company X service, we observed the collection of 30,000 unique URLs on more than 1,400 subdomains. This included page title data from the following subdomains:BuzzFeed,NBCdigital,AlienVault,CardinalHealth,TMobile,Reddit, andUnderArmour. Users of these subdomains may have a Party Y extension leaking corporate page title and URL data, as shown in the following examples.

Example: page titles include:

“Technical failure for

“Wrong contestant name(s) and/or image(s) displaying online, in the viz, or in the official app”

Examplepage title from an unnamed automotive company:

“Whitelist IP [RED.ACT.ED.IP] and [RED.ACT.ED.IP] for all AWS servers.”

From such information, a cybercriminal would know that the two IP addresses or server(s) have unfettered access to the entire company’s AWS servers. The cybercriminal can use such knowledge to focus all of his or her efforts on breaking into the server(s) associated with those IPs.

2.3.2 Microsoft

OneDrive is a file- and photo-sharing hosting service operated by Microsoft. Users of OneDrive often share their documents with friends or colleagues via a publicly accessible unique link. OneDrive inserts the titles of documents or filenames into the browser page title. The Party Y extensions capture the URL and page title data and deliver it to a Company X customer requesting data on Using Google Analytics advanced filter tools, metadata such as page titles are searchable.Figure 14illustrates a page title search query for the word “tax.” The redacted results include the URLs to page titles such as “2018 Tax Return [REDACTED],” where the redacted text is often an individual’s name. A cybercriminal can access these documents and use the data in them to steal identities and/or view financial income, bank account numbers, social security numbers, and other confidential information.

via online business online marketing online business opportunities

Figure 14. Microsoft OneDrive page title search query for “tax” under the domain.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.3.3 Kareo

Kareo provides healthcare providers with electronic health record (EHR) management via Kareo’s practice management software. Healthcare providers that use Kareo can access patient information via a web browser. Customers ofCompany Xrequesting data on may use Google Analytics to find patient names.Figure 15lists redacted patient names obtained from the Company X service. Furthermore, the figure illustrates many patient names being exposed from a single city. Over a four-day period, we observed 193 unique page titles from Hunters Creek, Florida. We observed the service provider (ISP/ASN/OrgName) value for all entries originating from Hunters Creek as being listed from a single service provider: [REDACTED-CLINIC-NAME] – [REDACTED]. Moreover, we observed all page title entries associated with the visits originating from Windows 7 running Chrome. The metadata led us to suspect the patient-name leak originated from one or more staff member(s) at the unnamed clinic.

READ  Nevada Caucuses — Live Analysis

via online business online marketing online business opportunities

Figure 15. Company X obtained data for the domain name.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.3.4 DrChrono

DrChrono provides an online platform for doctors and patients that makes EHRs available digitally[7]. Healthcare staff members can access such software from their offices.

Customers of Company X requesting data on may use Google Analytics to find patient and medication names.Figure 16displays page title data such as “RefillRequest for [REDACTED-NAME].” In the right-hand column, many of the redacted subdomains of the hostname contain the names of various health clinics and doctors’ offices. Using collected metadata such as timestamp, browser, OS, ISP, and hostname, the metadata may be used to follow the visitor’s browser activity path and infer from this which patient is associated with which medication.

via online business online marketing online business opportunities

Figure 16.Company Xdata for the domain name provided page title data in the following format “Lab Results for JOHN DOE.”
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.3.5 Blue Origin

Blue Origin is a private aerospace company founded by Amazon’s CEO, Jeff Bezos. We observed the following page title data within a Google Analytics account populated by Company X and filtered for the domain name, We observed a subdomain with URL and page title data that follow patterns similar to those of Atlassian’s JIRA software (e.g., /browse/[PROJECT-KEY]-[PROJECT-ID]). Due to the sensitive nature, we have decided against publishing a screenshot. Moreover, we have removed the project-name prefixes (commonly seen with JIRA issues) and suffixes which accompany the page titles.

Blue Origin page title examples:

“manifold [REDACTED] contaminated with [REDACTED] material”


“Rust found in [REDACTED] manifold”

“speed sensor broke during [REDACTED]”

“[REDACTED] Failed Calibration”

“Verify [REDACTED] can survive degrease and clean operations”

2.3.6 FireEye

FireEye is a publicly-traded cybersecurity company with offices around the world. We observed the following page title data within a Google Analytics account populated by Company X and filtered for the domain name, The page titles contained the phrase “JIRA” or originated from hostnames containing that phrase. We observed the service provider (ISP/ASN/OrgName) of the visitor(s) as “fireeye inc.” The city and region metadata components match a city of one of FireEye’s office locations[8]. This leads us to suspect that a user (or users) using the fireeye inc network is impacted by the DataSpii leak.

We have removed any category-name prefixes (commonly seen with JIRA issues) and suffixes which may accompany page titles. Due to the sensitive nature, we decided against publishing a screenshot.

The following are page titles collected from visitor(s) with an ISP listed as:fireeye inc.:

“URL with Malicious download missed detection [REDACTED-URL]”

“Large backup fails when [REDACTED]”

“As [REDACTED] engineer, I would like to run the [REDACTED]”

“Expose what Engines are running on the [REDACTED]”

2.4 Data source type: File attachments

Company X members can search, view, scrape, and save publicly accessible attachments leaked by users with Party Y extensions. This includes document, image, and video attachments from popular platforms such as Facebook Messenger and Zendesk. This vulnerability compromises the possible confidential and/or sensitive nature of the files being transmitted.

2.4.1 Facebook Messenger

The URLs to Facebook Messenger attachments may be captured by Party Y extensions (see Figure 17). In the course of our investigation, we sent a sample JPEG to a friend over Facebook Messenger. We observed the JPEG attachment being served over a publicly accessible URL. While Facebook appears to append query strings that specify a time-limited window for access, Company X is able to provide these URLs in near real-time, thereby allowing access within Facebook’s time-limited window.

via online business online marketing online business opportunities

Figure 17. Search query for “tax” on data collected over a 96-hour period.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.4.2 Zendesk

Many of the world’s largest corporations and organizations use Zendesk for their support ticketing system. The Zendesk website states that their customers include Uber, Airbnb, Mailchimp, GoFundMe, the American Civil Liberties Union (ACLU), and Dollar Shave Club[9]. Users who submit support tickets sometimes attach files containing confidential or personal information. Using an attachment we submitted to a Zendesk portal, we observed the storage of our attachment on thezdusercontent.comdomain name. We observed that the URL to our attachment is publicly accessible. During the investigation of our own Zendesk ticket attachment, we observed that even when the token query parameter was excluded, the attachment still loaded in a remote browser. We discuss redacted query strings inSection 4.1.Figure 18shows other attachment URLs captured on the domain name. Using Google Analytics filter tools, such ticket attachments can be filtered by referrer and narrowed to the companies from which they originate.

Note: Zendesk support instances have a setting which customers can enable to “Require authentication to download [attachments].” As such, the public accessibility of the URLs is dependent upon the setting the customers have in place. By default, it is not enabled.

via online business online marketing online business opportunities

Figure 18. URLs to Zendesk ticket attachments on the domain name.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.5 Data source type: Ephemeral links and authorization strings

In order to defend against malicious activity, businesses may protect publicly accessible URLs by using query string parameters that (a) set a time-limited window for access, (b) add an authorization string, or (c) use (a) and (b) together. However, the ability of Company X to deliver complete URLs to its customers in near real-time renders these security methods less effective, if not altogether ineffective.

2.5.1 Amazon Web Services (AWS) Simple Storage Service (S3) buckets

Per AWS S3 documentation: “By default, all S3 buckets are private and can be accessed only by users that are explicitly granted.” Administrators, however, may authenticate S3 access requests by usingAWS S3 Query String Authentication. This form of authentication includes the following URL query string parameters, that can be captured by Party Y extensions:

  • TheAWSAccessKeyIdspecifies, “the AWS secret access key used to sign the request and, indirectly, the identity of the developer making the request.”
  • TheSignaturespecifies, “[t]he URL encoding of the Base64 encoding of the HMAC-SHA1 of StringToSign.” The encoding is a unique representation that includes an AWS secret access key ID that Amazon assigns to users when they sign up for Amazon Web Services. In other words, it ensures that the request a user is about to make is not modified in transit.
  • TheExpiresparameter specifies when the signature expires and is specified as a UNIX epoch timestamp. Any request received after the specified time will be rejected.

Shopify AWS S3 buckets

Customers of Company X requesting data on can view URLs containing AWSAccessKeyId, Expires, and Signature query string parameters (explained in the previous subsection). The URL is one of many such examples (see Figure 19). A malicious Company X customer can view the captured data in near real-time and use it to access Shopify shipping labels and details about customer orders.

via online business online marketing online business opportunities

Figure 19. A Shopify AWS S3 bucket as an example of how authorization strings and ephemeral links are rendered ineffective by the DataSpii leak.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.5.2 Facebook Photos

Facebook users share private photos on the platform while making use of privacy settings to restrict access. Such Facebook photo privacy settings includePublic,Friends,Custom, andOnly Me. Once posted, the URLs to such photos may reside on the Facebook domain,

To illustrate this, we uploaded a Facebook photo and chose the Only Me photo privacy setting:URL to photo on We viewed this photo with a Party Y extension and observed the URL collection by the extension. Then, within one hour, we witnessed the delivery of the URL by Company X to our Google Analytics account (see Figure 20).

via online business online marketing online business opportunities

Figure 20. The URL to our Facebook photo defined with an “Only me” privacy setting.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

As discussed in our results, our honeypot experiment determined that our URLs collected by Party Y extensions were visited by a third party almost immediately after collection. If a third party were to scrape and collect URLs to domains like, it may enable them to use facial-recognition technology to process and identify individuals visible in the image. While we could only verify visits to our own honeypot domain, third-party viewing, processing, or scraping of such content has disastrous implications for privacy.

2.6 Data source type: API keys, secrets, and tokens

Party Y extensions can capture API authentication credentials, which poses especially vexing security issues. An API can offer software developers an easy way to integrate their software or app with another online platform. In order to serve their function, APIs often provide high-level access to an account. Malicious actors may use API keys and API secrets found on the Company X service to gain access to accounts on cryptocurrency exchanges or financial services, or to access sensitive information from any impacted corporation.

An unnamed, cloud-based website security service

An unnamed platform provides firewall protection services to businesses across the globe. The service’s web portal allows their customers to click on a link to perform firewall actions. Accessing such a link by a user with a Party Y browser extension can deliver the sensitive API key and API secret to a Company X customer requesting data on the unnamed service. A malicious Company X customer can then view customer API keys and secrets, bypass the website’s firewall, and pull the business’s logging data (see Figure 21). Unless use of the API is restricted by IP address, a bad actor can use the API data to wreak havoc on a corporation.

via online business online marketing online business opportunities

Figure 21. Customer API keys and secrets from unnamed cloud firewall provider on display.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

2.7 Data source type: Private LAN environments

For added security, corporations may host their most confidential data on a private intranet that is accessible only from within the organization. For convenience, corporations frequently host their intranet portals on a subdomain of their domain name (e.g., When an employee with internet and intranet access has a Party Y extension and browses intranet portals on a company subdomain, the extension captures the private intranet browsing activity data before sending it to Party Y servers, which in turn deliver the data to any Company X customer requesting it on the corporation’s domain name.

Many of the page titles on the intranet subdomains include what appear to be employee tasks and issues. Data provided by Company X can provide competitors, state-sponsored actors, and cybercriminals with proprietary secrets, information about existing cybersecurity vulnerabilities, and other sensitive corporate data such as internal health memos.

We employed three prongs to identify corporations impacted by this data type. First, we used readily available DNS tools to ascertain whether the hostname for a data point was publicly resolvable. Second, we ascertained the visitor’s internet service provider (ISP). Many of the impacted Fortune 500 companies act as their own ISP with their own autonomous system number (ASN). Third, we relied on city and region metadata to ascertain if the visitor was near an impacted company’s place of operation.

We ascertained whether the three conditions listed below occurred. If at least two of the conditions occurred (condition 1 being required), we then presumed that the page visit was from a LAN environment, suggesting that a network user or staff member of the corporation may have a Party Y browser extension:

  1. the hostname is not publicly resolvable or the hostname points to an IP in the known private LAN IP range (i.e.,,, or
  2. the Service Provider (ISP/ASN/OrgName) value matches the name of the company;
  3. the City and Region metadata show the visitor is near or in the city of an office location of the impacted company.

We denote each page title with one of the following notations:All three conditions occurred.
¦Conditions 1 and 3 are confirmed. We use this notation to acknowledge that not all companies operate their own ASN. In addition, some users may use a VPN to access a corporate LAN while maintaining a wide-area-network (WAN) IP via their local ISP, such as Comcast.
§Conditions 1 and 2 are confirmed, and the City and Region metadata were missing.

Due to the sensitive page title data, we do not provide screenshots but instead provide the redacted examples in text. The prefixes and suffixes that identify the category or task, like those used by JIRA, have been removed as well. We raise this note to make readers aware that most page titles belong to a subcategory of the removed category prefix under which those page titles were raised.

The following page titles were obtained from Company X, and we identify the pages as originating from a private LAN environment:

2.7.1 Health technology companies, including AthenaHealth and Epic Systems, Inc.

“Vaccines not being marked as completed once administered”

“Case Delays due to Emergent Case after Patient is In Room”

“PRN Medications administered multiple times”

”Giving OR Nurses Access to [REDACTED]”

“Timed PT Services are Displayed and Calculated Incorrectly on The Billing Tab”

”Newborns not showing up in [REDACTED]”

2.7.2 Pharmaceutical companies, including Amgen, Merck, Pfizer, and Roche

“[REDACTED] Samples were approved without approving the test results”

§“URGENT Missing Samples [REDACTED]”

§“Revise Sample Limit of [REDACTED] 5mg to [REDACTED] Packs per person/year”

“[REDACTED] Aliquotting Issue prevents [REDACTED] from fully documenting [REDACTED]”

“Personnel plates were not marked as sampled”

“User Approved own entered results”

“We would like to use Jira as a ticketing system for handling request based on privacy regulations globally”

READ  Via online business online marketing online business opportunities Expanding the cloud to the Middle East: Introducing the AWS Middle East (Bahrain) Region


“Samples are showing Out of Spec even when the results are In spec”

“[REDACTED] admin disable api key”

“Need the Parent [REDACTED] ID visible when attempting to match customers, see attachment for more detail”

“Update library dependencies per [REDACTED] vulnerabilities”

2.7.3 Kaiser Permanente

“Unpatched Library/Software: [REDACTED] Risk-High – [REDACTED] Jira”


2.7.4 Unnamed airplane manufacturer

“MFA access does not work through [REDACTED].”

Note: MFA is an acronym often used for multifactor authentication. Bad actors could act on such near real-time information to gain access to systems.

2.7.5 SpaceX

[REDACTED] Propulsion Failures”

[REDACTED] Vent Pressure [REDACTED] Displacement”

“Dragon 2 Propulsion Initialization [REDACTED]”

2.7.6 Tesla
‖ “Investigate [REDACTED] Raven front drivetrain [REDACTED] at [REDACTED] MPH and also [REDACTED]”

“Model [REDACTED] Significant white oxidation along the [REDACTED]”

“[REDACTED VIN#] Driving at speeds of approx 5 to 25 mph there is a loud whining sound from the rear drive unit. Noticed that when checking oil level that [REDACTED]”

“Periodic clunking noises while supercharging Model [REDACTED]”

“Bring back [REDACTED] trims for Model [REDACTED] features pages in the Performance section”

2.7.7 Apple

“Issue where [REDACTED] and [REDACTED] field are getting updated in response of story and collection update APIs by [REDACTED]”

“New hit test API & [REDACTED] concept”

“HomePod Settings (New Proposal) [REDACTED]”

“scripts for testing VIO accuracy amoung [sic] various devices”

2.7.8 Cybersecurity firms, including Symantec, Trend Micro, and Palo Alto Networks

“[REDACTED] Production Security vulnerabilities detected in [REDACTED]”

“[REDACTED] does not have [REDACTED] agents deployed to enable security monitoring”


¦“[REDACTED-TIER] – [REDACTED-MAJOR-RETAIL-CORP] – Evaluate false positive for [REDACTED]”

¦“[REDACTED-TIER] – [REDACTED-MAJOR-TELECOM-CORP] – SMS only providing limited Log History”

“[REDACTED] Servers reaching maximum capacity and processing capabilities”

¦“Reputation filter ignoring IP exceptions”

¦“[REDACTED] fails to activate package when large number of malware references are present on a filter”

“IPS Performance degrades after enabling OOB”

Note: IPS is a common acronym for Intrusion Protection System; OOB is a common acronym for Out-of-Band.

2.8 Example attack scenario

One Fortune 500 company’s private LAN data included the following page titles:


“Supermicro PSUs are bad”

“Please install latest CentOS on [REDACTED]”

“Snapshot strategy: Moving from 30 dailies, to 5 dailies, and 2 weeklies”


A bad actor’s access to such data will inform him or her of the following:

(1) the Fortune 500 company’s disaster recovery strategy;

(2) the brand of hardware in use;

(3) the IP address to a server that has access to an NFS storage unit;

(4) the company’s preferred Linux distribution; and

(5) a large LAN IP block with full access to a folder.

Such data can be used by bad actors to pinpoint attack vectors and plan a large-scale breach.

Via online business online marketing online business opportunities3. Methodology

To identify the extensions involved in data collection, we began our analysis by reviewing the first reported extension: Hover Zoom. In order to view the data captured by the extension, we analyzed the extension in an isolated environment. We used this controlled environment to verify whether the data was being collected by the extension, to decode and decompress the data, and to verify whether it was accessible via the Company X service.

3.1 Extension analysis environment

In order to set up an environment with minimal interference, we employed the following:

  1. Installation of a clean operating system (OS).Personal computers can be contaminated and exposed to malware in a variety of ways. OS software obtained from third-party providers may contain malware[10]. To decrease such risks, we provisioned a Windows Server 2016 virtual machine by using an OS ISO downloaded directly from
  2. Clean IP.To rule out interference from ad networks or other third parties having obtained data from an IP address, we allocated to the server an IP address that had not been used for at least five years before this experiment.
  3. Browser.For each browser tested, we installed the browser by downloading the installation file from the browser vendor’s website.
  4. Burp Suite.Burp Suite, a web application security tool downloaded from, was used for recon and analysis. The app acts as an intermediary between the browser and destination web server, allowing inspection and analysis of web traffic. Burp Suite records all requests from the moment of extension installation and continues to do so as long as the application remains open.
  5. FoxyProxy Standard Chrome Extension.This extension proxies Chrome requests to Burp Suite. After vetting FoxyProxy, we used this extension in our Windows OS testing environment. We chose FoxyProxy instead of the native Windows proxy service because the native service tended to add unnecessary traffic bulk to our Burp Suite data. We also verified our results using other operating systems such as Chrome OS running on a Chromebook, and in some instances without using FoxyProxy.
  6. Suspected extension.We installed each browser extension in question using the resource from which it is most likely to be downloaded by everyday users (e.g., the Chrome Web Store). However, the invasive behavior of the Helper Firefox extension only occurred when downloaded from the extension author’s website, In addition, we downloaded Firefox’s FairShare Unlock extension from

We used Chrome, Chromium, and Firefox to verify that the leak can occur on macOS, Ubuntu, Windows, and Chrome OS (the OS used on Chromebooks).

3.2 Tools for analysis

For analysis, we used Burp Suite as well as Chrome’s Development Tools; specifically, we used “Inspect views background page” for each extension. We inspected the background page to monitor live events and network traffic requests initiated by the extension. We reviewed historical and live events via Burp Suite. We noted the timestamp, hostname, URL query strings, HTTP status, response length, the raw requests and responses for each request, and the sequence of the requests. We then searched for temporal patterns and anomalous requests such as an unusually long response length that occurred while the browser was idle. Such high response lengths may indicate either the download of an extension’s data collection instruction set or the more commonly observed automated extension update.

In some cases, the raw responses of requests contained minified source code, making it difficult to read. We used readily available unminification tools (e.g., Atom Beautify,, to translate the code into a more readable format. For additional extension source code analysis, we usedRob Wu’s CRX Viewer. We informed ourselves with actionable intelligence provided byDuo Security’s CRXcavator. We usedPacketTotal’s PCAP historical analysis database to perform research on the hostnames that we uncovered via Burp Suite. For the historical WHOIS and hosting information of those hostnames, we For greater hosting and DNS insight, we further assessed the hostnames and IPs usingFarsight Security’s historical DNS database. We also performed a quantitative text and source code analysis of each extension author’s website, including the extension’s terms of service and privacy policy pages. In order to find similar sites and extensions, we used search engine tools such asPublicWWW.comto perform reverse source code lookups.

Via online business online marketing online business opportunities4. Results

4.1 Observations

The sync expansion

In order to provide a consistent experience across all devices,Chrome’s Sync functionautomatically syncs bookmarks, history, settings, and browser extensions across all computers logged into Chrome using a Gmail account. Consequently, an invasive extension combined with the browser’s syncing behavior enables data collection from all logged-in locations (e.g., home and work computers).

HTTPS and HTTP environments

The browser’s powerful API functions allow extensions to tap into browser activity. When an invasive extension is installed within the browser, it can access page content — regardless of whether the site being visited is listed as secure (i.e., it uses HTTPS) or insecure (i.e., it does not use HTTPS). The extension may then collect data and send it off to a server for processing.

Redaction methods

Company X-provided page URL data of (American Airlines) displayed redacted last names with “*****”. During our analysis of Hover Zoom’s POST requests in Burp Suite, we observed redaction of common query string parameters such as “lastName.” However, passenger names from Company X-provided URL data of (Southwest Airlines) were unredacted. Our observations suggest that this is due to the query string parameter (passengerLastName) employed by Southwest’s web developers. Hover Zoom exhibited redaction capabilities for obvious query string parameters; however, we did not observe such behavior for variations of such parameters.

During our analysis of SuperZoom’s POST requests, we did not observe any redaction capabilities. As a result, query string parameters such as lastname, firstname, username, password, ssn, and apikey, were not redacted, and were visible in data delivered to customers of Company X (see Figures 22 and 23).

via online business online marketing online business opportunities

Figure 22. Company X-provided data on our page visits using a browser with the SuperZoom extension. Visible are the unredacted query strings values for lastname, username, ssn, cc, password, and apikey. Using Burp Suite, we observed the unredacted data in SuperZoom’s POST request to
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

via online business online marketing online business opportunities

Figure 23. Company X-provided data for our own domain.

We did, however, note that some redaction was performed post-collection. Using a browser with a Party Y extension, we submitted a URL with the parameter “[email protected]” In each instance, regardless of whether the extension performed redaction of the email address, the address was delivered to us by Company X with the redaction

4.1.1 POST request patterns

We observed all eight extensions perform POST requests to hostnames that resolve to two groups of IPs. The first group, identified as Group A, consists of five hostnames that were observed from four extensions. The five hostnames from Group A resolve to the same two IP addresses and use a subdomain of the following names: “cr-b” or “ff-b.” The second group, identified as Group B, consists of eight hostnames that all resolve to the same five IP addresses. IP Group B hostnames use subdomains of the following patterns: “cr-input” or “ff-input.” We observe that all invasive Chrome extensions send their requests to hostnames that begin with “cr.” All invasive Firefox extensions send their requests to hostnames that begin with “ff.”

4.1.2 Hostnames

Using the available toolsets, we uncovered Party Y hostnames being used in data collection for Company X (see Table 3).

Table 3. GET and POST request Hostnames used by Party Y extensions.

Group AGroup B

Each Group A hostname has two DNS A records that resolve to and

Each Group B hostname has five DNS A records that resolve to,,,,, and

We observed eight Party Y extensions making GET or POST requests to one or more of theTable 3hostnames.

We uncovered other hostnames, as well; however, we were unable to link them to any extension (see Table 4). These hostnames use DNS A records that point to the same DNS A records as those discussed inTable 3’s respective Group A and B hostnames. It is possible these extensions were already flagged or removed from browser vendor stores. If you, the reader, recognize any of the following hostnames to an extension, or believe there are other extensions involved, please report them using theextension report form.

Table 4. Hostnames not yet identified with any particular extension.

Unidentified Group A hostnamesUnidentified Group B hostnames

4.1.3 Text analysis

Notwithstanding the Helper extension, the privacy policies of the other five extensions are nearly identical. They share the same verbiage. FairShare Labs, PanelMeasurement, and Super Zoom listed the same business address on the extension author website, extension Chrome web store page, or extension privacy policy page, respectively. Links to the policies can be found in the appendices.

4.1.4 Data collection

To simplify the results for the body of our report, we analyzed a single extension, Hover Zoom. Figures and analyses for the other five extensions can be found in the appendices.

Immediately after the installation of Hover Zoom, we observed a GET request tocr-b.hvrzm.comcontaining query strings noting a unique browser ID, the extension’s installation time, install version, current version, and Hover Zoom’s Chrome extension ID. Using screenshots from Burp Suite, we present these requests inFigures 24 through 34. We identify the individual GET and POST requests using the request number located in the left-hand column of the screenshot (see Figure 24).

We observed the extension’s automated update to a new version, but, once again, we did not observe the collection of browsing activity data; however, 24 days after installation, we did observe a second automated update to the extension. Immediately following the second automated update, a GET request to was again performed with query strings noting the unique browser ID, installation time, install version (noted as two versions prior), current version, and Chrome extension ID (see Figure 25). One second later, another GET request was made, notably with a 156KB response payload. Following this request, all subsequent browser activity data was collected and sent via POST request Notably, thecr-input.hvrzm.comhostname does not appear in the original source code of the extension, nor does it appear in an installation on a new device. InFigure 26, we observe a uniquereasonquery string parameter in the GET request.Figure 27is the 156KB response payload toFigure 26’s GET request. We found 150KB of the original 156KB response payload stored in a file located in the Google Chrome profile’s File System folder, C:UsersAdministratorAppDataLocalGoogleChromeUser DataDefaultFile System

Please Login to Comment.