Are you using Mozilla Firefox or Google Chrome extensions? Your personal data may be leaking, harvested and sold online.

jserraglio
Posts: 5845
Joined: Sun May 29, 2005 7:06 am
Location: Cleveland, Ohio


Post by jserraglio » Fri Jul 19, 2019 11:36 am

THE WASHINGTON POST

I found your data.
It's for sale.
And it's partly your fault.


PERSPECTIVE
by Geoffrey Fowler

I’ve watched you check in for a flight and seen your doctor refilling a prescription.

I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant.

I found your data because it’s for sale online. Even more terrifying: It’s happening because of software you probably installed yourself.

My latest investigation into the secret life of our data is not a fire drill. Working with an independent security researcher, I found as many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox. Even a colleague in The Washington Post’s newsroom got caught up. When we told browser makers Google and Mozilla, they shut these leaks immediately — but we probably identified only a fraction of the problem.

The root of this privacy train wreck is browser extensions. Also known as add-ons and plug-ins, they’re little programs used by nearly half of all desktop Web surfers to make browsing better, such as finding coupons or remembering passwords. People install them assuming that any software offered in a store run by Chrome or Firefox has got to be legit.

Not. At. All. Some extensions have a side hustle in spying. From a privileged perch in your browser, they pass information about where you surf and what you view into a murky data economy. Think about everything you do in your browser at work and home — it’s a digital proxy for your brain. Now imagine those clicks beaming out of your computer to be harvested for marketers, data brokers or hackers.

Some extensions make surveillance sound like a sweet deal: This week, Amazon was offering people $10 to install its Assistant extension. In the fine print, Amazon said the extension collects your browsing history and what’s on the pages you view, though all that data stays inside the giant company. (Amazon CEO Jeff Bezos owns The Washington Post.) Academic researchers say there are thousands of extensions that gather browsing data — many with loose or downright deceptive data practices — lurking in the online stores of Google and even the more privacy-friendly Mozilla.

The extensions we found selling your data show just how dangerous browser surveillance can be. What’s unusual about this leak is that we got to watch it taking place. This isn’t a theoretical privacy problem: Here’s exactly how millions of people’s data got grabbed and sold — and the failed safeguards from browser makers that let it happen.

A ‘catastrophic’ leak

I didn’t realize the scale of the extension problem until I heard from Sam Jadali. He runs a website hosting business, and earlier this year found some of his clients’ data for sale online. Figuring out how that happened became a six-month obsession.

Jadali found the data on a website called Nacho Analytics. Just one small player in the data economy, Nacho bills itself on its website as a marketing intelligence service. It offers data about what’s being clicked on at almost any website — including actual Web addresses — for as little as $49 per month.

That data, Nacho claims, comes from people who opt in to being tracked, and it redacts personally identifiable information.

The deeper Jadali looked on Nacho, the more he found that went way beyond marketing data. Web addresses — everything you see after the letters “http” — page titles and other browsing records might not seem like they’d expose much. But sometimes they contain secrets sites forget to hide away.

Jadali found usernames, passwords and GPS coordinates, even though Nacho said it scrubs personal information from its data. “I started realizing this was a leak on a catastrophic scale,” Jadali told me.

What he showed me made my jaw drop. Three examples:

— From DrChrono, a medical records service, we saw the names of patients, doctors, and even medications. From another service, called Kareo, we saw patient names.

— From Southwest, we saw the first and last names, as well as confirmation numbers, of people checking into flights. From United, we saw last names and passenger record numbers.

— From OneDrive, Microsoft’s cloud storage service, we saw a hundred documents named “tax.” We didn’t click on any of these links to avoid further exposing sensitive data.

It wasn’t just personal secrets. Employees from more than 50 major corporations were exposing what they were working on (including top-secret stuff) in the titles of memos and project reports. There was even information about internal corporate networks and firewall codes. This should make IT security departments very nervous.

Jadali documented his findings in a report titled “DataSpii,” and has spent the last two weeks disclosing the leaks to the companies he identified — many of which he thinks could do a better job keeping secrets out of at-risk browser data. I also contacted all the companies I name in this column. Kareo and Southwest told me they’re removing names from page data.

I wondered if Jadali could find any data from inside The Washington Post. Shortly after I asked, Jadali asked me if I had a colleague named Nick Mourtoupalas. On Nacho, Jadali could see him clicking on our internal websites. Mourtoupalas had just viewed a page about the summer interns. Over months, he’d probably leaked much, much more.

I called up Mourtoupalas, a newsroom copy aide. Pardon the interruption, I said, but your browser is leaking.

“Oh, wow, oh, wow,” Mourtoupalas said. He hadn’t ever “opted in” to having his Web browsing tracked. “What have I done wrong?”

Follow the data

I asked Mourtoupalas if he’d ever added anything to Chrome. He pulled up his extensions dashboard and found he’d installed 17 of them. “I didn’t download anything crazy or shady looking,” he said.

One of them was called Hover Zoom. It markets itself in the Chrome Web Store and its website as a way to enlarge photos when you put your mouse over them. Mourtoupalas remembered learning about it on Reddit. Earlier this year, it had 800,000 users.

When you install Hover Zoom, a message pops up saying it can “read and change your browsing history.” There’s little indication Hover Zoom is in the business of selling that data.

I tried to reach all the contacts I could find for Hover Zoom’s makers. One person, Romain Vallet, told me he hadn’t been its owner for several years, but declined to say who was now. No one else replied.

Jadali tested the links between extensions and Nacho by installing a bunch himself and watching to see if his data appeared for sale. We did some of these together, with me as a willing victim. After I installed an extension called PanelMeasurement, Jadali showed me how he could access private iPhone and Facebook photos I’d opened in Chrome, as well as a OneDrive document I had named “Geoff’s Private Document.” (To find the latter, all he had to do was search page titles on Nacho for “Geoff.”)

In total, Jadali’s research identified six suspect Chrome and Firefox extensions with more than a few users: Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock and PanelMeasurement.

They all state in either their terms of service, privacy policies or descriptions that they may collect data. But only two of them — FairShare Unlock and PanelMeasurement — explicitly highlight to users that they collect browser activity data and promise to reward people for surfing the Web.

“If I’ve fallen in for using this extension, I know hundreds of thousands of other people easily have also,” Mourtoupalas told me. He’s now turned off all but three extensions, each from a well-known company.

The tip of the iceberg

After we disclosed the leaks to browser makers, Google remotely deactivated seven extensions, and Mozilla did the same to two others (in addition to one it disabled in February). Together, they had tallied more than 4 million users. If you had any of them installed, they should no longer work.

A firm called DDMR that made FairShare Unlock and PanelMeasurement told me the ban was unfair because it sought user consent. (It declined to say who its clients were, but said its terms prohibited customers from selling confidential information.) None of the other extension makers answered my questions about why they collected browsing data.

A few days after the shutdown, Nacho posted a notice on its website that it had suffered a “permanent” data outage and would no longer take on new clients, or provide new data for existing ones.

But that doesn’t mean this problem is over.

North Carolina State University researchers recently tested how many of the 180,000 available Chrome extensions leak privacy-sensitive data. They found 3,800 such extensions — and the 10 most popular alone have more than 60 million users.

“Not all of these companies are malicious, or doing this on purpose, but they have the ability to sell your data if they want,” said Alexandros Kapravelos, a computer science professor who worked on the study.

Extension makers sometimes cash out by selling to companies that convert their popular extensions into data Hoovers. The 382 extensions Kapravelos suspects are in the data-sale business have nearly 8 million users. “There is no regulation that prevents them from doing this,” he said.

So why aren’t Google and Mozilla stopping it? Researchers have been calling out nefarious extensions for years, and the companies say they vet what’s in their stores. “We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort,” said Google senior director Margret Schmidt.

But clearly it’s insufficient. Jadali found two extensions waited three to five weeks to begin leaking data, and he suspects they may have delayed to avoid detection. Google recently announced it would begin requiring extensions to minimize the data they access, among other technical changes. Mozilla said its recent focus has also been on limiting the damage add-ons can do.

Just as big a problem is a data industry that’s grown cavalier about turning our lives into its raw material.

In an interview, Nacho CEO Mike Roberts wouldn’t say where he sourced his data. But Jadali, he said, violated Nacho’s terms of service by looking at personal information. “No actual Nacho Analytics customer was looking at this stuff. The only people that saw any private information was you guys,” Roberts said.

I’m not certain how he could know that. There were so many secrets on Nacho that tracking down all the ways they might have been used is impossible.

His defense of Nacho boiled down to this: It’s just the way the Internet works.

Roberts said he believed the people who contributed data to Nacho — including my colleague — were “informed.” He added: “I guess it wouldn’t surprise me if some people aren’t aware of what every tool or website does with their data.”

Nacho is not so different, he said, from others in his industry. “The difference is that I wanted to level the playing field and put the same power into the hands of marketers and entrepreneurs — and that created a lot more transparency,” he said. “In a way, that transparency can be like looking into a black mirror.”

He’s not entirely wrong. Large swaths of the tech industry treat tracking as an acceptable way to make money, whether most of us realize what’s really going on. Amazon will give you a $10 coupon for it. Google tracks your searches, and even your activity in Chrome, to build out a lucrative dossier on you. Facebook does the same with your activity in its apps, and off.

Of course, those companies don’t usually leave your personal information hanging out on the open Internet for sale. But just because it’s hidden doesn’t make it any less scary.

Geoffrey A. Fowler is The Washington Post’s technology columnist based in San Francisco. He joined The Post in 2017 after 16 years with the Wall Street Journal writing about consumer technology, Silicon Valley, national affairs and China.

John F
Posts: 21045
Joined: Mon Mar 26, 2007 4:41 am
Location: Brooklyn, NY


Post by John F » Fri Jul 19, 2019 2:29 pm

Fowler mentions a few specific add-ons: Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock and PanelMeasurement. These are specialized utilities that not many use; I certainly don't. The really popular add-ons, like AdBlock Plus, aren't mentioned.

Firefox has a Do Not Track option which, they say, is turned on for all new installations of Firefox. Those who've been using Firefox since before the option was added need to turn it on; Mozilla says so on the Firefox web site. Of course many won't bother, or even know it's there, but then many people won't have their children vaccinated against measles.
John Francis

Rach3
Posts: 1447
Joined: Tue Apr 03, 2018 9:17 am


Post by Rach3 » Fri Jul 19, 2019 5:53 pm

John F wrote:
Fri Jul 19, 2019 2:29 pm
Firefox has a Do Not Track option which, they say, is turned on for all new installations of Firefox. Those who've been using Firefox since before the option was added need to turn it on; Mozilla says so on the Firefox web site. Of course many won't bother, or even know it's there, but then many people won't have their children vaccinated against measles.
Bravo, 2 marks!! "You can't fix stupid".


Post by jserraglio » Fri Jul 19, 2019 6:53 pm

John F wrote:
Fri Jul 19, 2019 2:29 pm
These are specialized utilities that not many use; I certainly don't.
Geoffrey Fowler wrote: I found as many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox . . . . When we told browser makers Google and Mozilla, they shut these leaks immediately — but we probably identified only a fraction of the problem . . . . Here’s exactly how millions of people’s data got grabbed and sold — and the failed safeguards from browser makers that let it happen.
Browser extensions are hosted by the browser — they are add-on miniature apps, not part of the original application.

So if Firefox with suspect extensions installed were as leakproof as has been suggested here, then why would Mozilla, red-faced, have to scurry to shut off leaky faucets in some of their approved browser extensions after being alerted by the WAPO investigative team?

Why did Mozilla have to intervene at all if their no-tracking system is so effective?

Were some extensions not affected by the "no-tracking" feature of their Firefox browser, thereby causing Mozilla to have to make ad hoc interventions to disable them?

If so, then what about WAPO investigation's ominous assertion that they "probably identified only a fraction of the problem"?


Post by John F » Sat Jul 20, 2019 6:03 am

I think you're taking the Post story too much at their word. You should be putting such questions to them, not me. Fowler doesn't provide the kind of technical detail to persuade me that he is justified in pushing the panic button, and I can't find those technicalities anywhere else on the Web. If you can, I'd like to have the link(s).

Certainly privacy is an important issue, and surreptitious tracking is worrying. But if Firefox users don't make use of the protections Mozilla added to the browser years ago and has strengthened in the last couple of years, or update Firefox so that these protections are available in their copies, be it on their heads. As I said.
John Francis


Post by jserraglio » Sat Jul 20, 2019 6:49 am

John F wrote:
Sat Jul 20, 2019 6:03 am
I think you're taking the Post story too much at their word . . .
. . . And I think you're taking on faith Mozilla's ability to block leaks of your browsing history and critical personal data via its add-ons and extensions.

After re-reading Fowler, I now believe that enabling Firefox's global no-tracking option will not prevent a third-party extension from logging, selling or even stealing a user's data. Worse still, that user may be lulled into a false sense of security, believing that Firefox's no-tracking protections also apply to its add-ons.

It appears that the burden has now shifted to the user, given what Fowler calls "the failed safeguards from browser makers that let it happen". Evidently, one can now no longer rely on the browser-maker; one must now exercise the same caution with extensions that one would use in installing any new piece of software from scratch.

Meanwhile, absent my own technical expertise, I'm cheerfully gonna credit Fowler's. Notice that he employed an independent security expert to verify the results of his investigation. Notice also that the browser companies thought enough of his alerts to immediately disable the rogue extensions he found, suggesting that they found his results credible.

Bottom line:
My wife uses Firefox for all sorts of sensitive transactions that require personal data. As a precaution, in the wake of Fowler's daunting report, I have uninstalled every single extension in her browser except ad-blocking, and I am starting to worry even about that one. These extensions were superfluous features originally installed for the sake of convenience when I believed that Mozilla stood behind them. Now that I know they are not being vetted, I bid them a not-so-fond farewell.

I've been using manually enabled no-tracking in Firefox for many years. Unfortunately, I now think that alone will not prevent the kind of security leaks Fowler exposed in his report.


Post by Rach3 » Sat Jul 20, 2019 5:30 pm

I use a Mac and only Safari and Mozilla browsers. I have never added, nor have, any of the plug-ins, extensions mentioned in the article.


Post by jserraglio » Sat Jul 20, 2019 7:15 pm

Rach3 wrote:
Sat Jul 20, 2019 5:30 pm
I have never added, nor have, any of the plug-ins, extensions mentioned in the article.
The security threat, as Fowler states, probably involves many more add-ons and extensions than are mentioned in his report. And neither Mozilla nor Google has a handle on it yet, though Mozilla is trying.

Electing safety over risk, I have uninstalled all extensions in both Firefox and Chrome.

lennygoran
Posts: 15128
Joined: Tue Mar 27, 2007 9:28 pm
Location: new york city


Post by lennygoran » Sat Jul 20, 2019 8:11 pm

jserraglio wrote:
Sat Jul 20, 2019 7:15 pm
Electing safety over risk, I have uninstalled all extensions in both Firefox and Chrome.
I use Firefox on my PC - how do I find out if I have any extensions? Also I use Chrome on my tablet, then I use Firefox there - how do I find out if there are extensions there? Regards, Len


Post by John F » Sat Jul 20, 2019 9:52 pm

In Firefox, click Tools in the main menu at the top, then Add-ons. The Add-ons installed in your Firefox are listed under Extensions and Plug-ins.

Firefox comes with some Add-ons installed by Mozilla and these should be left alone, as they may be needed to view some items in web sites. If you're unsure about any Add-on, you can disable it without deleting it - click on the three dots to the right to see the options. If that breaks anything on the web sites you visit, you can enable it again.
John Francis
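
The menu route above lists what is installed; what each add-on is permitted to see is declared in its manifest.json. The following is an added example, not part of the post above or of Fowler's article: a Python script that reads extension manifests (unpacked folders or Firefox .xpi files) under a directory you give it and flags those that request access to browsing history, tab URLs or every website. The two sample manifests and their names are constructed for illustration.

```python
"""Flag browser extensions whose manifests request access to browsing data."""
import json
import os
import sys
import zipfile

# WebExtension API permissions that let an extension read visited URLs or page titles.
URL_EXPOSING = {"tabs", "history", "webNavigation", "webRequest", "topSites"}
# Host patterns that grant access to every site the user opens.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

# Constructed sample manifests (hypothetical extensions, not real products).
SAMPLE_ZOOMER = {"name": "Example Image Zoomer (constructed)", "version": "1.0",
                 "manifest_version": 2,
                 "permissions": ["history", "storage", "<all_urls>"]}
SAMPLE_NOTES = {"name": "Example Notes (constructed)", "version": "2.1",
                "manifest_version": 3, "permissions": ["storage"],
                "host_permissions": ["https://notes.example/*"]}


def audit_manifest(manifest):
    """Return the URL-exposing permissions and broad host patterns a manifest declares."""
    declared = []
    for key in PERMISSION_KEYS:
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    # Content scripts run inside pages, so their match patterns count as host access.
    for script in manifest.get("content_scripts", []):
        declared += [m for m in script.get("matches", []) if isinstance(m, str)]
    url_apis = sorted(set(declared) & URL_EXPOSING)
    broad_hosts = sorted(set(declared) & BROAD_HOSTS)
    return {
        "name": str(manifest.get("name", "?")),
        "version": str(manifest.get("version", "?")),
        "url_apis": url_apis,
        "broad_hosts": broad_hosts,
        "flagged": bool(url_apis or broad_hosts),
    }


def load_manifests(root):
    """Yield (path, manifest) for each manifest.json or .xpi archive under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if fname == "manifest.json":
                    with open(path, encoding="utf-8-sig") as fh:
                        yield path, json.load(fh)
                elif fname.endswith(".xpi"):
                    with zipfile.ZipFile(path) as xpi:
                        raw = xpi.read("manifest.json").decode("utf-8-sig")
                    yield path, json.loads(raw)
            except (OSError, KeyError, ValueError, zipfile.BadZipFile):
                continue  # unreadable or malformed entry: skip it, keep scanning


def scan(root):
    """Audit everything under root; flagged extensions sort first."""
    results = [dict(audit_manifest(m), path=p)
               for p, m in load_manifests(root) if isinstance(m, dict)]
    return sorted(results, key=lambda r: (not r["flagged"], r["name"]))


def describe(result):
    """One report line per extension."""
    if not result["flagged"]:
        return f"ok      {result['name']} {result['version']}"
    reasons = result["url_apis"] + result["broad_hosts"]
    return f"REVIEW  {result['name']} {result['version']}: {', '.join(reasons)}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for directory in sys.argv[1:]:
            for item in scan(directory):
                print(describe(item))
    else:
        # No directory given: run on the constructed samples.
        for sample in (SAMPLE_ZOOMER, SAMPLE_NOTES):
            print(describe(audit_manifest(sample)))
```

Run it with the browser profile folder as the argument. A REVIEW line shows what the add-on is able to read, not that it sells anything, and many legitimate add-ons request these permissions.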


Post by John F » Sun Jul 21, 2019 3:20 am

Here's information from the Mozilla Blog about how Firefox now handles tracking and intends to. I summarized this briefly earlier in this thread, but this spells it out.

When it comes to privacy, default settings matter!
Peter Dolanjski
June 4, 2019

What if I told you that on nearly every single website you visit, data about you was transmitted to dozens or even hundreds of companies, all so that the website could earn an additional $0.00008 per ad! This is a key finding from a new study on behaviorally targeted advertisements from Carnegie Mellon University and it should be a wake-up call to all of us. The status quo of pervasive data collection in service of ad targeting is untenable. That is why we’re announcing some key changes to Firefox.

Today marks an important milestone in the history of Firefox and the web. As of today, for new users who download and install Firefox for the first time, Enhanced Tracking Protection will automatically be set on by default, protecting our users from the pervasive tracking and collection of personal data by ad networks and tech companies.

It seems that each week a new tech company decides to decree that privacy is a human right. They tout how their products provide people with “choices” to change the settings if they wish to opt into a greater level of privacy protection to exemplify how they are putting privacy first. That begs the question — do people really want more complex settings to understand and fiddle with or do they simply want products that respect their privacy and align with their expectations to begin with?

Privacy shouldn’t be relegated to optional settings

When thinking about consumer privacy online, I’m reminded of the behavioral economics studies which led to 401K plans (US retirement savings plans) moving from voluntary enrollment to auto-enrollment. Not too long ago most defined contribution retirement savings plans in the US required employees to sign-up and volunteer to start participating. Participation rates were very low. Why was that? Was it because people didn’t care about saving for retirement? Not at all! There were simply too many barriers to aligning with people’s expectations and desires and the benefits of saving for retirement aren’t felt immediately.

We are in a similar position with respect to software privacy settings. Pervasive tracking is too opaque and potential privacy harms are never felt immediately. The general argument from tech companies is that consumers can always decide to dive into their browser settings and modify the defaults. The reality is that most people will never do that. Yet, we know that people are broadly opposed to the status quo of pervasive cross-site tracking and data collection, particularly when they learn the details on how tracking actually works.

We also know that traditional privacy features such as Chrome’s Incognito mode are failing to live up to consumer expectations. The feature might keep your spouse from knowing what you’re thinking about getting them for your anniversary by erasing your history, but it does not prevent third-party tracking. Our research shows that Firefox users are seeking out privacy protection, particularly through the use of Firefox’s Private Browsing mode. In fact, nearly 25% of web page loads in Firefox take place in a Private Browsing window. The good news for these users is that Firefox’s Private Browsing mode has long put users first by blocking tracking. The bad news is that this generally isn’t true for many popular browsers, which allow tracking even in private browsing/incognito mode. A recent study found that users don’t understand this and think their data is being protected, when it is actually not.

As was the case with retirement savings plans, what this shows us is that the burden needs to shift from the consumers to the companies whereby the complexity of privacy settings shouldn’t be placed on users to figure out. The product defaults should simply align with consumer expectations. That is the approach we are taking in Firefox.

Enhanced Tracking Protection by Default

As stated above, new Firefox users will have strong privacy protection from the moment they install. We also expect to deliver the same functionality to existing users over the coming months. Because we are modifying the fundamental way in which cookies and browser storage operate, we’ve been very rigorous in our testing and roll-out plans to ensure our users are not experiencing unforeseen usability issues. If you’re already using Firefox and can’t wait, you can turn this feature on by clicking on the menu icon marked by three horizontal lines at the top right of your browser, then Content Blocking. Go to your privacy preferences and click on the Custom option on the right side. Mark the Cookies checkbox and make sure that “Third-party trackers” is selected...

https://blog.mozilla.org/blog/2019/06/0 ... gs-matter/

Of course this requires users to "dive into their browser settings and modify the defaults," for which Dolanjski criticizes other browsers. The blog promises eventually to make anti-tracking the default for existing users, though without saying when or how. I'd guess it will be done in a Firefox update; install it and presto, tracking will be blocked. Meanwhile, users who are more savvy than the average can turn it on themselves following the two simple steps described in the blog.
John Francis


Post by lennygoran » Sun Jul 21, 2019 7:05 am

John F wrote:
Sat Jul 20, 2019 9:52 pm
In Firefox, click Tools in the main menu at the top, then Add-ons. The Add-ons installed in your Firefox are listed under Extensions and Plug-ins.
John thanks-I found out they recommend some extensions but I seem to only have one-2 are not on right now-the photos below show what I have and also my plugin state. Regards, Len

Image



Image


Post by jserraglio » Sun Jul 21, 2019 7:44 am

John F wrote:
Sun Jul 21, 2019 3:20 am
Here's information from the Mozilla Blog about how Firefox now handles tracking and intends to. I summarized this briefly earlier in this thread, but this spells it out.
Not very comforting. Nothing in the article about blocking tracking by add-ons and extensions. That was the vulnerability Fowler exposed in Mozilla and is the specific subject of this thread.


Post by John F » Sun Jul 21, 2019 7:46 am

AdBlock Plus and the plug-ins are all anyone really needs. In addition I've installed Enhancer for YouTube, Open Link with New Tab, Undo Close Tab, and Video DownloadHelper; the latter can record a video on the web to the computer's hard drive. Those who are on Facebook might want Facebook Container, which makes it harder for Facebook to track you.
John Francis


Post by jserraglio » Sun Jul 21, 2019 7:50 am

John F wrote:
Sun Jul 21, 2019 7:46 am
AdBlock Plus and the plug-ins are all anyone really needs.
Actually, one doesn't need any of them. I've uninstalled them all. Not worth the risk, to be running unvetted software within a browser when performing sensitive tasks.

When Mozilla gets its act together (which I gather it, and Google, have recently started to do) https://betanews.com/2019/05/02/mozilla ... ated-code/ and certifies the add-ons and extensions it offers to the general user to be tracking-code-free, then I will gladly reinstall them.

Till then, ain't gonna happen.


Post by John F » Sun Jul 21, 2019 9:47 am

jserraglio wrote:
Sun Jul 21, 2019 7:44 am
Not very comforting. Nothing in the article about blocking tracking by add-ons and extensions. That was the vulnerability Fowler exposed in Mozilla and is the specific subject of this thread.
There's an article on LifeHacker that essentially repeats the Post article but provides a bit more information.

https://lifehacker.com/uninstall-these- ... 1836539093

The eight extensions, only three of them for Firefox and some with fewer than 10 users, are:

Branded Surveys (Chrome)
FairShare Unlock (Chrome and Firefox)
HoverZoom (Chrome)
Panel Community Surveys (Chrome)
PanelMeasurement (Chrome)
SaveFrom.net Helper (Firefox)
SpeakIt! (Chrome)
SuperZoom (Chrome and Firefox)

I don't use any of them and indeed never heard of them before reading the articles. I'd be more alarmed if there were many more Firefox extensions including some of the most popular ones like AdBlock Plus. Let's face it, a determined hacker can get into a bank or the U.S. Government, so I've no illusions about the security of my little home computer. But I'll certainly keep an eye out for any further news of this kind.
John Francis


Post by jserraglio » Sun Jul 21, 2019 10:00 am

But let's face it, you wouldn't stop locking your doors just because a burglar determined enough can always find a way to break into your house and rob you.

At any rate, Mr. Fowler suggests that there are probably many more rogue extensions than the eight he found, according to academics he interviewed that have studied the problem.

The thing is, no one knows for sure how many. There may be 8 or there may be 8,000. So Mozilla and Google really need to up their game and start vetting whatever they offer to the general public. If Apple can do it, so can they, especially Google with its deep pockets.

Till then, erring on the side of caution seems the net course for me. The add-ons I had installed now reside in Trash.

Post by John F » Sun Jul 21, 2019 12:48 pm

Actually, Mozilla has been vetting Firefox extensions for years and has listed many which have passed muster on https://addons.mozilla.org/en-US/firefox/extensions/, with "Recommended" opposite the ones it recommends. Those who want to download YouTube videos don't need to use SaveFrom.net Helper, which is not listed, when Mozilla recommends several alternatives, including the add-on I use, Video DownloadHelper. Mozilla has also changed its program interface for extensions to WebExtensions, which at a blow made many older ones inoperable, including a couple I depended on. Moving the goalposts is a pretty good defense.

Here's Mozilla's review procedure:
Firefox addons can be developed and distributed by anyone. The official Firefox library of extensions, however, is located at addon.mozilla.org (AMO).

The AMO website’s review process for Legacy Extensions was extremely lengthy and consisted only of manual review of code within an extension for any malicious indicators. With Firefox WebExtensions, the AMO has modified their review process. There is an automated review that forces the addon to pass a number of tests in a sandboxed environment for general security. Following this is a manual review of the app. Developers who submit their extensions for review are required to send in human-readable code for the review. The addon is reviewed against the policy in place for addons.

In between the automated check and the human-review, the addon is free to exist on the AMO site and available for download if it passes the automated review. This potentially presents an opportunity for malicious addons to exist on the site if the automated review does not catch them. There have already been several reported issues regarding this. However, Firefox addons can be removed from the AMO site if the human-reviewer finds anything wrong with the addon. They can even be blocklisted if they severely violate the AMO policy on extensions.
https://www.google.com/url?sa=t&rct=j&q ... UiVhRv43b3

Mozilla can't prevent thousands of people from putting their extensions up on the Web without submitting them for review. Many of these may be "rogue extensions," for all we know. And Mozilla can't prevent users from ignoring its recommendations and going out on the wild and woolly web - which is what the users of those 8 troublesome extensions clearly did. All the extensions I use have Mozilla's recommendation.

As you say, no one knows for sure how many nasties there are. Only 8 of them - and a queer selection at that - are known for sure to be baddies, a tiny sample of the thousands of extensions out there and the hundreds vetted by Mozilla. Until I see a report based on a much larger sample more representative of those that many people actually use, I'm not pushing the panic button. Others may differ. :)
John Francis

Post by jserraglio » Sun Jul 21, 2019 3:07 pm

My reaction hardly amounts to panic: uninstalling convenience apps that were never really needed in the first place. But call it panic if you wanna. Better panic than Blind Faith dancing cheek-to-cheek with Inertia.

The news that Mozilla has been 'checking' extensions all along yet somehow missed 8 rogue apps that a lowly amateur reporter was able to ferret out by poking around a bit is cold comfort, to say the least. To assert that they (not Mozilla by the way) have found only 8 little buggers so far out of the many thousands of add-ons out there is a bit like saying, "No worries, sweetie, only one of the millions of your boyfriend's sperm got you pregnant, and a queer little bugger it was too!". If one can be enough, eight can be too many.

The news that Mozilla has been standing guard makes me worry even more. What the hell else did the Watchman miss? Independent academics who have studied the issue of browser extensions believe Mozilla and Chrome probably are hosting lots more spyware. No one knows for sure, and that's the worry.

But that doesn't put the matter to rest: why did Mozilla unwittingly unleash on an unsuspecting public software that was stealing their data? At the same time lulling us into a false sense of security by promoting its stringent anti-tracking measures while allowing 3rd-party apps to circumvent that anti-tracking with obfuscated code?

The fact is that Mozilla did not announce new rules to combat this problem till June of this year--rival Google had already done so six months earlier in January, 2019. https://betanews.com/2019/05/02/mozilla ... ated-code/
And that was no doubt after the Post had shared with them the rogue apps it had found while preparing its report.

Does this smell like resolute advance measures or reaction after the fact? To me it sure looks like Mozilla was a day late and a dollar short.

Bottom line: the Post report makes it abundantly clear that Mozilla needs to get its act together. Until then, I shall bid au revoir to Firefox extensions. There are plenty of safer alternatives, the Opera browser being only one of the better known ones.

In fairness to Mozilla, though, it should be pointed out that for surfers who like to live dangerously, the Firefox browser, especially one chock full of extensions, may be the ultimate way rad tube.

Post by John F » Sun Jul 21, 2019 6:48 pm

Hey, wait a minute. "Why did Mozilla unwittingly unleash on an unsuspecting public software that was stealing their data?" Mozilla did not "unleash" those three Firefox add-ons; to the contrary, they did not include those add-ons in their official Firefox library of extensions at addon.mozilla.org (AMO). Their developers "unleashed" the add-ons by writing them and putting them on their web sites.

You seem to think that Mozilla should go out on the web and test every single add-on, even those with hardly any users, whether or not they have been submitted for review. (Which malefactors will never do, of course.) Any that they don't find and test, according to you, they've "missed." But add-ons proliferate like malware, which some of them are; there would be no end to it, Mozilla would have no time and resources to do anything else, and it really isn't necessary. Mozilla takes the more doable and reasonable approach of providing recommendations for a large number of add-ons they have tested and found safe to use.

If it turns out that any of these recommended add-ons is a bad one, meaning that Mozilla's test system "missed" it, that would be different. I'll be looking for news of that. Meanwhile, from my knowledge and long experience on the Internet, not blind faith or inertia, I'll continue as before.

P.S. About "obfuscated code." "Programming code is often obfuscated to protect intellectual property and prevent an attacker from reverse engineering a proprietary software program." It can also be used "to hide or disguise the code's true purpose," as with malware, but one shouldn't assume that this is always what code obfuscation is for.
John Francis

Post by jserraglio » Mon Jul 22, 2019 4:02 am

John F wrote:
Sun Jul 21, 2019 6:48 pm
one shouldn't assume that this is always what code obfuscation is for.
Whoa there, pardner! :? Mozilla announced on June 10, presumably after they were privy to the findings in the Post report, that it would ban extensions that contained obfuscated code. Sounds to me like ole Mozilla is aimin' to lock the barn door after the horses done got loose.

As for those 8 nondescript parasitic tapeworms in Firefox and Chrome that we're not supposed to get our shorts in a twist about b/c they have obscure names and supposedly are used only by a few, the Post report found that they had infected at least 4 million users of Firefox and Chrome:
Working with an independent security researcher, I found as many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox. Even a colleague in The Washington Post’s newsroom got caught up.
He that lieth down with dogs shall rise up with fleas. If you're a devotee of dogs and don't mind being bitten now and again by a few fleas, then by all means, keep using Firefox, I'm sure it's fine for casual surfing, just as Google's insecure Gmail is okay for casual messaging. My wife insists on using the damn thing--she uses Chrome too, to make matters worse.

But drawing on "my knowledge and long experience on the Internet", when I do banking or transact any other sensitive matter online, I'm a-gonna look elsewhere for a secure web browser.
Last edited by jserraglio on Mon Jul 22, 2019 8:54 am, edited 3 times in total.

lennygoran
Posts: 15128
Joined: Tue Mar 27, 2007 9:28 pm
Location: new york city

Post by lennygoran » Mon Jul 22, 2019 6:09 am

jserraglio wrote:
Mon Jul 22, 2019 4:02 am
If you're a devotee of dogs and don't mind being bitten now and again by a few fleas, then by all means, keep using Firefox, I'm sure it's fine for casual surfing, just as Google's insecure Gmail is okay for casual messaging. My wife insists on using the damn thing--she uses Chrome too, to make matters worse.
I've been following this thread as best I can with my limited computer knowledge-I've loved Firefox since I went to it and both my wife and I have tablets which use Chrome-she uses Gmail which I don't like-for me it's AOL Compuserve. As for the smartphones I'm not even sure what we're using-probably Chrome-all I know is when I want to read the NYTimes on the bus I open the smartphone and hit NYTimes from my smartphone's home page. I guess so far we've been lucky not to encounter any major problems-maybe they've occurred and we don't even know about them yet! Regards, Len :?

Post by jserraglio » Mon Jul 22, 2019 6:56 am

lennygoran wrote:
Mon Jul 22, 2019 6:09 am
I've loved Firefox since I went to it and both my wife and I have tablets which use Chrome-she uses Gmail which I don't like-for me it's AOL Compuserve.
Hello, Len. For casual use, no worries. I use Chrome and Gmail myself. If you need encrypted email, try Protonmail, it's free. My daughter uses it b/c as an HR manager specializing in labor law, she deals with sensitive material on a daily basis. She closed her Gmail account and convinced me that I had to treat mine with extreme caution. For example, married men shouldn't write love letters in Gmail to anyone but their wives, unless they wouldn't mind having them quoted someday on somebody else's Twitter feed. Even a certain WH occupant, an alleged Adderall addict, an unindicted co-conspirator in a criminal scheme to hide an affair from the voters, and an accused rapist knows that!
They're bringing drugs. They're bringing crime. They're rapists...
For sensitive financial transactions, my wife still uses Firefox (I earn the dough, she manages it--conventional, eh?). Now I am a-gonna try to wean her off Firefox for tasks that require security, but in the interim I uninstalled all third-party extensions from her copy of Firefox, even the Mozilla-approved ones.

I have lost confidence in Mozilla ever since I read the WashPost report. It used to wear the crown for security. No longer, in my view. About all I would hazard now is that it's probably more secure and private than Chrome. If I had to do sensitive tasks online, I would use Opera for now, but there are even more secure browsers out there which I am actively investigating.

On the iPhone, I run ProtonVPN (free and a snap to use) which hides my IP address and location. For occasional secure tasks, I use SavySoda's Private Browsing Web Browser. DuckDuckGo Privacy Browser probably is just as good. No matter which browser you use on the phone (I use mostly Safari for mundane tasks, but occasionally Chrome and Opera) you might link to the DuckDuckGo search engine https://duckduckgo.com instead of Google or Bing if you don't wanna be tracked.

Hope this helps a bit. NOBODY and NOTHING has all the answers about online security. I trust no one that clings to a one-size-fits-all solution out of sheer inertia.
Last edited by jserraglio on Mon Jul 22, 2019 8:01 am, edited 2 times in total.

Post by lennygoran » Mon Jul 22, 2019 7:52 am

jserraglio wrote:
Mon Jul 22, 2019 6:56 am
Hope this helps a bit. NOBODY and NOTHING has all the answers about online security. I trust no one that clings to a one-size-fits-all solution out of sheer inertia.
Joseph thanks-I'll study some of these things but you were right on the money when you used the term inertia-mea culpa-wait I'm blaming the gardening for all this! Regards, Len [yep-fleeing] :lol:

Post by jserraglio » Mon Jul 22, 2019 8:04 am

Me? I hate change more than most. The 12 Steps are my mantra.
