Chrome Extensions Are Tracking You, Whether You Like it or Not
I mean, you probably use Ghostery to keep from being tracked while online, security tools like Spybot to remove tracking scripts and malware from your PC, extensions like PixelBlocker to block tracking pixels in email, and I’m sure you regularly clear your browser history.
I for one take every step to keep from being tracked online, but according to Detectify Labs, that may not be enough. They say that you could have an extension installed in Chrome which serves a dual purpose; it’s also tracking you and sending your data to one or more analytics services.
Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely bypassed.
The tracked browsing history data is made available through analytics services, where anyone can sign up to pay for a monthly subscription to analyze and dig through this traffic. It is still unknown what happens with some of the data, such as your personal cookies, but there’s a possibility that it is being used to enhance the profile of the user to make the analytics even more accurate in terms of location, gender, age and interests.
They are sending over everything about you. Every. Thing. Even relations between websites that is only known by the current user, since the pages themselves are not linked in any way. They also steal all your cookies and OAuth access-tokens (provided between web pages using URL fragments aka
If that last paragraph doesn’t scare you, then let me explain it a different way. If you’ve ever typed in your credit card number, SSN, or any other critical personal info in an unsecured webpage while one of these tracking extensions was watching, chances are they grabbed it.
And to make matters worse, not only are the extensions tracking users, some are also programmed to peridocially download new code which is then run as part of the extension. While Detectify Labs only observed tracking scripts being downloaded, this same technique could be used to install malware, ad insertion scripts, or who knows what.
In short, this is a serious problem for anyone who runs Chrome, and that goes double for anyone using one of the extensions wgich Detectify Labs has caught red-handed:
- SpeakIt (>1 000 000 users)
- EagleGet Free Downloader (>630 000 users)
- ProxFlow (>430 000 users)
- Emoji Input (>350 000 users)
- Instant Translate (>330 000 users)
- SuperBlock Adblocker (>110 000 users)
- SafeBrowse (>100 000 users)
But even if you’re not running one of these extensions, you could still be at risk. Detectify Labs recommended (and I concur) that Chrome users open chrome://extensions and click the details link for each extension.
You need to check to see if the extension mentions anything about tracking your web activities (and don’t forget that the words they use when mentioning this sort of tracking is de-emphasized, to say the least). If you find even a hint, you need to ask yourself just how much you need that extension.
If you’re like me and you feel that privacy and security are paramount, then the odds are good that you don’t need that nifty image macro or different colors on FB.
It’s just not worth the risk.
image by YLegrand