Analytics services are tracking users via Chrome extensions

It’s quite possible that, despite your belief that Google Chrome is the safest browser there is and your use of extensions that prevent tracking, your online movements are still being tracked.

The culprits? Popular Chrome extensions like HooverZoom, Free Smileys & Emoticons, Flash Player+, SuperBlock Adblocker and many more.

The fact was brought to the wider public’s attention by Detectify Labs researchers, who signed up for one of the analytics services that provides user information gathered by Chrome extensions.

This information includes URLs that users visited (browsing history), cookies, OAuth access-tokens, and shared links from sites such as Dropbox and Google Drive (which, when shared by employees, often lead to confidential company data).

After signing up for the service, the researchers were able to see common URLs used by employees at targeted companies, internal network URLs and separate websites for internal use only, internal PDFs, and pages that only one person had visited.

“The tracked browsing history data is made available through analytics services, where anyone can sign up to pay for a monthly subscription to analyze and dig through this traffic,” the researchers explained.

“It is still unknown what happens with some of the data, such as your personal cookies, but there’s a possibility that it is being used to enhance the profile of the user to make the analytics even more accurate in terms of location, gender, age and interests. Through these services, we’ve been able to confirm that even browsing patterns from only one user ended up in the search results, making it possible to fingerprint a specific user’s browser history.”

If you’re wondering how you didn’t notice this data collection before, the explanation is simple: the offending extensions use different tactics to hide their tracking scripts’ activities – from running in a separate background instance of the extension (so that network traffic is hidden from tracking prevention tools) and packing data to make it difficult to identify, to using different subdomains for each extension and enabling tracking by default.

What’s more, some third-party tracking services use a tracking script SDK inside the extensions, which allows them to download new scripts.

“Our guess is that this is a way to bypass any filters used by Chrome Web Store to identify malicious extensions and abuse of privacy. It’s also a great way for the tracking scripts to be auto updated, without forcing the user or the owner of the extension to update the extension,” the researchers posited.

And, if you believe that the developers of these extensions tricked you into allowing this, you haven’t read the information provided for each extension in the Chrome Web Store carefully. The explanation IS there, but it is difficult to notice because of the Chrome Web Store’s GUI, and because the descriptions of why tracking scripts are included, and the scripts’ privacy policies, are (I’m quoting the researchers here) “a complete joke.”

But why would extension developers include these scripts in their offerings, you ask? The answer is money.

“Many of these extensions are being paid per user by the third party to install the tracking code in their extensions. We’ve seen some indications on Chrome Extension-forums that it’s around $0.04 per user/month. For plugins with over tens and hundreds of thousands of users that equals a substantial amount of monthly income,” the researchers noted.

Now that you know this, you might want to check whether the extensions you use are doing this, and uninstall them if they do. The researchers also advised that, if you need some of these extensions, you should use Incognito mode for your regular browsing and make sure no extension is enabled in Incognito mode.
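One defender-side way to triage the warning signs described above (a background context, broad host and browsing-data permissions, and a content security policy that whitelists a remote script origin so new scripts can be pulled in at run time) is to audit an unpacked extension's manifest. This is an added example, not code from Detectify Labs or from the article; the sample manifest and the tracker.example origin are constructed.

```python
import json
import re

# Permissions that let an extension read browsing activity or session credentials.
SENSITIVE_PERMISSIONS = {"tabs", "history", "cookies", "webRequest", "webNavigation"}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def remote_script_origins(csp: str) -> list:
    """Remote origins whitelisted in script-src of an extension CSP.
    The MV2 default is "script-src 'self'; object-src 'self'"; any added
    remote origin lets the extension fetch and run code the store never reviewed."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return [p for p in parts[1:] if re.match(r"https?://", p)]
    return []

def audit_manifest(manifest: dict) -> list:
    """Return findings for one extension manifest (MV2 or MV3 layout)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("reads browsing data via permissions: " + ", ".join(sensitive))
    if perms & BROAD_HOSTS:
        findings.append("broad host permission: can reach every site the user visits")
    if manifest.get("background"):
        findings.append("background context: its network traffic is invisible to page-level blockers")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 nests the policy per context
        csp = csp.get("extension_pages", "")
    origins = remote_script_origins(csp)
    if origins:
        findings.append("may load remote scripts at run time from: " + ", ".join(origins))
    return findings

# Constructed sample manifest (not a real extension) modelling the pattern described above.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Zoom Helper",
  "permissions": ["tabs", "cookies", "<all_urls>"],
  "background": {"scripts": ["bg.js"]},
  "content_security_policy": "script-src 'self' https://tracker.example; object-src 'self'"
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Point it at the manifest.json of each unpacked extension under your Chrome profile's Extensions directory; an extension that trips all four findings matches the pattern the researchers describe and deserves a close look before you keep it.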

Finally, they also urged users to send business documents via email instead of through a shared link on a file sharing service like Google Drive or Dropbox.

For more information about the offending extensions, and for techniques to find others that do the same thing, check out Detectify Labs’ blog post.