In our 5,000 word piece on “DataSpii,” we explained how researcher Sam Jadali spent tens of thousands of dollars investigating the murky Internet ecosystem of browser extensions that collect and share your web history. Those histories could end up at sites like Nacho Analytics, where they can reveal personal or corporate data.
Here, we want to offer more detail for the technically curious reader on exactly how these browser extensions work—and how they were discovered.
Discovering which browser extensions were responsible for siphoning up this data was a months-long task. Why was it so difficult? In part because the browser extensions appeared to obscure exactly what they were doing. Both Hover Zoom and SpeakIt!, for instance, waited more than three weeks after installation on Jadali’s computers to begin collection. Then, once collection started, it was carried out by code that was separate from the extensions themselves.
One example: immediately after an installation on February 5, 2019, both extensions contacted developer-designated servers and reported their installation time, installation version, current version, and unique extension ID. On February 15, the extensions received an automatic update, but they still didn’t collect any browsing history. Then, on March 1, both extensions received a second automatic update.
Almost immediately, the extensions again contacted developer-controlled servers and reported the unique ID of the extension, installation time, and current version. About one second later, the extensions received a 156KB payload, with 150KB of this being stored not in the extension folder, but in the Chrome browser system profile (in Jadali’s case, the file was located at C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\File System\02p 0 0000000).
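The staging pattern described above (a small check-in to a developer server, followed within a second by a large payload that lands in the profile’s File System directory rather than the extension folder) is something a defender can hunt for in a request log. The script below is an added example, not code from the article or from Jadali’s investigation; its log format, extension IDs, hostnames and byte counts are constructed, and the thresholds (1KB beacon, 100KB payload, 5-second window) are assumptions chosen to match the behaviour the text reports.

```python
"""Flag extension-initiated 'beacon then payload' sequences in an HTTP request log,
and list unusually large files in a Chrome profile's File System sandbox.

Added example with constructed data; not part of the original article."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed log lines in a simplified "timestamp method url initiator=... bytes=N" format
# (hypothetical; not the packet capture referenced in the article).
SAMPLE_LOG = """\
2019-03-01T09:12:00 POST https://devserver.example.invalid/install initiator=chrome-extension://aaaaaaaa bytes=210
2019-03-01T09:12:01 GET https://devserver.example.invalid/bundle initiator=chrome-extension://aaaaaaaa bytes=159744
2019-03-01T09:12:02 POST https://devserver.example.invalid/install initiator=chrome-extension://bbbbbbbb bytes=205
2019-03-01T09:12:03 GET https://cdn.example.invalid/icon.png initiator=chrome-extension://bbbbbbbb bytes=2048
2019-03-01T09:15:00 GET https://news.example.invalid/ initiator=page bytes=80000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) initiator=(?P<initiator>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Request:
    ts: datetime
    method: str
    url: str
    initiator: str  # chrome-extension://<id> for extension-originated requests
    resp_bytes: int


@dataclass(frozen=True)
class Finding:
    extension: str
    beacon_url: str
    payload_url: str
    payload_bytes: int
    delay_seconds: float


def parse_log(text: str) -> list[Request]:
    """Parse log lines; malformed lines are skipped so one bad record does not abort the run."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        requests.append(Request(
            ts=datetime.fromisoformat(m["ts"]),
            method=m["method"],
            url=m["url"],
            initiator=m["initiator"],
            resp_bytes=int(m["bytes"]),
        ))
    return requests


def find_staged_payloads(requests: list[Request], min_payload_bytes: int = 100_000,
                         beacon_max_bytes: int = 1_000, window_seconds: float = 5.0) -> list[Finding]:
    """For each extension, flag a small check-in followed within the window by a large download."""
    by_ext: dict[str, list[Request]] = {}
    for r in sorted(requests, key=lambda r: r.ts):
        if r.initiator.startswith("chrome-extension://"):
            by_ext.setdefault(r.initiator, []).append(r)

    findings = []
    for ext, reqs in by_ext.items():
        for i, beacon in enumerate(reqs):
            if beacon.resp_bytes > beacon_max_bytes:
                continue  # not a small beacon
            for follow in reqs[i + 1:]:
                delay = (follow.ts - beacon.ts).total_seconds()
                if delay > window_seconds:
                    break  # requests are time-sorted, so nothing later can qualify
                if follow.resp_bytes >= min_payload_bytes:
                    findings.append(Finding(ext, beacon.url, follow.url, follow.resp_bytes, delay))
                    break
    return findings


def large_sandbox_files(profile_dir: str, min_bytes: int = 100_000) -> list[tuple[str, int]]:
    """List files above min_bytes under <profile>/File System, where extension-written
    sandbox data lives. Returns an empty list if the directory does not exist."""
    root = os.path.join(profile_dir, "File System")
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            if size >= min_bytes:
                hits.append((path, size))
    return hits


if __name__ == "__main__":
    for f in find_staged_payloads(parse_log(SAMPLE_LOG)):
        print(f"{f.extension}: {f.payload_bytes} bytes from {f.payload_url} "
              f"{f.delay_seconds:.0f}s after beacon to {f.beacon_url}")
```

In the constructed log only the first extension trips the rule: a 210-byte check-in followed one second later by a 159,744-byte download. The second extension’s check-in is followed only by a 2KB icon, and the page-initiated request is ignored because it has no extension origin. Pointing large_sandbox_files at a profile directory such as the Default profile path named above surfaces the on-disk side of the same behaviour.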
The Hover Zoom extension can be seen downloading the 156KB payload in request 2103 of the following packet capture: