Slashdot: Browser Extensions Turn Nearly 1 Million Browsers Into Website-Scraping Bots

Source URL: https://tech.slashdot.org/story/25/07/09/2257245/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots?utm_source=rss1.0mainlinkanon&utm_medium=feed
Source: Slashdot
Title: Browser Extensions Turn Nearly 1 Million Browsers Into Website-Scraping Bots

Feedly Summary:

AI Summary and Description: Yes

**Summary:** The text discusses the alarming discovery of over 240 browser extensions that have exploited users’ browsers to scrape sensitive data without their consent. This incident highlights substantial privacy and security implications, especially regarding how easily malicious activities can be disguised as benign functionalities within software. The large-scale collection of personal and sensitive information from various platforms, including financial and proprietary data, raises critical concerns for security professionals.

**Detailed Description:** The text outlines a significant security breach involving a multitude of browser extensions that covertly transformed users’ browsers into web-scraping bots. These extensions, which had gained nearly a million installs across various platforms, were reported to serve seemingly innocuous purposes, masking their true functionality.

Key Points:
– **Nature of Extensions:**
  – The extensions included functionalities like managing bookmarks, boosting speaker volumes, and generating random numbers.
  – However, they all utilized MellowTel-js, an open-source JavaScript library linked to the monetization of the extensions.

– **Scope of Data Collection:**
  – The harvest included a wide array of sensitive data such as:
    – Surveillance videos from Nest
    – Tax returns
    – Billing invoices
    – Business documents
    – Presentation slides from platforms like Microsoft OneDrive and Intuit.com
    – Personal vehicle identification numbers along with buyer information
    – Patient data and doctor visit details
    – Travel itineraries from major travel websites
    – Facebook Messenger attachments and photos, even if set to private

– **Affected Companies:**
  – The data collection extended to proprietary information belonging to notable companies like Tesla, Blue Origin, Amgen, Merck, Pfizer, and Roche, emphasizing the extensive reach and serious implications of the breach.

– **Current Status of Extensions:**
  – The response to the discovery revealed that:
    – Of the 45 known Chrome extensions, 12 are no longer active: some were removed from the store for malware, others were updated to drop the harmful library.
    – Among the 129 Edge extensions, eight are now inactive.
    – Of the 71 Firefox extensions, two have been flagged as inactive, with similar actions taken.

**Practical Implications:**
– Security professionals must remain vigilant about browser extensions’ security risks, particularly those that claim to offer helpful features.
– There is a pressing need for robust vetting processes for software and browser extensions, especially regarding their access and use of sensitive data.
– Organizations should enhance privacy policies and monitor compliance with data protection regulations to safeguard against unauthorized data collection.
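
One concrete form such vetting can take is a pre-installation audit of an unpacked extension bundle. The script below is an added example, not code from the story or from MellowTel-js; it assumes a Manifest V3 `manifest.json` on disk and treats a case-insensitive "mellowtel" string in any bundled script as a heuristic marker for the library named in the story. The sample extension it audits is constructed inline.

```python
"""Heuristic vetting of an unpacked browser extension (added example, not from the story).

Assumptions (not stated in the source): the extension is unpacked on disk with a
Manifest V3 manifest.json, and the monetization library is referenced by the string
"mellowtel" somewhere in its JavaScript. The sample extension is constructed inline.
"""
import json
import os
import re
import tempfile

# Host patterns that grant a script access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Heuristic marker for the library named in the story; not a malware signature.
LIBRARY_MARKER = re.compile(r"mellowtel", re.IGNORECASE)

def audit_extension(ext_dir):
    """Return a list of human-readable findings for the unpacked extension in ext_dir."""
    findings = []
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    # Manifest V3 lists host access under host_permissions; V2 mixed it into permissions.
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append(f"broad host access: {', '.join(broad)}")
    # Walk every bundled script and look for the library marker.
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    if LIBRARY_MARKER.search(f.read()):
                        findings.append(f"library marker in {os.path.relpath(path, ext_dir)}")
    return findings

def build_sample_extension():
    """Constructed sample: a 'volume booster' whose manifest follows the pattern in the story."""
    ext_dir = tempfile.mkdtemp(prefix="ext-audit-")
    manifest = {"manifest_version": 3, "name": "Volume Booster (constructed sample)",
                "host_permissions": ["<all_urls>"], "permissions": ["storage"],
                "background": {"service_worker": "bg.js"}}
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(ext_dir, "bg.js"), "w", encoding="utf-8") as f:
        f.write("// constructed sample script that references MellowTel-js\n")
    return ext_dir

if __name__ == "__main__":
    for finding in audit_extension(build_sample_extension()):
        print("FINDING:", finding)
```

Run against a real unpacked extension directory, both findings together are the pattern to escalate: a benign-sounding feature plus access to every site plus a bundled monetization library.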

This incident underscores the importance of continuous security education for users related to the software they install and use, as well as the necessity for more stringent regulatory oversight concerning data privacy and security in software development.