Chrome Extensions Are Bypassing Ghostery and Other Tracking Blockers

Security firm Detectify signed up for one of the third-party data services to find out what your browser is letting them harvest

Sundar Pichai, then senior vice president of Chrome, speaks at Google's annual developer conference, Google I/O, in San Francisco on June 28, 2012. AFP PHOTO/Kimihiro Hoshino. (Photo: KIMIHIRO HOSHINO/AFP/Getty)

Sundar Pichai, then senior vice president of Chrome, speaks at Google’s annual developer conference, Google I/O, in San Francisco on June 28, 2012. AFP PHOTO/Kimihiro Hoshino. (Photo: KIMIHIRO HOSHINO/AFP/Getty)

Swedish security firm Detectify, has found that even if users run popular tracking blockers such as Ghostery, their online behavior may still be tracked and watched by some Chrome extensions. To verify the vulnerability, the company first subscribed to a third party data service to see what they were collecting (and selling), and then it investigated how the extensions seemed to be getting around the tracking blockers.

The company has published its results in a blog post this morning. The post’s authors, Frans Rosén and Linus Särud, from the Detectify team, write:

Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely bypassed.

In the data, the company was even able to find visits to URLs for private pages and pages used only within companies. They write, “They are sending over everything about you. Every. Thing. Even relations between websites that is only known by the current user, since the pages themselves are not linked in any way.”

In its explanation for how it works—and how it seems to be getting past the team monitoring extensions in the Chrome store—the team reports that the extensions appear to download additional tracking code after installation. That way, Google devs won’t detect malicious code when it’s posted in the store.

Here are the extensions the post lists that users should watch out for:

  • HoverZoom
  • SpeakIt
  • Free Smileys & Emoticons
  • EagleGet Free Downloader
  • ProxFlow
  • Emoji Input
  • Instant Translate
  • FB Color Changer
  • Flash Player+
  • SuperBlock Adblocker
  • SafeBrowse
  • JavaScript Errors Notifier

The company even ran a small test, where one member of their team visited one site, created just for the experiment. No one else even knew the URL existed, and it was linked nowhere. The team member visited it one time, and Detectify was able to find that visit in the third party data later.

Detectify was the company that warned Patreon about its security vulnerability before its recent breach. The Observer recently reported on the different privacy levels afforded by Firefox’s private mode over Chrome (though at the end of the post Detectify does not give Mozilla very high marks for its browser’s extension policy either).