Chrome extensions appear to be harvesting users’ cookies, according to a security expert the Observer spoke to, including session ID cookies that allow users to stay logged in to sites as they open and close pages. So, the cookies gathered could allow harvesters to fake their way into users’ accounts on sites like Facebook and Twitter, where it’s easy to hoover up very personal data (which allows those selling the data to tell a much richer story).
While there is no direct evidence that any company has logged in to anyone’s pages, who wants to share their keys with strangers?
We spoke to Frans Rosén, a knowledge advisor at Sweden’s Detectify, the company that reported yesterday that a few popular Chrome extensions are gathering extremely detailed data about everything their users are doing online. He said his company has been working on gathering information for this report for most of 2015.
In short: Chrome extensions operate like software on your computer. This gives spyware built into them the ability to see everything users do in the browser, even with tracking blockers installed. Whereas website trackers can only see what makes you click or holds your attention on their own webpages, browser extensions can see your behavior on every page. In fact, not just the pages you visit, but also the cookies stored on your drive.
The extensions that Detectify identified default to permitting tracking of all URLs. It can be turned off, but users have to know to do it.
The Observer reported on the initial post yesterday, which doesn’t name the companies collecting the data. Mr. Rosén named two when we spoke. One of them was FairShare Labs.
FairShare’s Christian Rodriguez emailed the Observer today following our inquiries yesterday. “Overnight I had our team develop a short-term solution that we’re currently testing and hoping to release in about an hour. It will filter out sensitive cookie data client-side so it never reaches our servers. While we know that we’re adequately handling and discarding of sensitive information server-side I understand that’s not evident to a concerned third party,” he wrote.
In addition, he sent the following in a statement:
We are committed to fully safeguarding the data we receive and we’re constantly adding new layers of filtration and protection. We leverage HTTP headers, which include cookies, but we don’t analyze cookie information and we immediately remove and discard unused information. Our engineering protocols dictated that we centralize the cleaning of this data ourselves as we felt that provided the greatest level of security and stability for ensuring it was handled properly.
The Observer has previously explained HTTP headers in prior coverage.
Don’t share cookies
The reason users don’t have to sign into Facebook again every time they reopen the page is that the company places an authorization cookie on their computer, showing that the computer has already logged in once. Presenting that cookie can let people back in, even on another device, Mr. Rosén explained.
Here’s one Detectify showed in its blog post. Anyone with access to a cookie like this would, in many cases, be able to log in to the user’s account.
Mr. Rosén said that they had tracked the cookies going back to FairShare Labs. “That is completely insane,” he said. “I can’t imagine Chrome or Google will allow that. I can’t imagine it would allow people to send over cookies to other people.”
The cookies are being sent to this site, according to Detectify. Here’s one of the cookies that Detectify wrote it found going there. It shows a session ID with Google:
Gmail users probably have one of these IDs on their computer right now.
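To make concrete what filtering “sensitive cookie data client-side so it never reaches our servers” would mean for an extension that records browsing activity, here is an added example written for this story, not code from FairShare, Detectify or any extension. It assumes the request shape Chrome’s webRequest listeners hand to an extension (a URL plus an array of {name, value} headers); all sample values are constructed.

```javascript
// Added example: scrub credential-bearing data from a captured request on the
// client, before anything leaves the machine, instead of relying on the
// receiving server to discard it. Header names below are the standard ones
// that carry sessions or credentials.
const CREDENTIAL_HEADERS = new Set([
  "cookie", "set-cookie", "authorization", "proxy-authorization",
]);

// Drop every header that could carry a session or credential. Returns the
// cleaned list plus a count of what was removed, so the policy can be audited.
function sanitizeHeaders(headers) {
  const kept = [];
  let dropped = 0;
  for (const h of headers) {
    if (CREDENTIAL_HEADERS.has(h.name.toLowerCase())) {
      dropped += 1;
      continue;
    }
    kept.push({ name: h.name, value: h.value });
  }
  return { headers: kept, dropped };
}

// Session IDs and tokens also turn up in query strings and fragments, so
// "all URLs" telemetry should keep origin and path only.
function sanitizeUrl(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

function sanitizeRequest(req) {
  const { headers, dropped } = sanitizeHeaders(req.headers);
  return { url: sanitizeUrl(req.url), headers, dropped };
}

// Constructed sample request; the cookie and token values are made up.
const sampleRequest = {
  url: "https://mail.example.com/inbox?authuser=0&token=CONSTRUCTED",
  headers: [
    { name: "Host", value: "mail.example.com" },
    { name: "Cookie", value: "SID=CONSTRUCTED_SESSION; OTHER=CONSTRUCTED" },
    { name: "Authorization", value: "Bearer CONSTRUCTED_TOKEN" },
    { name: "User-Agent", value: "Mozilla/5.0" },
  ],
};

const cleaned = sanitizeRequest(sampleRequest);
// cleaned.dropped === 2; cleaned.url === "https://mail.example.com/inbox"
```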
As we previously reported, extensions in FairShare’s network download additional code after installation. Mr. Rodriguez did not respond to our question about whether or not this was done to bypass the Chrome webstore’s guidelines.
Mr. Rodriguez wrote that the company is “migrating to a new paradigm for improved international and cross-browser compliance.” It is a few months out from a clearer opt-out system, and from one that anonymizes cookies on users’ computers before they go to Fairshare.
Mr. Rodriguez’s LinkedIn page lists him as Business Development there, but also as the founder of Burstworks and a data broker at Clickstre.am. He’s been at Clickstre.am and Fairshare since June 2014, while founding Burstworks in October 2012. Burstworks also describes itself as a tracking company on its webpage.
The Observer was also able to find staff shown on Burstworks’ website soliciting Chrome developers to join the Fairshare network on Chrome developer forums.
None of the developers of the apps listed by Detectify, nor Google’s Chrome team, replied to a request for comment for this story.