Browser Extensions Scraped Data From Millions of People

Security News This Week: Browser Extensions Scraped Data From Millions of People

Casey Chin
Europeans had to navigate by the stars this week—well, GPS, but still—after the continent's burgeoning Galileo satellite navigation network went dark for a full seven days. The incident is a warning for everyone of how fallible the infrastructure of our modern lives really is.

In more uplifting news, security researchers made an app designed to kill, to prove a point about the intense risks of internet-connected health devices, and the need for the companies who make them to stop ignoring them. (Wait, sorry, murder apps are not uplifting.)

We explained how to clear out your zombie apps and online accounts, and why Microsoft’s very serious BlueKeep bug hasn’t wreaked havoc on the Windows devices of the world, yet. Oh, and we—like everyone else—took note of this week’s viral app, FaceApp, which shows you how you’ll look when you’re old. Though people were quick to point out its security risks, we reminded you that if you’re worried about FaceApp, you’re going to panic when you learn about a little old app called Facebook.

But that’s not all. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

DataSpii Reveals Some Browser Extensions are Spying on You—and Selling Your Private Data

If you use browser extensions, you’re going to want to pay attention to this one. Ars Technica reporter Dan Goodin brings the news of a major new privacy failure recently unearthed by security researchers: widely used Chrome and Firefox browser extensions scraped and sold the data of more than 4.1 million people, until the researcher alerted Google and Mozilla. These extensions took the URL and other details from your browsing history and sold them to a data firm called Nacho Analytics, which marketed itself as providing a “god mode for the internet.” Nacho Analytics then published them, for a fee. Because of the way many of the pages were protected—or rather, not protected—those published links often allowed people to see the content of the pages themselves. Among the sensitive pieces of information spilled? Tax returns, doctor-patient communications, and links to Nest cameras. The scariest thing about DataSpii is that it likely represents a small fraction of the extensions out there that invade your privacy. As Goodin found when he dug into the research, many of these extensions and Nacho Analytics reference this spying and selling in the fine print of their terms of service. So what can you do to protect yourself? First, read the whole Ars story to see if you were caught up in DataSpii, and second: read the fine print before installing any extensions.

NSO Group Says Its Spyware Can Scrape Your Data From the Cloud

An Israeli spyware company popular with intelligence agencies across the world, and famous for exploiting WhatsApp with just a phone call, has a new sales pitch. Citing unnamed sources, the Financial Times reports that NSO Group is now telling governments and potential customers that its spyware can access personal data from the servers of all of big tech’s companies. The important thing to note, though, is that it apparently claims to do so by compromising your device's authentication tokens. In other words, they haven't hacked the cloud, but the smartphones and computers of people who access it. Bottom line, as always: If a nation state targets you, you're toast.

Microsoft Is Giving Away Free Security Software for Voting Machines

How do you hack an election? Let me count the ways. Through disinformation campaigns, gerrymandering, breaching voter rolls, and—oh yeah—targeting the voting machines themselves. Though experts have warned for years that voting machines are insecure, companies and municipalities have been slow to upgrade and secure them—despite voting machines being listed as critical infrastructure by the US government. This week, software giant Microsoft announced it has developed open source software that can help make voting machines more secure. The company is giving the software away for free in the hopes that it can help shore up systems ahead of the presidential election next year. Microsoft also announced it has found 781 attempted cyberattacks by foreign hackers targeting political organizations so far this year.

Slack Is Updating One Percent of All User Passwords

After Slack was breached in 2015, the company reset the passwords of those whose accounts had been affected. But recently, the company says it received a batch of breached credentials through its bug bounty program and realized they were from the same 2015 incident. On Thursday it announced it had decided to reset the passwords of all users who were active on Slack during the 2015 breach. If you, like me, are one of those people but haven’t had your password reset by Slack, that’s likely because you had already changed it since 2015, or you use some kind of single sign-on authentication service, according to Slack.