Google Chrome and Mozilla Firefox users may have had their entire online history siphoned and stored by third-party developers.
That’s according to a prominent security researcher who found a popular plugin for the Google Chrome and Mozilla Firefox was recording everything users did online.
The software, which is designed to allow users to customise the appearance of how webpages appear inside the web browsers, has been hijacked by spyware.
The extension, which has more than 1.8 million users worldwide, may have been recording the browsing history of everyone who uses it.
Worse still, this browsing data could be linked to details that make users identifiable in the real world, making them vulnerable to hackers and blackmailers.
The finding was made by Robert Theaton, a software engineer from San Francisco, who discovered the software, dubbed Stylish, had been recording browser history since January 2017, when it was bought by new owners SimilarWeb.
Writing on his blog, Theaton said: “It only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier.
“This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.”
Stylish sends complete browsing activity back to its servers, together with a unique identifier, he claims.
That includes actual Google search results from your browser window.
This allows its new owner, SimilarWeb, to connect an individual with all of their online activity.
Those who have created a Stylish account on userstyles.org will have a unique identifier that can easily be linked to a login cookie and text files intended to help users access a website faster and more efficiently.
This means that not only does SimilarWeb own a copy of any user’s complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.
“As far as tracking is concerned, anonymous information like which styles get installed or which sites visited get collected,” ghacks.net reported at the time.
“This information powers some of the extension’s functionality such as the ability to reveal styles to users when they visit sites in the browser.”
In a statement, Google said it took user privacy seriously and security had been one of the company’s core tenets since the beginning.
• Google Chrome provides users with the ability to easily adjust their privacy settings. Users can control whether their Google Account is used for syncing their browsing activity, passwords or bookmarks by singing in. Instructions for controlling other privacy settings can be found on the company’s website.
• Chrome browser and Chrome OS use various identifiers, some of which may be unique and stable. When an identifier is used in Chrome browser, we disclose its nature and purpose in our Privacy Whitepaper.
How can you protect your information online?
1. Make your authentication process two-pronged whenever possible. You should choose this option on websites that offer it because when an identity-specific action is required on top of entering your password and username, it becomes significantly harder for fraudsters to access your information.
2. Secure your phone. Avoiding public Wifi and installing a screen lock are simple steps that can hinder hackers. Some fraudsters have begun to immediately discount secure phones altogether. Installing anti-malware can also be beneficial.
3. Subscribe to alerts. A number of institutions that provide financial services, credit card issuers included, offer customers the chance to be notified when they detect suspicious activity. Turn those notifications on to stay informed about credit card activity linked to your account.
4. Be careful when issuing transactions online. Again, some institutions offer notifications to help with this, which will alert you when your card is used online. It might also be helpful to institute limits on amounts that can be spent with your card online.
Source: NZ Herald