What is DataSpii?


The two most popular browsers, Chrome and Firefox, have created stores and online marketplaces where their users can find and download extensions that range from ad blockers to utility add-ons to grammar check extensions. But what about when the innocuous extension you downloaded begins capturing your online activities and sending your browsing activity data to a database? The DataSpii report documents the unprecedented data collection impacting millions of individuals as well as many Fortune 500 corporations.

DataSpii is the catastrophic data leak that occurred when any one of eight browser extensions collected browsing activity data — including personally identifiable information (PII), corporate information (CI), and government information (GI) — from unwitting Chrome and Firefox users. This data was then disseminated to foreign entities and members of an online service, where it may have been appropriated or exploited by any member.

Research on DataSpii has continued to this day as the pervasiveness of invasive browser extensions remains unclear while posing an extreme risk to people, businesses, governments and institutions worldwide.

Read the full DataSpii report on SecurityWithSam.com

How does the DataSpii data leak work?


Melurna offers data and cybersecurity services to companies and organizations around the world. Founded in 2020 by cybersecurity researcher and data security expert Sam Jadali, Melurna was formed to help combat the global impact of the 1.5 trillion dollar cybercrime industry.

Frequently Asked Questions About DataSpii.
How DataSpii Works.
  • personal interests
  • tax returns
  • GPS location
  • cloud services and data
  • file attachments
  • credit card information
  • genetic profiles
  • travel itineraries
  • genealogy
  • online shopping history
  • real-time activity of employees, including the corporate tasks they were assigned
  • private LAN network structure (e.g., server type, firmware revisions, LAN IPs)
  • partial page content (includes hyperlinks embedded on a LAN website)
  • company memos
  • API keys
  • proprietary source code
  • firewall access codes
  • proprietary secrets
  • operational material
  • zero-day vulnerabilities

The DataSpii leak primarily impacted Chrome and Firefox users with one of the eight invasive extensions. However, other Chromium-based browsers (e.g., Opera) that can run Chrome extensions are also impacted.

| Extension name | Number of users | Browser vendor | Chrome extension ID (if applicable) |
|---|---|---|---|
| Hover Zoom | 800,000+ users | Chrome | nonjdcjchghhkdoolnlbekcfllmednbl |
| SpeakIt! | 1.4+ million users | Chrome | pgeolalilifpodheeocdmbhehgnkkbak |
| SuperZoom | 329,000+ users | Chrome and Firefox | gnamdgilanlgeeljfnckhboobddoahbl |
| SaveFrom.net Helper | ≤140,000 users | Firefox | N/A |
| FairShare Unlock | 1+ million users | Chrome and Firefox | alecjlhgldihcjjcffgjalappiifdhae |
| PanelMeasurement | 500,000+ users | Chrome | kelbkhobcfhdcfhohdkjnaimmicmhcbo |
| Branded Surveys | 8 users | Chrome | dpglnfbihebejclmfmdcbgjembbfjneo |
| Panel Community Surveys | 1 user | Chrome | lpjhpdcflkecpciaehfbpafflkeomcnb |

†The invasive data collecting behavior occurred when the SaveFrom.net Helper extension was installed from the author’s official website using Firefox on macOS or Ubuntu. We did not observe the invasive behavior when the extension was installed from a browser vendor store.

‡FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys make explicit efforts to let their users know they collect browser activity data.

Yes. During the investigation, we discovered that the URLs collected by the extensions were visited by a third party, Amobee, shortly after collection. Shortly after we disclosed DataSpii to Amobee, they admitted they “index publicly accessible internet URLs as part of their product suite that allows advertisers to place ads based on a web page’s keywords and topics.” We reached out to Amobee inquiring whether they utilize a search tool to review the indexed data. We received no response.

Over 4 million users had these extensions. As a result, tens of thousands of companies were impacted by DataSpii. In our report, we document the impact to over 50 companies. However, even if you did not have one of the extensions, you may not be immune to the data leak. If you or someone with whom you communicated online had one of the invasive extensions installed on your computer, you may have been impacted by the DataSpii leak.

Through a process of responsible disclosure, we confirmed that staff at some of the largest corporations had one of the invasive extensions. In addition, we found many instances where one person was leaking the data of many. For example, if your accountant had one of the browser extensions, he/she may have unwittingly leaked the data of his/her clients.

In order to stop the data collection, we recommended uninstalling the extensions immediately.

To view your extensions in Chrome, manually enter the following URL in your browser: chrome://extensions
To view your extensions in Firefox, manually enter the following URL in your browser: about:addons

If you see any of the extensions listed, we recommend removing them.
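For a fleet, the same check can be scripted instead of opening chrome://extensions on every machine. The following is an added example, not part of the DataSpii report: it scans a Chrome user data directory (for example `~/.config/google-chrome` on Linux) for the Chrome extension IDs from the table above. The function names and the sample profile tree are constructed for illustration, and SaveFrom.net Helper is not covered because it has no Chrome ID.

```python
import json
import tempfile
from pathlib import Path

# Chrome extension IDs copied from the table on this page.
DATASPII_IDS = {
    "nonjdcjchghhkdoolnlbekcfllmednbl": "Hover Zoom",
    "pgeolalilifpodheeocdmbhehgnkkbak": "SpeakIt!",
    "gnamdgilanlgeeljfnckhboobddoahbl": "SuperZoom",
    "alecjlhgldihcjjcffgjalappiifdhae": "FairShare Unlock",
    "kelbkhobcfhdcfhohdkjnaimmicmhcbo": "PanelMeasurement",
    "dpglnfbihebejclmfmdcbgjembbfjneo": "Branded Surveys",
    "lpjhpdcflkecpciaehfbpafflkeomcnb": "Panel Community Surveys",
}


def find_listed_extensions(user_data_dir):
    """Return sorted (profile, id, name, version) tuples for every listed extension.

    Chrome unpacks extensions to <profile>/Extensions/<id>/<version>/manifest.json.
    """
    hits = []
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        if ext_id not in DATASPII_IDS:
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = data.get("version", "?")
        except (OSError, ValueError, AttributeError):
            version = "?"  # unreadable manifest: still report the directory
        hits.append((manifest.parents[3].name, ext_id, DATASPII_IDS[ext_id], version))
    return sorted(hits)


def demo():
    """Build a constructed profile tree (not real data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for profile, ext_id, version in [
            ("Default", "nonjdcjchghhkdoolnlbekcfllmednbl", "1.0.0"),  # listed ID
            ("Profile 1", "a" * 32, "2.3"),  # unrelated, constructed ID
        ]:
            ext_dir = Path(root, profile, "Extensions", ext_id, version + "_0")
            ext_dir.mkdir(parents=True)
            (ext_dir / "manifest.json").write_text(json.dumps({"version": version}))
        return find_listed_extensions(root)


if __name__ == "__main__":
    print(demo())
```

A hit means the extension's files are still on disk for that profile; removal through chrome://extensions is still the remediation the page recommends.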

In one instance, we found that a remotely deactivated extension did not stop the collection. Once the extension is removed, the collection should cease.

However, even if you do not have one of the identified extensions, you may be indirectly impacted. If you or someone with whom you communicate online had one of the invasive extensions installed on their computer, you may have been impacted by the DataSpii leak.

  1. Remove the extensions.
  2. As a precaution, if you have downloaded one of the identified extensions, you may consider changing your passwords. Additionally, if you access services through an API via a URL, you may consider changing your API keys.
  3. For web developers, corporations, and cybersecurity professionals, we recommend removing PII, CI, and sensitive material within metadata such as URLs. We propose that companies further protect their APIs by restricting access to whitelisted IP addresses.
  4. We make additional recommendations in Section 4.6 of our report
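Recommendation 3 can be turned into an audit of the URLs your own application generates, since the URL is what a collecting extension sees. The following is an added example, not code from the report: it flags credentials, email addresses and opaque access tokens in a URL and returns a redacted form. The parameter-name patterns, the 24-character token threshold and the sample URLs are assumptions chosen for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that usually carry credentials (matched on _/- separated words).
SECRET_NAME = re.compile(
    r"(?:^|[_-])(?:api[_-]?key|key|token|secret|passw(?:or)?d|pwd|session(?:id)?|auth)(?:$|[_-])",
    re.I,
)
EMAIL = re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I)
# Long opaque path segment, e.g. an unguessable share link that acts as a password.
OPAQUE = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9_-]{24,}")


def audit_url(url):
    """Return (redacted_url, findings) for one URL as a browser would request it."""
    parts = urlsplit(url)
    findings, query, segments = [], [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SECRET_NAME.search(name):
            findings.append(f"credential in query parameter '{name}'")
            value = "REDACTED"
        elif EMAIL.fullmatch(value):
            findings.append(f"email address in query parameter '{name}'")
            value = "REDACTED"
        query.append((name, value))
    for segment in parts.path.split("/"):
        if OPAQUE.fullmatch(segment):
            findings.append("opaque access token in path")
            segment = "REDACTED"
        segments.append(segment)
    redacted = urlunsplit(
        (parts.scheme, parts.netloc, "/".join(segments), urlencode(query), parts.fragment)
    )
    return redacted, findings


# Constructed sample URLs (example.com hosts, made-up values).
SAMPLES = [
    "https://api.example.com/v1/report?api_key=EXAMPLEKEY123&format=json",
    "https://files.example.com/share/4f9aQ2xT7bLmZ8cR1dVw6yHk3nPe/invoice.pdf",
    "https://shop.example.com/orders?email=jane.doe%40example.com",
    "https://example.com/docs/getting-started",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        redacted, findings = audit_url(sample)
        print(redacted, findings or "clean")
```

Run over access logs or a crawl of your own site, the findings show which endpoints need the secret moved into a request header or body.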

Chrome: Manually enter the following URL in your browser: chrome://extensions. On the following page, click Remove next to the extension in question.

Firefox: Manually enter the following URL in your browser: about:addons. On the following page, click Remove next to the extension in question.

  1. In Chrome, manually enter the following URL: chrome://extensions
  2. At the top-right of your screen, toggle “Developer mode”.
  3. Click ‘Inspect views background page’ next to the extension in question.
  4. Click the Network tab. Hit Command-R (Mac) or Ctrl-R (Windows) to refresh the page.
  5. Network activity may be logged there.

We have published an indicator (IOC) file to help security organizations add rules to detect and block the data leak. You can download the file here.

We have not heard of any reports; however, there is no way to know for sure if this has been exploited or used in the real world yet with malicious intent or for personal gain.

Sam Jadali discovered DataSpii while using a marketing intelligence service and noticed that a plethora of data was being collected. He then determined that the data in question was being collected by web browser extensions and contained PII, API keys and more. Sam is a cybersecurity and threat researcher.

Google and Mozilla responded to our findings and remotely disabled the extensions identified by our report.

While Opera extensions are not affected, the Opera browser is capable of running Chrome extensions. We reported our findings to Opera’s security team and they have also remotely disabled the Chrome extensions identified by our report.

Sam is continuously researching cybersecurity practices, threats and more. He further details the extent and nature of the DataSpii leak on his personal website, SecurityWithSam.com.

DataSpii (pronounced data-spy) was coined for the leak’s ability to spy on an individual’s personally identifiable information (PII). The PII acronym is also interchangeable with sensitive personal information (SPI).

Any operating system capable of running the browsers in question is affected.

The full report can be found on Sam's personal website, SecurityWithSam.com.
