Your Chrome extensions may be spying on you

This image was removed due to legal reasons.

As internet browsers go, most security wonks generally agree that Google's Chrome is the best choice when it comes to privacy and online security.


But some of the Chrome store's most popular apps — Emoji Input, Speakit and SuperBlock Adblocker among them — are aggressively tracking their users, according to research by security startup Detectify. By installing third-party tracking scripts, some extensions are spying on every page a user visits, Detectify says, making it possible to "fingerprint" a specific user’s browsing history and gain access to any pages that include tokens used for authentication like Facebook Connect and shared links from sites such as Dropbox.

The extensions do this, Detectify found, by including default permissions that allow access to view all websites a user visits.

"Some of these permissions are legit, needed by the extension to work," Detectify writes, "But more often than not, the extensions are also embedding third-party scripts which are gathering all your browser traffic."

That browsing data is then put up for sale by third-party analytics services, available for viewing by anyone who pays for a monthly subscription fee.

In order to get a good sense of just how much user data is being tracked, Detectify signed up for one such service. The company found that among the data captured by the Chrome extensions was some sensitive browsing history, such as internal network URLs and pages that only one person had visited, which made it possible for the extension to access and identify a specific person's web history.

"They are sending over everything about you," the company wrote. "Every. Thing."

Detectify writes that the extensions are usually paid per user by the third party data companies to install the tracking code. That Chrome extensions are doing this is hidden in plain site, often identified in the fine print by text like this:

This image was removed due to legal reasons.

Some apps do offer the ability to opt out of tracking. Detectify recommends uninstalling any Chrome extension that is unclear about what data it collects and using incognito mode for browsing when using those extensions is a must. And in case you're wondering: Detectify says that Firefox isn't really any better.

All this makes it a little hard to swallow SuperBlock's tagline: "more privacy for you."