Security News This Week: Browser Extensions Scraped Data From Millions of People

Slack passwords, NSO spyware, and more of the week's top security news.

Europeans had to navigate by the stars this week—well, GPS, but still—after the continent's burgeoning Galileo satellite navigation network went dark for a full seven days. The incident is a warning for everyone of how fallible the infrastructure of our modern lives really is.

In more uplifting news, security researchers built an app designed to kill, to prove a point about the intense risks of internet-connected health devices and the need for the companies that make them to stop ignoring those risks. (Wait, sorry, murder apps are not uplifting.)

We explained how to clear out your zombie apps and online accounts, and why Microsoft’s very serious BlueKeep bug hasn’t wreaked havoc on the Windows devices of the world. Yet.

Oh, and we—like everyone else—took note of this week’s viral app, FaceApp, which shows you how you’ll look when you’re old. Though people were quick to point out its security risks, we reminded you that if you’re worried about FaceApp, you’re really going to panic when you learn about a little old app called Facebook.

But that’s not all. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

If you use browser extensions, you’ll want to read this. Ars Technica reporter Dan Goodin brings news of a major new privacy failure, dubbed DataSpii, recently unearthed by security researchers. It seems that some widely used Chrome and Firefox browser extensions scraped and sold the data of more than 4.1 million people, until the researchers alerted Google and Mozilla. These extensions took the URLs and other details from your browsing history and sold them to a data firm called Nacho Analytics, which marketed itself as providing a “god mode for the internet.” Nacho Analytics then published them, for a fee. Because of the way many of the pages were protected—or rather, not protected—those published links often allowed anyone holding them to see the content of the pages themselves. Among the sensitive pieces of information spilled? Tax returns, doctor-patient communications, and links to Nest cameras. The scariest thing about DataSpii is that it likely represents a small fraction of the extensions out there invading your privacy. As Goodin found when he dug into the research, many of these extensions and Nacho Analytics disclose this collection and resale in the fine print of their terms of service. So what can you do to protect yourself? First, read the whole Ars story to see if you were caught up in DataSpii, and second, read the fine print before installing any extension.

An Israeli spyware company popular with intelligence agencies across the world, and famous for exploiting WhatsApp with just a phone call, has a new sales pitch. Citing unnamed sources, the Financial Times reports that NSO Group is now telling governments and potential customers that its spyware can access personal data from the servers of all the Big Tech companies. The important thing to note, though, is that it apparently claims to do so by compromising the authentication tokens stored on your device, which let the spyware impersonate you to those services. In other words, they haven't hacked the cloud, but the smartphones and computers of people who access it. Bottom line, as always: If a nation state targets you, you're toast.

How do you hack an election? Let me count the ways. Through disinformation campaigns, gerrymandering, breaching voter rolls, and—oh yeah—targeting the voting machines themselves. Though experts have warned for years that voting machines are insecure, companies and municipalities have been slow to upgrade and secure them—despite voting machines being listed as critical infrastructure by the US government. This week, software giant Microsoft announced it has developed open source software that can help make voting machines more secure. The company is giving the software away for free in the hope that it can help shore up systems ahead of the presidential election next year. Microsoft also announced it has found 781 attempted cyberattacks by foreign hackers targeting political organizations so far this year.

After Slack was breached in 2015, the company reset the passwords of those whose accounts had been affected. But recently, the company says, it received a batch of breached credentials through its bug bounty program and realized they were from the same 2015 incident. On Thursday it announced it had decided to reset the passwords of all users who were active on Slack during the 2015 breach. If you, like me, are one of those people but haven’t had your password reset by Slack, that’s likely because you had already changed it since 2015, or you use some kind of single sign-on authentication service, according to Slack.
