Security researcher Charlie Belmer tests out Mozilla plugins

In today’s digitally reliant world of unpatched vulnerabilities and endless terms and conditions, it feels like there’s no escaping the fact that your personal data can be collected – or potentially abused.

This click-friendly environment, one that favors convenience over any future implications, has made browser plugins an area of particular concern when it comes to personal information security.

“Plugins ask for a lot of trust,” says Charlie Belmer, director of Secure DevOps at GE Power.

“By installing them, we give them access to significant amounts of information about us, both explicit and implicit.”

Belmer recently launched a project outlining the data collection ability of Firefox browser plugins with over 1,000 installs – approximately 1,300 of them, most boasting privacy-conscious results.

Each plugin is rated on passive data collection, that is, whether it tracks page views without any user interaction. Belmer gathered the plugin listings from Mozilla with the open source Scrapy crawler and used them to make that determination.

“There are a number of plugins that send details about every page you visit, which is kinda scary when you think about it,” Belmer told The Daily Swig.

“Those data sets can be used for things like discovering proprietary business information, health information, and more.”

Belmer also took into account if a browser plugin responded to third-party data requests and, on top of that, whether it sent more than one request.

“The ones to really watch out for are the plugins that send one or more requests for every page the browser looks at,” he said.

The majority of Mozilla plugins (91%) send no third-party requests, and only 69 (5%) send more than a single request, Belmer found.
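To make the rating scheme concrete, here is an added example that applies Belmer's categories to a constructed request log; it is not his crawler or its data, and the plugin names, URLs and the crude registrable-domain check are assumptions for illustration:

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log: requests observed while a page is loaded with a given
# plugin installed. Fields: (plugin, page_url, request_url, user_triggered).
OBSERVED = [
    ("local-only", "https://example.com/a", "https://example.com/a", False),   # first-party fetch
    ("local-only", "https://example.org/b", "https://example.org/b", False),
    ("one-beacon", "https://example.com/a", "https://telemetry.example.net/v", False),
    ("one-beacon", "https://example.org/b", "https://telemetry.example.net/v", False),
    ("chatty", "https://example.com/a", "https://collect.example.net/hit", False),
    ("chatty", "https://example.com/a", "https://collect.example.net/page", False),
    ("chatty", "https://example.org/b", "https://collect.example.net/hit", False),
    ("on-click", "https://example.com/a", "https://api.example.net/scan", True),  # user clicked
]

def registrable(host):
    # Assumption: treat the last two DNS labels as the registrable domain (no PSL lookup).
    return ".".join(host.split(".")[-2:])

def is_third_party(page_url, request_url):
    """True when the request leaves the registrable domain of the page being viewed."""
    return registrable(urlsplit(page_url).hostname) != registrable(urlsplit(request_url).hostname)

def classify(records):
    """Map each plugin to 'none', 'single' or 'multiple' based on passive third-party
    requests per page view; requests the user explicitly triggered do not count."""
    per_page = defaultdict(Counter)
    for plugin, page, req, triggered in records:
        if triggered or not is_third_party(page, req):
            continue
        per_page[plugin][page] += 1
    result = {}
    for plugin in {r[0] for r in records}:
        counts = per_page.get(plugin)
        if not counts:
            result[plugin] = "none"
        elif max(counts.values()) > 1:
            result[plugin] = "multiple"   # more than one request for a single page view
        else:
            result[plugin] = "single"
    return result

def summarize(categories):
    """Percentage of plugins in each category, rounded to whole numbers."""
    total = len(categories)
    return {cat: round(100 * n / total) for cat, n in Counter(categories.values()).items()}
```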

Browser plugins from security vendors such as Comodo, Avast, Norton, and Avira were unsurprisingly the least privacy conscious of the bunch.

“When you couple that with the data they are likely collecting from desktop AV [antivirus] products, it is an ugly picture,” Belmer said, explaining that these plugins typically report every site visited to the vendor, rather than checking visited URLs against regularly updated blacklists and whitelists held locally.

“I have never heard of them using that data for anything bad, but as a privacy advocate and developer, I don’t see a good reason for the design, aside from data collection for individualized and aggregate analytics,” he added.

Shodan, an IoT security search engine, was also fairly high on the list, scraping data at a constant rate and sending data on every request.

“I believe the service has to send data back to Shodan to get results, so I don’t necessarily mind sending the data,” Belmer said.

“I do have a problem that data is sent without plugin interaction. In this case, I would want the plugin to send data when I did something like open a page -> click Shodan plugin -> click ‘analyze url for vulnerabilities’ or something similar.”

Plugins permitting zero interaction data collection were the main focus of Belmer’s project, as opposed to those that gather information based on user clicks.

“While it’s true that most plugins will access the page you are visiting to perform some action, only a minority of plugins actually send what they see back to a separate web service to be collected by a company,” Belmer said.

“Rather, everything is kept local within the browser and the user’s machine – where it generally should be.”

For plugins that do rely on central services, however, Belmer thinks developers need to be more up front about how and when they collect data.

“Generally, I don’t ever want my browsing data collected and stored,” he said.

“If they [plugins] do send any data back to a central service, they should comply with GDPR, and allow me to view and delete the data from their storage.”

He added that plugins should only collect data when it’s explicitly requested, and hopes to expand his project to extensions made for Chrome.

“I certainly use Firefox because it is a great browser that also generally respects privacy,” he said.

“It isn’t the most private browser you can use, but is highly configurable and they do seem to take their plugin marketplace more seriously than Chrome/Google does.”

Belmer recommends sticking with EFF Privacy Badger, uBlock Origin, uMatrix, Bitwarden, and User-Agent Switcher – plugins designed to “enhance privacy or security”.
