With more than 1.3 million users, Diigo’s ‘Awesome Screenshot’ Chrome extension is an undeniably popular utility — but is its usefulness a front for something more sinister?
According to an investigation conducted by Miguel Jacq, a Linux system administrator with more than 10 years of experience, it seems so.
Despite the exuberant name Awesome Screenshot is doing something decidedly unawesome in the background: harvesting your browsing data.
Sniffing n’ Sleuthing
The behaviour in this add-on came to light when Miguel Jacq noticed hits to private URLs on one of the servers he manages were being made by something announcing itself as ‘niki-bot’.
Since this was pinging the kind of internal infrastructure links that regular web crawlers don’t have access to, Jacq dug a bit deeper, uncovering some kind of ‘browsing tracking’ software that was running on an employee’s computer.
“We had all visited many of the[se pages], but one user in particular was likely to have visited all of them due to the nature of their role. Virus scans showed up nothing on his computer,” he explains.
A bit of further sleuthing quickly threw up the culprit: Diigo‘s innocuous sounding ‘Awesome Screenshot’ extension for Google Chrome.
Awesome Screenshot Not Quite So Awesome After All
For all its usefulness the Awesome Screenshot tool is imbibed with an ulterior purpose: to track and send details of every page visited and search term entered by those with it installed. This data is shunted over to a third-party service at “lb.crdui.com“, a domain believed to be a redirect/API wrapper for the third-party service SimilarWeb.
If accurate, it’s likely that SimpleWeb pay Diigo to gather information on browsing habits, which they then subsequently sell or lease on to other companies for competition analysis purposes.
Now, in fairness, Diigo is not doing anything novel in partnering with a third-party company in this manner. The ‘malware’ furore earlier in the year flagged up the extent of the problem, forcing Google to bring in new guidelines that add-ons hosted in the store have to abide by.
Browsing habits are expensive currency in the online marketplace.
But while extensions tracking your every online move for the benefit of advertisers is nothing new, something about the way niki-bot works is. Rather than simply log sites and move on, this bot is allegedly still returning to tracked websites (including those private, internal pages) for reasons, as of writing, yet unknown.
‘No Personally Identifiable Data’
Diigo recently appended an updated privacy policy to the Chrome Web Store listing for this extension, which reads:
“Usage of the Awesome Screenshot browser extension requires granting it permission to capture anonymised click stream data. Anonymous usage and browsing activity may be collected for research purposes and may be shared in aggregate with third parties. No personally identifying information will be captured in connection with this data.”
But as Miguel Jacq notes, this truncated privacy statement contradicts the EULAs it goes on to link to, EULAs that usage of the software ‘agrees’ to. These state:
“…certain non-personally and personally identifiable information (the “User Information”) may be collected, stored and used for business and marketing purposes [and] includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioural, software and hardware information.”
‘No personal identifying information’ seems to be double-speak for ‘all the personal identifying information’!
Play It Safe, Kids
The takeaway in all this is that when you install an extension in Chrome don’t just idly click through the permissions prompt. Pay attention to what it is asking for; the next time you see “access all your data on all sites” maybe question whether sacrificing your privacy is a price worth paying.
How many of us actually take the time to read over install permissions, much less give thought to what something like ‘read and change all your data on websites you visit‘ might entail?
Judging by the 1.3 million users of Awesome Screen, clearly not enough.
For the full security rundown on niki-bot do read the full article on Miguel Jacq’s blog, linked to below.
- Source: H/t Miguel Jacq