8M users' AI conversations sold for profit by "privacy" extensions

Yeah IT pros and tech aware "power" users can always take these measures but the very availability of poor or maliciously coded extensions and apps in popular app stores makes it a problem considering normies will get swayed by the swanky features the software promises and will click past all misgivings and warnings. Social engineering attacks are impossible to prevent using technical means alone. Either a critical mass of ordinary people need to become more safety/privacy conscious or general purpose computing devices will become more & more niche as the very industry which creates these problems in the first place by poor review will also sell the solution of universal thin-clients and locked down devices, of course with the very happy cooperation of govts everywhere.

> I know that Google hates to pay human beings, but this is an area that needs human eyes on code, not automated scans.

I think we need both human review and for somebody to create an antivirus engine for code that's on par with the heuristics of good AV programs.

You could probably do even better than that since you could actually execute the code, whole or piecewise, with debugging, tracing, coverage testing, fuzzing and so on.

The question is, does Mozilla rigorously review every single update of every featured extension? Or did they just vet it once, and a malicious developer may now introduce data collection or similar "features" though a minor update of the extension and keep enjoying the "recommended" badge by Mozilla?

> I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program.

If you're feeling extra-paranoid, the XPI file can be unpacked (ZIP) and to check over the code for anything suspicious or unreasonably-complex, particularly if the browser-extension is supposed to be something simple like "move the up/down vote arrows further apart on HN". :P

While that doesn't solve the overall ecosystem issue, every little bit helps. You'll know it's time to run away if extensions become closed-source blobs.

The same applies to code editor extensions!

> They look really legitimate on the outside

If that looks use-italics "really legitimate" to you, then you might be easily scammed. I'm not saying they're not legitimate, but nothing that you shared is a strong signal of legitimacy.

It would take a perhaps a few hundred dollars a month to maintain a business that looked exactly like this, and maybe a couple thousand to buy one that somebody else had aged ahead of time. You wouldn't have to have any actual operations. Just continuously filed corporate papers, a simple brochure website, and a couple virtual office accounts in places so dense that people don't know the virtual address sites by heart.

Old advice, but be careful believing what you encounter on the internet!

https://www.manhattanvirtualoffice.com/

The NY address is a virtual office.

https://themillspace.com/wilmington/

The DE address is a virtual office plus coworking facility.

> Urban VPN is operated by Urban Cyber Security Inc., which is affiliated with BiScience (B.I Science (2009) Ltd.), a data broker company.

> This company has been on researchers' radar before. Security researchers Wladimir Palant and John Tuckner at Secure Annex have previously documented BiScience's data collection practices. Their research established that:

> BiScience collects clickstream data (browsing history) from millions of users Data is tied to persistent device identifiers, enabling re-identification The company provides an SDK to third-party extension developers to collect and sell user data

> BiScience sells this data through products like AdClarity and Clickstream OS

> The identical AI harvesting functionality appears in seven other extensions from the same publisher, across both Chrome and Edge:

Hmm.

> They look really legitimate on the outside

Hmm, what, no.

We have a data collection company, thriving financially on lack of privacy protections, indiscriminant collection and collating of data, connected to eight data siphoning "Violate Privacy Network" apps.

And those apps are free... Which is seriously default sketchy if you can't otherwise identify some obviously noble incentives to offer free services/candy to strangers.

Once is happenstance, twice is coincidence, three (or eight) times is enemy action.

The only thing that could possibly make this look any worse is discovering a connection to Facebook.

You can get a mailing address and phone number for like $15/mo. You can incorporate a US business for only a couple hundred dollars.

> Urban VPN is operated by Urban Cyber Security Inc., which is affiliated with BiScience (B.I Science (2009) Ltd.), a data broker company.

BiScience is an Israeli company.

Is the agent address real?

1000 N. WEST ST. STE. 1501, WILMINGTON, New Castle, DE, 19801

It almost matches this law firms address but not quite.

https://www.skjlaw.com/contact-us/

Brandywine Building 1000 N. West Street, Suite 1501 Wilmington DE 19801

Being a real business doesn't necessarily mean they can be trusted. Real companies do shady stuff all the time.

Judging from their website, all links eventually point to either the VPN extension download website, or a signup link. I'm not surprised if some nation state supported APT is behind this shit.

If Google would care at all for their users, they'd tell WhatsApp to not require the use of the Contacts permission only to add names to numbers when you don't share the Contacts with the App.

Or they'd tell WhatsApp to allow granting microphone permissions for one single call, instead of requesting permanent microphone permissions. All apps that I know of respect the flow of "Ask every time", all but Meta's app.

Google just doesn't care.

I think what's going on there is that "While using" includes when a navigation app is running in the background, which is visible to the user (via e.g. a blue status bar pill). "Always" allows access even when it's not clear to the user that an app is running.

The developer documentation is actually pretty clear about this: https://developer.apple.com/documentation/bundleresources/ch...

And what are the odds that mossad are getting access to this data?

For the same reason you trust your ISP? It handles all your internet traffic; and depending on where you live, probably has government-mandated back doors, or is willing to cooperate with arbitrary requests from law-enforcement agencies.

That's why TLS exists, after all. All Internet traffic is wiretapped.

A lot of people from poor countries where they can't access a lot of websites/services and also can't pay for a VPN use these "free" VPNs

but other than that I would never trust anything other than Mullvad/IVPN/ProtonVPN

The use case is people that are urged to view something that is blocked (torrent / adult / gambling). They want it now, and they don't want to get involved with some shady company that slaps on a 2 year contract and keeps extending indefinitely. These people instead find "free vpn" in the web store and decide to give it a try.

VPNs are just one example. How many chrome extensions do you have that you don't use all the time, like adblockers, cookie consent form handlers or dark mode?

Yeah free VPN is totally a problem, but there's TLS so at least those users aren't getting their bank account information stolen.

I would figure state actors don’t need to go through the trouble of a browser extension. But, yeah.

Download Valley strikes again!

I’m not sure there’s much more juice to squeeze here via automated or semi-automated means. They could perhaps be doing these kind of human-in-the-loop reviews themselves for all extensions that hit a certain install count, but that’s not a popular technique at Google.

Do you think Google wants to have the extensions system, given that this is how people block ads?

Google is doing code review on extensions?

Is this even a problem that code review could find? Once they have your conversation data what happens then isn't part of the plug-in.

Its the reason why they found it because the code was in extension. Before manifest v3, extensions could just load external scripts and there's no way you could tell what they were actually doing.

Let me ask you this way: How do you think they make money?