Chrome extension privacy undone by hardcoded secrets, leaky HTTP

Of the extensions mentioned, Semrush level and PI level transmit users’ full browsing domains in plain text to rank.trellian.com, effectively revealing their web activity. MSN New Tab/HomePage sends a persistent machine ID, OS version and extension version using an unencrypted SendpingDetails request, which can be used to track users in a session.
In addition, although the DualSafe password manager does not leak passwords, it still sends analytics such as browser language and version over HTTP to stats.itopupdate.com.
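To check an unpacked extension for the kind of unencrypted endpoints described above, a reviewer can run a static scan like the following. It is an added example, not code from the article or the researchers; the two hosts are the ones named above, while the file names, URL paths and source lines in the sample are constructed.

```javascript
// Static audit of an unpacked extension for cleartext http:// endpoints.
// `files` maps a relative path to that file's text content.
const URL_RE = /\bhttp:\/\/([a-z0-9.-]+)(?::\d+)?[^\s"'`<>)]*/gi;
// Hosts that are not remote data sinks: loopback and XML/SVG namespace URIs.
const IGNORED_HOSTS = new Set(["localhost", "127.0.0.1", "www.w3.org"]);

function findCleartextEndpoints(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const m of line.matchAll(URL_RE)) {
        const host = m[1].toLowerCase();
        if (IGNORED_HOSTS.has(host)) continue;
        findings.push({ path, line: i + 1, host, url: m[0] });
      }
    });
  }
  return findings;
}

// Group findings per host so each cleartext destination is listed once,
// with every file:line location that references it.
function summarizeByHost(findings) {
  const byHost = {};
  for (const f of findings) {
    byHost[f.host] = byHost[f.host] || [];
    byHost[f.host].push(`${f.path}:${f.line}`);
  }
  return byHost;
}

// Constructed sample: hosts come from the article, everything else is invented.
const sampleExtension = {
  "manifest.json": '{\n  "manifest_version": 3,\n  "host_permissions": ["https://*/*"]\n}',
  "background.js": [
    'const RANK_API = "http://rank.trellian.com/lookup?domain=";',
    "fetch(RANK_API + encodeURIComponent(new URL(tab.url).hostname));",
    'const SVG_NS = "http://www.w3.org/2000/svg";',
  ].join("\n"),
  "stats.js":
    'navigator.sendBeacon("http://stats.itopupdate.com/collect", payload);\n' +
    'fetch("https://example.com/ok");',
};

const report = summarizeByHost(findCleartextEndpoints(sampleExtension));
console.log(report);
```

Any host the scan reports is worth confirming in a traffic capture, since a string match alone does not show what data is actually sent to it.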
“We used to refer to these (extended) BHO assistant objects as browser assistant objects – a very common way to compromise the various results of the browser, from stealing certificates and surveilling users to simply establishing users on the internet to identify and track users,” Bugcrowd CISO Trey Forey said. “Ultimately, this can manifest itself as a form of malware and inevitably create a new surface of attack that inevitably attacks and compromises a very secure browsing experience.”