About the Chrome browser extension (plugin) SpeakIt, which was sending data (not detected by Avast, but detected by Norton)

Norton showed the following warning:

 

Norton Malicious Browser Extension SpeakIt Chrome add-on

Incidentally, when I looked at the add-on (extension) settings, it had been turned off.

Did Norton turn it off automatically?

SpeakIt, an extension for Chrome

chrome://extensions/?id=pgeolalilifpodheeocdmbhehgnkkbak

The provider is listed as

Source: Chrome Web Store

and it appears to be developed by a company called skechboy.com.

I wonder how it was carrying out its attack.

Privacy policy comparisons can be made here:

Hover Zoom: http://www.hoverzoom.net/disclosure/_pp.pdf
SpeakIt!: http://skechboy.com/speakit/disclosure/_pp.pdf
FairShare Unlock: http://privacy-policy.fairsharelabs.com/ 
PanelMeasurement: https://www.panelmeasurement.com/privacy 
SuperZoom: http://funnerapps.com/privacy.php
SaveFrom.net Helper: https://en.savefrom.net/privacy-policy.html
Branded Surveys: https://surveys.gobranded.com/page/branded-surveys-privacy-policy
Panel Community Surveys: https://www.panelmeasurement.com/privacy 

DataSpii - A global catastrophic data leak via browser extensions

securitywithsam.com

 

Extension #2: SpeakIt!

Available on: Chrome
Chrome Web Store extension ID: pgeolalilifpodheeocdmbhehgnkkbak
Installation count: 1,494,570 users (Chrome Web Store, May 18, 2019)
Chrome Web Store link: https://chrome.google.com/webstore/detail/speakit/pgeolalilifpodheeocdmbhehgnkkbak?hl=en-US
Website/developer: Skechboy.com
Privacy policy: https://skechboy.com/speakit/disclosure

Background

The Chrome Web Store describes SpeakIt!, which has more than 1.4 million users, as a “free text to speech extension that reads selected text using TTS technology with language auto-detection” [17]. Like Hover Zoom, SpeakIt!’s data collection process did not begin until 24 days after installation.

SpeakIt!’s history is provided in the Discussion section of this report.

SpeakIt! observations

GET or POST Requests to the following hostnames were observed:
skechboy.com
cr-b.getspeakit.com
cr-b.hvrzm.com
cr-input.getspeakit.com

Data collection process

The SpeakIt! data collection patterns exhibit stark similarities to those of Hover Zoom. Immediately after installation, a GET request was made to cr-b.getspeakit.com noting the installation time along with a unique browser ID. Using Burp Suite, we captured such requests. The requests can be seen in a series of figures that follow. We identify the individual GET and POST requests using the request number located in the left-hand column of the screenshot (see Figure A1).


Figure A1. On Feb 5, 2019, SpeakIt! was installed on a newly provisioned Windows Server 2016 Standard virtual machine with Chrome, Burp Suite, and the FoxyProxy Standard extension preinstalled. Immediately upon SpeakIt! installation, GET request #69 was made to cr-b.hvrzm.com with parameters notating the installTime and browser ID. After installation, browser activity data collection was not observed until March 1, 2019.


Figure A2. Response to GET request #2090. Interestingly, the 156KB response from cr-b.getspeakit.com also mentions the hostname cr-b.hvrzm.com.

Excluding the orange-highlighted text in Figure A2, nearly all contents of the response were saved within the following file: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\File System\001\p\00\00000000


Figure A3. Request #5576. A POST request is made to cr-input.getspeakit.com containing an encoded payload with browsing activity data. The encoded data from this figure can be viewed here and decoded using the DataSpii decoder: https://decoder.dataspii.com.

 


Figure A4. The partially redacted URL of GET Request #5562 from Figure A3 can be seen in the Google Analytics property that obtains its data from the Company X service. Like Hover Zoom, SpeakIt! performs redaction of parameters such as “lastname”; it does not redact all forms such as “last.” The redaction was visible in the decoded POST request.
Note: This is a screenshot of data within a Google Analytics account populated by Company X.

Note: "redaction" means editing, revision, or a revised edition.
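The hostnames and the Feb 5 / March 1 timeline in the report excerpt above can be turned into a proxy-log check. This is an added example, not code from this post or from the DataSpii report; the log line format, client IPs, request sizes and the look-alike hostname are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Hostnames the quoted DataSpii report lists for SpeakIt! (taken from the page).
SPEAKIT_HOSTS = ("skechboy.com", "cr-b.getspeakit.com",
                 "cr-b.hvrzm.com", "cr-input.getspeakit.com")
UPLOAD_HOST = "cr-input.getspeakit.com"  # host that received the encoded POSTs

# Constructed sample log. Assumed (hypothetical) line format, adapt to your proxy:
#   <ISO timestamp> <client IP> <METHOD> <URL> <request body bytes>
SAMPLE_LOG = """\
2019-02-05T10:02:11 10.0.0.5 GET http://cr-b.hvrzm.com/ 0
2019-02-20T09:00:00 10.0.0.9 GET http://skechboy.com.example.org/ 0
2019-03-01T14:20:00 10.0.0.5 POST http://cr-input.getspeakit.com/ 2048
2019-03-01T14:25:30 10.0.0.5 POST http://cr-input.getspeakit.com/ 1790
malformed line
"""

def is_speakit_host(host):
    """Exact or subdomain match only, so look-alike names are not flagged."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SPEAKIT_HOSTS)

def parse_line(line):
    """Return (time, client, method, host, body_bytes), or None if unparseable."""
    parts = line.split()
    try:
        when, size = datetime.fromisoformat(parts[0]), int(parts[4])
    except (IndexError, ValueError):
        return None
    return when, parts[1], parts[2].upper(), urlsplit(parts[3]).hostname or "", size

def summarize(log_text):
    """Per client: first contact, first upload, upload volume, dormancy in days."""
    out = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        when, client, method, host, size = rec
        if not is_speakit_host(host):
            continue
        s = out.setdefault(client, {"first_seen": when, "first_post": None,
                                    "posts": 0, "post_bytes": 0})
        s["first_seen"] = min(s["first_seen"], when)
        if method == "POST" and host == UPLOAD_HOST:
            s["first_post"] = min(s["first_post"] or when, when)
            s["posts"] += 1
            s["post_bytes"] += size
    for s in out.values():  # dormancy: gap between first contact and first upload
        s["dormancy_days"] = s["first_post"] and (s["first_post"] - s["first_seen"]).days
    return out
```

A client whose `dormancy_days` is still `None` has contacted the listed hosts but has not yet been seen uploading, which matches the delayed-collection behaviour the report describes.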

Chrome Extension

The warning shown above is displayed.

 

SpeakIt was a tool that had even been introduced in the book "Assistive Technology":

Assistive Technology - Emily C. Bouck - Google Books

books.google.co.jp

https://www.amazon.com/Assistive-Technology-Emily-C-Bouck/dp/1483374432/ref=sr_1_3?keywords=Assistive+technology&qid=1579890582&sr=8-3

www.amazon.com

I wonder just what information SpeakIt was sending to Skechboy.com.

 

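Incidentally, there is also an add-on extension with a similar name:

Speak It for Chrome - Text to Speech - Chrome Web Store

chrome.google.com

You just select text, right-click, and choose the icon, and it reads the text aloud.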