Good day.
It all started half a year ago. We are a small team working on a project; the project has already been launched and has been operating successfully for several months. At some point we were discussing visit statistics, traffic sources, and the like. The managers sent me a link to the SimilarWeb page for our resource. What I saw puzzled me greatly. Among other things, the page lists the subdomains that SimilarWeb has found. Imagine my surprise when I saw, in the top 5, internal subdomains that are used only by employees and are not accessible from the outside (such as jira.mycomp.org, ci.mycomp.org, git.mycomp.org).
Only one thing came to mind: someone on the team has some kind of nasty software that leaks data about visited URLs. Part of the team works remotely, and everyone has different operating systems and browsers. I talked to each person individually, asked them to scan their system with an antivirus, and requested a list of the extensions they use.
Googling turned up several articles about SimilarWeb's purchase of the Stylish extension. I installed the extension myself and made sure that it really does leak the data. How it works: when installing the extension, you agree to the terms of data collection (the extension is currently in the store and does not hide the fact that data will be collected for SimilarWeb). After that, whenever you go to any page (even https), the extension starts sending data in the background to the URL h___s://userstylesapi.com/tic/stats. It looks like this:

The e parameter in FormData contains data wrapped in Base64 twice:
ZG0xMFBUTW1iR0YyUFRJeEpuZDJQVEVtWjNJOU1pNHdMamttY0hobFBURm5aamhwTjJnNU5qVTVOekZ4ZERob05tTTVhamc0T0hCME5DWnpiblU5Sm1kd1BXaDBkSEJ6SlROQkpUSkdKVEpHZFhObGNuTjBlV3hsY3k1dmNtY2xNa1p6ZEhsc1pYTWxNa1ppY205M2MyVWxNa1p1WlhkbGMzUXRjM1I1YkdWekptTm9QVGttWkdrOVlUTmxNMlV5WVRneA==
Decoded:
vmt=3&lav=21&wv=1&gr=2.0.9&pxe=1gf8i7h965971qt8h6c9j888pt4&snu=&gp=https%3A%2F%2Fuserstyles.org%2Fstyles%2Fbrowse%2Fnewest-styles&ch=9&di=a3e3e2a81
Thus, with each click, information about the visited URL is transmitted.
We cleaned the work and home computers, removed the extension from those who had it, and added a note to our instructions for the future. After that, all we had to do was wait. SimilarWeb data is updated within one month.
However, two months passed, and the situation had not changed. The domains were still in the resource's list. So not everything had been cleaned out. We decided to track down the "culprit" another way. For each team member, a special URL of the following form was created: coder-124.mycomp.ru, coder-523.mycomp.ru, etc. Everyone was given the task of going to their URL daily and making a few clicks; the process was monitored so that no one would forget. After a month of tormenting the developers, we finally got results. One of the URLs appeared at the bottom of the list. Target detected; it remained to understand how the data was leaking.
The result surprised us: the data is being leaked by a Chrome extension ... But not Stylish ... As it turned out, the data is leaked by the friGate extension. When installing, the extension shows the following message:

Suppose so ... Then we looked at how it transmits this data:


When you go to any page, the following data is sent to two URLs (I wonder why two):

The e parameter in FormData contains data wrapped in Base64 twice:
Y3oweE9ERTBKbTFrUFRJeEpuQnBaRDFzWW5keE1FeHBTVW8xZFhFeWFEY21jMlZ6Y3owMU56TXpNVFl6TWpVeU1EazJOemd3TURBbWMzVmlQV05vY205dFpTWnhQV2gwZEhCekpUTkJMeTltY21rdFoyRjBaUzV2Y21jdmNuVXZKbWh5WldabGNtVnlQV2gwZEhCekpUTkJMeTkzZDNjdVoyOXZaMnhsTG5KMUx5WndjbVYyUFdoMGRIQnpKVE5CTHk5bWNta3RaMkYwWlM1dmNtY3ZjblV2Sm5SdGRqMDBNREUxSm5SdFpqMHhMakU9
Decoded:
s=1814&md=21&pid=lbwq0LiIJ5uq2h7&sess=573316325209678000&sub=chrome&q=https%3A//fri-gate.org/ru/&hreferer=https%3A//www.google.ru/&prev=https%3A//fri-gate.org/ru/&tmv=4015&tmf=1.1
I do not think that all of this data is needed to choose a proxy server. And the mechanisms are very similar.
By the way, in the friGate Light extension there is no such functionality ...
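To audit request bodies captured at a proxy for this pattern, the sketch below peels the Base64 layers from an e value and lists every field that carries a URL. It is an added example, not part of the original post and not code from either extension; the function names are my own, the e values are rebuilt by encoding the decoded strings shown above twice, and the watch list uses the post's placeholder domain mycomp.org.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Decoded payloads as shown in this post (Stylish, then friGate).
STYLISH = ("vmt=3&lav=21&wv=1&gr=2.0.9&pxe=1gf8i7h965971qt8h6c9j888pt4&snu="
           "&gp=https%3A%2F%2Fuserstyles.org%2Fstyles%2Fbrowse%2Fnewest-styles"
           "&ch=9&di=a3e3e2a81")
FRIGATE = ("s=1814&md=21&pid=lbwq0LiIJ5uq2h7&sess=573316325209678000&sub=chrome"
           "&q=https%3A//fri-gate.org/ru/&hreferer=https%3A//www.google.ru/"
           "&prev=https%3A//fri-gate.org/ru/&tmv=4015&tmf=1.1")

def wrap_twice(text):
    """Rebuild an e value for testing: Base64 applied twice (constructed input)."""
    once = base64.b64encode(text.encode("ascii"))
    return base64.b64encode(once).decode("ascii")

def unwrap_base64(value, max_layers=4):
    """Peel Base64 layers until a key=value&... string appears; return (text, layers)."""
    text, layers = value.strip(), 0
    while layers < max_layers and "&" not in text:  # "&" never occurs in Base64
        try:
            text = base64.b64decode(text, validate=True).decode("ascii")
        except ValueError:  # not Base64, or not ASCII text: stop peeling
            break
        layers += 1
    return text, layers

def leaked_urls(e_value):
    """Return {field: url} for every payload field whose value is an http(s) URL."""
    text, _ = unwrap_base64(e_value)
    fields = dict(parse_qsl(text, keep_blank_values=True))
    return {k: v for k, v in fields.items()
            if urlsplit(v).scheme in ("http", "https")}

def internal_hits(e_value, suffixes):
    """List (field, host) pairs whose host falls under a watched domain suffix."""
    hits = []
    for field, url in leaked_urls(e_value).items():
        host = (urlsplit(url).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in suffixes):
            hits.append((field, host))
    return hits

if __name__ == "__main__":
    for name, payload in (("Stylish", STYLISH), ("friGate", FRIGATE)):
        print(name, leaked_urls(wrap_twice(payload)))
```

Running internal_hits over logged e values with your own internal domain suffixes shows which machines' requests carried internal hostnames out.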
Instead of a conclusion.
I can assume that if there was a second extension, then there is a third and a fourth. Most likely, this kind of cooperation between SimilarWeb and the developers of browser extensions will develop further. I urge you to check your extensions (Chrome, Firefox - it doesn't matter) and, if you find one like that, write in the comments. It would be interesting to know how deep the problem goes.
And remember, big brother is always watching you :)
All the best.