Probably not surprising but the browser extension “Keepa – Amazon Price Tracker” is keeping close track of your shopping behavior. What makes this case particularly notable is its privacy policy which claims otherwise.

For anybody concerned that my previous article on Amazon Assistant only discussed potential threats: here is the actual data being collected for “analytics” purposes. Lots of it and linked to the user’s Amazon account.

Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server.

Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users.

It deeply satisfies me to see search requests like “is miui spyware” in my logs. So people actually want to know, and they find my article. I hope that quite a few choose not to buy hardware then.

Older research by so Canvas Defender was adding constant noise to the canvas data, and that noise vector could be easily extracted. Not only did this allow removing the noise, it was also an additional attribute!

Those browser extensions with anti-fingerprinting functionality? The sad truth is, they usually make matters worse. Not only do they fail to remove fingerprinting data reliably, they give websites additional data to work with.

Hey , don’t you want to start using Referrer Policy on your website? Currently, when your users click a link you will typically leak their user ID and some info about how they organize their feeds via the Referer header.
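To make the leak in this post concrete: the Referer header a browser attaches to an outgoing link depends on the page's Referrer-Policy, and with a lax policy the full URL of the referring page (including any user ID and folder names in its path or query) goes to the linked site. The following is an added example, not code from the original post; it implements the eight policy values from the W3C Referrer Policy specification and evaluates them against constructed sample URLs (`feeds.example`, `blog.example`, the user ID `12345`). The fallback policy when none is set is assumed to be `strict-origin-when-cross-origin`, which is the current browser default; older browsers defaulted to `no-referrer-when-downgrade`.

```python
"""Compute the Referer value a browser sends for a given Referrer-Policy.

Added example (not part of the original post). The decision rules follow
the W3C Referrer Policy spec; all URLs below are constructed sample values.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumed fallback when the page sets no policy (current browser default).
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def _host_port(url: str) -> str:
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port is not None else host


def origin_of(url: str) -> str:
    """Origin as it appears in a Referer header: scheme://host[:port]/"""
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"


def stripped_url(url: str) -> str:
    """Full URL minus fragment and credentials (never sent in Referer)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path or "/", p.query, ""))


def is_downgrade(src: str, dst: str) -> bool:
    """HTTPS page linking to plain HTTP is a 'downgrade' in the spec."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def same_origin(src: str, dst: str) -> bool:
    return origin_of(src) == origin_of(dst)


def referer_for(policy, src: str, dst: str):
    """Return the Referer header value, or None if nothing is sent."""
    policy = policy or DEFAULT_POLICY
    full, org = stripped_url(src), origin_of(src)
    so, down = same_origin(src, dst), is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if down else full
    if policy == "origin":
        return org
    if policy == "same-origin":
        return full if so else None
    if policy == "strict-origin":
        return None if down else org
    if policy == "origin-when-cross-origin":
        return full if so else org
    if policy == "strict-origin-when-cross-origin":
        if so:
            return full
        return None if down else org
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


def leaks_path(policy, src: str, dst: str) -> bool:
    """True if the referring page's path/query (e.g. a user ID) reaches dst."""
    sent = referer_for(policy, src, dst)
    return sent is not None and sent != origin_of(src)


# Constructed sample: a feed reader page whose URL embeds the user ID and
# folder name, linking out to a third-party blog.
FEED_PAGE = "https://feeds.example/user/12345/folders/tech?view=list#top"
EXTERNAL_LINK = "https://blog.example/post/1"

if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "unsafe-url", None,
                "strict-origin", "same-origin", "no-referrer"):
        sent = referer_for(pol, FEED_PAGE, EXTERNAL_LINK)
        print(f"{str(pol):32} -> {sent!r}  leaks path: {leaks_path(pol, FEED_PAGE, EXTERNAL_LINK)}")
```

Any of `strict-origin-when-cross-origin`, `strict-origin`, `same-origin` or `no-referrer` keeps the user ID and folder structure off the third-party site; setting one of them via the `Referrer-Policy` response header or a `<meta name="referrer">` tag is the fix the post asks for. Note that `no-referrer-when-downgrade` only suppresses the header on HTTPS-to-HTTP links, so the full URL still leaks to every HTTPS destination.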

“So is this some outdated functionality that is no longer in use and that nobody bothered removing yet? Very likely. Yet it could jump to life any time to collect more detailed information about your browsing habits.”

“So that’s where this Honey privacy statement is clearly wrong: while the data collected doesn’t contain your email address, Honey makes sure to associate it with your account among other things. And the account is tied to your email address.”

So when I order something in a -based shop, and they show the shipping address on the map in the order confirmation – they implicitly tell Maps which shops I buy at and when, and there is no opt out? How convenient…

The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data?

I've published an update on the situation (no technical details this time). Yes, a change has been implemented. The default behavior is nothing short of horrifying however. If you use a Xiaomi browser, you should ditch it ASAP.

I investigated the inner workings of 's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.

Whisper app: yet another company which had no qualms about collecting as much data of their presumably anonymous users as possible. And then they carelessly exposed the dirty secrets to the public, along with identifying metadata.

While Avast is planning to shut down Jumpshot, there is an ongoing investigation into their practices. I wonder how this will go, according to Avast they are fully compliant...

Even this limited sample contains lots of names, email addresses and even home addresses of Avast users. Jumpshot customers could have easily deanonymized the users the data belongs to, and some probably did.

I got my hands on a sample of Jumpshot data. My analysis confirms what everybody already suspected: Avast failed to anonymize the data they sold, leaving plenty of personal data untouched.

I'm rather late to the party but the Avast story took the not quite unexpected turn. I wonder whether this investigation will really conclude that Avast's practices were all GDPR-compliant.

keeps stating that any data shared with was "de-identified." Experts have been skeptical (in fact, I found a four-year-old quote from @gcluley on the matter) and I now found quite a bit of info suggesting that they were right.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.