Awesome Screenshot URL tracking and niki-bot

UPDATE: Awesome Screenshot 3.7.12 now offers an 'opt-out' setting to address this (but it's on by default) - read my new article here.

Back in June, my OSSEC logs alerted me to some web crawling activity by a crawler with a user-agent of 'niki-bot'. Chances are if you grep or analyse your web logs, you've seen it too.

That in and of itself is not especially unusual. If you're anything like me, you find that crawlers are all over your logs, 24x7. You especially know this if you are running OSSEC and getting rule 31151 ('Multiple web server 400 error codes from same source ip') triggered all the time. However, niki-bot is different, and it got my attention due to the nature of the URLs it was trying to hit. Here are some examples:

64.79.85.202 - - [09/Aug/2014:15:40:37 +0100] "GET /node/6059128/webform/configure HTTP/1.1" 403 4474 "-" "niki-bot"
64.79.85.202 - - [09/Aug/2014:15:39:39 +0100] "GET /admin/structure/pages/edit/node_view HTTP/1.1" 403 4483 "-" "niki-bot"
64.79.85.202 - - [09/Aug/2014:06:59:44 +0100] "GET /node/add_to_group/257998 HTTP/1.1" 403 22037 "-" "niki-bot"

Hmm. Very specific URLs relating to certain Drupal websites within the infrastructure. Not just arbitrary, opportunistic URLs such as /user/register, but actual edit pages of specific nodes that do exist.

Here's another from our Jenkins server, which requires authentication to view any such URLs:

64.79.85.202 - - [15/Jul/2014:21:42:02 -0400] "GET /view/Deployments/job/Deploy_XXXXXXXXX_application HTTP/1.1" 400 264 "-" "niki-bot"

Wow, that's very specific. That job definitely exists, but only staff who are logged in can see it.

And here's another, from Gitlab:

64.79.85.202 - - [31/May/2014:22:59:40 +0100] "GET /client/some-project/merge_requests/22 HTTP/1.1" 400 264 "-" "niki-bot"

Wow, a merge request URL. WTF?

See any common theme (other than, in these cases, the IP address)? These are very specific URLs that definitely do exist, but are effectively behind an 'auth-wall' which no normal bot can access. These are not URLs linked anywhere, and hence why no 'normal' crawler such as Googlebot etc ever finds them. Yet niki-bot does.

Somewhat alarmed, we collated via OSSEC all cases of the logs, and gradually a picture began to emerge. Even early on in the investigation, I was 90% sure that these were all URLs that a specific staff member had visited. We had all visited many of them, but one user in particular was likely to have visited all of them due to the nature of their role. Virus scans showed up nothing on his computer.

I was not the only one to experience this, but maddeningly, there was not much reported on the internet about it. One other person had reported a similar issue, regarding a Google AppEngine URL that only he could have used. He had had no response.

Email correspondence at the time has me saying in June, "The only way these URLs would be found is client-side. Maybe some browser plugin maliciously recording someone's (Bob's?) browsing history?".

Finally, Bob reviewed his browser extensions, and we were able to determine the only extension we couldn't be 100% sure of was 'Awesome Screenshot' by Diigo. The extension was subsequently disabled, but we still didn't know for sure if that was the culprit. Time passed and we moved on.

Picking up a lead

In early August, I happened across another thread, which was effectively a cross-post by the same AppEngine user above. But in this thread, he finally had had a response in July from another user 'Vlad':


I faced the same issue.

As I found out, the attacker used the URLs, which were provided to him by chrome extension. In my case it was awesomescreenshot extension in Google Chrome, which leaked all the internal pages (in admin account) I was visiting myself. So the bot later just pinged those.

When extension is installed basically it receives access to all the pages URLs you visit. I just removed the extension, now in doubts whether I need to reset all password of all my accounts, because potentially cookies also could be leaked.


Bolstered by this corroborating story, I decided to look further into this AwesomeScreenshot extension. It wasn't long before negative reviews on the Chrome app store led me to these two articles, which both seemed to confirm that the extension contains javascript which sends browsing activity in plaintext to an upstream service lb.crdui.com, which redirects or makes use of an API belonging to webovernet.com, which some say is part of a third service called SimilarWeb. To quote from some of these linked pages:


If you try to navigate to http://s1821.crdui.com/service2 it will redirect you to http://t1.webovernet.com/service2.

Note that.. "webovernet.com". Back to the linked article:

You can drop api28.webovernet.com and the other site into your browser to see where they lead, but we’ll save you the suspense: they are actually redirects for the API for a company called Similar Web, which is one of many companies doing this kind of tracking, and selling the data so other companies can spy on what their competitors are doing.


The relationship with niki-bot

None of the articles that explain the tracking by the extension, seem aware that the niki-bot crawler appears to return back to URLs harvested from such extensions as Awesome Screenshot, for who knows what purpose (reconnaissance of some sort?). That's fair enough, these guys may not be sysadmins with access to web logs. But per the AppEngine case, there was clearly a link.

So I began to wonder two things:

1) What is the relationship between crdui.com and webovernet.com/similarweb.com ?

2) What is the relationship between these and niki-bot?

Looking into crdui.com, which is a 'domains by proxy' privately-registered domain name like webovernet is, I noticed it was registered on December 24, 2013. Lo and behold, that just happens to be the date that my logs pick up niki-bot for the first time!

/var/log/apache2/other_vhosts_access.log.33.gz:207.182.143.242 - - [24/Dec/2013:22:37:50 +1100] "GET / HTTP/1.1" 200 13723 "-" "niki-bot" 115 14164

Meanwhile, other online services appear to link the IP 64.79.85.202 to both similarweb.com and niki-bot.

At least two IPs in my logs have been used by niki-bot: 209.190.113.82 and 64.79.85.202. These are in the 209.190.0.0/17 and 64.79.64.0/19 subnets announced by AS10297, belonging to eNET, Inc.

t1.webovernet.com, mentioned in one of the above articles, resolves to two IPs 209.190.8.242 and 64.79.86.18. Both in the same subnets as the above.

The Bitcoin service BitBargain, only 2 days ago, also wrote about the niki-bot and had their attention brought to it same as me - the 'secret' URLs standing out in the logs. Independently from my research, they were able to cross-reference the IP 64.79.85.202 to a known Adware executable called similarwebie.exe. The plot thickens! Their case may not have been from Awesome Screenshot - as Howtogeek reports, other Chrome extensions such as Hoverzoom have been known to send data to the webovernet service too. However, that extension, according to the article, at least offers an opt-out checkbox in its settings page.

The connection between these services and the niki-bot are still not clear to me, and perhaps never will be. I think it's unlikely that the crawler tool belongs to Awesome Screenshot, but more likely is part of a wider set of tools belonging to the advertising companies etc. I don't think it or the screenshot extension are used to harvest sensitive credentials, but clearly there is some sort of market value perceived in crawling the URLs for data later.

A closer look at the Awesome Screenshot extension

Returning to Awesome Screenshot, I decided to look at the source code of the extension and found that it indeed does POST requests to crdui.com URLs, evidently to get some sort of return value of whether there were 'related' URLs from the upstream service (presumably similarweb). Take a look at the extension's data on your hard drive, specifically the file 'javascripts/Tr/tr.js' (I guess 'Tr' here is short for 'tracker'). On my Linux machine running Chromium, this file is in ~/.config/chromium/Default/Extensions/xxxxxxxxxxxxxxxxxxxxx/3.7.11_0/javascripts/Tr/tr.js where xxxxxxxxxxxxxxxxx is presumably the identifier of the extension itself. I am basing the version number here on the new version 3.7.11 from August 14 (which actually came out after I first published this post.. but sadly that new version still continues to use this tracking nastiness).

Analysing the traffic in Wireshark the POST data appears to be twice base64-encoded (why?) and sent over plaintext to those URLs. Decoding the data shows essentially the URL string you visited. I couldn't find evidence that it captures or sends cookies or the actual POST data that is, say, sent in a login form (using gmail.com as a test) - just the URLs. Some people in the links/reviews have claimed it captures their session data but I didn't see this myself.

Hypertext Transfer Protocol
    POST /service2 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): POST /service2 HTTP/1.1\r\n]
            [Message: POST /service2 HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: POST
        Request URI: /service2
        Request Version: HTTP/1.1
    Host: s1821.crdui.com\r\n
    Connection: keep-alive\r\n
    Content-Length: 864\r\n
        [Content length: 864]
    Accept: application/json, text/javascript, */*; q=0.01\r\n
    Origin: chrome-extension://alelhddbbhepgpmgidjdcjakblofbmce\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36\r\n
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n
    Accept-Encoding: gzip,deflate,sdch\r\n
    Accept-Language: en-US,en;q=0.8\r\n
    \r\n
    [Full request URI: http://s1821.crdui.com/service2]
Line-based text data: application/x-www-form-urlencoded
    [truncated] e=Y3oweE9ESXhKbTFrUFRJeEpuQnBaRDA1UVhORmJtZHdPVFV3Tm5SclRWa21jMlZ6Y3owek1ETTBNVEEzTURneU1EVTNOelEwTURBbWMzVmlQV05vY205dFpTWnhQV2gwZEhCekpUTkJMeTkzZDNjdVoyMWhhV3d1WTI5dEwybHVkR3d2Wlc0dmJXRnBiQzlvWld4d0wyRmliM1YwTG1oMGJXd21kRzEyU

0000  52 54 00 12 35 02 08 00 27 c0 fe bb 08 00 45 00   RT..5...'.....E.
0010  05 76 d3 71 40 00 40 06 30 0c 0a 00 02 0f ad 2d   .v.q@.@.0......-
0020  78 c8 df 8f 00 50 56 f5 2d 1c 0f e2 68 02 50 18   x....PV.-...h.P.
0030  39 08 37 6d 00 00 50 4f 53 54 20 2f 73 65 72 76   9.7m..POST /serv
0040  69 63 65 32 20 48 54 54 50 2f 31 2e 31 0d 0a 48   ice2 HTTP/1.1..H
0050  6f 73 74 3a 20 73 31 38 32 31 2e 63 72 64 75 69   ost: s1821.crdui
0060  2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e   .com..Connection
0070  3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 43 6f   : keep-alive..Co
0080  6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 38 36   ntent-Length: 86
0090  34 0d 0a 41 63 63 65 70 74 3a 20 61 70 70 6c 69   4..Accept: appli
00a0  63 61 74 69 6f 6e 2f 6a 73 6f 6e 2c 20 74 65 78   cation/json, tex
00b0  74 2f 6a 61 76 61 73 63 72 69 70 74 2c 20 2a 2f   t/javascript, */

00c0  2a 3b 20 71 3d 30 2e 30 31 0d 0a 4f 72 69 67 69   *; q=0.01..Origi
00d0  6e 3a 20 63 68 72 6f 6d 65 2d 65 78 74 65 6e 73   n: chrome-extens
00e0  69 6f 6e 3a 2f 2f 61 6c 65 6c 68 64 64 62 62 68   ion://alelhddbbh
00f0  65 70 67 70 6d 67 69 64 6a 64 63 6a 61 6b 62 6c   epgpmgidjdcjakbl
0100  6f 66 62 6d 63 65 0d 0a 55 73 65 72 2d 41 67 65   ofbmce..User-Age
0110  6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20   nt: Mozilla/5.0
0120  28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f   (X11; Linux x86_
0130  36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f   64) AppleWebKit/
0140  35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c   537.36 (KHTML, l
0150  69 6b 65 20 47 65 63 6b 6f 29 20 55 62 75 6e 74   ike Gecko) Ubunt
0160  75 20 43 68 72 6f 6d 69 75 6d 2f 33 36 2e 30 2e   u Chromium/36.0.
0170  31 39 38 35 2e 31 32 35 20 43 68 72 6f 6d 65 2f   1985.125 Chrome/
0180  33 36 2e 30 2e 31 39 38 35 2e 31 32 35 20 53 61   36.0.1985.125 Sa
0190  66 61 72 69 2f 35 33 37 2e 33 36 0d 0a 43 6f 6e   fari/537.36..Con
01a0  74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69   tent-Type: appli
01b0  63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72   cation/x-www-for
01c0  6d 2d 75 72 6c 65 6e 63 6f 64 65 64 3b 20 63 68   m-urlencoded; ch
01d0  61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 41 63 63   arset=UTF-8..Acc
01e0  65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a   ept-Encoding: gz
01f0  69 70 2c 64 65 66 6c 61 74 65 2c 73 64 63 68 0d   ip,deflate,sdch.
0200  0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65   .Accept-Language
0210  3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30 2e 38   : en-US,en;q=0.8
0220  0d 0a 0d 0a 65 3d 59 33 6f 77 65 45 39 45 53 58   ....e=Y3oweE9ESX
0230  68 4b 62 54 46 72 55 46 52 4a 65 45 70 75 51 6e   hKbTFrUFRJeEpuQn
0240  42 61 52 44 41 31 55 56 68 4f 52 6d 4a 74 5a 48   BaRDA1UVhORmJtZH
0250  64 50 56 46 56 33 54 6d 35 53 63 6c 52 57 61 32   dPVFV3Tm5SclRWa2
0260  31 6a 4d 6c 5a 36 59 33 6f 77 65 6b 31 45 54 54   1jMlZ6Y3owek1ETT
0270  42 4e 56 45 45 7a 54 55 52 6e 65 55 31 45 56 54   BNVEEzTURneU1EVT
0280  4e 4f 65 6c 45 77 54 55 52 42 62 57 4d 7a 56 6d   NOelEwTURBbWMzVm
0290  6c 51 56 30 35 76 59 32 30 35 64 46 70 54 57 6e   lQV05vY205dFpTWn
02a0  68 51 56 32 67 77 5a 45 68 43 65 6b 70 55 54 6b   hQV2gwZEhCekpUTk
02b0  4a 4d 65 54 6b 7a 5a 44 4e 6a 64 56 6f 79 4d 57   JMeTkzZDNjdVoyMW
02c0  68 68 56 33 64 31 57 54 49 35 64 45 77 79 62 48   hhV3d1WTI5dEwybH
02d0  56 6b 52 33 64 32 57 6c 63 30 64 6d 4a 58 52 6e   VkR3d2Wlc0dmJXRn
02e0  42 69 51 7a 6c 76 57 6c 64 34 64 30 77 79 52 6d   BiQzlvWld4d0wyRm
02f0  6c 69 4d 31 59 77 54 47 31 6f 4d 47 4a 58 64 32   liM1YwTG1oMGJXd2
0300  31 6b 52 7a 45 79 55 46 52 52 64 30 31 45 53 58   1kRzEyUFRRd01ESX
0310  56 4e 55 31 6f 77 59 6c 64 5a 4f 55 31 54 57 6e   VNU1owYldZOU1TWn
0320  70 6a 61 6a 46 76 5a 45 68 53 64 30 70 55 54 6b   pjajFvZEhSd0pUTk
0330  4a 4d 65 54 6c 75 59 6c 64 47 63 47 4a 44 4e 57   JMeTluYldGcGJDNW
0340  70 69 4d 6a 42 32 53 6d 35 4f 65 56 42 58 61 44   piMjB2Sm5OeVBXaD
0350  42 6b 53 45 4a 36 53 6c 52 4f 51 6b 78 35 4f 57   BkSEJ6SlROQkx5OW
0360  35 69 56 30 5a 77 59 6b 4d 31 61 6d 49 79 4d 48   5iV0ZwYkM1amIyMH
0370  5a 4b 62 6b 35 35 55 46 64 6f 4d 47 52 49 51 6e   ZKbk55UFdoMGRIQn
0380  70 4b 56 45 35 43 54 48 6b 35 64 46 6c 58 62 48   pKVE5CTHk5dFlXbH
0390  4e 4d 62 57 52 32 59 6a 4a 6b 63 31 70 54 4e 57   NMbWR2YjJkc1pTNW
03a0  70 69 4d 6a 42 32 59 6c 64 47 63 47 4a 44 4f 47   piMjB2YldGcGJDOG
03b0  31 6a 4d 30 6b 35 59 55 68 53 4d 47 4e 49 54 57   1jM0k5YUhSMGNITW
03c0  78 4e 4d 45 56 32 54 44 4a 47 61 6c 6b 79 4f 54   xNMEV2TDJGalkyOT
03d0  46 69 62 6c 4a 36 54 47 31 6b 64 6d 49 79 5a 48   FiblJ6TG1kdmIyZH
03e0  4e 61 55 7a 56 71 59 6a 49 77 64 6c 55 79 56 6e   NaUzVqYjIwdlUyVn
03f0  6c 6b 62 57 78 71 57 6c 56 34 64 6c 6f 79 62 48   lkbWxqWlV4dloybH
0400  56 4b 56 45 35 48 59 7a 4a 57 65 57 52 74 62 47   VKVE5HYzJWeWRtbG
0410  70 61 55 31 56 36 55 6b 63 78 61 47 46 58 64 32   paU1V6UkcxaGFXd2
0420  78 4e 61 6c 70 33 57 56 68 4f 65 6d 46 59 57 6d   xNalp3WVhOemFYWm
0430  78 4b 56 45 35 46 5a 45 68 4b 4d 56 70 54 56 58   xKVE5FZEhKMVpTVX
0440  6c 4f 62 6b 70 30 53 6c 52 4f 52 56 70 74 52 6e   lObkp0SlRORVptRn
0450  4e 6a 4d 6c 56 73 54 57 70 61 61 6d 49 79 4e 54   NjMlVsTWpaamIyNT
0460  42 68 56 7a 55 78 57 6c 4e 56 65 6c 4a 48 61 44   BhVzUxWlNVelJHaD
0470  42 6b 53 45 4a 36 53 6c 52 4f 51 6b 78 35 4f 58   BkSEJ6SlROQkx5OX
0480  52 5a 56 32 78 7a 54 47 31 6b 64 6d 49 79 5a 48   RZV2xzTG1kdmIyZH
0490  4e 61 55 7a 56 71 59 6a 49 77 64 6d 4a 58 52 6e   NaUzVqYjIwdmJXRn
04a0  42 69 51 7a 68 73 54 57 70 61 65 6d 4e 35 56 58   BiQzhsTWpaemN5VX
04b0  70 53 52 45 56 73 54 57 70 61 65 6c 6b 79 54 57   pSREVsTWpaelkyTW
04c0  78 4e 4d 46 46 34 53 6c 52 4a 4d 6d 4a 49 55 6e   xNMFF4SlRJMmJIUn
04d0  52 6a 52 33 64 73 54 54 42 53 61 31 70 58 57 6d   RjR3dsTTBSa1pXWm
04e0  68 6b 56 33 67 77 53 6c 52 4a 4d 6d 4a 49 55 6e   hkV3gwSlRJMmJIUn
04f0  52 6a 52 33 68 71 57 56 64 4f 62 31 70 54 56 58   RjR3hqWVdOb1pTVX
0500  70 53 52 45 6c 73 54 57 70 61 62 47 4a 59 53 57   pSRElsTWpabGJYSW
0510  78 4e 4d 46 46 34 53 6d 35 4f 65 56 42 58 61 44   xNMFF4Sm5OeVBXaD
0520  42 6b 53 45 4a 36 53 6c 52 4f 51 6b 78 35 4f 58   BkSEJ6SlROQkx5OX
0530  52 5a 56 32 78 7a 54 47 31 6b 64 6d 49 79 5a 48   RZV2xzTG1kdmIyZH
0540  4e 61 55 7a 56 71 59 6a 49 77 64 6d 46 58 4e 54   NaUzVqYjIwdmFXNT
0550  42 69 51 7a 6c 73 59 6d 6b 35 64 46 6c 58 62 48   BiQzlsYmk5dFlXbH
0560  4e 4d 4d 6d 68 73 59 6b 68 42 64 6c 6c 58 53 6e   NMMmhsYkhBdllXSn
0570  5a 6b 57 46 46 31 59 55 68 53 64 47 4a 42 50 54   ZkWFF1YUhSdGJBPT
0580  30 25 33 44                                       0%3D

Base64-decoded output of this POST request:

s=1821&md=21&pid=9AsEngp9506tkMY&sess=303410708205774400&sub=chrome&q=https%3A//www.gmail.com/intl/en/mail/help/about.html&tmv=4002.1&tmf=1&sr=http%3A//gmail.com/&sr=https%3A//gmail.com/&sr=https%3A//mail.google.com/mail/&sr=https%3A//accounts.google.com/ServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%3A//mail.google.com/mail/%26ss%3D1%26scc%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2%26emr%3D1&sr=https%3A//mail.google.com/intl/en/mail/help/about.htm)


Furthermore, there appears no way to turn off this feature, even though Awesome Screenshot's Twitter feed is full of apologies to users 10 or so days ago from time of writing, apparently regarding a now-disabled 'price comparison' functionality that was also being injected.

To summarise

The tracking and transmission of your browsing history is happening automatically, silently, with no proper explanation in the extension's details on the Chrome App Store. The potentially sensitive URLs are sent over plaintext HTTP in easily base64-decryptable form, and through the use of some 'niki-bot' crawler (which is apparently so malicious its User-Agent requires obfuscation with no reference to SimilarWeb, Awesome Screenshot, or any other explanation for its use - nor does it bother to respect robots.txt), seems to intend to make further reconnaissance against these URLs at a later date. I see little difference between a client-side attack and this 'service', except that it can be argued that the end user willingly (but maybe unwittingly) entered into the agreement.

The extension's page provides only this vague disclaimer:

[Updated privacy policy] Usage of the Awesome Screenshot browser extension requires granting it permission to capture anonymized click stream data. No personally identifying information will be captured in connection with this data. Please review our specific EULA https://www.diigo.com/extensions_terms.html and privacy policy https://www.diigo.com/extensions_privacy.html for more details.


Why is this functionality necessary for a screenshot tool?

If it's not necessary, why is there no opt-out?

Their privacy policy states:

When users access the software, certain non-personally and personally identifiable information (the "User Information") may be collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.



Funny to see 'anonymized', 'personally identifiable information' and 'unique device identifier' listed in the same context. Without 'limitation'.

Is a URL 'private'?

Of course, any URL that is not completely firewalled off and reachable by a bot in some way (even if it 403s etc due to ACLs), is technically not 'private'. However, as @aussielunix noted, this client-side attack of sniffing traffic straight out of the browser would lead to exposure of things such as Private Gists at Github - hard-to-guess URLs that are not entirely private but also not intended for chance discovery, for whatever reason.

Furthermore, how anonymous is it when a crawler returns later to check the URL out? How is it anonymous when I can identify, based on this crawler, which user had installed the extension at one of the organisations I'm involved with, based on URLs that are not intended for third parties to know about? What about Dropbox share URLs, Spideroak temporary URLs? Or, in Bitbargain's case above, 'unique trade ID URLs... accessible only to the buyer and the seller involved in the trades'.

The fact is, URLs aren't anonymous. Any simple URL such as www.example.com/user/1234/edit, immediately indicates something other than 'anonymous' activity. Like all metadata, it can infer identity, infer activity.

Naturally any form of client-side compromise, keyloggers etc, runs the same risk of this sort of exposure of your browsing history. Tracking of user activity like this, is perhaps not even illegal (though I am astonished that Chrome allows it in this extension's case, given there seems no way to opt out!), since the advertising company can hide behind the veneer of 'market research' and 'analytics' to help their customers gain 'a competitive edge', yadda yadda.

It's a bit much in my opinion, though, to keep this a secret from users who are installing what appears to be a very popular browser extension, not to mention the apparent lack of opt-out functionality. It consistently came as a surprise to the users I spoke with who installed this tool that this was happening. When installing the extension, Chrome requires confirmation to allow the extension to 'Access your data on all websites / access your tabs and browsing activity'. Take the time to read this, and be aware that this means 'watch everything you do online, potentially reporting it to third parties silently'.

My advice is to disable this extension if you use it (and any such extensions that require such absurd permissions to your data), and also to report it to Chrome to see what their assessment is.



P.S How funny that there's a similarly named Android malware called 'Nickibot' whose purpose is to "steal information and send it to a remote server". Wow, that sounds familiar!

Related sourced articles

https://groups.google.com/forum/#!topic/google-appengine/jEihs3D7Gig
https://gist.github.com/mvirkkunen/89f61a06819530e48b53
http://superuser.com/questions/778479/network-sniffer-identifying-strang...
http://www.howtogeek.com/180175/warning-your-browser-extensions-are-spyi...
http://blog.bitbargain.com/post/94349494452/niki-bot-similarsites-spywar...

Tags: