Back on the 12th August I wrote about my discovery of forced opt-in spyware in the popular Google Chrome extension 'Awesome Screenshot', which tracks and sends all browsing history over plaintext HTTP to an upstream marketing service.

The article was picked up by Hacker News, several Reddits, and even Matt Mullenweg, the creator of Wordpress. It received over 25,000 visits and several tech-related blogs spanning more than four different languages subsequently wrote about it. One enterprising infosec researcher even wrote Snort signatures for detecting it - finally, something truly 'Awesome' to come out of this :)

The extension itself received numerous poor ratings in the Chrome store and, according to my records, dropped over 10,000 installations.

None of this was apparently enough for Diigo or Awesome Screenshot to respond to the volume of complaints directed at them on Twitter, nor for Google to pull the extension down from their store despite many who confirmed they reported it for abuse. Silence is the same as a loud 'shut up, user!' in my opinion, and it was disappointing to 'hear' it.

Nonetheless, it appears a new update to Awesome Screenshot has arrived in the store as of the 26th August: version 3.7.12. I installed this version in a sandbox and found that the behaviour I reported on, remains the default behaviour - that being, your browsing activity being sent upstream over plaintext HTTP to the lb.crdui.com / SimilarWeb service. The spyware contained in javascripts/Tr/tr.js is still present and loaded in the source code.

However, there is now a setting hidden in a collapsed 'Advanced Option' section of the extension's Options (preferences) page, which contains a checkbox that states:

Enable non-personal, anonymous usage statistics.

Help us collect non-personal, statistical URL information. These URLs are used to get popular URLs for marketing research purpose. It helps us generate a small mount [sic] of money to support the development.

The checkbox is turned on by default - that means that existing or new users who upgrade or install the extension, will not experience anything different to the original behaviour, unless they view the Options page and uncollapse this section to turn off the checkbox. Diigo are doing their best to try and ensure you don't do this.

I unchecked the setting, clicked Save, restarted my browser, and I can confirm that the functionality works as expected - no longer do I see my data go upstream to the lb.crdui.com or s.sitebeacon.co in this way.

So there you have it - we complained, and Awesome Screenshot 'responded' (in a rather indirect way) by making it possible to at least opt-out of this nasty behaviour. Having said that, the tracking javascript is still loaded in the background.html - just conditionally activated via javascripts/CBDC/CBDC.js depending on your settings.

Either way, this is an extension with a long history of upsetting its more tech-savvy customers by injecting ads and other unwelcome 'features' in the past. Here are some historical articles on this sort of thing perpetrated by this organisation:

Think Twice Before Installing Any Chrome Extension - August 18 2011
Screenshot extension injects ads - June 19 2014

As well as comments in their own extension's Details page:

"Sorry for the messing up of price comparison feature. We already removed it in this new version."

"[Optional search enhancement feature】Since many users don't like it, we remove this feature."

Given the new 'opt-out' feature is tucked away quietly and is not mentioned in the Details of the extension in the Chrome App store, it would not be unreasonable of you to assume that similar nasty decisions will be made at your expense by this organisation in the future. The evidence and the history gives little reason to think otherwise. Not to mention whether other nefarious settings may appear in future upgrades which are turned on by default, with no encouragement given to the user to check any such new options post-upgrade.

What bothers me more than any of this, and as a systems administrator leaves me still unsatisfied by the change, is this still unexplained 'niki-bot' crawler, which returns regularly to my servers to scrape or conduct reconnaissance (who knows?) on URLs harvested by this auto-enabled setting. That is not going to go away now - thanks very much! As I've already mentioned, the bot doesn't respect robots.txt, so don't bother Disallow'ing it there. Just put a blanket ban on it via mod_rewrite, OSSEC active-response rules, Snort, or whatever suits you. This thing needs to just die.

You can read this OMGChrome article to find out alternative screenshot extensions who don't assume their customers' data is a commodity to be traded, hidden, behind the scenes.

If you are reading this, you are probably savvy enough to know always to do your research first on what software you're installing/using. Finally, I highly recommend running some form of outbound firewall to trap this sort of thing - Little Snitch for Mac (as seen in the first screenshot), is an excellent example. If you can recommend equivalent software firewalls for Windows/Linux, put it in the comments.