Google has removed a data-scraping Chrome extension from its browser mart after security firms reported that the add-on was silently transferring information about more than a million users.
The Webpage Screenshot extension had been downloaded more than 1.2 million times, according to a cached version of its Chrome Web Store page.
The add-on was not the one with the same name that remains in the add-on store; that extension was created by the U.S.-based 64 Pixels.
Reports by a pair of security firms, including Sweden's Sentor and Danish vendor Heimdal Security, fingered the add-on in posts Tuesday and Wednesday, respectively. Researchers from each company found that the extension -- which as its name suggests captured screenshots of content displayed by Chrome -- sniffed out and then transmitted URLs and tab titles of pages browsed by the user, as well as the user's location.
The add-on also assigned a unique identifier to each user.
In an example, a Sentor researcher pointed out that if the user was accessing an online email account from Chrome, the data scraper lifted the subject of the message as well as the sender's email address. The information was then transferred to an IP address in the U.S.
Critically, the add-on did not include the data scraping code in its published-on-the-store form. Instead, Webpage Screenshot downloaded additional code from an Amazon cloud server a week after it was installed to activate the spying and scraping.
In its terms and conditions, Webpage Screenshot did acknowledge that it captured user data. Text in the Chrome Web Store description did the same: "Usage of the Webpage Screenshot extension requires granting it permission to capture anonymized click stream data."
People face that kind of trade-off daily, said Wim Remes, the manager of strategic services at security firm Rapid7.
"There is no such thing as free. In an online world where personal information has become our accepted currency, users have to make decisions on what the functionality they desire is worth," said Remes in an email. "App stores could enforce proper advertisement of what the apps gather, but I'm not convinced that we can have free apps without some form of compromise."
Sentor traced Webpage Screenshot's author using WHOIS and claimed that the developer was based in Israel. The add-on's website was empty as of early Thursday, and the developer declined to answer most of Computerworld's questions, including what was done with the data scraped from users.
"Private data never sent to any server," the developer of Webpage Screenshot replied in an email today. Sentor and Heimdal said different.
A cache of the webpagescreenshot.info website was still available on Google's search engine.
Google removed Webpage Screenshot from the Chrome Web Store on Tuesday.
Just last week Google announced it had disabled nearly 200 "deceptive Chrome extensions" that had been distributed to more than 14 million users via its add-on market, part of an effort to clean up its own ecosystem. At the time, Google claimed that it had adopted technology created by researchers at the University of California, Berkeley, "to catch these extensions [and] scan all new and updated extensions."