Facebook has filed legal action against two Chrome extension developers that the company said was scraping user profile data – including names and profile IDs – as well as other browser-related information.
The two unnamed developers under the business name Oink and Stuff, developed Chrome malicious browser extensions, which actually contained hidden code “that functioned like spyware,” alleges Facebook.
The four malicious extensions include: Blue Messenger, which bills itself as a notification alert app for Facebook’s Messenger communications feature; Green Messenger, which is a messenger app for WhatsApp; Emoji Keyboard, a shortcut keyboard app and Web for Instagram plus DM, which offers tools for users to direct message others on the Instagram app.
The Oink and Stuff developers “misled users into installing the extensions with a privacy policy that claimed they did not collect any personal information,” Jessica Romero, director of platform enforcement and litigation with Facebook, said in a Thursday post.
In its Chrome extension webpage description for Web for Instagram plus DM, for instance, the company says: “We don’t store, access, transmit or share any sensitive or user private information.”
On its website, Oink and Stuff claims that it has more than 1 million active users and said it was founded in 2014. The company offers extensions for Chrome, Firefox, Opera and Microsoft Edge (as well as Android apps offered. via Google Play. It’s not clear if extensions offered on these other browsers were found to be malicious.
Several of the extensions offered by the company (including Green Messenger and Blue Messenger) appear to still be available on various marketplaces including Chrome and Google Play. Threatpost has reached out to Google for further comment.
When Facebook users installed these extensions on their browsers, they were actually installing the concealed code, designed to scrape their Facebook data, according to Facebook. If users visited Facebook’s website, for instance, the browser extensions were programmed to scrape their name, user ID, gender, relationship status, age group and other information related to their account.
“The defendants did not compromise Facebook’s security systems,” clarified Romero. “Instead, they used the extensions on the users’ devices to collect information.”
The extensions also scraped information from unknowing users’ browsers that was unrelated to Facebook. Facebook did not clarify what this data was. Facebook also did not say how many users were affected.
Facebook Inc. and Facebook Ireland filed the legal action, in Portugal, saying the two developers violated the social media giant’s Terms of Service and Portugal’s Database Protection Law, according to Facebook.
The company is seeking a permanent injunction against the two, and demanding that they delete “all Facebook data in their possession.”
Data scraping is a challenge that Facebook continues to grapple with, starting in the wake of the Cambridge Analytica scandal, in which Facebook allowed a third-party application to scrape and then hand over the data of up to 50 million platform users to the company.
In 2018, Facebook CEO Mark Zuckerberg said millions of users of the social network may have had their data scraped by malicious actors using a reverse search tool. In March 2019, Facebook sued two Ukrainian men that it said used quiz apps and malicious browser extensions to scoop up private data from 63,000 platform users, and then used that data for advertising purposes.
“This case is the result of our ongoing international efforts to detect and enforce against those who scrape Facebook users’ data, including those who use browser extensions to compromise people’s browsers,” said Romero.
Oink and Stuff did not respond to a request for comment from Threatpost.
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.