HomesecurityFacebook: Two companies sue for Chrome extensions that steal user data

Facebook: Two companies sue for Chrome extensions that steal user data

Facebook yesterday filed a lawsuit against two companies that developed and distributed malicious Chrome extensions, with the aim of collecting without authorization and stealing user data from Facebook and Instagram. The companies to which the action was brought are BrandTotal Ltd., a company based in Israel, and Unimania Inc., established in Delaware, USA.

The two companies are behind “UpVoice” and “Ads Feed”, two Chrome extensions available in the Chrome Web Store from September and November 2019, having so far amassed more than 5.000 and 10.000 installations, respectively.

Facebook lawsuit vs companies

Regarding BrandTotal, Facebook reported that the company was urging users to install the "UpVoice" extension from Google Chrome Store, offering payments in exchange for the facility, in the form of online gift cards, while claiming that users who installed the extension could influence multibillion-dollar marketing decisions and corporate strategies. Similarly, Unimania Inc. promoted the Ads Feed expansion and claimed that users who installed the extension could influence the multi-billion dollar marketing decisions and strategies of branded companies.

However, according to the technology giant in its lawsuit, the two extensions were aimed at stealing public and non-data users from their online accounts. Specifically, Facebook claims that both extensions stole data from Facebook user accounts, Instagram, AmazonThe Twitter and the UAF YouTube-channel.

The stolen data usually included information from user profiles (name, user ID, gender, date of birth, relationship status and location information), ads and related information (advertiser name, image and text of the ad and user interaction and reaction metrics) and user ad preferences (information of interest for user ads). Both companies were not authorized for access in any of this information. In addition, Facebook claims that the data obtained illegally through the two extensions has been "packaged" and sold as "marketing intelligence" through the BrandTotal site.

Facebook: Sues two companies for Chrome extensions-stealing user data

Facebook also reports that both extensions used almost identical code for stealing user data and sending the data to the same remote servers. This data leads Facebook to the conclusion that the two companies are in fact the same company, as they have, among other things, joint employees and agents.

So Facebook asked a judge to issue an order against the two companies, to prevent them from accessing the Facebook and Instagram sites and to develop further extensions, while it demanded compensation for the damages caused, bringing profits to both companies. .

It is noteworthy that, despite the widespread data theft detected by Facebook, even at the expense of Google-owned services, the two extensions are still available in the Chrome Web Store. Facebook said it had tried several times to remove them, but Google did not respond to requests.

Facebook lawsuit

Unimania, before developing the "Ads Feed" extension, was involved in another scandal in 2018, when AdGuard found four of the company's Chrome extensions to collect data from Facebook users.

According to ZDNet, the legal department of Facebook has been filing lawsuits against many companies that abuse its platform since the beginning of 2019. Indicatively, the following cases are noted:

March 2019: Facebook has filed a lawsuit against two Ukrainian developers extensions browsers (Gleb Sluchevsky and Andrey Gorbachov) for stealing user data.
August 2019: Facebook sued them LionMobi and JediMobi, two developers Android applications for "click advertising" fraud.
October 2019: Facebook sued the Israeli company NSO Group for development and sale WhatsApp zero-day used in May 2019 to attack lawyers, journalists, human rights activists, political dissidents, diplomats and government officials.
December 2019: Facebook filed a lawsuit against her ILikeAd and two Chinese nationals, to use Facebook ads to motivate unsuspecting users to download malware on their devices.
February 2020: Facebook sued her OneAudience, an SDK maker that secretly collected Facebook user data.
March 2020: Facebook sued Namecheap, one of the largest domain name registrars on the Internet, to "expose" them hackers who created malicious domains through his service.
April 2020: Facebook sued her LeadCloak to provide software to cover misleading ads related to the pandemic COVID-19:, pharmaceuticals, diet pills and more.
June 2020: Facebook sued MGP25 Cyberint Services, a company that operated a website that sold tags "I like" and comments on Instagram.
June 2020: Facebook sued its owner, a site that stole Facebook user passwords.
August 2020: Facebook sued him MobiBurn, the maker of an ad SDK accused of stealing user data.
August 2020: Facebook sued its owner Nakrutka, a site that sold the tags "I like", The comments And them followers of Instagram.

Every accomplishment starts with the decision to try.