More on DataSpii: How extensions hide their data grabs—and how they’re discovered

better overview of the DataSpii fiasco

Discovering which browser extensions were responsible for siphoning up this data was a months-long task. Why was it so difficult? In part because the browser extensions appeared to obscure exactly what they were doing. Both Hover Zoom and SpeakIt!, for instance, waited more than three weeks after installation on Jadali’s computers to begin collection. Then, once collection started, it was carried out by code that was separate from the extensions themselves.

This payload contained a minified JavaScript file that was responsible for collecting a user’s browsing data and sending it to a developer-controlled server.

“If people examine the extension itself, they’re not going to see that data collection instruction set,” Jadali told Ars. “It’s in an entirely different place.”

“We repeated this experiment six times, under numerous scenarios,” Jadali wrote in a detailed report. “Each time we obtained the same result. In the past, similar [delaying] tactics have been used to avoid data collection” by other browser extensions.

and uBO/uM creator, sounding disgusted (almost defeated while holding to hope it can be mitigated?)
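The quoted article describes two traits that make this behavior hard to spot by reading an extension's package: a dormant period of weeks after installation, and collection code that arrives later from somewhere else. The sketch below is an added example, not code from the article or from Jadali's report. It audits a per-extension request log for exactly that pattern; the extension IDs, hosts, log fields and thresholds are all constructed assumptions.

```javascript
// Added example: flag extensions that, after a quiet period, start pulling
// JavaScript from a new host AND start uploading data to a new host.
// All extension IDs, hosts, fields and thresholds here are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

const sampleInstalls = {
  "ext-zoom-demo": Date.parse("2019-03-01T00:00:00Z"),
  "ext-notes-demo": Date.parse("2019-03-01T00:00:00Z"),
};
// One record per request attributed to an extension (e.g. exported from a proxy).
// `type` is the response content type, `sent` the request body size in bytes.
const sampleRequests = [
  { ext: "ext-zoom-demo", ts: "2019-03-01T00:05:00Z", host: "update.example", type: "application/json", sent: 120 },
  { ext: "ext-zoom-demo", ts: "2019-03-25T09:00:00Z", host: "cdn.payload.example", type: "application/javascript", sent: 90 },
  { ext: "ext-zoom-demo", ts: "2019-03-25T09:01:00Z", host: "collect.payload.example", type: "text/plain", sent: 48000 },
  { ext: "ext-notes-demo", ts: "2019-03-01T00:01:00Z", host: "sync.example", type: "application/json", sent: 5000 },
  { ext: "ext-notes-demo", ts: "2019-03-26T10:00:00Z", host: "sync.example", type: "application/json", sent: 5200 },
];

function auditExtensions(installs, requests, { quietDays = 14, uploadBytes = 10000 } = {}) {
  // Earliest time each extension was seen talking to each host.
  const firstSeen = new Map();
  for (const r of requests) {
    const key = `${r.ext}|${r.host}`;
    const t = Date.parse(r.ts);
    if (!firstSeen.has(key) || t < firstSeen.get(key)) firstSeen.set(key, t);
  }
  const report = {};
  for (const ext of Object.keys(installs)) {
    report[ext] = { lateScriptHosts: [], lateUploadHosts: [], suspicious: false };
  }
  for (const r of requests) {
    const entry = report[r.ext];
    if (!entry) continue; // no install record for this extension
    const ageDays = (firstSeen.get(`${r.ext}|${r.host}`) - installs[r.ext]) / DAY_MS;
    if (ageDays < quietDays) continue; // host already in use shortly after install
    if (/javascript/i.test(r.type) && !entry.lateScriptHosts.includes(r.host)) entry.lateScriptHosts.push(r.host);
    if (r.sent >= uploadBytes && !entry.lateUploadHosts.includes(r.host)) entry.lateUploadHosts.push(r.host);
  }
  for (const e of Object.values(report)) {
    e.suspicious = e.lateScriptHosts.length > 0 && e.lateUploadHosts.length > 0;
  }
  return report;
}

console.log(JSON.stringify(auditExtensions(sampleInstalls, sampleRequests), null, 2));
```

The check only works if the observation window is longer than the dormancy period, which is the same reason a short test install would have missed the behavior the article describes.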