Image via Alex Haney
Facebook has filed a lawsuit today against two companies for creating and distributing malicious browser extensions that scraped user data without authorization from the Facebook and Instagram websites.
Named in the lawsuit are BrandTotal Ltd., an Israeli-based company with a Delaware subsidiary, and Unimania Inc., incorporated in Delaware.
The two companies are behind UpVoice and Ads Feed, two Chrome extensions available on the official Chrome Web Store since September and November 2019, where they racked up more than 5,000 and 10,000 installs, respectively.
“BrandTotal enticed users to install the UpVoice extension from the Google Chrome Store by offering payments in exchange for installs, in the form of online gift cards, and claiming that the users who installed the extension became ‘panelists . . . [who] impact the marketing decisions and brand strategies of multi-billion dollars (sic) corporations’,” Facebook said in court documents filed today.
“Similarly, Unimania promoted its Ads Feed extension on the Google Chrome Store by claiming that the users became ‘a panel member of an elite community group that impacts the advertising decisions of multi-billion dollar corporations!’,” Facebook added.
But Facebook claims that despite their descriptions, both extensions were malicious and designed to scrape public and non-public data from users’ online accounts.
According to court documents, Facebook claims the UpVoice extension scraped data from user profiles at Facebook, Instagram, Amazon, Twitter, LinkedIn, Pinterest, and YouTube.
Similarly, Ads Feed collected data from users accessing their Facebook, Instagram, Amazon, Twitter, and YouTube profiles, respectively.
Scraped data usually included user profile information (name, user ID, gender, date of birth, relationship status, and location information), advertisements and advertising metrics (name of the advertiser, image and text of the advertisement, and user interaction and reaction metrics), and user Ad Preferences (user advertisement interest information) — none of which the company was authorized to possess.
The Menlo Park-based social media giant claims that data illegally acquired through the two extensions has been re-packaged and sold as “marketing intelligence” via BrandTotal’s website.
Facebook claims the two companies are the same
Facebook says both extensions used almost identical code to scrape data from users and sent the data back to the same remote servers. In fact, Facebook believes the two companies are the same.
“Defendants shared common employees and agents,” Facebook explained in its complaint.
“For example, BrandTotal’s Chief Product Officer and General Manager (Ex. 5), created Facebook accounts in the name of Unimania and the Ads Feed extension. BrandTotal’s Chief Technology Officer and co-founder (Ex. 5) also administered Unimania accounts on Facebook.”
Facebook is now seeking to put a stop to this schem. The social network has asked a judge to issue a permanent injunction against both companies to prevent them from accessing the Facebook and Instagram websites, block them from developing further extensions, and has asked for compensatory damages based on the two companies’ previous profits.
Both extensions are still available for download
Yet, in spite of the extensive data scraping behavior detected by Facebook, even against Google-owned services, the two extensions are still available on the Chrome Web Store.
Facebook said it tried numerous times to have them taken down, but Google has not responded to its requests.
Unimania, before developing the Ads Feed extension, was previously involved in another scandal in 2018 when AdGuard found four of the company’s Chrome extensions scraping Facebook user data.
Since early 2019, Facebook’s legal department has been filing lawsuits against several third-parties that have been abusing its platform. Previous lawsuits include:
March 2019 – Facebook sues two Ukrainian browser extension makers (Gleb Sluchevsky and Andrey Gorbachov) for allegedly scraping user data.August 2019 – Facebook sues LionMobi and JediMobi, two Android app developers on allegations of advertising click fraud.October 2019 – Facebook sues Israeli surveillance vendor NSO Group for developing and selling a WhatsApp zero-day that was used in May 2019 to attack attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.December 2019 – Facebook sued ILikeAd and two Chinese nationals for using Facebook ads to trick users into downloading malware. February 2020 – Facebook sued OneAudience, an SDK maker that secretly collected data on Facebook users.March 2020 – Facebook sued Namecheap, one of the biggest domain name registrars on the internet, to unmask hackers who registered malicious domains through its service.April 2020 – Facebook sued LeadCloak for providing software to cloak deceptive ads related to COVID-19, pharmaceuticals, diet pills, and more.June 2020 – Facebook sued to unmask and take over 12 domains containing Facebook brands and used to scam Facebook users.June 2020 – Facebook sued MGP25 Cyberint Services, a company that operated an online website that sold Instagram likes and comments.June 2020 – Facebook sued the owner of Massroot8.com, a website that stole Facebook users’ passwords.August 2020 – Facebook sued MobiBurn, the maker of an advertising SDK accused of scraping user data.August 2020 – Facebook sues the owner of Nakrutka, a website that sold Instagram likes, comments, and followers.