Chrome extensions spying on 37M users' browsing data
3 months ago
- #chrome-extensions
- #data-exfiltration
- #privacy
- 287 Chrome extensions were found to exfiltrate browsing history, affecting ~37.4 million users (~1% of Chrome's user base).
- Actors behind the data leaks include Similarweb, Curly Doggo, Offidocs, Chinese entities, and obscure data brokers like 'Big Star Labs'.
- The research used an automated scanning pipeline with Docker, MITM proxy, and synthetic workloads to detect URL leakage based on traffic correlation.
- Data exfiltration poses risks like profiling for targeted ads, corporate espionage, and credential harvesting via leaked internal URLs or cookies.
- Examples of leaking extensions include 'Pop up blocker for Chrome™', 'Stylish', 'BlockSite', 'Similarweb', and 'WOT', with various obfuscation techniques.
- Some extensions use encryption (AES-256 + RSA) or multiple encoding layers (Base64, LZString, XOR) to hide exfiltrated URLs.
- Honeypot data linked Similarweb extensions to scrapers like Kontera, suggesting active data brokerage networks.
- The scale of exposure (~37.4M users) is comparable to Poland's population, highlighting significant privacy risks.
- Users are advised to treat free, closed-source extensions cautiously, assuming they may collect and monetize browsing data.
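The traffic-correlation idea behind the scanning pipeline (visit URLs the extension has no legitimate reason to know, then look for them in the extension's outbound requests) can be shown concretely. The following is an added example, not code from the research or any of the extensions named above. It assumes request bodies have already been captured by a MITM proxy into simple `Flow` records, uses a constructed canary URL and constructed captures, and decodes the encodings the page lists that are easy to reverse offline: plain and URL-encoded text, Base64, and repeating-key XOR (recovered by known-plaintext, since the canary is known). LZString is not handled, and the hashed-URL checks are an assumption of this example rather than something the page reports.

```python
"""Detect canary-URL leakage in captured extension traffic (added example, constructed data)."""
import base64
import binascii
import hashlib
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import quote


@dataclass
class Flow:
    host: str    # destination host of a captured outbound request
    body: bytes  # request body or query string, as the proxy captured it


# Canary URL visited during the synthetic workload (constructed; not a real host).
CANARY_URLS = ["https://intranet.example.test/projects/merger-q3?ticket=4471"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used here only to build the constructed sample capture."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encodings(url: str) -> Iterator[Tuple[str, bytes]]:
    """Byte patterns a leaked URL produces under direct encodings (hashes are an assumption)."""
    raw = url.encode()
    yield "plain", raw
    yield "urlencoded", quote(url, safe="").encode()
    yield "base64", base64.b64encode(raw)
    yield "base64url", base64.urlsafe_b64encode(raw).rstrip(b"=")
    yield "sha256", hashlib.sha256(raw).hexdigest().encode()
    yield "md5", hashlib.md5(raw).hexdigest().encode()


def repeating_key(stream: bytes, max_period: int = 32) -> Optional[bytes]:
    """Return the shortest repeating unit of `stream` if it is periodic, else None."""
    for p in range(1, max_period + 1):
        if len(stream) >= 2 * p and all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return None


def xor_known_plaintext(payload: bytes, url: str) -> Optional[bytes]:
    """If some window of `payload` equals the URL XOR a short repeating key, return that key."""
    raw = url.encode()
    for start in range(len(payload) - len(raw) + 1):
        window = payload[start:start + len(raw)]
        key = repeating_key(bytes(a ^ b for a, b in zip(window, raw)))
        if key is not None and key != b"\x00":  # an all-zero key is just plaintext
            return key
    return None


def decode_layers(blob: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield the body as captured and, when it is valid Base64 as a whole, its decoded form."""
    yield "raw", blob
    try:
        yield "base64", base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        pass


def classify(body: bytes, url: str) -> Optional[str]:
    """Return 'layer:encoding' describing how the canary appears in `body`, or None."""
    for layer, payload in decode_layers(body):
        for name, needle in encodings(url):
            if needle in payload:
                return f"{layer}:{name}"
        key = xor_known_plaintext(payload, url)
        if key is not None:
            return f"{layer}:xor(key={key.hex()})"
    return None


def find_leaks(flows: List[Flow], canaries: List[str] = CANARY_URLS) -> List[Tuple[str, str]]:
    """Correlate every captured flow with every canary; return (host, how) for each hit."""
    findings = []
    for flow in flows:
        for url in canaries:
            label = classify(flow.body, url)
            if label is not None:
                findings.append((flow.host, label))
    return findings


_url = CANARY_URLS[0].encode()
SAMPLE_FLOWS = [  # constructed captures standing in for proxy output; hosts are not real
    Flow("updates.benign-vendor.example", b'{"event":"install","version":"1.2.3"}'),
    Flow("collector.example.net", b'{"u":"' + _url + b'","t":1700000000}'),
    Flow("stats.example.org", b'{"p":"' + base64.b64encode(_url) + b'"}'),
    Flow("cdn-metrics.example.com", base64.b64encode(xor_bytes(_url, b"k3y!"))),
    Flow("hash-sink.example.io", b"h=" + hashlib.sha256(_url).hexdigest().encode()),
]

if __name__ == "__main__":
    for host, how in find_leaks(SAMPLE_FLOWS):
        print(f"{host}: canary URL found as {how}")
```

The benign install ping produces no finding, while the four leaking flows are each attributed to the layer and encoding that exposed the canary; the XOR case also reports the recovered key. In a real pipeline the canary set would be large and unique per run, so that a hit cannot be explained by the extension having seen the URL anywhere else.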