Popular Chrome Extensions Caught Spying on Your Browsing History

Shweta Sharma

Hundreds of widely used add-ons transmitted search queries, referrers, and timestamps to external servers, frequently in encrypted or encoded payloads whose size grew with the length of the visited URL; some of the receiving servers were linked to data brokers and unidentified operators.

Portland, OR, USA - Nov 6, 2023: Webpage of Google Chrome, introducing its new look and new productivity features, is seen on a MacBook laptop, after the web browser is updated to its latest version.
Credit: Shutterstock

Chrome extensions with an estimated 37 million installations worldwide are actively sending users’ browsing histories to external servers.

According to discoveries by an independent security researcher operating under the pseudonym “Q Continuum,” a total of 287 extensions transmitted data that precisely matched the URLs visited during controlled browsing sessions.

“The entities behind these leaks are diverse: Similarweb, Curly Doggo, Offidocs, Chinese actors, numerous smaller, obscure data-brokers, and a mysterious ‘Big Star Labs’ which appears to be an extended arm of Similarweb,” the researcher revealed. To conduct this analysis, an automated system was developed, launching Chrome instances, installing extensions, navigating to a predefined set of websites, and capturing all outgoing communications.

The researcher cautioned that such data collection could facilitate corporate espionage by exposing internal company URLs accessed by employees. Furthermore, if extensions also manage to obtain cookies, this could aid credential harvesting by providing attackers with details of active web sessions.

Extensions Include VPNs, Productivity Tools, and Shopping Add-ons

The investigation uncovered numerous widely used extensions exhibiting this behavior across various categories, including VPN/proxy services, coupon finders, PDF tools, and browser utilities. Many of these extensions are used by hundreds of thousands, or even millions, of users.

A few examples of these extensions are Pop up blocker for Chrome, Stylish, BlockSite block Websites, Stay Focused, SimilarWeb – Website traffic and SEO Checker, WOT: Website Security and Safety Checker, Smarty, Video Ad Blocker Plus for YouTube, Knowee AI, and CrxMouse: Mouse Gestures.

According to the researcher, several extensions requested broad host permissions (across multiple websites), allowing them to observe navigation events and page activity across various domains. “If an extension is merely reading the page title or injecting CSS, its network footprint should remain stable regardless of the URL length we visit,” the researcher stated, explaining the rationale behind their flagging.

“If the outbound traffic increases linearly with the URL length, there is a high probability that the extension is transmitting the URL itself (or the entire HTTP request) to a remote server.”
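The size-versus-URL-length heuristic the researcher describes can be applied to any capture of per-extension outbound traffic. The following is an added example, not the researcher’s harness: for each extension it fits outbound bytes against the length of the visited URL by least squares and flags extensions whose traffic grows roughly one byte per URL character with a strong correlation. The extension names, byte counts and URL lengths are constructed sample data.

```javascript
// Added example (not the researcher's tooling): per extension, fit
// outbound bytes against visited-URL length and flag linear growth.
// Assumed input: one record per (extension, visit) giving the URL length
// and the total bytes the extension sent to remote hosts during that visit.

// Constructed captures (not real measurements).
const CAPTURES = [
  // css-injector: a fixed-size beacon regardless of URL length (benign)
  { ext: "css-injector", urlLen: 20, bytes: 312 },
  { ext: "css-injector", urlLen: 80, bytes: 310 },
  { ext: "css-injector", urlLen: 200, bytes: 315 },
  { ext: "css-injector", urlLen: 600, bytes: 311 },
  // history-sync: sends the URL verbatim inside a fixed 240-byte envelope
  { ext: "history-sync", urlLen: 20, bytes: 260 },
  { ext: "history-sync", urlLen: 80, bytes: 320 },
  { ext: "history-sync", urlLen: 200, bytes: 440 },
  { ext: "history-sync", urlLen: 600, bytes: 840 },
  // enc-sync: AES-encrypts the URL (16-byte blocks, 16-byte IV) and base64s it,
  // so the body grows in steps of ~21 bytes per 16 URL characters
  { ext: "enc-sync", urlLen: 20, bytes: 464 },
  { ext: "enc-sync", urlLen: 80, bytes: 528 },
  { ext: "enc-sync", urlLen: 200, bytes: 700 },
  { ext: "enc-sync", urlLen: 600, bytes: 1232 },
];

// Ordinary least-squares fit of y on x, plus Pearson's r.
function linearFit(points) {
  const n = points.length;
  const mx = points.reduce((s, p) => s + p.x, 0) / n;
  const my = points.reduce((s, p) => s + p.y, 0) / n;
  let sxx = 0, sxy = 0, syy = 0;
  for (const p of points) {
    const dx = p.x - mx, dy = p.y - my;
    sxx += dx * dx;
    sxy += dx * dy;
    syy += dy * dy;
  }
  const slope = sxx === 0 ? 0 : sxy / sxx;
  const r = sxx === 0 || syy === 0 ? 0 : sxy / Math.sqrt(sxx * syy);
  return { slope, r, intercept: my - slope * mx };
}

// Flag an extension when outbound size tracks URL length: slope of at least
// minSlope bytes per character and a near-linear relationship (r >= minR).
function analyzeCaptures(captures, { minSlope = 0.5, minR = 0.9 } = {}) {
  const byExt = new Map();
  for (const c of captures) {
    if (!byExt.has(c.ext)) byExt.set(c.ext, []);
    byExt.get(c.ext).push({ x: c.urlLen, y: c.bytes });
  }
  const results = [];
  for (const [ext, pts] of byExt) {
    if (pts.length < 3) continue; // need a spread of URL lengths to say anything
    const { slope, r } = linearFit(pts);
    results.push({
      ext,
      samples: pts.length,
      slope: +slope.toFixed(3),
      r: +r.toFixed(3),
      flagged: slope >= minSlope && r >= minR,
    });
  }
  return results.sort((a, b) => b.slope - a.slope);
}

console.table(analyzeCaptures(CAPTURES));
```

Two caveats when running this against real captures: visit URLs spanning a wide range of lengths (tens to many hundreds of characters), because block-cipher padding turns the relationship into a staircase that only averages out to a line over a wide spread; and keep the slope threshold generous, since base64 over AES inflates the slope to about 1.33 while compression such as LZ-String can pull it well below 1.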

Encrypted Exfiltration Hindered Detection

The researcher noted in a blog post that several of these extensions attempted to conceal the nature of the transmitted data. Outbound payloads were frequently encrypted or encoded before transmission, which defeated simple automated matching of captured traffic against the visited URLs.

“Manual examination of the captured traffic revealed a variety of obfuscation techniques: base64, ROT47, LZ-String compression, and full AES-256 encryption wrapped in RSA-OAEP,” the researcher elaborated in a separate report detailing the findings. “Decoding these payloads showed raw Google search URLs, page referrers, user IDs, and timestamps being sent to a network of proprietary domains and cloud-provider endpoints.”
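The reversible layers in that list (base64, ROT47, URL-encoding) can be peeled automatically by trying each decoder in turn until a URL appears. The following is an added example, not the researcher’s code: it searches breadth-first over short decoder chains, stops when the output contains an http(s) URL, and parses the record if it is JSON. The captured payload is constructed in the block itself by emulating an extension that ROT47s a JSON visit record and then base64-encodes it; the field names and values are assumptions, not traffic from any named extension.

```javascript
// Added example (not the researcher's tooling): peel reversible encoding
// layers off a captured extension payload until a URL appears.
// Assumed input: the body of one outbound request, captured as a string.

const SEARCH_URL = "https://www.google.com/search?q=internal+project+codename";

function isPrintable(s) {
  return s.length > 0 && /^[\x20-\x7e\r\n\t]*$/.test(s);
}

// ROT47 shifts every printable ASCII char (33..126) by 47; it is its own inverse.
function rot47(s) {
  return s.replace(/[!-~]/g, (c) =>
    String.fromCharCode(33 + ((c.charCodeAt(0) - 33 + 47) % 94)));
}

// Each decoder returns the decoded text, or null when the input is not
// plausibly in that encoding (so the search does not wander into garbage).
const DECODERS = {
  base64: (s) => {
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s) || s.length % 4 !== 0) return null;
    const out = Buffer.from(s, "base64").toString("latin1");
    return isPrintable(out) ? out : null;
  },
  rot47: (s) => (isPrintable(s) ? rot47(s) : null),
  urldecode: (s) => {
    try {
      const d = decodeURIComponent(s);
      return d !== s ? d : null;
    } catch {
      return null;
    }
  },
};

function looksLikeHistory(s) {
  return /https?:\/\/[^\s"'\\]+/.test(s);
}

// Breadth-first search over decoder chains up to maxDepth; the first output
// containing a URL wins. The visited set stops ROT47 from undoing itself.
function decodePayload(captured, maxDepth = 4) {
  const queue = [{ text: captured, chain: [] }];
  const seen = new Set([captured]);
  while (queue.length) {
    const { text, chain } = queue.shift();
    if (looksLikeHistory(text)) {
      let record = null;
      try { record = JSON.parse(text); } catch { /* not JSON; keep raw text */ }
      return { chain, text, record };
    }
    if (chain.length >= maxDepth) continue;
    for (const [name, fn] of Object.entries(DECODERS)) {
      const next = fn(text);
      if (next === null || seen.has(next)) continue;
      seen.add(next);
      queue.push({ text: next, chain: [...chain, name] });
    }
  }
  return null;
}

// Constructed sample: emulate an extension that ROT47s a JSON record of the
// visit, then base64-encodes it before sending (constructed, not real traffic).
function encodeLikeExtension(record) {
  return Buffer.from(rot47(JSON.stringify(record)), "latin1").toString("base64");
}

const SAMPLE_CAPTURE = encodeLikeExtension({
  u: SEARCH_URL,                                    // visited URL (assumed field name)
  r: "https://intranet.example/wiki/ProjectRoadmap", // referrer (assumed)
  uid: "3f9c1a",                                    // per-install ID (assumed)
  t: 1700000000,                                    // timestamp (assumed)
});

console.log(decodePayload(SAMPLE_CAPTURE));
```

This only recovers layers that need no key. Payloads wrapped in AES with an RSA-OAEP-encrypted session key cannot be opened from the capture alone; there the URL-length heuristic is what flags the extension, and decryption requires pulling the key material from the extension bundle or hooking the encryption call inside the browser.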

The researcher’s testing setup involved running Chrome inside a Docker container, which allowed each extension to be isolated and analyzed consistently.

“It should be noted that probably not all of the browser history leaking extensions have malicious intent,” the researcher clarified, mentioning they had to manually remove a few false positives from the logs of extensions flagged by their automated scanner. “Some of the extensions might be benign and may need to collect browser history for functionality, such as ‘Avast Online Security & Privacy,’ for example.”

The disclosure included a list of Chrome Web Store URLs and the actors behind these extensions for reference.
