287 Chrome Extensions Leak Browsing Histories of 37M Users, Many Tied to Similarweb

Added Feb 11
Article: Negative; Community: Very Positive

An automated MITM-based scan of Chrome extensions found 287 that exfiltrate browsing histories, affecting roughly 37.4 million users. Regression-based leakage detection and honeypot OSINT link many of them to Similarweb, to Big Star Labs (a likely affiliate), and to scrapers such as Kontera. The examples span techniques from plaintext URL logging to strong encryption, underscoring serious risks of user profiling and of corporate data leaking through internal URLs.

Key Points

  • Methodology: Dockerized Chromium driven through a MITM proxy while visiting synthetic URLs of known length; leakage scored by a linear regression of bytes sent out (bytes_out) against URL length, with the correlation coefficient R as the signal, followed by staged testing and manual review.
  • Findings: 287 Chrome extensions leak browsing history, totaling ~37.4 million installs (~1% of Chrome’s user base).
  • Attribution: OSINT and honeypot hits tie the leaks to a web of actors, including Similarweb, Big Star Labs (a likely affiliate), Curly Doggo, Offidocs, and scrapers such as Kontera.
  • Techniques: Exfiltration ranges from simple URL/query logging to ROT47/base64/LZ-String obfuscation and AES/RSA encryption; repeated schemas imply shared code or operators.
  • Risks: Large-scale profiling, targeted advertising, corporate espionage via internal URL leakage, and potential credential/session abuse; some extensions may have legitimate needs but still pose privacy risks.
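The regression-based scoring in the Methodology point and the obfuscation decoding in the Techniques point, as an added example written for this page; it is not the researchers' pipeline or any extension's code. The MITM proxy is replaced by constructed per-URL request bodies from three stand-in extension behaviours, the marker host `example.test` and the 0.9 threshold on R are assumptions, and only plaintext, base64 and ROT47 decodings are tried.

```python
"""Added example: regression-based leakage scoring over MITM-captured requests.

Constructed data only; it does not talk to a browser or a proxy.
"""
import base64
import binascii
import math

# Constructed: synthetic URLs of increasing length, as a scan would visit them.
# The host is a marker we later look for inside decoded payloads.
MARKER_HOST = "example.test"
SYNTHETIC_URLS = [f"https://{MARKER_HOST}/{'a' * n}" for n in (8, 16, 32, 64, 128, 256)]


def rot47(text: str) -> str:
    """ROT47 over the printable ASCII range 33..126 (self-inverse)."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c for c in text
    )


# Constructed stand-ins for three extension behaviours, modelled as
# "the request body the MITM proxy recorded when the browser visited url".
def clean_extension(url: str) -> str:
    return '{"v":1}'  # fixed heartbeat, independent of the page


def plaintext_leaker(url: str) -> str:
    return "u=" + url


def obfuscated_leaker(url: str) -> str:
    return base64.b64encode(rot47(url).encode()).decode()


def linear_fit(xs, ys):
    """Least-squares slope and Pearson r of ys against xs.

    A constant ys series has zero variance; report r = 0 rather than NaN,
    since no growth in bytes out means no evidence of URL leakage.
    """
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        return 0.0, 0.0
    return sxy / sxx, sxy / math.sqrt(sxx * syy)


def decode_candidates(payload: str):
    """Return the (encoding, decoded) pairs under which the marker host appears."""
    candidates = {"plain": payload, "rot47": rot47(payload)}
    try:
        raw = base64.b64decode(payload, validate=True).decode("utf-8", "replace")
        candidates["base64"] = raw
        candidates["base64+rot47"] = rot47(raw)
    except (binascii.Error, ValueError):
        pass  # not valid base64; only the plain and rot47 readings remain
    return [(enc, txt) for enc, txt in candidates.items() if MARKER_HOST in txt]


def score_extension(behaviour, urls=SYNTHETIC_URLS, r_threshold=0.9):
    """Visit each synthetic URL, measure bytes out, regress on URL length.

    A high r alone is a prompt for manual review; a successful decode is the
    confirmation that what grew with the URL was the URL itself.
    """
    payloads = [behaviour(u) for u in urls]
    xs = [len(u) for u in urls]
    ys = [len(p.encode()) for p in payloads]
    slope, r = linear_fit(xs, ys)
    found = {enc for p in payloads for enc, _ in decode_candidates(p)}
    return {"slope": slope, "r": r, "encodings": sorted(found), "leaks": r >= r_threshold}


if __name__ == "__main__":
    for name, fn in [("clean", clean_extension), ("plaintext", plaintext_leaker),
                     ("obfuscated", obfuscated_leaker)]:
        print(name, score_extension(fn))
```

The clean stand-in scores r = 0 with no decodings, the plaintext leaker scores r = 1 with slope 1 and a "plain" hit, and the obfuscated leaker still scores r above 0.99 because base64 grows linearly with its input, which is why length regression catches encoders that a string match would miss; the "base64+rot47" decoding then confirms the payload is the URL.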

Sentiment

The Hacker News community overwhelmingly agrees with and supports the article's findings. The discussion is treated less as a revelation and more as long-overdue documentation of a well-known systemic problem. The dominant sentiment is frustration with Google for failing to police its own extension store, combined with alarm at the scale of the data collection. While there is minor pushback suggesting some findings may be superficial or that the problem extends beyond extensions to browsers themselves, these voices are far outnumbered by those validating the research and sharing their own corroborating experiences.

In Agreement

  • The Chrome Web Store is essentially unregulated and Google is negligent in policing it, despite having the resources to run exactly the kind of automated scanning pipeline the researchers built.
  • The practice of buying popular extensions to inject spyware is widespread and well-documented, with multiple extension developers confirming they receive constant buyout offers.
  • Google's Manifest V3 changes were motivated more by protecting their ad business than by genuine security concerns, as evidenced by the continued existence of these spyware extensions.
  • The extension permission model is dangerously broad — even simple extensions can access password fields and full page content without granular permissions.
  • URL exfiltration captures more than just browsing history — query parameters often contain authentication tokens, making this a session compromise risk.
  • Enterprise environments are particularly vulnerable because companies spend heavily on endpoint security but allow employees to install unaudited Chrome extensions with broad permissions.
  • Similarweb and affiliated entities are actively and aggressively pursuing browsing data collection, corroborated by firsthand accounts of their business practices.
  • The auto-update mechanism for extensions is a critical vulnerability because a legitimate extension can silently become malware after a sale or compromise.
  • Firefox's recommended extensions program with manual vetting represents a better security model than Chrome's approach.

Opposed

  • The article may be too superficial — some identified extensions could have legitimate reasons for sending URLs to remote servers, such as site categorization, and the researchers may not have adequately distinguished between legitimate and malicious behavior.
  • Relying solely on open-source extensions is not a complete solution since you cannot verify that the published binary was actually built from the open-source code, and sophisticated supply chain attacks can be difficult to detect even with source access.
  • Chrome itself and all browsers spy on users, so focusing specifically on extensions may miss the bigger picture.
  • Community-driven open-source scanning efforts could backfire by giving bad actors the tools to evade detection.