287 Chrome Extensions Caught Stealing Browsing Data from 37M Users
Key Findings
- 287 different Chrome browser extensions are actively stealing the web histories of roughly 37.4 million people.
- These extensions, often disguised as "harmless tools" like ad blockers or search assistants, are feeding user data to a network of global corporations and data brokers.
- The research team identified many of these tools sending user data in plain text and using "obfuscation" techniques to hide their tracks, scrambling history into codes before sending it off.
- The primary suspect is Similarweb, which is linked to extensions reaching 10.1 million users, while other recipients include Alibaba Group, ByteDance, Semrush, and Big Star Labs.
Background
To catch these extensions, the research team built a trap using a man-in-the-middle proxy to monitor data leaving user computers. They scanned the top 32,000 apps on the Chrome Web Store and found that many of these "tools" are actually sending user data to third-party companies, sometimes after users accept a privacy policy.
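A defender running the same kind of logging proxy can check captured outbound requests for a known "canary" URL, both in plain text and in the simple encodings the findings describe as obfuscation. The following is an added example, not the researchers' tooling; the canary URL, request paths and extension labels are constructed, and it assumes the proxy has already recorded the raw request bytes.

```python
import base64
import binascii
import json
from urllib.parse import quote, unquote_to_bytes

# Constructed canary URL visited by the test browser; unique so a hit is not accidental.
CANARY = "https://intranet.example.test/report?id=canary-7f3a91"

def encoded_forms(url):
    """Map byte pattern -> label for ways the URL may appear in outbound traffic."""
    raw = url.encode()
    forms = {raw: "plain", binascii.hexlify(raw): "hex"}
    for name, enc in (("base64", base64.b64encode),
                      ("base64url", base64.urlsafe_b64encode)):
        # Base64 text depends on where the URL starts inside the encoded buffer,
        # so derive the alignment-independent core for each start offset mod 3.
        for off, skip in ((0, 0), (1, 2), (2, 3)):
            core = enc(b"\x00" * off + raw).rstrip(b"=")[skip:]
            if (off + len(raw)) % 3:
                core = core[:-1]  # final char also encodes bits of the next byte
            forms.setdefault(core, f"{name}+{off}")
    return forms

def scan(payload, url=CANARY):
    """Return sorted labels of the encodings of `url` found in one captured request."""
    views = (payload, unquote_to_bytes(payload))  # as sent, and percent-decoded
    return sorted({label for pat, label in encoded_forms(url).items()
                   if any(pat in view for view in views)})

def sample_captures():
    """Constructed outbound requests, as a logging proxy might record them."""
    blob = base64.b64encode(json.dumps({"u": CANARY, "t": 1}).encode()).decode()
    return {
        "ext-a": b'POST /collect\r\n\r\n{"uid":"u-1","url":"' + CANARY.encode() + b'"}',
        "ext-b": b"GET /p?d=" + quote(blob, safe="").encode(),
        "ext-c": b"GET /update?v=1.2.3",
    }

if __name__ == "__main__":
    for ext, req in sample_captures().items():
        print(ext, scan(req) or "no canary found")
```

Matching on encodings only catches reversible transforms such as Base64 or hex; a payload that is encrypted or compressed before sending will not match and needs a different signal.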
Scope of the Harvesting Operation
The researchers note that the 37.4 million figure is likely a "conservative lower bound," and the real number of impacted users could be much higher. Of the 37.4 million installations reviewed, about 20 million could not be linked to a specific company, indicating a complex network of data collectors.
Involvement of Reputable Brands
Interestingly, the research also flagged a few "reputable" tools, including Stylish (a custom theme tool), Ad Blocker: Stands AdBlocker, Poper Blocker, CrxMouse, and BlockSite, as well as the SimilarWeb website traffic and SEO checker.
The Marketplace for User Privacy
The report suggests a worrying trend where popular tools are sold to third parties specifically to be turned into spying devices. These actors sometimes use multiple extensions to hide their tracks, taking advantage of "policy exceptions" within the Chrome Web Store that might permit data collection under certain rules.
Risks to Businesses
The exposed data includes Google search URLs and user IDs, which are detailed enough to be "de-anonymized" and linked back to users' real identities. As one expert noted, for businesses this goes beyond a privacy issue: exposed full URLs can reveal internal corporate domains, session tokens, and sensitive cloud resources.
Conclusion
The researchers conclude that this remains a "cat and mouse game," and the safeguards currently in place are simply "insufficient" to keep users safe. They have created a regression model to help users and companies identify suspicious traffic and potential data harvesting threats.