Popular Chrome Extensions Expose 37 Million Users’ Browsing Data

Editorial

A concerning report reveals that numerous popular Chrome extensions, with a staggering 37 million installations, have been transmitting users’ browsing histories to external servers. This alarming discovery, made by an independent security researcher using the pseudonym Q Continuum, indicates that 287 extensions were involved in sending sensitive data, including search queries and timestamps, to potentially dubious entities.

The analysis demonstrated that the extensions communicated with various parties, including well-known data brokers and obscure operators. Notably, the researcher identified connections to Similarweb and a mysterious group dubbed Big Star Labs, suspected to be an affiliate of Similarweb. To uncover these practices, Q Continuum developed an automated testing pipeline that launched multiple instances of Chrome, installed the extensions, and monitored their data transmission during simulated browsing sessions.

The implications of such data collection are significant. Q Continuum expressed concern that this could lead to corporate espionage, as internal company URLs accessed by employees might be exposed. Additionally, if these extensions collect cookies, they could facilitate credential harvesting, enabling attackers to gain access to sensitive information.

Risky Extensions Identified Across Categories

The research highlighted several widely used extensions categorized as VPNs, productivity tools, and shopping aids. Extensions like Pop up blocker for Chrome, Stylish, and SimilarWeb – Website Traffic and SEO Checker were among those exhibiting risky behavior. Many boast hundreds of thousands, or even millions, of users.

Q Continuum noted that several extensions requested broad permissions across multiple websites, allowing them to track user activity and navigation events. “If an extension is just reading the page title or injecting CSS, its network footprint should stay flat regardless of how long the URL we visit is,” the researcher explained. The data indicated that when outbound traffic increased in proportion to URL length, it was likely that the extension was transmitting the URL itself to a remote server.

Obfuscation Techniques Complicate Detection

The researcher reported that many of the extensions employed sophisticated methods to obscure the data being transmitted. Outbound payloads were often encrypted or encoded, making automated scrutiny difficult. Q Continuum detailed various obfuscation techniques in a separate report, including base64 encoding and full AES-256 encryption wrapped in RSA-OAEP.
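The URL-length heuristic quoted above looks only at traffic volume, so it still applies when the payload is encoded. The following sketch is an added example, not code from Q Continuum's pipeline: it fits outbound bytes against visited-URL length for three constructed extension behaviours. The thresholds, the `example.test` URLs and all measurements are assumptions made for illustration.

```python
import base64
import json
from statistics import mean

def fit(points):
    """Least-squares slope and Pearson r for (url_length, outbound_bytes) pairs."""
    xs, ys = zip(*points)
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    if sxx == 0:
        raise ValueError("need visits with different URL lengths")
    r = sxy / (sxx * syy) ** 0.5 if syy else 0.0  # constant traffic: no correlation
    return sxy / sxx, r

def classify(points, min_slope=0.8, min_r=0.95):
    """Flag traffic that grows about one byte (or more) per URL character.
    Both thresholds are assumptions for this example."""
    slope, r = fit(points)
    return "scales-with-url" if slope >= min_slope and r >= min_r else "flat"

def make_url(n):
    """Constructed test URL padded to exactly n characters."""
    prefix = "https://example.test/search?q="
    return prefix + "a" * (n - len(prefix))

URL_LENGTHS = [50, 200, 800, 3200]

def simulate(payload_size):
    """Bytes a hypothetical extension would send for each test URL."""
    return [(n, payload_size(make_url(n))) for n in URL_LENGTHS]

# Constructed behaviours: fixed-size heartbeat, URL in JSON, URL base64-encoded.
FLAT = [(n, 512 + i % 3) for i, n in enumerate(URL_LENGTHS)]
RAW = simulate(lambda u: len(json.dumps({"u": u})))
B64 = simulate(lambda u: 40 + len(base64.b64encode(u.encode())))

if __name__ == "__main__":
    for name, pts in [("flat", FLAT), ("raw", RAW), ("b64", B64)]:
        slope, r = fit(pts)
        print(f"{name:5s} slope={slope:.2f} r={r:.3f} -> {classify(pts)}")
```

The base64 case comes out with a slope of about 4/3 bytes per URL character, which is the encoding's fixed expansion ratio.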

By utilizing a controlled environment with Chrome running inside a Docker container, the researcher ensured consistent analysis of each extension. This approach allowed for manual inspection of the captured data, revealing raw Google search URLs, page referrers, user IDs, and timestamps sent to a network of proprietary domains.

While the findings are troubling, Q Continuum cautioned against assuming malicious intent for all identified extensions. The researcher stated, “We should note that probably not all of the browser history leaking extensions have malicious intent.” Some extensions, such as Avast Online Security & Privacy, may require access to browsing data for legitimate functionality.

The report concludes with a list of specific extensions and their respective Chrome Web Store URLs, providing a resource for users to review and consider the potential risks associated with their installed extensions. As internet security continues to be a pressing concern, this investigation underscores the need for vigilance and transparency regarding data privacy.
