Popular Chrome extensions spy on users
IT researchers examined 32,000 Chrome extensions and caught 287, some of them popular apps, spying on users.
An IT research community named "Q Continuum" has automatically analyzed tens of thousands of the most popular Chrome extensions. Nearly 300 of them, some with millions of installations each, are sending user browser histories to their manufacturers. Users are usually unaware that they are being spied on.
The analysis and its results are made available by "Q Continuum" in a GitHub project. For the experimental setup, they put Chrome into a Docker container and routed its traffic through a man-in-the-middle proxy. They then observed how the volume of outgoing requests correlated with the length of the URLs presented to the Chrome browser. The IT researchers used synthetic browsing data, specifically uniformly formed requests to google.com, which never left the Docker container. A script then examines the captured data to determine the extent of the outgoing traffic.
The idea behind this: If an extension merely reads the page title or injects its own CSS into the page, its network footprint should remain low regardless of how long the visited URL is. If, however, the outgoing traffic grows linearly with the URL length, the extension is very likely sending the URL or the entire HTTP request to a server on the internet. This allowed them to narrow the field down to extensions that are very likely to be spying on sensitive data.
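The correlation test described above, as an added example that is not code from the Q Continuum project: a least-squares fit of outbound bytes against URL length over constructed proxy measurements. The extension names, the measurements and the slope/R² thresholds are all assumptions made for illustration.

```python
import statistics

# Constructed sample data (not from the study): for each extension, pairs of
# (length of the URL loaded in the container, bytes the extension sent out),
# as a proxy log from the Docker/MITM setup would yield them.
SAMPLES = {
    "ext-title-reader": [(20, 410), (100, 405), (500, 418), (2000, 412)],
    "ext-url-sender":   [(20, 620), (100, 700), (500, 1100), (2000, 2600)],
    "ext-noisy":        [(20, 300), (100, 900), (500, 250), (2000, 700)],
}


def fit_slope(points):
    """Least-squares slope (outbound bytes per URL character) and R^2."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    # Constant URL length or constant traffic: no linear relation to fit.
    if sxx == 0 or syy == 0:
        return 0.0, 0.0
    return sxy / sxx, (sxy * sxy) / (sxx * syy)


def classify(points, min_slope=0.5, min_r2=0.9):
    """Flag an extension whose outbound traffic tracks URL length closely.

    Thresholds are assumptions: a slope near 1 byte per character with a
    high R^2 means the URL itself is most likely being sent out; a low slope
    (title reader, CSS injector) or a poor fit (random noise) is not flagged.
    """
    slope, r2 = fit_slope(points)
    if slope >= min_slope and r2 >= min_r2:
        return "likely-exfiltrating"
    return "low-footprint"


def screen(samples):
    """Classify every extension in the sample set."""
    return {name: classify(points) for name, points in samples.items()}


if __name__ == "__main__":
    for name, verdict in screen(SAMPLES).items():
        slope, r2 = fit_slope(SAMPLES[name])
        print(f"{name:18s} slope={slope:.3f} r2={r2:.2f} -> {verdict}")
```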
Hundreds of sometimes popular extensions are spying
In total, the analysts examined the 32,000 most popular Chrome extensions out of the 240,000 available in the Chrome Web Store. They identified 287 candidates, some of them very popular, that exfiltrate data. A total of 37.4 million users have installed these plug-ins in their web browsers and are being spied on by them.
This data can be used for profiling and targeted advertising, but also for industrial espionage or credential theft, "Q Continuum" explains in describing the potential dangers. On the other hand, not every extension is automatically acting with malicious intent. In first place is "Avast Online Security & Privacy" with six million installations, a plug-in for website reputation checking. Apparently, it does not use a local database but sends URLs to the manufacturer's servers for checking. However, Avast in particular has a less than glorious past: because of its data transfers, the company had to pay a $16.5 million fine in the USA in 2024, as the data collected from over 100 million users had been sold through the subsidiary Jumpshot. In second place are the extensions "Ad Blocker: Stands AdBlocker" and "Monica: ChatGPT AI Assistant | DeepSeek, GPT-4o, Claude 3.5, o1 &More", each with 3 million users.
The website provides a list of the Chrome extensions that were caught spying. Detailed insights are provided in the roughly 260-page PDF, of which the last 150 or so pages, however, contain only details about the affected extensions such as IDs, names, user numbers, and the like. Those who do not want their browser extensions to send their browsing history to the providers should check the extension list and uninstall the add-ons if necessary.
Browser extensions are often useful helpers, but they can also be data leaks that violate privacy. Some actors exploit this for their own enrichment by monetizing the data obtained. The phenomenon itself is not new. Around 2019, IT security researcher Sam Jadali examined 200 Chrome and Firefox extensions and likewise caught them collecting data. In addition, third parties had access to the transferred data. This spying scheme, named "DataSpii", affected the browsing data of 4.1 million people.
(dmk)