{"id":15811,"date":"2026-02-16T11:27:48","date_gmt":"2026-02-16T11:27:48","guid":{"rendered":"https:\/\/newestek.com\/?p=15811"},"modified":"2026-02-16T11:27:48","modified_gmt":"2026-02-16T11:27:48","slug":"leaky-chrome-extensions-with-37m-installs-caught-shipping-your-browsing-history","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15811","title":{"rendered":"Leaky Chrome extensions with 37M installs caught shipping your browsing history"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>An estimated 37 million worldwide installations of a clutch of leaky Chrome extensions are transmitting users\u2019 browsing histories to external servers.<\/p>\n<p>According to findings by an independent security researcher using the pseudonym \u201cQ Continuum,\u201d a total of 287 extensions sent data that closely matched the URLs visited during simulated browsing sessions.<\/p>\n<p>\u201cThe actors behind the leaks span the spectrum: Similarweb, Curly Doggo, Offidocs, Chinese actors, many smaller obscure data-brokers, and a mysterious \u2018Big Star Labs\u2019 that appears to be an extended arm of Similarweb,\u201d the researcher said. 
To conduct the analysis, the researcher built an automated pipeline that launched Chrome instances, installed extensions, visited a predefined set of websites, and captured outbound communications.<\/p>\n<p>The researcher warned that such data collection could enable <a href=\"https:\/\/www.csoonline.com\/article\/4118607\/five-chrome-extensions-caught-hijacking-enterprise-sessions.html\">corporate espionage<\/a> by exposing internal company URLs accessed by employees, and in cases where extensions also obtain cookies, could facilitate credential harvesting by providing attackers with details of active web sessions.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Extensions include VPNs, productivity tools, and shopping add-ons<\/h2>\n<p>The research identified numerous widely distributed extensions with risky behavior across categories such as VPN\/proxy services, coupon finders, PDF tools, and browser utilities. Many of these have hundreds of thousands or millions of users.<\/p>\n<p>A few of these extensions include Pop up blocker for Chrome, Stylish, BlockSite block Websites, Stay Focused, SimilarWeb \u2013 Website traffic and SEO Checker, WOT: Website Security and Safety Checker, Smarty, Video Ad Blocker Plus for YouTube, Knowee AI, and CrxMouse: Mouse Gestures.<\/p>\n<p>According to the researcher, several of the extensions requested broad host permissions (across websites). This allowed them to observe navigation events and page activity across domains. 
\u201cIf an extension is just reading the page title or injecting CSS, its network footprint should stay flat regardless of how long the URL we visit is,\u201d the researcher said, explaining the logic behind their flagging.<\/p>\n<p>\u201cIf the outbound traffic grows linearly with the URL length, we have a high probability that the extension is shipping the URL itself (or the entire HTTP request) to a remote server.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Encrypted exfiltration made detection difficult<\/h2>\n<p>The researcher said in a blog <a href=\"https:\/\/qcontinuum.substack.com\/p\/spying-chrome-extensions-287-extensions-495\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a> that several of these extensions attempted to hide the nature of transmitted data. Outbound payloads were frequently encrypted or encoded before transmission, preventing automated inspection.<\/p>\n<p>\u201cManual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ-String compression, and full AES-256 encryption wrapped in RSA-OAEP,\u201d the researcher said in a separate <a href=\"https:\/\/github.com\/qcontinuum1\/spying-extensions\/blob\/main\/report.pdf\">report<\/a> published on the findings. \u201cDecoding these payloads showed raw Google search URLs, page referrers, user IDs, and timestamps being sent to a network of proprietary domains and cloud-provider endpoints.\u201d<\/p>\n<p>The researcher\u2019s testing environment ran Chrome inside a Docker container, allowing each extension to be isolated and analyzed consistently.<\/p>\n<p>\u201cWe should note that probably not all of the browser history leaking extensions have malicious intent,\u201d the researcher said, clarifying they had to manually remove a few false positives from the logs of extensions tagged by their automated scanner. 
\u201cSome of the extensions might be benign and may need to collect browser history for functionality such as \u2018Avast Online Security &amp; Privacy,\u2019 for example.\u201d<\/p>\n<p>The disclosure included a list of Chrome Web Store URLs and actors behind these extensions for reference.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>An estimated 37 million worldwide installations of a clutch of leaky Chrome extensions are transmitting users\u2019 browsing histories to external servers. According to findings by an independent security researcher using the pseudonym \u201cQ Continuum,\u201d a total of 287 extensions sent data that closely matched the URLs visited during simulated browsing sessions. \u201cThe actors behind the leaks span the spectrum: Similarweb, Curly Doggo, Offidocs, Chinese actors,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15811\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15811","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15811"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15811\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}