287 Chrome extensions caught leaking browsing history to data brokers

Privacy Reporter

Security researcher identifies 287 Chrome extensions with 37 million installs that secretly share users' browsing data with analytics companies, raising serious privacy concerns.

A security researcher has uncovered a massive data privacy breach involving 287 Chrome extensions that have been secretly harvesting and selling users' browsing history data to analytics companies and data brokers.

The extensions, which collectively have been installed over 37 million times, were found to be transmitting detailed records of users' web browsing activity to more than 30 different companies, according to research published by a security researcher operating under the pseudonym "Q Continuum."

The Scope of the Breach

The affected extensions span a wide range of categories, from seemingly innocuous tools to more specialized utilities. What makes this particularly concerning is that many of these extensions request access to browsing history without providing clear justification for why such access is necessary for their functionality.

Q Continuum's automated testing system, which used Docker with Chromium behind a man-in-the-middle proxy, executed synthetic browsing workloads and correlated outbound network requests with visited URLs. This methodology revealed that approximately 20 million of the 37.4 million relevant installations were sending data to unknown entities, while the remainder were linked to known companies including:

  • Similarweb
  • Big Star Labs (reportedly an arm of Similarweb)
  • Semrush
  • Alibaba Group
  • ByteDance
  • And 25+ other data collection entities
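The correlation step in that methodology, as an added illustration (not Q Continuum's code): given the URLs a synthetic workload visited and the requests a proxy captured, flag third-party requests that carry a visited URL in plain, percent-encoded or base64 form. Hosts, payloads and the helper names are constructed for the example.

```python
"""Correlate proxied outbound requests with visited URLs to spot history leaks."""
import base64
import re
from urllib.parse import unquote, urlparse

# Constructed sample: URLs the synthetic browsing workload visited.
VISITED = [
    "https://example-clinic.test/appointments?patient=123",
    "https://news.example.test/article/42",
]

# Constructed sample of a proxy log: (destination host, request body or query).
LEAK_B64 = base64.b64encode(VISITED[1].encode()).decode()
CAPTURED = [
    ("news.example.test", "GET /article/42"),          # first-party, expected
    ("cdn.example.test", "GET /static/app.js"),        # unrelated asset
    ("collector.tracker.test",
     "u=https%3A%2F%2Fexample-clinic.test%2Fappointments%3Fpatient%3D123"),
    ("collector.tracker.test", "p=" + LEAK_B64),       # base64-wrapped URL
]


def _decoded_forms(payload: str) -> list[str]:
    """Return the payload plus plausible decodings: percent-decoded text and
    any base64-looking run of 16+ characters decoded to UTF-8."""
    forms = [payload, unquote(payload)]
    for token in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", payload):
        try:
            forms.append(base64.b64decode(token, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # not valid base64; skip silently
            pass
    return forms


def find_history_leaks(visited, captured):
    """Return (host, url) pairs where a request to a host other than the
    visited site contains the full visited URL in some decoded form.
    Limitation: hashed or truncated URLs are not matched."""
    leaks = []
    for url in visited:
        site = urlparse(url).hostname
        for host, payload in captured:
            if host == site:  # the site receiving its own URL is not a leak
                continue
            if any(url in form for form in _decoded_forms(payload)):
                leaks.append((host, url))
    return leaks
```

Running `find_history_leaks(VISITED, CAPTURED)` on the constructed sample attributes both visited URLs to the same collector host, which is the signal that would then be traced back to the extension under test.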

The Privacy Implications

Browsing history data is particularly sensitive because it can reveal intimate details about users' interests, health concerns, financial situations, and personal lives. While the data is often anonymized, academic research has demonstrated that it can frequently be de-anonymized by cross-referencing with public social media profiles.

"There is a moral aspect to the whole issue," Q Continuum explained in their report. "Imagine that you build your business model on data exfiltration via innocent-looking extensions and using that data to sell them to big corporates. Well, that's how Similarweb is getting part of the data."

The researcher emphasized that users should assume they are the product whenever using free software that isn't open source, highlighting the fundamental tension between "free" services and user privacy.

Google's Limited Use Policy and Its Loophole

Google's Chrome Web Store maintains a Limited Use policy designed to prevent extensions from sharing user data with third parties. However, security researcher Wladimir Palant pointed out that this policy contains an exception that can be exploited by companies with sufficient legal resources.

Similarweb's privacy policy does disclose its collection of browsing data, claiming that it scrubs the data on the client side to remove personally identifiable information. However, the company also acknowledges that "Some of this data may include Personal Data and Sensitive Data depending on the searches conducted and content you view."

A Similarweb financial filing from February 27, 2025, explicitly confirms the company's reliance on data gathered through browser extensions and apps, stating that their platform "depends in part on the ability to obtain data from our contributory network through browser extensions, mobile apps and other products."

Historical Context and Ongoing Concerns

This discovery is not an isolated incident. Just two months prior, researchers identified several ad-blocking and VPN extensions in the Chrome Web Store capturing chatbot conversations. In March 2025, research revealed that generative AI extensions were found to be capturing and sharing sensitive user data.

The practice of data harvesting through browser extensions has been a known concern for years. Q Continuum's research builds upon work published in 2017 by Michael Weissbacher et al., titled "Ex-Ray: Detection of History-Leaking Browser Extensions."

What Users Can Do

For the millions of users who have installed these extensions, the revelation raises serious questions about digital privacy and the true cost of "free" software. While some data collection practices are disclosed in privacy policies, the complexity and length of these documents often mean users don't fully understand what they're agreeing to.

The findings underscore the urgent need for greater awareness and more robust safeguards to protect users from the growing risks posed by malicious extensions. As Q Continuum's research demonstrates, even seemingly harmless browser tools can serve as conduits for extensive data collection and monetization.

Neither Similarweb nor Google responded to requests for comment on the findings, leaving users to wonder about the extent of data collection practices across the broader ecosystem of browser extensions and free software tools.
