Security researchers uncover massive data exfiltration operation through Chrome extensions, revealing Similarweb and other actors collecting browsing data from millions of users.
A comprehensive security investigation has revealed that 287 Chrome extensions are secretly collecting browsing data from approximately 37.4 million users worldwide, representing roughly 1% of Chrome's global user base. The findings expose a widespread data collection operation involving major players like Similarweb alongside numerous smaller data brokers and Chinese actors.
The Automated Discovery Method
Researchers developed an automated scanning pipeline that runs Chrome inside Docker containers, routing all traffic through a man-in-the-middle proxy to monitor outbound requests. The system uses a leakage metric that correlates outbound traffic volume with URL length to identify suspicious extensions.
The logic is simple: if the volume of traffic an extension sends out grows linearly with the length of the URL being visited, the extension is almost certainly shipping the URL itself. The leakage ratio R is the slope of that relationship, roughly the number of extra bytes sent per extra byte of URL. Extensions with R ≥ 1.0 were flagged as definitely leaking; those with 0.1 ≤ R < 1.0 were treated as probable leaks and reviewed by hand.
The scan required approximately 930 CPU days to complete, with each extension taking an average of 10 minutes to analyze. The researchers chose not to release their source code to prevent attackers from adapting their methods.
Who's Behind the Data Collection?
OSINT analysis revealed several key actors behind the data collection:
- Similarweb - The primary suspect, linked to multiple extensions including "Similar Sites" and "WOT: Website Security and Safety Checker"
- Curly Doggo and Offidocs - Associated data brokers
- Big Star Labs - Believed to be an arm of Similarweb due to shared characteristics
- Chinese actors - Multiple unidentified entities
- Kontera - A major scraper linked to AWS infrastructure
The Honeypot Operation
To track data flow, researchers set up honeypots and supplied extensions with "honey URLs." Five distinct IP ranges repeatedly hit these honeypots:
- 54.92.107.92 - Associated with HashDit
- 34.29.32.249 - Associated with Blocksi AI Web Filter
- Multiple AWS IPs linked to Kontera
Hits from these third parties confirmed that exfiltrated URLs do not stay with the extension publisher: data brokers aggregate them and resell the result to their customers.
Real-World Examples of Data Exfiltration
Pop up blocker for Chrome™ - Poper Blocker
This extension sends browsing data to api2.poperblocker.com with the payload obfuscated by ROT47, a fixed substitution over printable ASCII that anyone can reverse without a key. Decoded, the payload contains detailed browsing information including URLs, timestamps and user identifiers.
Stylish - Custom themes for any website
Stylish uses a hybrid encryption scheme combining AES-256 with RSA-OAEP-256 (RSA-OAEP with SHA-256). The extension generates a one-time AES key, encrypts the data with it, then encrypts that AES key with an RSA public key hardcoded in the extension before transmission. Because only the holder of the matching private key can unwrap the AES key, a proxy in the middle sees ciphertext it cannot read; the scheme hides the content of the transmission, but not the fact that it happens or how large it is.
BlockSite - Block Websites and Stay Focused
BlockSite compresses the data with LZString before exfiltrating it, sending the compressed string directly as URL parameters of the request. Compression is reversible, so anyone who captures the request can recover the content.
Similarweb - Website Traffic and SEO Checker
Similarweb's extensions apply URL encoding several times over (percent-encoding the already percent-encoded string) to obscure what they collect. Peeled back, the payload includes search queries, referrer information and engagement metrics.
WOT: Website Security and Safety Checker
WOT XORs the data with a key hardcoded in the extension, reverses the resulting string and applies base64 encoding several times. Since the key ships with the extension, this is obfuscation rather than encryption: anyone with the bundle can undo it.
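Decoders for the three reversible obfuscations described above (Poper Blocker's ROT47, Similarweb's stacked URL encoding and WOT's XOR/reverse/base64), written as an added example for analysts reading proxy captures. None of this is code from those extensions: the sample payloads, the XOR key and the exact layer order are constructed here, since the text names the primitives but not their precise wiring.

```javascript
// Added example: decoders for the obfuscation layers described in the text.
// Sample captures, the XOR key and the layer ordering are constructed.

// ROT47 rotates printable ASCII (33..126) by 47 and is its own inverse.
function rot47(s) {
  let out = '';
  for (const ch of s) {
    const c = ch.charCodeAt(0);
    out += (c >= 33 && c <= 126) ? String.fromCharCode(33 + ((c - 33 + 47) % 94)) : ch;
  }
  return out;
}

// Stacked percent-encoding: keep decoding until the string stops changing
// (or stops being valid), bounded so a hostile input cannot loop forever.
function peelUrlEncoding(s, maxLayers = 8) {
  let cur = s;
  for (let i = 0; i < maxLayers; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// XOR against a repeating key; symmetric, so one function serves both ways.
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Forward direction as an extension might do it: XOR, reverse, base64 twice.
function wotStyleEncode(plain, key) {
  const reversed = Buffer.from(xorBytes(Buffer.from(plain, 'utf8'), key)).reverse();
  const once = reversed.toString('base64');
  return Buffer.from(once, 'utf8').toString('base64');
}

// Reverse direction: undo each layer in the opposite order.
function wotStyleDecode(blob, key) {
  const once = Buffer.from(blob, 'base64').toString('utf8');
  const reversed = Buffer.from(Buffer.from(once, 'base64')).reverse();
  return xorBytes(reversed, key).toString('utf8');
}

// Assumed key; in practice it is recovered from the extension bundle.
const XOR_KEY = Buffer.from('k3y');
const VISITED = 'https://intranet.example.test/hr?emp=1234';

// Constructed stand-ins for bodies a proxy would capture from each extension.
const captures = {
  poper: rot47(JSON.stringify({ url: VISITED, ts: 1700000000, uid: 'u-42' })),
  similarweb: encodeURIComponent(encodeURIComponent('q=' + encodeURIComponent(VISITED))),
  wot: wotStyleEncode(VISITED, XOR_KEY),
};

// Recover the plaintext from each capture.
function decodeCaptures(c = captures) {
  return {
    poper: JSON.parse(rot47(c.poper)),
    similarweb: peelUrlEncoding(c.similarweb),
    wot: wotStyleDecode(c.wot, XOR_KEY),
  };
}

console.log(captures);
console.log(decodeCaptures());
```

The common thread is that every layer here is keyless or carries its key in the bundle, so the analyst's job is ordering, not cryptanalysis; the bounded loop in `peelUrlEncoding` is the one place to be careful, since nested encodings are also a classic way to make a decoder hang.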
Smarty extension
This extension shows that data exfiltration can ride in request headers rather than the POST body, so a monitor that inspects only bodies, or that measures only body size, misses it.
Super PiP - Picture-in-Picture
Super PiP uses Google Analytics as the exfiltration channel, packing browsing data into ordinary GA measurement-protocol hits. Because the traffic goes to Google's own analytics endpoint, it blends in with everyday telemetry and passes destination-based allowlists.
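What a browsing-history beacon looks like when it rides on the Google Analytics measurement protocol, together with the honey-URL check from the honeypot section above, as an added example. This is not Super PiP's code or the researchers' tooling: the hit shape follows the Universal Analytics `/collect` protocol, but the tracking ID, client ID, the choice of which fields carry the URL and the sample traffic are all constructed.

```javascript
// Added example: a GA-style beacon carrying the visited URL, and a honey-URL
// scan over captured requests. Identifiers and traffic are constructed.

// Extension side (assumed shape): a Universal Analytics pageview hit whose
// document-location field (dl) and a custom dimension (cd1) carry page data.
function buildGaHit(pageUrl, { tid = 'UA-000000-1', cid = '555.666' } = {}) {
  const params = new URLSearchParams({
    v: '1', tid, cid, t: 'pageview',
    dl: pageUrl,                     // document location: the full visited URL
    cd1: new URL(pageUrl).hostname,  // custom dimension: hostname only
  });
  return { url: 'https://www.google-analytics.com/collect', body: params.toString() };
}

// Analyst side: honey markers are unique strings seeded into the synthetic
// workload's URLs. Any outbound request carrying one, in the body or in the
// request URL's query string, is a positive, whatever the destination host.
function findHoneyHits(requests, honeyMarkers) {
  const hits = [];
  for (const req of requests) {
    const endpoint = new URL(req.url);
    const fields = [...new URLSearchParams(req.body || ''), ...endpoint.searchParams];
    for (const [field, value] of fields) {
      for (const marker of honeyMarkers) {
        if (value.includes(marker)) hits.push({ endpoint: endpoint.host, field, marker });
      }
    }
  }
  return hits;
}

// Constructed honey marker and traffic: one GA hit that leaks the honey URL,
// one unrelated request that does not.
const HONEY = ['honey-7f3a9c'];
const sampleTraffic = [
  buildGaHit('https://www.google.com/search?q=honey-7f3a9c'),
  { url: 'https://example.test/ping?x=1', body: '' },
];

console.log(findHoneyHits(sampleTraffic, HONEY));
```

Note that the scan keys on the marker, not on the destination: a rule that trusted `www.google-analytics.com` as benign telemetry would have waved this request through, which is the whole point of using GA as the channel.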
Why This Matters
The scale of exposure is staggering - 37.4 million users is roughly equivalent to the entire population of Poland. Even if some extensions aren't actively selling data, the potential for misuse is alarming.
Threat Model Implications
- Profiling & Targeted Advertising - Aggregated browsing histories are gold for ad-tech firms.
- Corporate Espionage - Employees using "productivity" extensions could inadvertently leak internal URLs, SaaS dashboards, or intranet paths that were never meant to be visible outside the company.
- Credential Harvesting - Some of these extensions also request cookie access; paired with a browsing history that shows which service each cookie belongs to, the collector holds a complete picture of the user's sessions.
The Bigger Picture
This investigation confirms what security researchers have suspected for years: free browser extensions often monetize user data. The problem isn't new - similar issues were identified in 2017 and 2018 - but the scale has grown dramatically as Chrome's extension ecosystem expanded to roughly 240,000 extensions.
The findings serve as a stark reminder: if you're using free software that isn't open source, you should assume you're the product. The moral implications are significant - businesses built on data exfiltration through innocent-looking extensions raise serious ethical questions.
Technical Deep Dive
The researchers' approach was inspired by earlier work but scaled up for today's extension ecosystem. The key innovation was pairing synthetic browsing workloads, whose URLs grow in length by fixed steps and all point at google.com (requests that never leave the Docker container), with regression analysis of outbound traffic volume against URL length.
This separates extensions that merely read page content from those that actively exfiltrate the URL: only the latter produce traffic that tracks URL length. The R ≥ 1.0 threshold gives high confidence because the outbound payload then grows at least as fast as the URL itself, which is what direct transmission of the URL (or an encoded, and therefore expanded, copy of it) looks like.
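The leakage-ratio metric from the Automated Discovery Method section and this one, reconstructed as an added example. This is not the researchers' pipeline (which they did not release): the synthetic workload, the simulated extension behaviours, the byte-counting convention and everything beyond the two thresholds quoted in the text are assumptions made here.

```javascript
// Added example: leakage ratio R = least-squares slope of outbound bytes
// against URL length, with the thresholds quoted in the text. The workload,
// the simulated extensions and the byte accounting are assumptions.

// Synthetic workload: same host, query string grows in fixed steps, so URL
// length is the only thing that changes between visits.
function syntheticWorkload(steps = 10, stride = 20) {
  const urls = [];
  for (let i = 1; i <= steps; i++) {
    urls.push('https://www.google.com/search?q=' + 'a'.repeat(i * stride));
  }
  return urls;
}

// Bytes a proxy would see leave the browser for a set of requests: header
// lines plus body. Headers count too, since some extensions exfiltrate there.
function outboundBytes(requests) {
  let total = 0;
  for (const { headers = {}, body = '' } of requests) {
    for (const [k, v] of Object.entries(headers)) total += Buffer.byteLength(`${k}: ${v}\r\n`);
    total += Buffer.byteLength(body);
  }
  return total;
}

// Least-squares slope of y (outbound bytes) against x (URL length).
function slope(points) {
  const n = points.length;
  let sx = 0, sy = 0, sxx = 0, sxy = 0;
  for (const [x, y] of points) { sx += x; sy += y; sxx += x * x; sxy += x * y; }
  const denom = n * sxx - sx * sx;
  return denom === 0 ? 0 : (n * sxy - sx * sy) / denom;
}

// Drive one extension through the workload and return its leakage ratio R.
function leakageRatio(extension, urls = syntheticWorkload()) {
  return slope(urls.map((url) => [url.length, outboundBytes(extension(url))]));
}

// Thresholds from the text: R >= 1.0 definite leak, 0.1 <= R < 1.0 manual review.
function classify(R) {
  if (R >= 1.0) return 'leaking';
  if (R >= 0.1) return 'probable';
  return 'clean';
}

// Constructed stand-ins: each maps a visited URL to the requests it would send.
const simulatedExtensions = {
  // Ships the URL verbatim in a JSON body: one byte of traffic per byte of URL.
  urlInBody: (url) => [{ headers: { 'content-type': 'application/json' },
                         body: JSON.stringify({ u: url, ts: 1700000000 }) }],
  // Ships the URL in a request header instead of a body.
  urlInHeader: (url) => [{ headers: { 'x-page': url } }],
  // Base64 expands the URL by 4/3, so R lands above 1.0.
  urlBase64: (url) => [{ body: 'd=' + Buffer.from(url).toString('base64') }],
  // Reports only the hostname: constant size, so R ~ 0 despite phoning home.
  hostOnly: (url) => [{ body: JSON.stringify({ h: new URL(url).hostname }) }],
  // No network activity at all.
  silent: () => [],
};

function scanAll(exts = simulatedExtensions) {
  const report = {};
  for (const [name, ext] of Object.entries(exts)) {
    const R = leakageRatio(ext);
    report[name] = { R: Number(R.toFixed(3)), verdict: classify(R) };
  }
  return report;
}

console.log(scanAll());
```

Two caveats the report makes visible. `hostOnly` scores clean even though it phones home on every visit: the metric is built to catch full-URL exfiltration, not domain-level telemetry. And a workload made of repeated characters is worst-case input for an extension that compresses before sending (the LZString case above), since the compressed size barely grows; a real run should vary the padding so the URL stays incompressible.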
Moving Forward
The research highlights the urgent need for better extension vetting processes and user awareness. While some flagged extensions may have legitimate reasons for collecting browsing data (like security tools), the sheer scale of the operation suggests systematic abuse of the Chrome extension ecosystem.
The investigation serves as both a warning and a call to action for users to be more discerning about the extensions they install, and for platform providers to implement stronger safeguards against data exfiltration through browser extensions.
For those interested in supporting further research into web extensions, mobile apps, and VSCode extensions, the researchers have provided cryptocurrency donation addresses for continued investigation into these critical security issues.