Article Details

Original Article Text

Devilish devs spawn 287 Chrome extensions to flog your browser history to data brokers

Add-ons with 37M installs leak visited URLs to 30+ recipients, researcher says

They know where you've been and they're going to share it.

A security researcher has identified 287 Chrome extensions that allegedly exfiltrate browsing history data for an estimated 37.4 million installations.

Browsing history data – a record of websites visited – reveals potentially sensitive information about people's activities and interests. Though it may be anonymized, academics have shown [PDF] that you can often trace it back to individuals using public social media profiles.

The sharing of browsing history data thus erodes personal privacy, though at least some of the info harvesting the researcher detected is disclosed in privacy policies. Even so, individuals who have installed these extensions may not realize that the privacy policies they accepted were not promising privacy.

The researcher, who goes by the name "Q Continuum" in a nod to Star Trek: The Next Generation, explained the motivation for the project in an online post, acknowledging that data harvesting of this sort is a longstanding concern for browser extensions.

Indeed, it was only two months ago that we reported on how several ad blocking and VPN extensions in the Chrome Web Store were spotted capturing chatbot conversations. And in March 2025, we discussed research showing that generative AI extensions were found to be capturing and sharing sensitive user data. Also, as we've noted, developers of popular Chrome extensions face constant solicitations to sell out to buyers interested in inserting data gathering scripts.

Q observes that Chrome extensions in the past have been called out for exfiltrating user browsing data that gets collected by data brokers like Similarweb and Alexa. The research report [PDF] represents an effort to document that web analytics biz Similarweb and other data harvesting companies are still at it.
"Why does it matter?" Q Continuum asks. "There is a moral aspect to the whole issue. Imagine that you build your business model on data exfiltration via innocent-looking extensions and using that data to sell them to big corporates. Well, that's how Similarweb is getting part of the data. That should remind us that whatever software you are using for free and it is not open sourced, you should assume you are the product."

The report says that data leaking extensions tend to share a common trait: they purport to be harmless tools while requesting access to sensitive data like browsing history without a sound justification.

"Many users, even when aware of surveillance, fail to grasp the risks or consequences of such access," the report says. "This constitutes a privacy breach, as terms of service or privacy policies frequently obscure these practices, leaving users unaware they've consented to data collection."

Q's research builds upon work published [PDF] in 2017 by Michael Weissbacher et al., "Ex-Ray: Detection of History-Leaking Browser Extensions."

Q developed an automated testing system using Docker with Chromium behind a man-in-the-middle (MITM) proxy. The harness executed synthetic browsing workloads with each extension installed, then correlated the outbound network requests captured by the proxy with the URLs that had been visited: a third-party request that carries a visited URL (in whatever encoding) is evidence of history leakage.

The testing pipeline revealed more than 30 companies involved in collecting browsing data. For around 20 million of the 37.4 million relevant installations, the collecting entity was unknown. For the remainder, it was companies like Similarweb, Big Star Labs (said to be an arm of Similarweb), Semrush, Alibaba Group, ByteDance, and others.

"The findings highlight the urgent need for greater awareness and more robust safeguards to protect users from the growing risks posed by malicious extensions," Q's report says.

Similarweb, the focus of the report, did not respond to a request for comment. The company's extension privacy policy discloses its collection of browsing data.
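The correlation step of such a pipeline, shown as an added example (this is not the researcher's code, nor Ex-Ray's): a small Python checker takes the URLs a synthetic workload visited and the outbound requests a MITM proxy recorded, skips requests that go back to the visited site itself, and reports which third-party hosts received a visited URL and in which form (plaintext, percent-encoded, base64, or as an MD5/SHA-1/SHA-256 digest). The visited URLs, the request log and the `.test` hostnames are all constructed for the example; `.test` is a reserved TLD that never resolves.

```python
"""Toy history-leak correlator: which third-party hosts received visited URLs?
Added example in the spirit of the Docker/Chromium/MITM pipeline described above;
all inputs below are constructed, not captured traffic."""
import base64
import hashlib
import json
from urllib.parse import quote, urlsplit

# Constructed synthetic browsing workload: the URLs the harness "visited".
VISITED = [
    "https://example.org/account/settings?token=abc123",
    "https://news.example.net/2025/01/story",
]


def _b64(s: str) -> str:
    """Unpadded standard base64, as trackers often put it in a query string."""
    return base64.b64encode(s.encode()).decode().rstrip("=")


# Constructed outbound requests as a MITM proxy would log them (hypothetical hosts).
REQUESTS = [
    {"url": VISITED[0], "body": ""},                                   # the page load itself
    {"url": "https://cdn.example.org/app.js", "body": ""},            # first-party asset
    {"url": "https://collector.example-broker.test/v1/events",        # plaintext URL in JSON body
     "body": json.dumps({"u": VISITED[0], "t": 1700000000})},
    {"url": "https://t.example-analytics.test/p?d=" + _b64(VISITED[1]), "body": ""},  # base64 in query
    {"url": "https://h.example-tracker.test/ingest",                  # hashed URL in body
     "body": hashlib.sha1(VISITED[0].encode()).hexdigest()},
    {"url": "https://collector.example-broker.test/pixel?r=" + quote(VISITED[1], safe=""),
     "body": ""},                                                     # percent-encoded in query
]


def host_of(url: str) -> str:
    """Lower-cased hostname without port."""
    return (urlsplit(url).hostname or "").lower()


def is_first_party(dest_host: str, visited_host: str) -> bool:
    """Crude same-site test: exact host or a subdomain of the visited host.
    A production checker would compare eTLD+1 using the public-suffix list."""
    return dest_host == visited_host or dest_host.endswith("." + visited_host)


def encodings(url: str):
    """Yield (label, token) pairs for the forms a leaked URL commonly takes on the wire."""
    yield "plaintext", url
    yield "percent", quote(url, safe="")
    std = base64.b64encode(url.encode()).decode().rstrip("=")
    yield "base64", std
    url_safe = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    if url_safe != std:          # only differs when the standard form contains '+' or '/'
        yield "base64url", url_safe
    for algo in ("md5", "sha1", "sha256"):
        yield algo, hashlib.new(algo, url.encode()).hexdigest()


def find_leaks(visited, requests):
    """Correlate every third-party request with every visited URL and report the
    first encoding under which that URL appears in the request URL or body."""
    leaks = []
    for req in requests:
        dest = host_of(req["url"])
        haystack = req["url"] + "\n" + req.get("body", "")
        for url in visited:
            if is_first_party(dest, host_of(url)):
                continue  # a site learning its own URL is not history leakage
            for label, token in encodings(url):
                if token in haystack:
                    leaks.append({"dest": dest, "visited": url, "encoding": label})
                    break
    return leaks


def recipients(leaks):
    """Count leaked URLs per destination host: the 'who is collecting' view."""
    counts = {}
    for leak in leaks:
        counts[leak["dest"]] = counts.get(leak["dest"], 0) + 1
    return counts


if __name__ == "__main__":
    for leak in find_leaks(VISITED, REQUESTS):
        print(f'{leak["dest"]:34} {leak["encoding"]:9} {leak["visited"]}')
```

Substring matching only catches URLs that travel in a recognizable encoding. A payload that is compressed, encrypted or custom-obfuscated before upload would pass this check, so a real pipeline should add a volume-based comparison (does the extension's outbound traffic grow with the number of URLs visited?) and should run each extension in a fresh profile so that leaks are attributable to one extension rather than to the browser or another add-on.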
The company claims both that it scrubs browsing data on the client side to remove information that could identify an individual and that "Some of this data may include Personal Data and Sensitive Data depending on the searches conducted and content you view."

A Similarweb financial filing from February 27, 2025, attests to the company's reliance on data gathered from browser extensions and apps. The company's risk boilerplate says, "Our platform and solutions depend in part on the ability to obtain data from our contributory network through browser extensions, mobile apps and other products distributed through third-party online platforms and stores such as Chrome Web Store, Google Play and the Apple App Store."

Google also did not immediately respond to our inquiry.

As noted by security researcher Wladimir Palant, Google's Chrome Web Store has a Limited Use policy intended to prevent data from being shared with data brokers. But the policy allows for an exception that can be abused by unscrupulous companies.

Daily Brief Summary

DATA BREACH // Chrome Extensions Leak User Browsing Data to Over 30 Companies

A security researcher identified 287 Chrome extensions leaking browsing history data, affecting approximately 37.4 million installations, raising significant privacy concerns.

The extensions present themselves as harmless tools while requesting browsing-history access they do not need; where the collection is disclosed at all, it is buried in privacy policies that users accept without realizing what they consent to.

The research identified more than 30 companies collecting this data, among them Similarweb, Big Star Labs, Semrush, Alibaba Group and ByteDance; for roughly 20 million of the 37.4 million installations the recipient could not be identified.

The researcher built an automated pipeline (Chromium in Docker behind a MITM proxy) that ran synthetic browsing workloads and correlated the proxy's outbound requests with the visited URLs to detect leakage, building on the 2017 Ex-Ray work.

Similarweb's financial filings indicate a dependency on data sourced from browser extensions, despite claiming anonymization efforts.

Google's Chrome Web Store Limited Use policy is meant to stop extension data reaching data brokers, but it carries an exception that unscrupulous companies can abuse, which argues for stricter enforcement and oversight.

These findings underscore the need for increased user awareness and stronger regulatory measures to safeguard personal data against unauthorized collection.