A sweeping new investigation by Q Continuum has uncovered a massive surveillance network operating within the Chrome Web Store, revealing that nearly 1% of all Chrome users worldwide are currently being tracked by malicious browser extensions. The report details a sprawling ecosystem of 287 extensions that actively exfiltrate browsing history, affecting an estimated 37.4 million users.
To uncover this network, Q Continuum researchers didn’t just analyze code; they watched the traffic. They constructed a sophisticated “automated scanning pipeline” designed to catch extensions in the act of stealing data.
“We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man-in-the-middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it,” the report explains.
This behavior-based approach allowed them to bypass static obfuscation techniques and identify extensions that were silently transmitting visited URLs to remote servers.
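The core of that behavior-based check is a correlation test: feed the browser URLs of varying length, record the size of every outbound request the proxy sees per destination host, and flag hosts whose request size grows with the length of the URL that was just visited. The following is an added example in that spirit, not Q Continuum's pipeline code; the fed URLs, the hosts `telemetry.example` and `collector.example`, and `simulate_extension_traffic` (a stand-in for what the MITM proxy would record) are all constructed for illustration.

```python
import base64
import json
import math
from collections import defaultdict

# Constructed: URLs of deliberately different lengths fed to the instrumented browser.
FED_URLS = [
    "https://a.example/",
    "https://news.example/politics/story-1234",
    "https://shop.example/cart?item=9981&qty=2&promo=SPRING",
    "https://mail.example/inbox/thread/0123456789abcdef/message/42?view=full",
    "https://docs.example/p/" + "x" * 120,
]


def simulate_extension_traffic(url):
    """Constructed stand-in for the (host, request size) pairs a MITM proxy
    would record for one page load. One host sends a fixed-size heartbeat,
    the other sends the visited URL base64-encoded, so its size tracks the URL."""
    benign = len(json.dumps({"event": "pageview", "v": 3}))
    leaky = len("u=" + base64.b64encode(url.encode()).decode())
    return [("telemetry.example", benign), ("collector.example", leaky)]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either side is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def collect_observations(urls=FED_URLS, traffic=simulate_extension_traffic):
    """Group (fed URL length, outbound request size) pairs per destination host."""
    per_host = defaultdict(list)
    for url in urls:
        for host, size in traffic(url):
            per_host[host].append((len(url), size))
    return per_host


def find_length_correlated_hosts(per_host, min_samples=4, threshold=0.9):
    """Return {host: r} for hosts whose request size correlates with URL length.
    min_samples guards against spurious correlation on tiny samples."""
    flagged = {}
    for host, pairs in per_host.items():
        if len(pairs) < min_samples:
            continue
        xs, ys = zip(*pairs)
        r = pearson(xs, ys)
        if r >= threshold:
            flagged[host] = round(r, 3)
    return flagged


if __name__ == "__main__":
    for host, r in find_length_correlated_hosts(collect_observations()).items():
        print(f"{host}: request size tracks visited-URL length (r={r})")
```

The threshold and minimum sample count are the knobs that matter in practice: a real pipeline feeds many URLs so that fixed-size telemetry, chunked uploads and compressed payloads do not produce false positives, and it treats a high correlation as a lead to confirm by decoding the payload rather than as proof on its own.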
The investigation identified a wide range of actors behind these operations, ranging from well-known analytics firms to obscure entities. While some data collection is expected in the modern web, these extensions were flagged specifically for exfiltrating detailed browsing history without clear user consent.
“The actors behind the leaks span the spectrum: Similarweb, Curly Doggo, Offidocs, Chinese actors, many smaller obscure data-brokers, and a mysterious ‘Big Star Labs’ that appears to be an extended arm of Similarweb,” the researchers noted.
The report highlights that this is not a new problem, citing historical precedents like the “Stylish” extension scandal of 2018. However, the scale remains alarming. “Those extensions collectively have ~37.4 M installations – roughly 1% of the global Chrome user base,” Q Continuum states.
One of the most clever—and insidious—techniques detailed in the report involves the abuse of legitimate infrastructure. Instead of sending stolen data to a suspicious, unknown server, some extensions piggyback on Google Analytics (GA) to exfiltrate user data.
By encoding the stolen URLs into standard analytics parameters, the attackers can hide their traffic amidst the noise of legitimate web activity. The report cites “Super PiP – Picture-in-Picture” (extension ID: jjjpjmbnbdjhbkclajpagjkefefnednl) as a prime example of this tactic.
“GA can also be used for data exfiltration, where even the parameter can simply be the visited URL,” the report explains, showing how sensitive data is smuggled out via standard HTTP requests to Google’s own servers.
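Because the destination is Google's own endpoint, host-based blocking does not help here; the tell is in the hit's parameters. The check below, added as an example and not taken from the report, inspects each query parameter of an analytics hit, also after URL-decoding and base64-decoding, and reports any that carry a URL for a host other than the analytics vendor's own. The `collect` endpoint and the `v`/`tid`/`t`/`ec`/`ea`/`el` parameter names are the real Google Analytics Measurement Protocol ones; the sample hits, the `el` values and the `bank.example`/`mail.example` hosts are constructed.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>&]+")
B64_RE = re.compile(r"[A-Za-z0-9+/=_-]+")


def _try_base64(value):
    """Decode value as (standard or URL-safe) base64 if it yields printable text."""
    if len(value) < 8 or not B64_RE.fullmatch(value):
        return None
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        text = base64.b64decode(std, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def _candidates(raw_value):
    """Forms of one parameter value worth scanning: raw, URL-decoded, base64-decoded."""
    seen = []
    for text in (raw_value, unquote(raw_value)):
        if text not in seen:
            seen.append(text)
        decoded = _try_base64(text)
        if decoded and decoded not in seen:
            seen.append(decoded)
    return seen


def _pairs(query):
    """Split the query string without the '+'-to-space rewrite parse_qsl applies,
    which would corrupt base64 values."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield key, value


def find_url_bearing_params(hit_url, own_hosts=("www.google-analytics.com",)):
    """Return [(param, embedded_url)] for parameters of an analytics hit that
    smuggle a URL whose host is not one of own_hosts."""
    findings = []
    for key, raw in _pairs(urlsplit(hit_url).query):
        for text in _candidates(raw):
            m = URL_RE.search(text)
            if m and (urlsplit(m.group(0)).hostname or "") not in own_hosts:
                findings.append((key, m.group(0)))
                break
    return findings


# Constructed sample hits: one ordinary UI event, one with the visited page in
# plain (URL-encoded) form, one with it base64-encoded.
GA = "https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&t=event"
HIT_BENIGN = GA + "&ec=ui&ea=click&el=settings"
HIT_PLAIN = GA + "&ec=nav&ea=visit&el=" + quote("https://mail.example/inbox/thread/42", safe="")
HIT_B64 = GA + "&ec=nav&ea=pv&el=" + quote(
    base64.b64encode(b"https://bank.example/accounts/123").decode(), safe="")

if __name__ == "__main__":
    for hit in (HIT_BENIGN, HIT_PLAIN, HIT_B64):
        print(find_url_bearing_params(hit) or "clean")
```

The point of scanning decoded forms is that a single layer of encoding is enough to defeat a naive substring match for `http`; a proxy-side detector should normalise each parameter value before deciding. Legitimate hits can carry URLs too (for instance the extension's own options page), which is why the check is scoped by `own_hosts` and is best treated as a triage signal that a reviewer then confirms against the extension's source.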
The sheer volume of installations suggests that the current vetting process for the Chrome Web Store is struggling to keep pace with data-hungry developers. As the report concludes, the motivation is clear: user data is a commodity, and as long as it holds value, extensions will continue to be a primary vector for extraction.