Mass privacy breach found in Chrome extensions

Security analysts have uncovered a network of 287 Google Chrome browser extensions that siphon off users’ browsing data and send it to external servers, collectively installed on roughly 37.4 million devices worldwide. The discovery has alarmed privacy advocates and highlights ongoing weaknesses in browser extension marketplaces that allow ostensibly benign add-ons to conduct intrusive data collection without clear disclosure. This emergent threat comes amid broader scrutiny of how browser extensions are vetted and monitored, raising questions about user protection and platform governance.

Researchers behind the investigation built a systematic detection tool that runs Chrome in a controlled environment, routing traffic through an intercepting proxy to identify unusual network activity tied to extension behaviour. Extensions that generated outbound traffic correlated with visited URLs were flagged for exfiltrating data, a method experts say provides a scalable lens on hidden data leakage. The project consumed hundreds of CPU-days of computing time, reflecting both the scale of the analysis and the complexity of detecting covert data flows.

The breadth of the issue spans a mix of extension types marketed as productivity aids, design customisers and analytics tools, obscuring the risk for everyday users. While some of the harvested data may be officially disclosed in privacy policies, many users are unlikely to appreciate that by agreeing to permissions they are permitting access to detailed browsing histories, which can include personal identifiers and session URLs. Analysts argue this undermines genuine consent and points to a broader regulatory challenge in how data collection is governed in digital ecosystems.

Among the identified actors are well-known analytics firms and data brokers, with some extensions linked to companies like Similarweb and associated entities such as Big Star Labs. Other identified organisations include Semrush, Alibaba Group and ByteDance, although for around 20 million installations the specific collecting entity could not be conclusively determined. The presence of established firms in the dataset has triggered debate about corporate responsibility, with companies under pressure to clarify how extension-derived data is used and whether users are adequately informed.

Technical experts stress that while some extensions explicitly state data collection in their policies, the interpretation of those clauses and user understanding varies widely. “Terms of service or privacy policies frequently obscure these practices, leaving users unaware they’ve consented to data collection,” one analyst commented, underscoring the opaque nature of many agreements that accompany free software. This is particularly concerning where full browsing histories, including internal and secure URLs, can be aggregated and potentially repurposed for targeted marketing or more intrusive surveillance.

The methodological approach used in the investigation builds on earlier work in browser extension monitoring and highlights persistent blind spots in extension store curation. By correlating outbound traffic with synthetic browsing patterns, the detection system sidesteps reliance on declared permissions or code signatures, which have historically failed to catch many malicious behaviours. This technique also revealed dozens of destination IP ranges that repeatedly queried specially crafted “honey URLs,” suggesting that exfiltrated data is being actively processed or re-queried after collection.

Privacy advocates argue that the findings illustrate the urgent need for stronger safeguards in extension ecosystems. They call on browser vendors to tighten review processes, enforce stricter permission granularity and implement real-time monitoring of extension network activity. Critics point out that automated and manual vetting alone is insufficient if threat actors can embed covert channels that only manifest under specific conditions, evading detection until after widespread installation.

On the user side, cybersecurity specialists recommend that individuals audit their installed extensions, revoke unnecessary permissions, and prioritise tools with transparent open-source code and strong reputations. They also advise regular review of privacy settings within browsers and the use of dedicated privacy-enhancing tools to mitigate unwanted tracking. However, professionals caution that such individual steps, while useful, do not address structural vulnerabilities that allow malicious extensions to proliferate unchecked on popular platforms.

The broader landscape of extension security has seen similar concerns previously, with other campaigns exploiting browser add-ons to collect sensitive information across millions of users and evade platform defences. Security researchers have documented how extensions can be co-opted or sold to less scrupulous operators, turning once-helpful utilities into surveillance tools. These patterns emphasise that the ecosystem’s openness, while beneficial for innovation, also creates fertile ground for intrusion and misuse.