If you use Google Chrome, there is a one-in-a-hundred chance that a small tool you installed to make life easier is actually a stalker. A security researcher going by the name Q Continuum has released a report detailing how 287 different browser extensions are actively stealing the web histories of roughly 37.4 million people.

These extensions, usually disguised as “harmless tools” like ad blockers or search assistants, are feeding your private data to a network of global corporations and data brokers. According to the team of researchers behind this discovery, this isn’t just a minor leak; it is a massive “harvesting operation” where your “sensitive browsing history” is turned into a product.

Decoding the Deception

To catch these extensions, the team built a trap using a man-in-the-middle proxy, basically a checkpoint that inspects every request leaving a computer. Using Docker to simulate real browsing sessions, they scanned the top 32,000 extensions on the Chrome Web Store.

Probing further, they found that many of these tools send user data in plain text, while others use “obfuscation” to hide their tracks, encoding the history with Base64 or encrypting it with AES-256 before sending it off. Some even wait for you to accept a privacy policy first. Researchers noted that because of these evasions, the 37.4 million figure is likely a “conservative lower bound,” and the real number could be much higher.
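As an added illustration of the detection approach described above (example code written for this article, not code from the report or from Hackread), the following Python checks a constructed proxy capture for a canary URL that was only ever visited inside the sandboxed browser, including URL-encoded and Base64-wrapped copies. All hosts, the canary value and the captured requests are made up.

```python
import base64
import json
import re
from urllib.parse import quote, unquote

# Constructed canary: a unique URL visited only inside the sandboxed browser, so any
# outbound request carrying it must have come from an extension reading history.
CANARY = "https://honeypot.example.test/visit/9f3c2a7e-canary"

def _decoded_views(text):
    """Yield (encoding, plaintext) views: raw, URL-decoded, then each Base64-looking chunk decoded."""
    yield "plain", text
    yield "urlencoded", unquote(text)
    for chunk in re.findall(r"[A-Za-z0-9+/=_-]{16,}", text):
        std = chunk.replace("-", "+").replace("_", "/")   # accept the URL-safe alphabet too
        std += "=" * (-len(std) % 4)                       # restore stripped padding
        try:
            yield "base64", base64.b64decode(std, validate=True).decode("utf-8", "ignore")
        except ValueError:                                 # binascii.Error is a ValueError
            continue

def classify_leak(blob, canary=CANARY):
    """Return how the canary appears in blob ('plain', 'urlencoded', 'base64') or None."""
    for encoding, view in _decoded_views(blob):
        if canary in view:
            return encoding
    return None

def find_leaks(requests, canary=CANARY):
    """Return (host, part, encoding) for every captured request whose URL or body carries the canary.
    Payloads encrypted client-side (the AES case in the report) cannot be matched this way and
    need per-destination volume and timing analysis instead."""
    leaks = []
    for req in requests:
        for part in ("url", "body"):
            encoding = classify_leak(req.get(part, ""), canary)
            if encoding:
                leaks.append((req["host"], part, encoding))
    return leaks

# Constructed capture of three outbound requests, as a MITM proxy would log them.
SAMPLE_REQUESTS = [
    {"host": "cdn.example-updates.test", "url": "https://cdn.example-updates.test/rules.json"},
    {"host": "collect.example-broker.test",
     "url": "https://collect.example-broker.test/t?u=" + quote(CANARY, safe="")},
    {"host": "api.example-analytics.test", "url": "https://api.example-analytics.test/v1/events",
     "body": json.dumps({"e": base64.b64encode(json.dumps({"url": CANARY, "uid": 42}).encode()).decode()})},
]

if __name__ == "__main__":
    for host, part, encoding in find_leaks(SAMPLE_REQUESTS):
        print(f"{host}: canary in {part} ({encoding})")
```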

The Big Names Involved

While you might think these are just small, rogue developers, the truth is more startling. The primary suspect, as per the researchers, is Similarweb, which is linked to extensions reaching 10.1 million users. Other recipients include Alibaba Group, ByteDance, Semrush, and Big Star Labs.

Interestingly, of the 37.4 million installations reviewed, about 20 million could not be linked to a specific company. The rest were traced back to the major firms mentioned above. A few “reputable” tools were also flagged, including:

  1. Stylish (a custom theme tool)
  2. Ad Blocker: Stands AdBlocker
  3. Poper Blocker, CrxMouse, and Block Sit
  4. SimilarWeb – Website Traffic & SEO Checker

A Marketplace for Your Privacy

It turns out there is a worrying trend where popular tools are sold to third parties specifically to be turned into spying devices. These actors sometimes use multiple extensions to hide their tracks. The research also points to “policy exceptions” within the Chrome Store that might actually permit this collection under certain rules.

This stolen data includes your Google search URLs and user IDs, which are detailed enough to be “de-anonymized” and linked back to your real identity. The report concludes that this remains a “cat and mouse game,” and the safeguards currently in place are simply “insufficient” to keep users safe.

Image: the regression model the researchers used to check traffic, and honeypot details (credit: Q’s Substack)

Expert’s Analysis:

In a comment shared with Hackread.com, John Carberry, Solution Sleuth, Xcape Inc., noted that this discovery reveals the extension ecosystem as a “vast, legalized surveillance system.” He explained that the investigation uncovered a concerning “transparency gap.”

“The investigation uncovered a concerning ‘transparency gap,’ with nearly 20 million users being tracked by unidentified collectors, likely hidden through shell companies or vague analytics partners. This isn’t necessarily about outright malware, but rather routine data harvesting that users don’t anticipate or fully grasp. For businesses, this goes beyond a mere privacy issue; the exposure of full URLs can reveal internal corporate domains, session tokens in query strings, and sensitive cloud resources.”

Carberry warned that for businesses, this goes beyond privacy; the exposure of full URLs can reveal “internal corporate domains” and “sensitive cloud resources.” He concluded with a warning for all web users: “If you aren’t paying for the product with your wallet, you’re paying for it with your information; in the digital economy, ‘free’ is just a down payment on your privacy.”

(Photo by Growtika on Unsplash)

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.