This investigation surveyed the entire Chrome Web Store, filtering extensions that request sensitive permissions (history, tabs, webRequest, etc.), and we scanned the top 32,000 extensions ordered by user count with our method. Using Docker with Chromium behind a man‑in‑the‑middle proxy, we simulated browsing sessions and recorded every outbound request. By correlating request size with URL length we derived a leakage metric (Redp); values ≥ 1.0 indicate definite history exfiltration, while 0.1 ≤ Redp < 1.0 suggest probable leakage.
The pipeline flagged 287 extensions that actively transmit users’ browsing histories. Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ‑String compression, and full AES‑256 encryption wrapped in RSA‑OAEP. Decoding these payloads showed raw Google search URLs, page referrers, user IDs and timestamps being sent to a network of proprietary domains and cloud‑provider endpoints.
We leveraged the leakage further: by browsing honeypot URLs in the sandboxed environment we allowed that data to be leaked. Honeypot URLs lured some actors and were accessed by known scraper IPs (Amazon Japan, Google LLC, Kontera), confirming active harvesting pipelines. We applied OSINT to the leaking extensions and managed to uncover some actors.
Aggregating install counts gave an exposure of roughly 37.4 million users, representing roughly 1 % of global Chrome users. The majority of the activity clusters around a handful of actors: SimilarWeb (≈ 10 M users), Alibaba‑related groups, Bytedance, and a cluster of Chinese data‑broker firms. Many extensions appear under reputable brand names (e.g., “SimilarWeb - Website Traffic & SEO Checker”) while others masquerade as utilities such as ad blockers (“Ad Blocker: Stands AdBlocker”) or AI assistants.
Limitations include the inability to see WebSocket or DNS‑tunneled traffic and the fact that some extensions only leak after a privacy‑policy popup is accepted, meaning the 37.4 M is a conservative lower bound.
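To make the methodology above concrete, here is an added example (not code from the investigation or its authors) that replays a constructed browsing session through three hypothetical extension behaviours, scores each one with a size-correlation metric, and peels the simple encodings the write-up names (base64, ROT47) off the captured body to confirm the visited URL is inside. It assumes the page's Redp can be approximated as the least-squares slope of outbound request size against visited-URL length, reuses the page's thresholds unchanged, and uses constructed URLs, payloads and extension behaviours throughout.

```python
"""Added example (not the investigation's own code): score captured extension
traffic for history exfiltration and decode base64 / ROT47 layers.

Assumption: the write-up's Redp metric is approximated as the least-squares
slope of request size against URL length; the page's thresholds are reused.
All URLs and extension behaviours are constructed for this demo.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import re


def rot47(text: str) -> str:
    """ROT47 rotates printable ASCII 33..126 by 47; it is its own inverse."""
    return "".join(
        chr(33 + (ord(ch) - 33 + 47) % 94) if 33 <= ord(ch) <= 126 else ch
        for ch in text
    )


def peel(payload: str, depth: int = 4) -> list[str]:
    """Breadth-first undo of base64 / ROT47 layers, up to `depth` deep.

    A decode step is kept only if it yields printable text, so an opaque blob
    (e.g. an AES-wrapped payload) ends the search instead of producing junk.
    """
    seen, frontier, found = {payload}, [payload], [payload]
    for _ in range(depth):
        nxt = []
        for p in frontier:
            cands = [rot47(p)]
            if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p) and len(p) % 4 == 0:
                try:
                    cands.append(base64.b64decode(p, validate=True).decode("ascii"))
                except (binascii.Error, UnicodeDecodeError):
                    pass
            for c in cands:
                if c not in seen and c.isprintable():
                    seen.add(c)
                    nxt.append(c)
                    found.append(c)
        frontier = nxt
    return found


def leak_score(samples: list[tuple[str, int]]) -> float:
    """Assumed stand-in for Redp: slope of request size vs. visited-URL length.

    A slope near 1 means each extra URL byte costs about one extra byte on the
    wire, i.e. the URL itself is being sent (base64 inflates that to ~1.33).
    """
    xs = [len(url) for url, _ in samples]
    ys = [size for _, size in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    var = sum((x - mx) ** 2 for x in xs)
    if var == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var


def classify(score: float) -> str:
    """Apply the thresholds quoted in the write-up."""
    if score >= 1.0:
        return "definite"
    if score >= 0.1:
        return "probable"
    return "none"


# Constructed browsing session; a real run would replay a longer, varied set.
VISITED = [
    "https://www.google.com/search?q=chrome+extension+privacy",
    "https://example.org/",
    "https://news.example.net/2024/05/long-article-title-with-many-words-in-it",
    "https://bank.example.com/accounts/summary",
]


# Hypothetical extension behaviours: each returns the request body a MITM
# proxy would capture for one page visit.
def fake_leaking_extension(url: str) -> str:
    return base64.b64encode(rot47(url).encode()).decode()  # ROT47, then base64


def fake_beacon_extension(url: str) -> str:
    return '{"v":"1.2.3","event":"tick"}'  # fixed-size heartbeat, URL unused


def fake_digest_extension(url: str) -> str:
    return hashlib.sha256(url.encode()).hexdigest()  # fixed 64 chars, no size signal


def audit(extension_fn, urls: list[str]) -> dict:
    """Replay the session through one extension; report score and evidence."""
    bodies = [extension_fn(u) for u in urls]
    score = leak_score([(u, len(b)) for u, b in zip(urls, bodies)])
    recovered = sum(1 for u, b in zip(urls, bodies) if any(u in p for p in peel(b)))
    return {"score": round(score, 2), "verdict": classify(score),
            "urls_recovered": recovered}
```

Running `audit(fake_leaking_extension, VISITED)` on this constructed set yields a slope of about 1.36 (base64 overhead on top of the URL) and recovers all four URLs from the payloads, while the heartbeat and digest senders both score 0. That last case is a property of the size-correlation approximation used here rather than a finding of the write-up: an extension that sends a fixed-size derivative of the URL produces no size signal, so decoding the captured body, not just measuring it, is what settles the question.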
If an organization with a tiny fraction of Google’s resources can detect these extensions, Google can too. There is only one reason malware extensions and Android apps are being distributed by Google - they make more money distributing malware than they would if they detected and blocked it.
And these assholes pretend they are blocking app stores like F-Droid (which has never had a malware distribution problem) for “our protection.”
Google just shrugs and points to the little messagebox that pops up and explains almost nothing asking you for permission.
I’ve disabled Google’s Play Protect after it deleted multiple apps I rarely use and all their settings and being forced to spend hours configuring them again. I know I can manually change individual app settings to prevent that from happening, but given all the years Google’s been spreading malware why trust them? The fact Google regularly distributes malware and then wants permission to scan my phone for malware is laughable.
I avoid apps from the Google store because they can be downright dangerous, but I have few worries about that “dangerous” third party F-droid store.
using chrome
and using non-free extensions as well
I’ve gone through the list a bit and out of the most popular ones that spied on you, most were adblocks, coupon finders or AI Chatbots.
Some notable extensions:
- Stylish. A theming extension, I used to use this back in the day!
- Smarty. Some sort of coupon code thing like Honey
- Video Ad Blocker Plus for YouTube™
- Video Downloader PLUS
- Karma - Another coupon thing
- Audio editor online Audacity. Some sort of web-based Audacity clone?
- GIMP online - Same sort of thing as above with GIMP
- Ground News Bias Checker - To be fair it probably makes sense this one sends the URL you are visiting, as it’s purpose is to look up the bias of the publication you are looking at.
Worth a read regardless.
Stylish is long known and the open-source Stylus fork is suggested. https://github.com/openstyles/stylus
Great work to the investigators here. I’m going to comb through this list a little. See what things stand out.
Another interesting one. These extensions are all related:

wow so many trademark violations, so blatant that even a shit automated system should’ve caught it, but no, google is too busy selling ads and profiling users
deleted by creator
for “pelotudos” (idiots)
they can use Brave, it’s easy-peasy (not nuclear science)
Using a reskinned Google Chrome protects you from malicious Chrome extensions how, exactly?
Yeah the Brave CEO has donated to anti LGBTQ campaigns.
No thanks
He also created JavaScript, IIRC.
Big no thanks /j
Just to add a little context to this. The Brave CEO donated $1k to California’s Proposition 8 almost 20 years ago (in 2008). 6 years later he formally apologized for it and stepped down as the CEO of Mozilla.
https://wikipedia.org/wiki/Brendan_Eich
His apology is viewable on his website: https://brendaneich.com/
Years later, Brave would get in trouble again for rerouting people’s traffic through referral links to make them money.
Some more context: Brendan Eich’s tenure as CEO of Mozilla lasted just 11 days due to the massive backlash, which also caused half of the board to step down.
Despite it being so long ago and such a small amount donated, I’m inclined to believe that a leopard doesn’t change his spots, he just hides it better now.
Brave is in the list.
And how exactly does this protect against spying extensions?
It’s pretty hypocritical for you to call other people idiots.
Brave is shit
No bueno.