this post was submitted on 11 Feb 2026
200 points (99.5% liked)


This investigation surveyed the entire Chrome Web Store, filtering extensions that request sensitive permissions (history, tabs, webRequest, etc.), and we scanned the top 32,000 extensions, ordered by user count, with our method. Using Docker with Chromium behind a man‑in‑the‑middle proxy, we simulated browsing sessions and recorded every outbound request. By correlating request size with URL length we derived a leakage metric (Redp); values ≥ 1.0 indicate definite history exfiltration, while 0.1 ≤ Redp < 1.0 suggest probable leakage.

The pipeline flagged 287 extensions that actively transmit users’ browsing histories. Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ‑String compression, and full AES‑256 encryption wrapped in RSA‑OAEP. Decoding these payloads showed raw Google search URLs, page referrers, user IDs and timestamps being sent to a network of proprietary domains and cloud‑provider endpoints.

We leveraged the leakage further: by browsing honeypot URLs in the sandboxed environment, we allowed those data to be leaked. Honeypot URLs lured some actors and were accessed by known scraper IPs (Amazon Japan, Google LLC, Kontera), confirming active harvesting pipelines. We applied OSINT to the leaking extensions and managed to uncover some actors.

Aggregating install counts gave an exposure of roughly 37.4 million users, representing about 1 % of global Chrome users. The majority of the activity clusters around a handful of actors: SimilarWeb (≈ 10 M users), Alibaba‑related groups, Bytedance, and a cluster of Chinese data‑broker firms. Many extensions appear under reputable brand names (e.g., “SimilarWeb - Website Traffic & SEO Checker”) while others masquerade as utilities such as ad blockers (“Ad Blocker: Stands AdBlocker”) or AI assistants.

Limitations include the inability to see WebSocket or DNS‑tunneled traffic and the fact that some extensions only leak after a privacy‑policy popup is accepted, meaning the 37.4 M is a conservative lower bound.
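The size-versus-URL-length correlation described in the post can be sketched as follows; this is an added example, not part of the original post or the investigators' code. The post does not define Redp, so the sketch assumes it is the least-squares slope of bytes sent to each destination against the length of the visited URL; the host names and byte counts are constructed sample data.

```python
# Thresholds are the ones quoted in the post; treating the metric as a
# regression slope is an assumption made for this example.
DEFINITE, PROBABLE = 1.0, 0.1

def slope(xs, ys):
    """Least-squares slope of ys against xs (0.0 if xs do not vary)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    var = sum((x - mx) ** 2 for x in xs)
    if var == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var

def leak_scores(sessions):
    """sessions: list of (visited_url_length, {dest_host: outbound_bytes}).
    Returns {dest_host: growth in bytes sent per extra URL character}."""
    hosts = {h for _, sent in sessions for h in sent}
    xs = [length for length, _ in sessions]
    # A host that received nothing in a session counts as 0 bytes.
    return {h: slope(xs, [sent.get(h, 0) for _, sent in sessions])
            for h in hosts}

def classify(score):
    """Map a score onto the bands given in the post."""
    if score >= DEFINITE:
        return "definite"
    if score >= PROBABLE:
        return "probable"
    return "none"

# Constructed sample: four sandbox runs visiting URLs of 50..400 characters.
# collector.example receives the URL base64-encoded plus 120 fixed bytes,
# stats.example a compressed form, update.example a fixed-size ping.
SESSIONS = [
    (50,  {"collector.example": 188, "stats.example": 95,  "update.example": 300}),
    (100, {"collector.example": 256, "stats.example": 110, "update.example": 300}),
    (200, {"collector.example": 388, "stats.example": 140, "update.example": 300}),
    (400, {"collector.example": 656, "stats.example": 200, "update.example": 300}),
]

def report(sessions=SESSIONS):
    """Return {host: verdict} for every destination seen in the capture."""
    return {h: classify(s) for h, s in leak_scores(sessions).items()}

if __name__ == "__main__":
    for host, verdict in sorted(report().items()):
        print(f"{host:20s} {verdict}")
```

Because the score depends only on payload size, it still rises when the body is encrypted, since ciphertext length tracks plaintext length.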

[–] Armand1@lemmy.world 32 points 1 day ago (1 children)

I've gone through the list a bit and out of the most popular ones that spied on you, most were adblocks, coupon finders or AI Chatbots.

Some notable extensions:

  • Stylish. A theming extension, I used to use this back in the day!
  • Smarty. Some sort of coupon code thing like Honey
  • Video Ad Blocker Plus for YouTube™
  • Video Downloader PLUS
  • Karma - Another coupon thing
  • Audio editor online Audacity. Some sort of web-based Audacity clone?
  • GIMP online - Same sort of thing as above with GIMP
  • Ground News Bias Checker - To be fair it probably makes sense this one sends the URL you are visiting, as its purpose is to look up the bias of the publication you are looking at.

Worth a read regardless.

[–] x00z@lemmy.world 6 points 19 hours ago

Stylish has long been known, and the open-source Stylus fork is suggested. https://github.com/openstyles/stylus