37M Chrome Extensions Leak Browsing Data

💡 Popular AI tools like Knowee leak your history—check your extensions now
⚡ 30-Second TL;DR
What Changed
37M installs across 287 extensions leak URLs to data brokers
Why It Matters
Researcher Q Continuum detected URL leaks via automated analysis.
What To Do Next
Audit installed Chrome extensions for broad permissions using chrome://extensions/.
🧠 Deep Insight
Web-grounded analysis with 6 cited sources.
🔑 Enhanced Key Takeaways
- 287 Chrome extensions with 37.4 million combined installations were found exfiltrating browsing history data to over 30 companies, with approximately 20 million installations sending data to unknown entities [1]
- 153 of the confirmed data-leaking extensions began transmitting browsing history immediately after installation, accounting for 27.2 million installs alone [2]
- Data collection involves 32 separate publishing entities with suspected coordinated infrastructure overlapping with known spyware distribution networks, indicating a centralized data broker operation rather than independent rogue developers [2]
- Outbound data payloads use sophisticated obfuscation techniques including base64, ROT47, LZ-String compression, and AES-256 encryption wrapped in RSA-OAEP to evade detection [4]
- Affected extensions span multiple categories including VPNs, productivity tools, coupon finders, PDF utilities, and browser utilities—many with hundreds of thousands to millions of users—creating widespread exposure to corporate espionage and credential harvesting risks [3][4]
🛠️ Technical Deep Dive
- Researcher Q Continuum built an automated testing pipeline that launched Chrome instances, installed extensions, visited predefined websites, and captured outbound communications to identify data exfiltration patterns
- Encrypted payloads were decoded to reveal raw Google search URLs, page referrers, user IDs, and timestamps being transmitted to proprietary domains and cloud-provider endpoints [4]
- Extensions requested broad host permissions (cross-website access) enabling comprehensive browsing history collection [3]
- Data collection infrastructure includes companies such as Similarweb, Big Star Labs (identified as a Similarweb subsidiary), Semrush, Alibaba Group, and ByteDance [1]
- Similarweb's February 27, 2025 financial filing confirmed the company's reliance on data gathered from browser extensions and apps distributed through Chrome Web Store, Google Play, and Apple App Store [1]
- A related cluster of 30 malicious extensions with over 260,000 installs employed advanced manipulation techniques including hidden iframe injection, real-time browser UI manipulation, tracking pixels, session data exfiltration, webpage content replacement, phishing overlays, and silent user redirection [2]
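As an added illustration (not the researcher's pipeline or code from any cited source), the canary check behind this kind of testing can be sketched as follows: visit a unique URL, then search each captured outbound body for it after peeling encoding layers. The function names, the canary URL and the payloads are assumptions; only base64, ROT47 and percent-encoding are handled, not LZ-String or the AES-256/RSA-OAEP layer.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Runs long enough to plausibly be base64 (standard or URL-safe alphabet).
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def rot47(text):
    """ROT47 rotates the 94 printable ASCII characters by 47; it is its own inverse."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )

def b64_runs(text):
    """Replace each base64-looking run with its decoded text when it is valid UTF-8."""
    def decode(match):
        token = match.group(0).rstrip("=").replace("-", "+").replace("_", "/")
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            return raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return match.group(0)  # not base64 after all: leave untouched
    return B64_RUN.sub(decode, text)

DECODERS = {"base64": b64_runs, "rot47": rot47, "urldecode": unquote}

def find_leak(payload, canary, max_depth=4):
    """Breadth-first search over decoder chains.

    Returns the shortest chain of decoder names that exposes `canary`
    in `payload` ([] if it is sent in the clear), or None if none does.
    """
    frontier, seen = [(payload, [])], {payload}
    for _ in range(max_depth + 1):
        next_frontier = []
        for text, chain in frontier:
            if canary in text:
                return chain
            for name, decoder in DECODERS.items():
                decoded = decoder(text)
                if decoded not in seen:
                    seen.add(decoded)
                    next_frontier.append((decoded, chain + [name]))
        frontier = next_frontier
    return None
```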
🔮 Future Implications
AI analysis grounded in cited sources
This discovery underscores critical vulnerabilities in the browser extension ecosystem and highlights the urgent need for enhanced security governance within app stores. The coordinated nature of the operation—involving 32 publishing entities and centralized data broker infrastructure—suggests that extension-based surveillance has become a systematic, profitable business model. Organizations face elevated risks of corporate espionage through employee browsing data exposure, while individual users confront privacy erosion and credential harvesting threats. The incident may accelerate regulatory scrutiny of extension permissions, data collection practices, and app store vetting procedures. Additionally, the sophisticated obfuscation techniques employed (AES-256 encryption, RSA-OAEP wrapping) indicate that malicious actors are investing in advanced evasion methods, potentially outpacing detection capabilities.
📎 Sources (6)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
- theregister.com — Security Researcher 287 Chrome Extensions Data Leak
- techmonk.economictimes.indiatimes.com — 128404263
- computerworld.com — Leaky Chrome Extensions with 37m Installs Caught Shipping Your Browsing History 2
- csoonline.com — Leaky Chrome Extensions with 37m Installs Caught Shipping Your Browsing History
- securityweek.com — Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data
- bleepingcomputer.com — Flaws in Popular Vscode Extensions Expose Developers to Attacks
Original source: Computerworld ↗