37M Chrome Extensions Leak Browsing Data
🖥️ #browser-security #data-leak #extensions


🖥️Read original on Computerworld

💡Popular AI tools like Knowee leak your history—check your extensions now

⚡ 30-Second TL;DR

What changed

37M installs across 287 extensions leak URLs to data brokers

Why it matters

Researcher Q Continuum detected URL leaks via automated analysis.

What to do next

Audit installed Chrome extensions for broad permissions using chrome://extensions/.

Who should care: Enterprise & Security Teams
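The "audit installed extensions for broad permissions" step above, done offline against the extension manifests on disk instead of by eye in chrome://extensions/. This is an added example, not code from the article or the research; the profile path in the main block is an assumption (Linux default profile) and differs per OS and profile.

```python
"""Flag installed Chrome extensions whose manifest grants cross-website access.

Added example, not code from the article or the research. The profile path in
the main block is an assumption (Linux default profile); adjust for your OS/profile.
"""
import json
import re
from pathlib import Path

# Chrome match patterns that amount to "read every site you visit".
BROAD_PATTERN = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")


def broad_host_permissions(manifest: dict) -> list[str]:
    """Return the host patterns in a manifest that grant cross-website access.

    MV2 mixes host patterns into 'permissions'; MV3 moves them to
    'host_permissions' / 'optional_host_permissions'; content_script 'matches'
    give the same reach without any permission entry.
    """
    candidates = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        candidates.extend(manifest.get(key, []))
    for script in manifest.get("content_scripts", []):
        candidates.extend(script.get("matches", []))
    return sorted({p for p in candidates if isinstance(p, str) and BROAD_PATTERN.match(p)})


def audit_extensions_dir(ext_root: Path) -> list[tuple[str, str, list[str]]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report broad grants."""
    findings = []
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        broad = broad_host_permissions(manifest)
        if broad:
            ext_id = manifest_path.parent.parent.name
            # 'name' may be a localisation key such as __MSG_appName__; the id is what matters.
            findings.append((ext_id, manifest.get("name", "?"), broad))
    return findings


if __name__ == "__main__":
    root = Path.home() / ".config/google-chrome/Default/Extensions"  # assumed path
    for ext_id, name, broad in audit_extensions_dir(root):
        print(f"{ext_id}  {name!r}: {', '.join(broad)}")
```

A hit is not proof of leaking, but it is exactly the grant the deep dive says the leaking extensions relied on, so those are the extensions to review first.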

🧠 Deep Insight

Web-grounded analysis with 6 cited sources.

🔑 Key Takeaways

  • 287 Chrome extensions with 37.4 million combined installations were found exfiltrating browsing history data to over 30 companies, with approximately 20 million installations sending data to unknown entities[1]
  • 153 of the confirmed data-leaking extensions began transmitting browsing history immediately after installation, accounting for 27.2 million installs alone[2]
  • Data collection involves 32 separate publishing entities with suspected coordinated infrastructure overlapping with known spyware distribution networks, indicating a centralized data broker operation rather than independent rogue developers[2]

🛠️ Technical Deep Dive

  • Researcher Q Continuum built an automated testing pipeline that launched Chrome instances, installed extensions, visited predefined websites, and captured outbound communications to identify data exfiltration patterns
  • Encrypted payloads were decoded to reveal raw Google search URLs, page referrers, user IDs, and timestamps being transmitted to proprietary domains and cloud-provider endpoints[4]
  • Extensions requested broad host permissions (cross-website access) enabling comprehensive browsing history collection[3]
  • Data collection infrastructure includes companies such as Similarweb, Big Star Labs (identified as a Similarweb subsidiary), Semrush, Alibaba Group, and ByteDance[1]
  • Similarweb's February 27, 2025 financial filing confirmed the company's reliance on data gathered from browser extensions and apps distributed through Chrome Web Store, Google Play, and Apple App Store[1]
  • A related cluster of 30 malicious extensions with over 260,000 installs employed advanced manipulation techniques including hidden iframe injection, real-time browser UI manipulation, tracking pixels, session data exfiltration, webpage content replacement, phishing overlays, and silent user redirection[2]

🔮 Future Implications

AI analysis grounded in cited sources

This discovery underscores critical vulnerabilities in the browser extension ecosystem and highlights the urgent need for enhanced security governance within app stores. The coordinated nature of the operation—involving 32 publishing entities and centralized data broker infrastructure—suggests that extension-based surveillance has become a systematic, profitable business model. Organizations face elevated risks of corporate espionage through employee browsing data exposure, while individual users confront privacy erosion and credential harvesting threats. The incident may accelerate regulatory scrutiny of extension permissions, data collection practices, and app store vetting procedures. Additionally, the sophisticated obfuscation techniques employed (AES-256 encryption, RSA-OAEP wrapping) indicate that malicious actors are investing in advanced evasion methods, potentially outpacing detection capabilities.

⏳ Timeline

2025-06
Ox Security researchers began attempting to disclose vulnerabilities in popular VSCode extensions, with no maintainer response received
2025-02
Similarweb filed financial disclosure attesting to reliance on data from browser extensions and third-party app stores
2026-02
Security researcher Q Continuum published findings identifying 287 Chrome extensions leaking browsing data to 30+ companies across 37.4 million installations

📎 Sources (6)

Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.

  1. theregister.com
  2. techmonk.economictimes.indiatimes.com
  3. computerworld.com
  4. csoonline.com
  5. securityweek.com
  6. bleepingcomputer.com

287 Chrome extensions with 37M installs transmit browsing histories to external servers, including VPNs and productivity tools like Knowee AI. Researcher Q Continuum detected URL leaks via automated analysis. Data exfiltration uses encryption like AES-256, risking corporate espionage.

Key Points

  1. 37M installs across 287 extensions leak URLs to data brokers
  2. Includes Knowee AI, Similarweb, and productivity tools
  3. Obfuscation via base64, ROT47, AES-256 encryption
  4. Risks corporate espionage and credential harvesting

Technical Details

Extensions request broad host permissions to monitor cross-domain activity. Traffic analysis flags outbound requests whose size grows linearly with the length of the visited URL, which indicates that the URL is embedded in the payload even when it is encoded or encrypted. Manual decoding then reveals search URLs and referrers sent to proprietary domains.
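The size-correlation heuristic described in the Technical Deep Dive and in the Technical Details above, as an added example that is not the researcher's pipeline: per destination host, fit outbound body size against visited-URL length and flag hosts where the two track linearly. The capture records are constructed; in practice they would come from a proxy placed in front of an instrumented Chrome instance.

```python
"""Flag extension destinations whose outbound body size tracks visited-URL length.
Added example, not the researcher's tooling; CAPTURE is constructed stand-in data for
records taken from a proxy in front of an instrumented Chrome instance."""
from collections import defaultdict
from math import sqrt

# Constructed records: (visited URL, destination host, outbound body size in bytes).
# collector.example grows ~1 byte per URL byte; api.example is a fixed-size heartbeat.
CAPTURE = [
    ("https://www.google.com/search?q=a", "collector.example", 163),
    ("https://www.google.com/search?q=salary+negotiation", "collector.example", 181),
    ("https://intranet.corp/projects/q3-roadmap-confidential", "collector.example", 184),
    ("https://www.google.com/search?q=a", "api.example", 42),
    ("https://www.google.com/search?q=salary+negotiation", "api.example", 42),
    ("https://intranet.corp/projects/q3-roadmap-confidential", "api.example", 42),
]

def linear_fit(xs, ys):
    """Least-squares slope and Pearson r of ys against xs (pure Python, no numpy)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:  # constant input or constant output: no relationship
        return 0.0, 0.0
    return sxy / sxx, sxy / sqrt(sxx * syy)

def suspicious_hosts(capture, min_samples=3, min_slope=0.5, min_r=0.95):
    """Return {host: (slope, r)} for destinations whose body size tracks URL length.
    Base64 (~1.33 B/B) or hex (2 B/B) encoding changes the slope and block-cipher
    padding adds jitter, so the decision rests on r with only a loose slope floor."""
    by_host = defaultdict(list)
    for url, host, size in capture:
        by_host[host].append((len(url), size))
    flagged = {}
    for host, points in by_host.items():
        if len(points) < min_samples:
            continue
        xs, ys = zip(*points)
        slope, r = linear_fit(xs, ys)
        if slope >= min_slope and r >= min_r:
            flagged[host] = (round(slope, 3), round(r, 3))
    return flagged

if __name__ == "__main__":
    for host, (slope, r) in suspicious_hosts(CAPTURE).items():
        print(f"{host}: +{slope:.2f} B per URL byte, r={r:.3f} -> URL likely in payload")
```

Visiting the same set of predefined pages with and without the extension installed, as the researcher's pipeline did, is what makes the per-host comparison meaningful.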


AI-curated news aggregator. All content rights belong to original publishers.
Original source: Computerworld