Hidden Data Leaks in Popular Chrome Extensions Expose User Browsing
Millions of people around the world use Chrome extensions to boost productivity, browse securely, or find deals. But recent research has uncovered a troubling privacy risk. Some widely used extensions are secretly sending users’ browsing histories to external servers. This can happen without users even realizing it.
How the Data Leaks Were Discovered
An independent security researcher, working under the pseudonym “Q Continuum,” analyzed over 280 Chrome extensions. They built an automated tool that launched Chrome, installed extensions, visited specific websites, and watched what data was sent out. The goal was to see if any extensions were leaking sensitive information.
The researcher found that 287 extensions were transmitting data that closely matched the URLs visited during testing. This included full web addresses, referrers, user IDs, and timestamps. The data was sent to external servers, often encrypted or encoded to hide its true nature. This kind of activity raises serious privacy concerns, especially given how many users rely on these extensions daily.
Categories and Popular Extensions Involved
The risky extensions spanned various categories, from VPNs and productivity tools to shopping helpers and security add-ons. Many of these have hundreds of thousands or even millions of users, making the scope of the problem even bigger. Some well-known examples include a pop-up blocker, style customizers, website traffic analyzers, and ad blockers.
Extensions such as “SimilarWeb,” “WOT: Website Security,” “Stay Focused,” and “CrxMouse: Mouse Gestures” were among those flagged. The researcher noted that many requested broad permissions across multiple websites. This allowed them to observe user navigation and page activity across domains, increasing the risk of leaking sensitive browsing data.
How the Data Was Hidden and Why It Matters
The researcher explained that some extensions tried to hide what data they were sending. Outbound payloads were often encrypted or encoded, making it hard for automated tools to detect leaks. Manual inspection revealed schemes like base64 encoding, ROT47, compression algorithms, and even full AES-256 encryption wrapped in RSA.
Decoding these payloads showed that sensitive information such as Google search URLs, page referrers, user IDs, and timestamps was being sent to proprietary domains and cloud servers. This data could potentially be used for corporate espionage or credential theft, especially if the extensions also had access to cookies and active sessions.
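The layered decoding described above can be automated for the unkeyed schemes (base64, ROT47, compression, URL encoding). The following is an added example, not the researcher's tool: it searches decoder chains over a captured request body for any URL visited during a test run. The function names, sample URL, and payload are constructed for illustration, and the AES-256/RSA case is not handled.

```python
import base64, binascii, json, zlib
from urllib.parse import unquote_to_bytes

def rot47(data: bytes) -> bytes:
    # ROT47 rotates the 94 printable ASCII characters '!'..'~' by 47; it is its own inverse.
    return bytes(33 + (b - 33 + 47) % 94 if 33 <= b <= 126 else b for b in data)

def b64(data: bytes):
    s = data.strip().replace(b"-", b"+").replace(b"_", b"/")  # accept URL-safe alphabet too
    try:
        return base64.b64decode(s + b"=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def inflate(data: bytes):
    for wbits in (zlib.MAX_WBITS | 32, -zlib.MAX_WBITS):  # zlib/gzip header, then raw deflate
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None

DECODERS = [("base64", b64), ("inflate", inflate), ("rot47", rot47), ("urldecode", unquote_to_bytes)]

def find_leak(payload: bytes, visited_urls, max_depth=4):
    """Breadth-first search over decoder chains; returns (url, chain) or None."""
    queue, seen = [(payload, [])], {payload}
    while queue:
        data, chain = queue.pop(0)
        for url in visited_urls:
            if url.encode() in data:
                return url, chain
        if len(chain) < max_depth:  # depth bound keeps the search finite
            for name, fn in DECODERS:
                out = fn(data)
                if out and out not in seen:
                    seen.add(out)
                    queue.append((out, chain + [name]))
    return None

# Constructed sample: a beacon body shaped like the leaks described (URL, user ID, timestamp).
VISITED = ["https://example.test/search?q=quarterly+report"]

def constructed_payload() -> bytes:
    body = json.dumps({"uid": "constructed-1234", "u": VISITED[0], "ts": 1700000000}).encode()
    return base64.b64encode(zlib.compress(rot47(body)))

if __name__ == "__main__":
    print(find_leak(constructed_payload(), VISITED))
```

A hit returns both the matched URL and the decoder chain that exposed it, which documents how the extension obscured the payload.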
The findings highlight how some extensions, meant to improve browsing, can become privacy risks if they leak data or are maliciously designed. Users should be cautious when installing extensions, especially those requesting broad permissions or showing suspicious activity.
Overall, this research sheds light on the importance of scrutinizing browser extensions and understanding what data they collect and share. It also emphasizes the need for developers to follow strict privacy practices to protect users’ information from being exploited without their knowledge.














