An estimated 37 million worldwide installations of a clutch of leaky Chrome extensions are transmitting users’ browsing histories to external servers.
According to findings by an independent security researcher using the pseudonym “Q Continuum,” a total of 287 extensions sent data that closely matched the URLs visited during simulated browsing sessions.
“The actors behind the leaks span the spectrum: Similarweb, Curly Doggo, Offidocs, Chinese actors, many smaller obscure data-brokers, and a mysterious ‘Big Star Labs’ that appears to be an extended arm of Similarweb,” the researcher said. To conduct the analysis, the researcher built an automated pipeline that launched Chrome instances, installed extensions, visited a predefined set of websites, and captured outbound communications.
The researcher warned that such data collection could enable corporate espionage by exposing internal company URLs accessed by employees, and in cases where extensions also obtain cookies, could facilitate credential harvesting by providing attackers with details of active web sessions.
Extensions include VPNs, productivity tools, and shopping add-ons
The research identified numerous widely distributed extensions with risky behavior across categories such as VPN/proxy services, coupon finders, PDF tools, and browser utilities. Many of these have hundreds of thousands or millions of users.
A few of these extensions include Pop up blocker for Chrome, Stylish, BlockSite block Websites, Stay Focused, SimilarWeb – Website traffic and SEO Checker, WOT: Website Security and Safety Checker, Smarty, Video Ad Blocker Plus for YouTube, Knowee AI, and CrxMouse: Mouse Gestures.
According to the researcher, several of the extensions requested broad host permissions spanning many websites. This allowed them to observe navigation events and page activity across domains. “If an extension is just reading the page title or injecting CSS, its network footprint should stay flat regardless of how long the URL we visit is,” the researcher said, explaining the logic behind the flagging.
“If the outbound traffic grows linearly with the URL length, we have a high probability that the extension is shipping the URL itself (or the entire HTTP request) to a remote server.”
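The heuristic quoted above can be checked mechanically: pair the length of each visited URL with the bytes the extension sent out during that visit, fit a line, and flag extensions whose outbound volume tracks URL length. The following is an added example written for this article, not the researcher's pipeline; the measurements for the two hypothetical extensions are constructed, and the thresholds (`min_slope`, `min_r`) are assumptions chosen to illustrate the idea.

```python
"""Flag extensions whose outbound traffic scales with visited-URL length.

Added example, not the researcher's code. Each sample is
(url_length_in_chars, outbound_bytes_observed) for one page visit while a
single extension was installed. An extension that only reads the page title
or injects CSS should produce a flat footprint (slope ~ 0); one that ships
the URL itself produces a slope near 1 (or ~4/3 if it base64-encodes it).
"""
from statistics import mean


def linear_fit(xs, ys):
    """Least-squares slope and Pearson correlation r for paired samples."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        return 0.0, 0.0          # no variance: nothing to correlate
    return sxy / sxx, sxy / (sxx * syy) ** 0.5


def flag_extension(samples, min_slope=0.5, min_r=0.9):
    """Return (flagged, slope, r) for one extension's visit measurements.

    min_slope/min_r are assumed thresholds: require both a meaningful
    per-character growth and a tight linear relationship so that random
    telemetry jitter does not trigger a flag.
    """
    xs = [url_len for url_len, _ in samples]
    ys = [out_bytes for _, out_bytes in samples]
    slope, r = linear_fit(xs, ys)
    return slope >= min_slope and r >= min_r, slope, r


def triage(measurements):
    """Map extension name -> (flagged, slope, r) for a batch of extensions."""
    return {name: flag_extension(samples) for name, samples in measurements.items()}


# Constructed data for two hypothetical extensions (not real products).
# URL lengths 40..640 chars; the "leaky" one sends a fixed ~512-byte envelope
# plus the base64-inflated URL; the "benign" one sends ~120 bytes regardless.
URL_LENGTHS = [40, 80, 160, 320, 640]
LEAKY_SAMPLES = [(n, 512 + (4 * n + 2) // 3) for n in URL_LENGTHS]
BENIGN_SAMPLES = list(zip(URL_LENGTHS, [121, 119, 120, 122, 118]))
CONSTRUCTED_MEASUREMENTS = {
    "hypothetical-coupon-finder": LEAKY_SAMPLES,
    "hypothetical-css-themer": BENIGN_SAMPLES,
}

if __name__ == "__main__":
    for name, (flagged, slope, r) in triage(CONSTRUCTED_MEASUREMENTS).items():
        verdict = "LIKELY SHIPS URL" if flagged else "flat footprint"
        print(f"{name:30s} slope={slope:6.3f} r={r:6.3f}  {verdict}")
```

In practice the slope is more informative than the verdict alone: a slope close to 1 suggests the raw URL, about 4/3 suggests base64, and a much larger slope suggests the whole request (headers included) is being forwarded.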
Encrypted exfiltration made detection difficult
The researcher said in a blog post that several of these extensions attempted to hide the nature of transmitted data. Outbound payloads were frequently encrypted or encoded before transmission, preventing automated inspection.
“Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ-String compression, and full AES-256 encryption wrapped in RSA-OAEP,” the researcher said in a separate report published on the findings. “Decoding these payloads showed raw Google search URLs, page referrers, user IDs, and timestamps being sent to a network of proprietary domains and cloud-provider endpoints.”
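Of the schemes listed, base64 and ROT47 are reversible encodings rather than encryption, so an analyst triaging captured traffic can peel them off layer by layer until something URL-shaped appears (the AES/RSA layers cannot be undone without the keys and simply remain opaque). The decoder below is an added example for this article, not the researcher's tooling; the sample payload is constructed from a fictitious intranet URL, and the URL pattern used to decide when to stop is an assumption.

```python
"""Peel reversible encoding layers (base64, ROT47) off a captured payload.

Added example, not the researcher's code. Stops as soon as the decoded text
contains something that looks like a URL. Only encodings are handled; an
AES-256/RSA-OAEP layer would stay opaque without the key material.
"""
import base64
import binascii
import re

# Assumed stopping condition: the recovered text contains an http(s) URL.
URL_RE = re.compile(r"https?://[\w.-]+/\S*")


def rot47(text):
    """ROT47 over printable ASCII 33..126; applying it twice is the identity."""
    out = []
    for ch in text:
        o = ord(ch)
        out.append(chr(33 + (o - 33 + 47) % 94) if 33 <= o <= 126 else ch)
    return "".join(out)


def try_base64(text):
    """Strict base64 decode to UTF-8 text, or None if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def looks_like_url(text):
    return URL_RE.search(text) is not None


def peel(payload, max_depth=4):
    """Return (layers_removed, recovered_text) or (layers_removed, None).

    Strategy per round: prefer a strict base64 decode; otherwise try ROT47
    and keep it only if the result is URL-shaped or is itself base64.
    """
    layers, current = [], payload
    for _ in range(max_depth):
        if looks_like_url(current):
            return layers, current
        decoded = try_base64(current)
        if decoded is not None:
            layers.append("base64")
            current = decoded
            continue
        rotated = rot47(current)
        if looks_like_url(rotated) or try_base64(rotated) is not None:
            layers.append("rot47")
            current = rotated
            continue
        break
    return layers, (current if looks_like_url(current) else None)


# Constructed sample: a fictitious internal URL, ROT47'd then base64-encoded,
# standing in for an exfiltrated browsing-history record.
SAMPLE_URL = "https://intranet.example.test/wiki/Project-Falcon?q=merger"
SAMPLE_PAYLOAD = base64.b64encode(rot47(SAMPLE_URL).encode()).decode()

if __name__ == "__main__":
    layers, text = peel(SAMPLE_PAYLOAD)
    print("layers removed:", " -> ".join(layers) or "(none)")
    print("recovered:", text)
```

A captured body that peels to a plain URL, referrer, or timestamp is what turns a suspicious traffic-volume correlation into a confirmed history leak; a body that never decodes is a candidate for the encrypted channels the researcher describes.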
The researcher’s testing environment ran Chrome inside a Docker container, allowing each extension to be isolated and analyzed consistently.
“We should note that probably not all of the browser-history-leaking extensions have malicious intent,” the researcher said, clarifying they had to manually remove a few false positives from the logs of extensions tagged by their automated scanner. “Some of the extensions might be benign and may need to collect browser history for functionality such as ‘Avast Online Security & Privacy,’ for example.”
The disclosure included a list of Chrome Web Store URLs and actors behind these extensions for reference.