Devilish devs spawn 287 Chrome extensions to flog your browser history to data brokers
Summary
A security researcher known as “Q Continuum” found 287 Chrome extensions that appear to exfiltrate users’ browsing history. Combined installations are estimated at about 37.4 million. The researcher used an automated test pipeline (Chromium in Docker behind a MITM proxy) to run synthetic browsing workloads and correlate outbound network requests with visited URLs to detect history leakage.
Author style: Punchy — this matters. Read the details if you value privacy.
Key Points
- 287 Chrome extensions detected leaking browsing-history data; roughly 37.4 million installs in total.
- Outgoing data flows were observed to more than 30 recipients; the report names firms including Similarweb, Big Star Labs, Semrush, Alibaba and ByteDance.
- About 20 million installs were tied to unknown collectors; remaining installs mapped to known analytics/data-broker companies.
- Many extensions request history access without a clear justification and may bury harvesting in privacy policies, leaving users unaware they’ve consented.
- Research built on Ex-Ray methodology: automated, instrumented browsing plus correlation of visited URLs with network requests to spot leaks.
- Similarweb discloses extension data collection and claims client-side scrubbing, but such claims don’t eliminate re-identification risks.
- Google’s Chrome Web Store Limited Use policy exists but contains exceptions that can be abused by data collectors.
Content summary
Q Continuum published a report and accompanying repository documenting the discovery. The testing pipeline replayed browsing behaviour and logged outbound requests to identify history leakage. The researcher found a common pattern: apparently harmless utility extensions requesting sensitive permissions and forwarding visited URLs to analytics and data-broker endpoints. Prior academic work and recent incidents show this is a recurring privacy problem for browser extensions.
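The correlation step of that pipeline, as an added illustration rather than the researcher's own code or repository: given the URLs a synthetic workload visited and the requests a proxy captured, flag third-party requests that carry a visited URL in the query string, a percent-encoded parameter or a base64-encoded body. The visited URLs, the captured requests and the recipient hostnames below are constructed sample data.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: URLs the synthetic browsing workload visited.
VISITED = [
    "https://example.org/health/appointment?id=42",
    "https://example.net/private/report",
]

# Constructed sample: outbound requests the proxy captured while those pages were open.
CAPTURED = [
    {"url": "https://cdn.example-analytics.test/ping?u=https%3A%2F%2Fexample.org%2Fhealth%2Fappointment%3Fid%3D42"},
    {"url": "https://collector.example-broker.test/v1/events",
     "body": json.dumps({"h": base64.b64encode(VISITED[1].encode()).decode()})},
    {"url": "https://www.example.org/favicon.ico"},                      # first-party, expected
    {"url": "https://metrics.example-cdn.test/beacon?site=example.org"},  # hostname only, not a full URL
]

def _site(host):
    """Crude same-site check: last two DNS labels (no public-suffix list, good enough for a demo)."""
    return ".".join((host or "").split(".")[-2:])

def _decodings(text):
    """Plaintext views of one field: raw, percent-decoded, and any base64 token it contains."""
    views = {text, unquote(text)}
    for tok in re.findall(r"[A-Za-z0-9+/=_-]{16,}", text):
        b64 = tok.replace("-", "+").replace("_", "/")
        b64 += "=" * (-len(b64) % 4)
        try:
            views.add(base64.b64decode(b64, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass  # not base64, or not text: ignore this token
    return views

def find_history_leaks(visited, captured):
    """Flag third-party requests whose URL, query values or body carry a visited URL."""
    leaks = []
    for page in visited:
        for req in captured:
            dest = urlsplit(req["url"]).hostname
            if _site(dest) == _site(urlsplit(page).hostname):
                continue  # traffic to the visited site itself is expected
            fields = [req["url"], req.get("body", "")]
            fields += [value for _, value in parse_qsl(urlsplit(req["url"]).query)]
            if any(page in view for field in fields for view in _decodings(field)):
                leaks.append({"visited": page, "recipient": dest, "request": req["url"]})
    return leaks

if __name__ == "__main__":
    for leak in find_history_leaks(VISITED, CAPTURED):
        print(f"{leak['visited']} -> {leak['recipient']}")
```

A real run would feed in the proxy's request log and a long list of synthetic visits; the hostname-only beacon is deliberately not flagged, since it reveals the site but not the page.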
Context and relevance
Browsing history can be highly revealing and — even if anonymised — may be deanonymised by correlating with public profiles. Data brokers rely on contributor networks (extensions, apps) for raw telemetry; financial filings from some firms confirm dependence on such data. This story sits at the intersection of privacy, ad-tech economics and platform policy enforcement, and highlights how store policies can be sidestepped.
Why should I read this?
Short answer: because your browser extensions might be selling out your browsing habits and you probably don’t even know it. This write-up saves you poking through pages of tech-speak — Q Continuum’s tests show the scale (tens of millions of installs) and point to familiar names in the analytics business. If you use extensions, it’s worth a minute to check permissions and publishers.
Practical takeaway
- Remove or replace extensions that request full history access unless it is absolutely necessary.
- Audit the permissions of the extensions you keep.
- Prefer well-known, actively maintained extensions.
- Run separate browser profiles for sensitive work.
- Watch publisher reputation and changelogs for ownership changes, which can introduce data collection.
