A massive data exfiltration operation involving 287 Chrome extensions that secretly steal browsing history from approximately 37.4 million users worldwide.<\/p>\n
According to research with alias qcontinuum1, the discovery represents roughly one percent of the global Chrome user base, highlighting a significant privacy breach affecting<\/a> millions of internet users.\u200b<\/p>\n An automated scanning system using Docker containers and a man-in-the-middle proxy to detect<\/a> suspicious network activity.<\/p>\n The system monitors outbound traffic from extensions and determines whether data transmission correlates with URL length, a key indicator of exfiltrated browsing history.\u200b<\/p>\n The malicious extensions employ various obfuscation techniques to hide their activities.<\/p>\n Some use ROT47 encoding, while others implement AES-256<\/a> encryption with RSA key pairs<\/a> to encrypt browsing data before sending it to remote servers.<\/p>\n Popular extensions like \u201cPoper Blocker,\u201d \u201cStylish,\u201d and \u201cBlockSite\u201d were identified among the offenders.\u200b The investigation revealed several data brokers collecting user information.<\/p>\n Similarweb, a prominent web analytics company, operates multiple extensions, including its official \u201cWebsite Traffic & SEO Checker,\u201d which has one million users.<\/p>\n The research also identified \u201cBig Star Labs,\u201d believed to be affiliated with Similarweb, controlling extensions affecting 3.7 million users.\u200b<\/p>\n Other actors include Curly Doggo with 1.2 million affected users, Offidocs with 1.7 million users, and various Chinese entities. Even legitimate security tools like Avast Online Security, with six million installations, were flagged for data collection.\u200b<\/p>\n The exfiltrated browsing data poses serious risks beyond targeted advertising.<\/p>\n Corporate espionage becomes possible when employees install seemingly innocent productivity extensions that capture internal URLs, intranet addresses, and SaaS dashboard links<\/a>.<\/p>\n URLs often contain personal identifiers, enabling malicious actors to target specific individuals.\u200b Researchers set up honeypot traps and detected third-party scrapers actively collecting the stolen data.<\/p>\n Multiple IP addresses associated with companies like Kontera repeatedly accessed these honeypots<\/a>, suggesting a broader ecosystem monetizing user browsing histories.\u200b<\/p>\n Users should immediately review installed Chrome extensions<\/a> and remove those listed in the research report. The Chrome Web Store hosts approximately 240,000 extensions, making manual verification challenging.<\/p>\n Based on qcontinuum1 advisory guidance, security experts recommend<\/a> installing only open-source extensions that can be reviewed and carefully checking permission requests before installing them.<\/p>\n The research team deliberately withheld specific technical details to prevent attackers from adapting their methods more quickly.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post 287 Chrome Extensions Exfiltrate Browsing History From 37.4\u202fMillion Users<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"MITM](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhw0jHY-XhyphenhyphenbbwexVFvlCkmfUBa1dnR-hzqN6_AyXgTFgSQfyZvaMSFX9DW0F1rMBI_Amk__C_0DSzXvTpgZH9dc5J_7xFp6FEQ03LUMZa6qWpye2cMgHb-9sY6mkogMxEwFVvn55kGRuhyphenhyphenADUTiY9EGnYRK4cgCGi1Z82bcjUIJiYXhRXSbp-ny8b8JLA\/s1600\/Screenshot%25202026-02-12%2520182714%2520%25281%2529.webp?ssl=1\")
Privacy Implications<\/strong><\/h2>\n
![\"Extension](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhpz5Wy3bv_Zs4iZRhBF2mkcInxZc-fNN9PxRyqO22JdJ7onDl5ZXXsohXdQX59Qu4eepQg7QiIxhg4pOuIRPoNFgEaOA4jeVHL3MCf523KsUfsB3twSN7hOk9GJLPNVHWtQWfidvbg8gP-i5Trfp04iBsE4rxXHsLJXlB-3c4sw9bHEJaxOOfSX1CKDb0\/s1600\/Screenshot%25202026-02-12%2520182725%2520%25281%2529.webp?ssl=1\")