287 Chrome Extensions Are Spying on 37 Million Users — Here’s the Technical Deep Dive


Security researchers built an automated detection pipeline and uncovered a massive browser surveillance network. The findings are worse than you’d expect.

The Core Insight

A team of security researchers just published devastating findings: 287 Chrome extensions are actively exfiltrating browsing history from approximately 37.4 million users — roughly 1% of the global Chrome user base.

That’s not a typo. Thirty-seven million people have installed extensions that silently report every URL they visit to remote servers.

The actors behind this surveillance span from well-known data brokers like Similarweb to obscure entities like “Big Star Labs” and “Curly Doggo.” The researchers didn’t just find the leak — they built an automated pipeline to detect it at scale and reverse-engineered the obfuscation techniques these extensions use.

Why This Matters

The implications cut across multiple threat vectors:

For individuals: Your browsing history reveals intimate details about your life — health concerns, financial situation, political views, personal relationships. This data is being collected and sold to data brokers who aggregate it with other sources.

For enterprises: Employees using seemingly innocent “productivity” extensions could be leaking internal URLs, intranet hostnames and paths, SaaS dashboard addresses, and anything that ends up in a query string (ticket numbers, document names, the occasional token). Corporate espionage doesn’t require hacking when your employees voluntarily install it.

For security teams: The detection methodology described in this research — using traffic correlation with URL length — is elegant and reproducible. It should become standard practice for extension vetting.

The Technical Breakdown

The researchers built a detection pipeline that’s brilliantly simple in concept:

  1. Isolated Environment: Chrome running in Docker with the extension under test installed, all traffic routed through a MITM proxy so that outbound bytes can be attributed to the extension and counted per request
  2. Synthetic Workload: Visit URLs of varying lengths. The URL content is random, so it is incompressible; only the length carries signal, and an extension that compresses before sending still transmits roughly one byte per URL character
  3. Correlation Analysis: Fit outbound traffic volume against URL length; if the volume grows linearly with the length, the extension is leaking

The key insight: an extension that never transmits the URL produces outbound traffic whose volume does not depend on URL length, so the fit is flat. If an extension ships the URL, even encoded, compressed or encrypted, the traffic grows in step with it:

bytes_out = R * payload_size + b

Here payload_size is the length of the URL visited and b is the extension’s fixed per-page overhead. If R ≥ 1.0 (at least one outbound byte per URL character), the researchers treat the extension as definitely leaking; if 0.1 ≤ R < 1.0 it is flagged for manual review. One caveat for anyone reusing the method: a high R proves that the URL, or something its size, leaves the browser, not that the transmission is undisclosed. An extension whose advertised feature needs the URL (a link checker, say) scores the same, so a hit is still read against the extension’s stated purpose.
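The correlation step as an added, runnable example (my code, not the researchers’ pipeline). Instead of a real browser behind a MITM proxy, each entry in BEHAVIOURS is a constructed stand-in for how one kind of extension’s outbound byte count responds to the URL it is shown; the per-request overheads, the 0x5A XOR key and the 256-byte RSA-wrapped key size are assumptions for the demo. It goes slightly beyond the text by including an encrypted and a digest-only extension, to show where the check does and does not work.

```python
"""Length-correlation leak check, modelled on the three-step pipeline above.

Added example, not the researchers' code. Every BEHAVIOURS entry is a
constructed stand-in for one kind of extension; overheads and key sizes are
assumptions, not values measured from any real extension.
"""
import base64
import random
import string

LEAK_SLOPE = 1.0     # R at or above this: definitely shipping the URL
REVIEW_SLOPE = 0.1   # R in [0.1, 1.0): hand review


def fit_line(points):
    """Least-squares fit of bytes_out = R * url_len + b; returns (R, b)."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    r = sxy / sxx
    return r, my - r * mx


def classify(r):
    """Apply the two thresholds from the write-up to a fitted slope."""
    if r >= LEAK_SLOPE:
        return "leaking"
    if r >= REVIEW_SLOPE:
        return "review"
    return "clean"


def random_path(length, rng):
    """Random alphanumerics: incompressible, so only the length carries signal."""
    return "".join(rng.choices(string.ascii_letters + string.digits, k=length))


def xor_b64_len(url):
    """Size of the URL after XOR with an assumed one-byte key and Base64."""
    data = bytes(c ^ 0x5A for c in url.encode())   # 0x5A is an assumption
    return len(base64.b64encode(data))


BEHAVIOURS = {
    # Never transmits the URL: the same 120-byte heartbeat whatever the page is.
    "clean_heartbeat": lambda url: 120,
    # Ships the URL in a JSON body. ROT47 keeps the length, so it looks identical.
    "plain_or_rot47": lambda url: 80 + len(url),
    # XOR then Base64: Base64 turns 3 bytes into 4, so R comes out near 4/3.
    "xor_base64": lambda url: 80 + xor_b64_len(url),
    # Hybrid RSA+AES: assumed 256-byte wrapped key (RSA-2048), 16-byte IV, and
    # CBC ciphertext padded up to the next 16-byte block (length only, no real AES).
    "rsa_aes_hybrid": lambda url: 256 + 16 + 16 * (len(url) // 16 + 1),
    # Sends a fixed-length digest of the URL: flat, so this check cannot see it.
    "digest_only": lambda url: 80 + 32,
}

LENGTHS = (50, 100, 200, 400, 800, 1600)


def measure(behaviour, lengths=LENGTHS, seed=7):
    """Visit one random path per length and record (url_len, bytes_out)."""
    rng = random.Random(seed)
    return [(n, behaviour(random_path(n, rng))) for n in lengths]


def audit(behaviours=BEHAVIOURS):
    """Return {name: (R, verdict)} for every simulated extension."""
    results = {}
    for name, behaviour in behaviours.items():
        r, _ = fit_line(measure(behaviour))
        results[name] = (round(r, 3), classify(r))
    return results


if __name__ == "__main__":
    for name, (r, verdict) in audit().items():
        print(f"{name:16s} R={r:6.3f}  {verdict}")
```

The plain, XOR+Base64 and RSA+AES cases all cross the R ≥ 1.0 line, the last two because Base64 expands the payload and CBC padding only rounds it up; random paths mean a compressing extension gets no help either. The digest_only entry is the method’s blind spot: anything that maps the URL to a fixed-size value (a hash, a domain-only report) produces a flat line, so a clean verdict from this check alone is not proof of privacy.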

Obfuscation Techniques Uncovered

What makes this research particularly valuable is the deep dive into how these extensions hide their data exfiltration:

ROT47 Encoding: Simple character rotation (Poper Blocker)

LZ-String Compression: URL-encoded compressed payloads (BlockSite extensions)

Multi-layer URL Encoding: Decode until it stops changing (Similarweb)

XOR + Base64 + Reverse: Custom encoding chains (WOT)

RSA + AES Encryption: The nuclear option. A fresh AES key per payload, wrapped with an RSA public key, so an intercepted body cannot be read without the matching private key (Stylus variants)

The most sophisticated extensions use hybrid encryption that cannot be decrypted from the wire at all; the only way to see the payload is to modify or instrument the extension code and capture the ephemeral AES key before it is wrapped. What the encryption does not hide is size: the ciphertext still grows with the URL (block padding only rounds it up), which is why the length correlation catches these extensions even when the payload is opaque.
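A decoder for the first four chains, as an added example (not code from any of the named extensions). hypothetical_encode() is a stand-in that applies the same primitives, ROT47, stacked percent-encoding and XOR + Base64 + reverse, in one assumed order with an assumed key (0x2A); peel() then recovers the URL without being told that order, which is how you would approach an unknown body pulled from the MITM proxy. LZ-String (a Python port exists on PyPI as lzstring) and the RSA+AES case are out of scope here.

```python
"""Peeling the encoding chains listed above off an intercepted request body.

Added example, not code from any of the named extensions. The encoder is a
hypothetical stand-in; the XOR key and the layer order are assumptions.
"""
import base64
import binascii
import re
import urllib.parse

XOR_KEY = 0x2A   # assumption for the demo, not a key taken from real traffic


def rot47(s):
    """Rotate printable ASCII (33..126) by 47; it is its own inverse."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in s)


def url_decode_fully(s, limit=8):
    """Percent-decode until the text stops changing (stacked encoding)."""
    for _ in range(limit):
        nxt = urllib.parse.unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def xor_b64_reverse_decode(s, key=XOR_KEY):
    """Undo reverse -> Base64 -> XOR; raises if the text is not Base64."""
    raw = base64.b64decode(s[::-1], validate=True)
    return bytes(b ^ key for b in raw).decode("utf-8")


def looks_plain(s):
    """Stop condition: a URL or a JSON object has surfaced."""
    return bool(re.search(r"https?://", s)) or s.lstrip().startswith("{")


DECODERS = {
    "xor_b64_rev": xor_b64_reverse_decode,
    "urldecode": url_decode_fully,
    "rot47": rot47,
}


def peel(body, max_depth=4):
    """Breadth-first search over decoder chains; returns (plaintext, trail)."""
    if looks_plain(body):
        return body, []
    frontier, seen = [(body, [])], {body}
    for _ in range(max_depth):
        nxt = []
        for text, trail in frontier:
            for name, fn in DECODERS.items():
                try:
                    cand = fn(text)
                except (binascii.Error, UnicodeDecodeError, ValueError):
                    continue          # this layer does not apply here
                if cand in seen:
                    continue          # no change, or a cycle (ROT47 twice)
                seen.add(cand)
                if looks_plain(cand):
                    return cand, trail + [name]
                nxt.append((cand, trail + [name]))
        frontier = nxt
    return None, []


def hypothetical_encode(url, key=XOR_KEY):
    """Assumed chain: ROT47, percent-encode twice, XOR, Base64, reverse."""
    s = urllib.parse.quote(urllib.parse.quote(rot47(url), safe=""), safe="")
    raw = bytes(b ^ key for b in s.encode())
    return base64.b64encode(raw).decode()[::-1]


# Constructed sample: the kind of intranet URL an enterprise would not want leaked.
SAMPLE_URL = "https://intranet.example.invalid/jira/browse/SEC-1337?login=alice"

if __name__ == "__main__":
    print(peel(hypothetical_encode(SAMPLE_URL)))
```

The search tries every decoder at every depth and stops at the first candidate that looks like a URL or JSON, so it also reports the trail of layers it peeled, which is the information you want when writing a per-extension decoder for the proxy. Extend DECODERS with an LZ-String decompressor and it covers the BlockSite case without any other change.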

Key Takeaways

  • 37M users affected = population of Poland. This isn’t a small-scale operation — it’s industrial data harvesting.

  • Similarweb appears to be the hub. Multiple seemingly unrelated extensions funnel data to infrastructure linked to Similarweb, including through intermediaries like “Big Star Labs” and “Kontera.”

  • “Free” extensions are the product. If you’re not paying for it and it’s not open source, assume your data is the revenue model.

  • Detection is automatable. The correlation-based approach works and should be implemented by security-conscious organizations.

  • Encryption doesn’t mean privacy. Just because data is encrypted in transit doesn’t mean it’s not being exfiltrated — it just means you can’t easily see what’s being sent.

What You Should Do

For individuals:
– Audit your Chrome extensions immediately
– Remove anything you don’t actively need
– Check the published list of flagged extensions
– Prefer open-source extensions from identifiable maintainers; being listed in the Chrome Web Store is not a signal on its own, since the extensions in this report were distributed through it

For security teams:
– Block known leaking extensions at the enterprise level (Chrome’s ExtensionInstallBlocklist policy)
– Implement extension allow-lists (ExtensionInstallAllowlist together with a blocklist of * makes anything unlisted uninstallable)
– Consider the detection methodology for internal auditing
– Remember that “productivity” extensions are a major attack vector

For extension developers:
– If you need browsing data for functionality, be explicit and transparent
– Consider privacy-preserving alternatives to full URL collection
– Understand that security researchers are watching

Looking Ahead

This research represents a significant contribution to browser security. The methodology is reproducible, the findings are comprehensive, and the implications are serious.

But it’s also a reminder that the browser is a trust boundary, and we’ve been far too casual about what we install inside it. An extension granted broad host permissions sees every page you load, and some of them are using that access to build detailed profiles of your behavior.

The researchers estimate their scanning took 930 CPU-days. That’s a substantial investment, but the result is a public good: a list of extensions that 37 million people should probably uninstall.

The question now is whether Chrome’s Web Store will take action, or whether users will continue to install surveillance tools disguised as ad blockers and productivity enhancers.


Based on analysis of “Spying Chrome Extensions: 287 Extensions spying on 37M users” by Q Continuum Research
