Extensions installed on almost 1 million devices have been overriding key security protections to turn browsers into engines that scrape websites on behalf of a paid service, a researcher said.
The 245 extensions, available for Chrome, Firefox, and Edge, have racked up nearly 909,000 downloads, John Tuckner of SecurityAnnex reported. The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers. The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions.
Tuckner and critics say the monetization works by using the browser extensions to scrape websites on behalf of paying customers, which include advertisers. Tuckner reached this conclusion after uncovering close ties between MellowTel and Olostep, a company that bills itself as "the world's most reliable and cost-effective Web scraping API." Olostep says its service “avoids all bot detection and can parallelize up to 100K requests in minutes.” Paying customers submit the locations of browsers they want to access specific webpages. Olostep then uses its installed base of extension users to fulfill the request.
Despite the assurances, Tuckner said the extensions that incorporate MellowTel pose a risk to users who install them. One reason is that MellowTel causes an extension to open a websocket to an AWS server, which collects the location, available bandwidth, heartbeats, and status of extension users. Besides the privacy erosion, the extension also injects a hidden iframe into the page the user is currently viewing and points it at a list of websites supplied by that Amazon Web Services server. There is no way for ordinary end users to determine what sites are being opened in the invisible iframe.
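As an added illustration, the following Python script shows how a defender can triage an extension's unpacked source for the two behaviours described above: a long-lived websocket to a remote server and creation of an invisible iframe, combined with manifest permissions that let the extension act on every site. It is not code from the article, SecurityAnnex, MellowTel, or Olostep; the manifest keys are real Chrome manifest fields, but the sample manifest, the sample script, and the `example-collector.invalid` hostname are constructed for the demonstration, and which permissions MellowTel actually requests is not taken from the article.

```python
"""Heuristic triage of a browser extension for remote-controlled hidden framing.

Added example, not code from the article or from any extension/library it names.
A hit means "review this extension by hand", not proof of monetisation.
"""
import json
import re
from pathlib import Path

# Manifest permissions that let an extension act on arbitrary pages.
BROAD_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                     "webRequest", "scripting", "tabs"}
ALL_URLS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source-code indicators: an outbound websocket, iframe creation, and styling
# that would make the frame invisible to the user.
PATTERNS = {
    "websocket": re.compile(r"new\s+WebSocket\s*\(\s*['\"`](wss?://[^'\"`]+)"),
    "iframe_create": re.compile(r"createElement\s*\(\s*['\"`]iframe['\"`]\s*\)"),
    "iframe_hidden": re.compile(
        r"display\s*[:=]\s*['\"]?none|visibility\s*[:=]\s*['\"]?hidden"
        r"|(?:width|height)\s*[:=]\s*['\"]?0(?:px)?['\"]?\b", re.I),
}


def scan_manifest(manifest: dict) -> list[str]:
    """Return broad permissions and all-URL host grants found in the manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    findings = sorted(f"permission:{p}" for p in perms & BROAD_PERMISSIONS)
    findings += sorted(f"host:{p}" for p in perms & ALL_URLS)
    return findings


def scan_source(js: str) -> dict:
    """Return indicator hits in one JavaScript file (websocket URL, iframe use)."""
    hits = {}
    m = PATTERNS["websocket"].search(js)
    if m:
        hits["websocket"] = m.group(1)
    if PATTERNS["iframe_create"].search(js):
        hits["iframe"] = "created_hidden" if PATTERNS["iframe_hidden"].search(js) else "created"
    return hits


def assess(manifest: dict, sources: dict) -> dict:
    """Combine manifest and code findings into a verdict: 'high', 'low' or 'none'."""
    report = {"manifest": scan_manifest(manifest), "code": {}}
    for name, js in sources.items():
        hits = scan_source(js)
        if hits:
            report["code"][name] = hits
    all_sites = any(f.startswith("host:") for f in report["manifest"])
    indicators = {k for h in report["code"].values() for k in h}
    if all_sites and {"websocket", "iframe"} <= indicators:
        report["verdict"] = "high"   # remote server can drive hidden frames on any site
    elif indicators or report["manifest"]:
        report["verdict"] = "low"    # isolated indicators; common in benign extensions
    else:
        report["verdict"] = "none"
    return report


def assess_directory(root: str) -> dict:
    """Run the triage over an unpacked extension directory on disk."""
    base = Path(root)
    manifest = json.loads((base / "manifest.json").read_text(encoding="utf-8"))
    sources = {str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
               for p in base.rglob("*.js")}
    return assess(manifest, sources)


# Constructed samples: one extension matching the pattern, one benign one.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Random Number Helper (constructed)",
                   "permissions": ["storage", "declarativeNetRequest", "scripting"],
                   "host_permissions": ["<all_urls>"]}
SAMPLE_JS = r"""
const ws = new WebSocket("wss://example-collector.invalid/socket");
ws.onmessage = (e) => {
  const f = document.createElement("iframe");
  f.style.display = "none";
  f.src = JSON.parse(e.data).url;
  document.body.appendChild(f);
};
"""
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Dice (constructed)", "permissions": ["storage"]}
BENIGN_JS = 'document.getElementById("out").textContent = Math.random();'

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST, {"background.js": SAMPLE_JS}), indent=2))
    print(json.dumps(assess(BENIGN_MANIFEST, {"popup.js": BENIGN_JS}), indent=2))
```

Point `assess_directory()` at an unpacked extension (for Chrome, the profile's `Extensions/<id>/<version>/` folder) to run the same checks on a real install; treat a "high" verdict as a prompt for manual review of what the websocket endpoint sends and where the frames are pointed.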