Security News Spying Chrome Extensions: 287 Extensions spying on 37M users

Sampei.Nihira
Thread author
Oct 14, 2025
  • We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.
  • Using a leakage metric we flagged 287 Chrome extensions that exfiltrate browsing history.
  • Those extensions collectively have ~37.4 M installations – roughly 1 % of the global Chrome user base.
  • The actors behind the leaks span the spectrum: Similarweb, Curly Doggo, Offidocs, Chinese actors, many smaller obscure data‑brokers, and a mysterious “Big Star Labs” that appears to be an extended arm of Similarweb.
 
We should note that probably not all of the browser-history-leaking extensions have malicious intent. The following table provides a list of leaking extensions that were tagged by the automated scan; afterwards the logs were manually inspected to remove false positives. Some of the extensions might be benign and may need to collect browser history for functionality, such as "Avast Online Security & Privacy" for example.
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping
  • T1176 – Browser Extensions
  • T1041 – Exfiltration Over C2 Channel
  • T1539 – Steal Web Session Cookie (Potential)

Telemetry
  • Extension ID Example: eiimnmioipafcokbfikbljfdeojpcgbh (BlockSite).
  • C2/Leakage Endpoint: https://category.blocksite.co/category.
  • Encoding Method: LZString decompression from Base64 observed in malicious payloads.
  • Observation: The automated scanning pipeline routes traffic through a MITM proxy to detect outbound requests where request length correlates to the length of the URLs being visited.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight
  • Command: Review and enforce "Acceptable Use Policies" specifically regarding third-party browser extensions.

DETECT (DE) – Monitoring & Analysis
  • Command: Deploy a hunting query to look for traffic originating from the chrome-extension:// scheme to unknown external domains.
  • Command: Audit installed extensions across the fleet via Google Admin Console or EDR inventory.

RESPOND (RS) – Mitigation & Containment
  • Command: Blacklist identified malicious Extension IDs in the ExtensionInstallBlocklist Group Policy (GPO).
  • Command: Use the ExtensionInstallAllowlist to restrict extension installation to approved software only.

RECOVER (RC) – Restoration & Trust
  • Command: Force-uninstall blocked extensions and clear browser profiles on affected endpoints.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
  • Command: Implement "Extension Workflow Requests" where users must justify extensions before administrative approval.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety
  • Command: "Do not log into banking/email until the browser is verified clean."

Priority 2: Identity
  • Command: Check if you have extensions like "BlockSite" or other high-population utilities installed.

Priority 3: Persistence
  • Command: Open chrome://extensions and remove any extension you do not recognize or that was not manually installed.
  • Command: Reset Chrome settings to default (Settings > Reset settings).

Hardening & References
  • Baseline: CIS Benchmark for Google Chrome (v2.1.0+).
  • Framework: NIST CSF 2.0.
  • Reference: Q Continuum group
 
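The two detection ideas in the post above, the research team's leakage metric (outbound request sizes that track the length of the URL being visited) and the enterprise hunting query for chrome-extension:// traffic to unknown domains, are shown below as one added Python example. This is not the researchers' pipeline nor code from the thread; it models one record per request as a MITM proxy would log it while a harness loads a known URL, then scores each destination host with a Pearson correlation and separately lists extension-initiated egress to hosts outside an allowlist. The capture, the host names, the extension ID and the `ProxiedRequest` record are all constructed for the example; the correlation-on-request-size approach is a simplification of what the article describes.

```python
"""Leakage-correlation and extension-egress checks over a constructed proxy capture.

Added example (not the researchers' pipeline and not from the forum thread).
Each ProxiedRequest is what a MITM proxy could log while the harness loads a
known URL. The two checks are:
  (a) per destination host, how strongly request size tracks visited-URL length;
  (b) chrome-extension:// initiated requests to hosts outside an allowlist.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class ProxiedRequest:
    visited_url: str   # URL the harness was loading when this request fired
    host: str          # destination host of the outbound request
    body_len: int      # bytes sent, as measured by the proxy
    initiator: str     # "chrome-extension://<id>" or the page origin


# Placeholder extension ID (32 chars from a-p); not a real extension.
FAKE_EXT_ID = "a" * 32

# Constructed set of visited URLs with deliberately varied lengths.
VISITED_URLS = [
    "https://example.com/",
    "https://example.com/account/settings",
    "https://example.com/search?q=chrome+extension+history",
    "https://example.com/a/very/long/path/that/keeps/going/on/and/on/forever",
    "https://example.com/x",
]


def build_sample_capture() -> list[ProxiedRequest]:
    """Constructed capture: three destinations that react differently to URL length."""
    cdn_sizes = [320, 295, 310, 300, 305]   # varies, but unrelated to the visited URL
    ext = f"chrome-extension://{FAKE_EXT_ID}"
    capture = []
    for url, cdn in zip(VISITED_URLS, cdn_sizes):
        # Exfiltrating extension sends the URL plus fixed overhead: size grows with len(url).
        capture.append(ProxiedRequest(url, "collector.example", 40 + 2 * len(url), ext))
        # Fixed-size heartbeat from the same extension: no relation to the URL.
        capture.append(ProxiedRequest(url, "telemetry.example", 128, ext))
        # Page-initiated asset fetch whose size varies for unrelated reasons.
        capture.append(ProxiedRequest(url, "cdn.example", cdn, "https://example.com"))
    return capture


def pearson(xs, ys) -> float:
    """Pearson r; returns 0.0 when either series is constant (no signal either way)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def leakage_scores(capture) -> dict[str, float]:
    """Per destination host: correlation of request size with visited-URL length."""
    series: dict[str, tuple[list[int], list[int]]] = {}
    for r in capture:
        lens, sizes = series.setdefault(r.host, ([], []))
        lens.append(len(r.visited_url))
        sizes.append(r.body_len)
    return {host: pearson(lens, sizes) for host, (lens, sizes) in series.items()}


def flag_leaking_hosts(capture, threshold: float = 0.8) -> list[str]:
    """Hosts whose request sizes track URL length at or above the threshold."""
    return sorted(h for h, r in leakage_scores(capture).items() if r >= threshold)


def hunt_extension_egress(capture, known_hosts) -> dict[str, list[str]]:
    """Extension-initiated requests to hosts not on the allowlist, grouped by extension."""
    hits: dict[str, set[str]] = {}
    for r in capture:
        if r.initiator.startswith("chrome-extension://") and r.host not in known_hosts:
            hits.setdefault(r.initiator, set()).add(r.host)
    return {ext: sorted(hosts) for ext, hosts in hits.items()}


if __name__ == "__main__":
    cap = build_sample_capture()
    for host, r in sorted(leakage_scores(cap).items()):
        print(f"{host:20s} r={r:+.2f}")
    print("leaking hosts:", flag_leaking_hosts(cap))
    print("unknown extension egress:", hunt_extension_egress(cap, {"telemetry.example"}))
```

Two design points: the constant-size heartbeat to `telemetry.example` is deliberately scored 0.0 rather than treated as a divide-by-zero, because a fixed beacon carries no URL-length signal; and the egress hunt keys on the request initiator, so a real deployment needs a proxy or browser telemetry source that records `chrome-extension://` as the initiator (a plain network log without that field cannot run this check).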
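The RESPOND steps above (ExtensionInstallBlocklist for known-bad IDs, ExtensionInstallAllowlist to permit only approved extensions) and the DETECT step of auditing installed extensions can be exercised with the added Python example below. It is not code from the thread or from Google; it emits the JSON that Chrome reads from a managed-policy file (on Linux, `/etc/opt/chrome/policies/managed/<name>.json`; on Windows the same policy names are deployed via GPO under `HKLM\Software\Policies\Google\Chrome`), mirrors Chrome's documented rule that allowlist entries override the blocklist and that `*` in the blocklist blocks everything else, and checks a constructed inventory against the policy. The only real ID used is the BlockSite ID quoted in the thread; the second ID and the endpoint names are placeholders.

```python
"""Build Chrome ExtensionInstallBlocklist / ExtensionInstallAllowlist policy and audit against it.

Added example, not from the thread or from Google. Chrome reads these keys as
managed policy (Linux: a JSON file under /etc/opt/chrome/policies/managed/;
Windows: the same names under HKLM\\Software\\Policies\\Google\\Chrome via GPO).
"""
import json
import re
from pathlib import Path

# Chrome extension IDs are 32 characters from the range a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
BLOCK_ALL = "*"   # wildcard accepted by ExtensionInstallBlocklist

# Extension ID quoted in the thread's telemetry section (BlockSite).
BLOCKSITE_ID = "eiimnmioipafcokbfikbljfdeojpcgbh"
# Placeholder ID standing in for an approved, vetted extension.
APPROVED_ID = "b" * 32

# Constructed inventory: endpoint name -> installed extension IDs.
SAMPLE_INVENTORY = {
    "ws-01": [BLOCKSITE_ID, APPROVED_ID],
    "ws-02": [APPROVED_ID],
    "ws-03": ["c" * 32],   # unvetted extension, placeholder ID
}


def validate_ids(ids) -> list[str]:
    """Reject anything that is not a Chrome extension ID (or the '*' wildcard)."""
    bad = [i for i in ids if i != BLOCK_ALL and not EXT_ID_RE.fullmatch(i)]
    if bad:
        raise ValueError(f"not Chrome extension IDs: {bad}")
    return list(ids)


def build_chrome_policy(blocklist, allowlist=(), allow_only=False) -> dict:
    """Blocklist specific IDs; with allow_only=True, block everything except the allowlist."""
    block = set(validate_ids(blocklist))
    if allow_only:
        block.add(BLOCK_ALL)
    policy = {"ExtensionInstallBlocklist": sorted(block)}
    allow = set(validate_ids(allowlist))
    if allow:
        policy["ExtensionInstallAllowlist"] = sorted(allow)
    return policy


def write_policy_file(policy: dict, path) -> Path:
    """Write the policy as the JSON shape Chrome's managed-policy directory expects."""
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(json.dumps(policy, indent=2) + "\n")
    return p


def is_install_allowed(ext_id: str, policy: dict) -> bool:
    """Allowlist entries override the blocklist; '*' in the blocklist blocks the rest."""
    block = set(policy.get("ExtensionInstallBlocklist", []))
    allow = set(policy.get("ExtensionInstallAllowlist", []))
    if ext_id in allow:
        return True
    return ext_id not in block and BLOCK_ALL not in block


def audit_inventory(inventory: dict, policy: dict) -> dict[str, list[str]]:
    """Per endpoint, installed extension IDs the policy would not permit (endpoints with none omitted)."""
    findings = {}
    for host, ids in inventory.items():
        violating = sorted(i for i in ids if not is_install_allowed(i, policy))
        if violating:
            findings[host] = violating
    return findings


if __name__ == "__main__":
    # Phase 1: block the identified IDs only.
    phase1 = build_chrome_policy([BLOCKSITE_ID])
    print(json.dumps(phase1, indent=2))
    print("phase 1 findings:", audit_inventory(SAMPLE_INVENTORY, phase1))
    # Phase 2: allow-only posture, approved extensions exempt from the '*' block.
    phase2 = build_chrome_policy([BLOCKSITE_ID], allowlist=[APPROVED_ID], allow_only=True)
    print("phase 2 findings:", audit_inventory(SAMPLE_INVENTORY, phase2))
    print("wrote", write_policy_file(phase2, "./managed/extension_policy.json"))
```

The two phases correspond to the two RESPOND commands: blocking named IDs stops the known-bad set immediately, while the `*` plus allowlist posture is what actually prevents the next unvetted extension from being installed, at the cost of the approval workflow the post's IDENTIFY & PROTECT step describes. Extensions force-installed via ExtensionInstallForcelist are also exempt from the blocklist in Chrome; this example does not model that key.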
The permission to “look at the browsing history” is like a master key: it can open the door of the guardian who warns you of dangers, or the door of the merchant who notes every step to sell it in the marketplace. The object is the same, but the intention changes the outcome. And in the end, the user stands in the middle of that hallway, unsure whether what comes in is a sentinel or a disguised trader. 👁💹💰
A poetic lament for the digital age, traveler. But consider this. The hallway is only confusing if one has forgotten to light the Lantern of Scrutiny. You fear the Master Key, yet you hand it freely to strangers who knock. The Merchant does not merely 'note every step', he draws a map of your soul to auction in the Bazaar of Big Data. And the difference between the Sentinel and the Trader is simple. The Sentinel wears the badge of Open Source and asks for no bread. The Trader wears a mask of 'Productivity' and works for free.

Remember the ancient rule of the marketplace. If you cannot see the price tag on the Sentinel's shield, it is because you are the cargo being smuggled through the door. 🕵️‍♂️💸🚫