A massive data exfiltration operation involving 287 Chrome extensions that secretly steal browsing history from approximately 37.4 million users worldwide has been uncovered by security researcher Q Continuum (alias qcontinuum1). The affected users amount to roughly one percent of the global Chrome user base, making this a significant privacy breach affecting millions of internet users.
How the Extensions Operate
The researcher developed an automated scanning system, built on Docker containers and a man-in-the-middle proxy, to detect suspicious network activity. The system monitors each extension's outbound traffic and checks whether the amount of data sent correlates with the length of the visited URL, a key indicator that browsing history is being exfiltrated.
The malicious extensions employ various obfuscation techniques to hide their activities:
- ROT47 encoding — Simple substitution cipher to disguise transmitted data
- AES-256 encryption with RSA key pairs — Advanced encryption to prevent interception and analysis
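The two signals above (request size tracking URL length, and ROT47-disguised payloads) can be checked from proxy records alone. The following is an added example written for this summary, not code from the qcontinuum1 report; the extension names, URLs and request bodies are constructed, and the 0.9 correlation threshold is an assumed cut-off.

```python
# Added example: a proxy-side check in the spirit of the scanner described above.
# Constructed records only; not code from the qcontinuum1 report.

def rot47(text):
    """ROT47 is its own inverse, so the same function decodes a disguised payload."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in text)

# Constructed navigation sequence with steadily growing URL length.
VISITED = [
    "https://intranet.example/",
    "https://intranet.example/hr/payroll/2024",
    "https://app.example/dashboard?tenant=acme&user=jdoe",
    "https://app.example/reports/quarterly/finance/detail?id=9981",
    "https://docs.example/wiki/projects/codename-x/architecture/notes",
]

# Constructed proxy records, (visited_url, outbound_body) per extension: the first
# ships the URL ROT47-disguised, the second sends a fixed heartbeat every time.
PROXY_LOG = {
    "hypothetical-exfil-ext": [(u, "v=2&d=" + rot47(u)) for u in VISITED],
    "hypothetical-benign-ext": [(u, "ping=1&ver=3") for u in VISITED],
}

def size_correlation(records):
    """Pearson r between URL length and body length; None when undefined."""
    xs = [len(u) for u, _ in records]
    ys = [len(b) for _, b in records]
    n = len(xs)
    if n < 2:
        return None
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:  # constant series, e.g. a fixed-size heartbeat
        return None
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sxx * syy) ** 0.5

def leaks_url(records):
    """True if any body carries the visited URL, plain or ROT47-disguised."""
    return any(u in b or u in rot47(b) for u, b in records)

def classify(records, r_threshold=0.9):
    """Flag the extension when either signal fires."""
    r = size_correlation(records)
    size_signal = r is not None and r > r_threshold
    return "exfiltrating" if size_signal or leaks_url(records) else "clean"
```

The size check is what catches the AES-encrypted variants the report mentions, since ciphertext length still grows with the URL even when the body cannot be decoded.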
High-Profile Extensions Identified
Popular extensions like “Poper Blocker,” “Stylish,” and “BlockSite” were identified among the offenders. Even security tools marketed as privacy-enhancing were flagged—Avast Online Security, with six million installations, was included in the list.
Data Brokers Behind the Collection
The investigation revealed several data brokers collecting user information:
- Similarweb — Web analytics company operating multiple extensions including its official “Website Traffic & SEO Checker” (1 million users)
- Big Star Labs — Believed to be affiliated with Similarweb, controlling extensions affecting 3.7 million users
- Curly Doggo — 1.2 million affected users
- Offidocs — 1.7 million affected users
- Various Chinese entities were also identified
Corporate Espionage Risks
The exfiltrated browsing data poses risks beyond targeted advertising. Corporate espionage becomes possible when employees install seemingly innocent productivity extensions that capture:
- Internal URLs and intranet addresses
- SaaS dashboard links
- Personal identifiers embedded in URLs
Researchers set up honeypot traps and detected third-party scrapers actively collecting the stolen data. Multiple IP addresses associated with companies like Kontera repeatedly accessed these honeypots, suggesting a broader ecosystem monetizing user browsing histories.
Recommended Actions
Users and organizations should immediately:
- Review installed Chrome extensions and remove those flagged in the research report
- Install only open-source extensions that can be independently reviewed
- Carefully check permission requests before installing any extension
- Audit corporate browser policies for extension whitelisting
With the Chrome Web Store hosting approximately 240,000 extensions, manual verification is challenging. Organizations should consider implementing browser management policies that restrict extension installations to approved lists only.
Source: Cybersecurity News | Full technical report: GitHub – qcontinuum1/spying-extensions
