
Your Browser History Is For Sale: 287 Chrome Extensions Are Watching You

287 Chrome extensions with 37.4 million installs are quietly exfiltrating browsing history to data brokers. Here's what was found, who's behind it, and what you can do about it.

Security, Privacy, Chrome Extensions, InfoSec
February 11, 2026

It turns out that free browser extensions, the little tools we install without a second thought, might be costing us more than we realize: our privacy.

Researchers recently built an automated scanning pipeline that runs Chrome inside Docker, routes all traffic through a man-in-the-middle proxy, and watches for outbound requests that correlate with the URLs being visited. Their finding? 287 Chrome extensions, collectively installed by around 37.4 million users, are actively shipping browsing history to remote servers. That's roughly the population of Poland having their every click silently exfiltrated.

How They Caught It

The method was straightforward. If an extension is just injecting CSS or reading a page title, its network footprint stays flat regardless of URL length. But if the outbound traffic grows linearly with the URL length, that extension is sending your URLs somewhere.

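They defined a leakage ratio R as the slope in a linear model of outbound bytes against payload size, with b as the constant offset: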

bytes_out = R × payload_size + b

If R ≥ 1.0, the extension is definitely leaking. If 0.1 ≤ R < 1.0, it's flagged for manual review. The whole scan took around 930 CPU-days across roughly 240,000 extensions in the Chrome Web Store.
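As an added example (not the researchers' code), the Python below estimates R from (payload_size, bytes_out) measurements and applies the two thresholds stated above. The least-squares fit, the `not_flagged` label, the extension names and the sample measurements are assumptions constructed for illustration; the article does not say how the researchers estimated R.

```python
# Thresholds as stated in the article.
LEAK_THRESHOLD = 1.0
REVIEW_THRESHOLD = 0.1


def leakage_ratio(samples):
    """Fit bytes_out = R * payload_size + b by ordinary least squares.

    samples: iterable of (payload_size, bytes_out) pairs, one per probe visit.
    Returns (R, b). The fitting method is an assumption of this example.
    """
    samples = list(samples)
    xs = [float(x) for x, _ in samples]
    ys = [float(y) for _, y in samples]
    if len(set(xs)) < 2:
        # A slope is undefined unless the probe URLs vary in length.
        raise ValueError("need at least two distinct payload sizes")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    r = sxy / sxx
    return r, my - r * mx


def classify(r):
    if r >= LEAK_THRESHOLD:
        return "leaking"
    if r >= REVIEW_THRESHOLD:
        return "manual_review"
    return "not_flagged"  # label chosen for this example


def scan(samples_by_extension):
    return {name: classify(leakage_ratio(s)[0])
            for name, s in samples_by_extension.items()}


# Constructed measurements: (URL payload size, outbound bytes seen at the proxy).
SAMPLES = {
    # Flat footprint: traffic does not depend on URL length.
    "css_injector": [(64, 510), (256, 515), (1024, 508), (4096, 512)],
    # Sends the base64-encoded URL plus 300 bytes of overhead (slope 4/3).
    "base64_url_beacon": [(64, 388), (256, 644), (1024, 1668), (4096, 5764)],
    # Outbound size grows at about 0.4 bytes per URL byte.
    "partial_sender": [(64, 226), (256, 302), (1024, 610), (4096, 1838)],
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        r, b = leakage_ratio(s)
        print(f"{name:18s} R={r:.3f} b={b:.1f} -> {classify(r)}")
```

An encoded URL pushes R above 1.0, which is why the "definitely leaking" threshold is a lower bound and not an exact match on 1.0.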

Who's Behind It

The actors behind the leaks span a wide range: Similarweb, Curly Doggo, Offidocs, various Chinese actors, smaller obscure data brokers, and a mysterious "Big Star Labs" that appears to be an extended arm of Similarweb. The researchers set up honeypot URLs and watched five distinct IP ranges hit them repeatedly — including IPs associated with HashDit, Blocksi AI Web Filter, and a heavy scraper from Kontera (running on multiple AWS NAT IPs).

The connection map is interesting. Similarweb's "Similar Sites" extension links to the Kontera scraper, which links to Curly Doggo and Offidocs. The researchers believe Big Star Labs is actually Similarweb operating under a different name, based on similarities between the extensions.

Why This Matters

For individuals, your browsing habits, sensitive searches, and potentially identifying details are being logged and resold. URLs often contain personal identifiers — session tokens, search queries, account IDs. Bad actors who pay for the raw traffic can target individuals specifically.

For businesses, the risk is corporate data leaking through employee browsers. Even if "only" URLs are exfiltrated, internal tool URLs, dashboard paths, and API endpoints can reveal a lot about a company's infrastructure.

The old saying still holds: if a free service isn't selling you a product, you are the product.

Not All Extensions Are Malicious

The researchers are careful to note that not every extension with browsing history access has bad intent. Some, like "Avast Online Security & Privacy," may legitimately need that access for their core functionality. But the sheer scale of the problem — and the deliberate obfuscation by some actors — makes the landscape hard to trust.

What You Should Do

Take a few minutes today:

  1. Open chrome://extensions/ in your browser
  2. Review what's installed — if you don't actively use it, remove it
  3. Check permissions — does a theme extension really need access to "all URLs"?
  4. Stick to open-source extensions where possible, so the code can be audited
  5. Consider using a separate browser profile for sensitive work

The full research, including the list of flagged extensions and the methodology, is available on GitHub.


About the Author: Muhammad Khan is a Principal Full Stack Engineer with 9+ years of experience building scalable web and mobile applications. He currently architects systems serving millions of users and loves sharing knowledge with the developer community.