6 Ways Browser Extensions Stole Your Data Over the Years

And what we learned from each

From last week’s bombshell report about browser extensions leaking data from Fortune 100 organizations, to news of data brokers buying up extensions, we take a short trip through the articles that have been warning us for years about the dangers of browser extensions. Let’s be honest: after reading this, you’ll probably do nothing. But if you’re alarmed by any of it (and you should be), let us help your organization get a handle on which browser extensions are running in your environment.

Web of mistrust

Back in 2016, an extension called Web of Trust was found to be selling its users’ browsing histories, and to be taking no meaningful steps to anonymize that data before selling it. Doubly infuriating to its users, the extension was meant to evaluate the trust and reputation of other parties on the web.

Researchers were able to identify over 50 individuals from their browsing histories alone, showing us that “oh crap, URLs carry a lot of private information!” A URL routinely embeds user IDs, document names, internal hostnames, search terms and sometimes session tokens or password-reset links, so a “just the URLs” history is anything but anonymous. And if you had taken a look at the privacy policy, you’d have found that Web of Trust told you what it was doing.

Learned:

  • Browsing history is not anonymous
  • Read the privacy policy; it often states exactly what the extension will do with your data

Selling out

An independent Chrome extension developer had built a useful extension to augment YouTube. The extension grew in popularity and served its users well until someone came knocking to buy it. The original developer sold the extension and, in short order, it was updated with malicious code that sent browsing history back to its new overlords.

Because the extension had an existing install base and brand, the new owners were able to simply push an update to start collecting data. From the users’ perspective, the extension merely asked to be granted more permissions: Chrome disables an updated extension that requests new permissions until the user accepts them, so the only signal of the takeover was a permission prompt, a warning which most users likely ignored as they clicked “OK.”

Learned:

  • Extensions can be sold, and it turns out there’s a market for them
  • We can’t trust an extension from one version to the next. It could have changed owners, or the original developer could have been co-opted by the dark side.
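One way to catch exactly this kind of quiet takeover is to inventory the manifests Chrome keeps on disk and compare the permissions an extension declared in its oldest installed version against its newest. The script below is an added example, not code from the original post or from Extension Monitor. It assumes Chrome’s profile layout of <profile>/Extensions/<extension id>/<version>_<n>/manifest.json (one directory per installed version); the high-risk permission list is this example’s own classification, and the two sample extensions it writes to a temporary directory are constructed to mimic a YouTube helper that was sold and re-released with history-reading permissions.

```python
"""Inventory Chrome extension manifests and flag permission escalation.

Added example (not the page's or Extension Monitor's code). Assumes Chrome's
on-disk layout <profile>/Extensions/<id>/<version>_<n>/manifest.json, with one
directory per installed version. The sample manifests are constructed.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read browsing activity or page content.
# This list is an assumption for the example, not an official classification.
HIGH_RISK = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
             "tabs", "history", "webRequest", "webRequestBlocking",
             "webNavigation", "cookies", "clipboardRead"}


def manifest_permissions(manifest: dict) -> set:
    """Every permission string, whichever manifest key it was declared under."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(manifest.get(key, []))
    return perms


def risky(perms: set) -> set:
    return perms & HIGH_RISK


def version_key(dirname: str) -> tuple:
    # "1.5.0_0" -> (1, 5, 0); the "_0" suffix is Chrome's install counter
    return tuple(int(p) for p in dirname.split("_")[0].split(".") if p.isdigit())


def scan_profile(extensions_dir) -> list:
    """One record per extension: id, versions on disk, risky permissions in the
    newest version, and risky permissions added since the oldest version."""
    report = []
    root = Path(extensions_dir)
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        versions = []
        for vdir in ext_dir.iterdir():
            mf = vdir / "manifest.json"
            if mf.is_file():
                with open(mf, encoding="utf-8") as fh:
                    versions.append((version_key(vdir.name), json.load(fh)))
        if not versions:
            continue
        versions.sort(key=lambda v: v[0])
        oldest, newest = versions[0][1], versions[-1][1]
        old_p, new_p = manifest_permissions(oldest), manifest_permissions(newest)
        report.append({
            "id": ext_dir.name,
            "name": newest.get("name", "?"),
            "versions": [v[1].get("version") for v in versions],
            "risky": sorted(risky(new_p)),
            "escalated": sorted(risky(new_p - old_p)),
        })
    return report


def build_sample_profile() -> str:
    """Write constructed manifests: a YouTube helper whose next version suddenly
    wants tabs, history and <all_urls>, and a note-taking extension that stays
    scoped to its own host. Returns the Extensions directory path."""
    base = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": [
            ("1.4.0_0", {"name": "Tube Helper", "version": "1.4.0",
                         "manifest_version": 2,
                         "permissions": ["storage", "*://*.youtube.com/*"]}),
            ("1.5.0_0", {"name": "Tube Helper", "version": "1.5.0",
                         "manifest_version": 2,
                         "permissions": ["storage", "tabs", "history", "<all_urls>"]}),
        ],
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": [
            ("0.9.1_0", {"name": "Note Taker", "version": "0.9.1",
                         "manifest_version": 3,
                         "permissions": ["storage"],
                         "host_permissions": ["https://notes.example/*"]}),
        ],
    }
    for ext_id, versions in samples.items():
        for vdir, manifest in versions:
            d = base / ext_id / vdir
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(base)


if __name__ == "__main__":
    for rec in scan_profile(build_sample_profile()):
        state = "ESCALATED" if rec["escalated"] else ("risky" if rec["risky"] else "ok")
        print(f'{rec["id"]} {rec["name"]} {rec["versions"]} {state} {rec["escalated"]}')
```

Point scan_profile at a real profile’s Extensions directory to run it against your own machine; an extension that shows up as ESCALATED is one whose newest version asks for something its older version did not, which is precisely the moment an acquisition or a compromised developer account tends to reveal itself.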

What’s in a name

If you wanted to publish a malicious, data-collecting, privacy-violating extension, why put in all the hard work of engineering a useful product and marketing it? Instead, just copy an open-source extension, add your malicious code, and republish it under a name that closely resembles extensions people already trust. People already trust Adblock, so why not call yours Adblock Pro? Boom. Pro, because it’s better, of course.

That’s precisely what the developers of several ad blocking extensions did, garnering over 20 million users in the process.

Learned:

  • Confusion is the name of the game. Be careful to select the reputable extension among a minefield of copycats
  • Ad blocking extensions, often open-source, are both popular and easy to modify, leading to huge install bases with little effort

Fool me once, shame on you

When Robert Heaton last year discovered that Stylish, an extension he had installed, was making suspicious network requests, he uncovered a data collection operation. Google was quick to take down the extension 2 days after the research was published. However, two weeks later, the extension reappeared on both the Chrome Webstore and Mozilla Add-on store.

Yeah, we’ll pass on the new version.

Learned:

  • Google gives privacy offenders a second chance. This means we need to take note of the reputation of the firms behind our extensions and tread lightly when it comes to past offenders
  • There are alternatives. Simple extensions often have friendly, non-data-stealing alternatives to install instead

All your privacy are belong to us

Last month, the Washington Post’s technology columnist Geoffrey Fowler gave readers some tips on avoiding being tracked online. Worth echoing from his suggestions is that VPNs do not help: the threat is already on your machine.

What he missed, though, is that it’s not just the Facebooks and Googles of the world tracking your browsing history. The extension ecosystems of Chrome, Firefox and other browsers let any independent developer or organization do the same, because an extension granted a host permission for a site can read every URL you open there and the full contents of each rendered page.

Learned:

  • Private browsing, VPNs, and other security measures don’t help when you’ve got someone already in your drawers
  • Articles about browser security still don’t address the biggest vulnerability: that some extension publishers exfiltrate your browsing history, and with it access to your documents, customer information, and worse

Size doesn’t matter

In the latest major announcement of data collection and abuse by browser extensions, researcher Sam Jadali outs 8 extensions and an analytics firm for collecting and reselling extremely sensitive information, providing access to everything from tax returns to health records. The breach impacted some of the biggest public companies, regulated industries and even major security software vendors, showing us that this vulnerability slips past established security organizations.

The extensions in question lay in wait for 3-4 weeks after installation before receiving the directive to start exfiltrating data. They were discovered only by happenstance: an independent researcher got suspicious, started monitoring his extensions’ network traffic, and left the sandbox running long enough for the dormant period to end.

Learned:

  • Even the biggest companies with full-fledged IT security teams, endpoint security, and compliance requirements are susceptible
  • Exfiltration methods have gotten more sophisticated trying to evade detection
  • Detection is happening ad-hoc from independent researchers
  • There’s a need for continuous monitoring, better tooling, and more sophisticated threat intelligence to detect malicious extensions sooner
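The dormant-then-active pattern above is detectable if you keep extension network traffic logged over time rather than glancing at it once. The script below is an added example, not Jadali’s or Heaton’s method and not Extension Monitor’s code: it walks a constructed request log (timestamp, extension id, destination host, POST body), notes when each extension first contacts each host, and flags requests whose body, raw or after base64 decoding, contains URLs the user actually visited. The 14-day dormancy threshold, the log format, the extension ids and the visited-URL set are all assumptions made for this example.

```python
"""Flag extensions that stay quiet after install, then start shipping visited
URLs to a host they never used before.

Added example, not the original post's code and not the method of the
researchers it cites. Log format, ids, threshold and samples are constructed.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta

DORMANCY_DAYS = 14                      # assumption: "quiet, then active" threshold
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")

# Constructed ids in Chrome's 32-character id format
EXT_A = "c" * 32
EXT_B = "d" * 32

# Constructed install times and a constructed slice of the user's history
INSTALLED = {EXT_A: datetime(2019, 5, 1), EXT_B: datetime(2019, 5, 1)}
VISITED = {
    "https://intranet.example.com/payroll/2019-q1.pdf",
    "https://crm.example.com/customers/48213",
}


def build_sample_log() -> list:
    """Constructed log: extension A phones home at install, stays quiet for
    four weeks, then POSTs a base64-wrapped intranet URL to a brand-new host.
    Extension B only ever talks to its own sync API."""
    leaked = base64.b64encode(b"https://intranet.example.com/payroll/2019-q1.pdf").decode()
    return [
        f'2019-05-01T10:00:00 {EXT_A} updates.extvendor.example {{"v":"2.1"}}',
        f"2019-05-28T09:12:00 {EXT_A} stats.collector.example {leaked}",
        f'2019-05-01T10:05:00 {EXT_B} api.notes.example {{"sync":true}}',
        f'2019-05-29T11:00:00 {EXT_B} api.notes.example {{"sync":true}}',
    ]


def parse_line(line: str) -> tuple:
    ts, ext, host, body = line.split(" ", 3)
    return datetime.fromisoformat(ts), ext, host, body.encode()


def decode_candidates(body: bytes):
    """Yield the body as sent and, when it is valid base64, its decoded form."""
    yield body
    try:
        yield base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return


def leaked_urls(body: bytes, visited: set) -> set:
    """URLs in the body (raw or base64-wrapped) that match the user's history."""
    found = set()
    for blob in decode_candidates(body):
        for match in URL_RE.findall(blob):
            url = match.decode("utf-8", "replace")
            if url in visited:
                found.add(url)
    return found


def analyze(lines, installed, visited, dormancy=timedelta(days=DORMANCY_DAYS)) -> dict:
    """Map extension id -> findings for every request that carried visited URLs,
    annotated with how long after install the destination host first appeared."""
    first_contact = {}
    findings = {}
    for ts, ext, host, body in sorted(parse_line(l) for l in lines):
        first_contact.setdefault((ext, host), ts)
        urls = leaked_urls(body, visited)
        if not urls:
            continue
        quiet_days = (first_contact[(ext, host)] - installed[ext]).days
        findings.setdefault(ext, []).append({
            "host": host,
            "when": ts.isoformat(),
            "new_host_after_days": quiet_days,
            "dormant": quiet_days >= dormancy.days,
            "urls": sorted(urls),
        })
    return findings


if __name__ == "__main__":
    for ext, hits in analyze(build_sample_log(), INSTALLED, VISITED).items():
        for hit in hits:
            tag = "DORMANT-THEN-EXFIL" if hit["dormant"] else "exfil"
            print(f'{ext} {hit["when"]} {hit["host"]} {tag} '
                  f'(+{hit["new_host_after_days"]}d) {hit["urls"]}')
```

The point of the dormancy annotation is the one Jadali’s case makes: a sandbox that runs for an hour sees only the innocent update check, so the log has to span weeks and the detector has to ask “is this host new for this extension, and how long after install did it appear?” rather than just “is this request suspicious?”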

What now?

If you’ve gotten to the end, let us help. Sign up for Extension Monitor and start getting visibility into the extensions running in your environment and their threats. Join us on the right side of this cat and mouse game as we build ever-evolving methods to detect data exfiltration and other security risks that browser extensions pose.

Keep extension threats top of mind. Sign up to get notified when new posts become available.