Security researchers have discovered more than 300 Chrome extensions that leak browser data, spy on their users, or outright steal users’ data.
Research focused on the analysis of network traffic generated by Chrome extensions has uncovered 287 applications transmitting the user’s browsing history or search engine results pages (SERP).
Some of them, security researcher Q Continuum explains, would essentially expose the data to unsecured networks, while others would send it to collection servers, either due to intended functionality, for monetization purposes, or with malicious intent.
The extensions have over 37.4 million users, the researcher says. Of these, roughly 27.2 million users installed 153 extensions that were confirmed to leak browser history upon installation.
Q Continuum, who also flagged over 200 additional extensions as suspicious due to shared author details with the data-leaking ones, observed four scrapers connecting to the honeypot set up for the research.
Based on the observations, the researcher believes that a data broker rather than extension developers might be directly involved in the monetization of these applications.
The researcher has linked the extensions to 32 entities and has uncovered connections to known distributors of spyware extensions.
In a separate report, LayerX has detailed the malicious behavior of 30 Chrome extensions with over 260,000 downloads that were seen injecting iframes to manipulate content and steal users’ browser data.
Posing as AI assistance tools, all extensions had “the same internal structure, JavaScript logic, permissions, and backend infrastructure”, suggesting they are part of a single, coordinated operation.
One extension would render a full screen iframe pointing to a remote domain and allowing the attacker to load remote content to manipulate the UI directly.
The extension can also extract data from the active tab, supports message-triggered voice recognition, and includes explicit tracking pixel scripts.
According to LayerX, 15 extensions were seen specifically targeting Gmail, extracting email content and transmitting it to third-party infrastructure.
Related: Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’
Related: Chrome, Edge Extensions Caught Stealing ChatGPT Sessions
Related: GhostPoster Firefox Extensions Hide Malware in Icons
Related: Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors
