Q Continuum’s investigation found a vast surveillance network of 287 malicious Chrome extensions exfiltrating browsing history from an estimated 37.4 million users—about 1% of the global Chrome user base. Researchers used a behavior-based automated pipeline (Chrome in Docker with a MITM proxy) to catch extensions hiding stolen URLs in Google Analytics and linked activity to actors including Similarweb and other data brokers. #Similarweb #SuperPiP
Key points
- 287 Chrome extensions were found actively exfiltrating browsing history to remote servers.
- Approximately 37.4 million users—roughly 1% of global Chrome users—are affected.
- Q Continuum built an automated scanning pipeline running Chrome in Docker with a MITM proxy to observe outbound URL leaks.
- Some extensions encoded stolen URLs into Google Analytics parameters to hide exfiltration within legitimate traffic.
- Actors tied to the network include Similarweb, Curly Doggo, Offidocs, “Big Star Labs,” Chinese actors, and various data brokers, highlighting gaps in Web Store vetting.
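The detection step behind the pipeline described above (drive a sandboxed browser to known pages, capture every outbound request at the proxy, and look for the visited URL inside the traffic, including when it is tucked into an analytics parameter) can be reproduced in a few dozen lines. The following is an added example written for this summary; it is not Q Continuum's code, and the canary URLs, the captured requests, and the collector host `collector.example-broker.invalid` are all constructed for illustration. It goes slightly beyond the Google Analytics case by checking the plain, percent-encoded, double-encoded and base64 forms of each canary.

```python
"""Detect browsing-history exfiltration in proxied extension traffic.

Added example (not Q Continuum's pipeline): the sandboxed browser visits a
few unique canary URLs, every outbound request is captured at the MITM
proxy, and each request is searched for the canary in the encodings an
extension is likely to use (plain, percent-encoded, double-encoded, base64).
"""
import base64
import urllib.parse

# Constructed canary URLs: unique pages the sandboxed browser is driven to.
CANARY_URLS = [
    "https://example.org/patient-portal/record/12345",
    "https://example.net/internal/wiki/Project-Atlas",
]

# Hosts whose traffic looks routine, so a leak hidden there deserves a flag.
ANALYTICS_HOSTS = ("google-analytics.com", "analytics.google.com")

# Constructed sample of requests captured at the proxy; none is real traffic.
CAPTURED_REQUESTS = [
    # 1. Ordinary analytics hit reporting the extension's own popup page.
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fpopup.html",
     "body": ""},
    # 2. Analytics hit whose dl= parameter carries the user's current page.
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview&dl="
            + urllib.parse.quote(CANARY_URLS[0], safe=""),
     "body": ""},
    # 3. POST to a hypothetical collector with the URL base64-encoded in JSON.
    {"url": "https://collector.example-broker.invalid/v1/events",
     "body": '{"u": "' + base64.b64encode(CANARY_URLS[1].encode()).decode() + '"}'},
    # 4. Benign asset fetch.
    {"url": "https://cdn.example.com/icons.png", "body": ""},
]


def encodings_of(url):
    """Return {label: encoded_form} for the forms commonly used to carry a URL."""
    raw = url.encode()
    once = urllib.parse.quote(url, safe="")
    forms = {
        "plain": url,
        "percent": once,
        "double-percent": urllib.parse.quote(once, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "base64url": base64.urlsafe_b64encode(raw).decode(),
    }
    forms["base64-nopad"] = forms["base64"].rstrip("=")
    forms["base64url-nopad"] = forms["base64url"].rstrip("=")
    return forms


def _haystack(request):
    """Concatenate every place an extension can put a value: URL and body."""
    return request["url"] + "\n" + request.get("body", "")


def find_leaks(canary_urls, requests):
    """Return one finding per (request, canary) pair in which a canary URL
    appears in the request in any recognised encoding."""
    findings = []
    for idx, req in enumerate(requests):
        hay = _haystack(req)
        # A partially percent-encoded value is caught by decoding the
        # haystack twice and searching for the plain canary in the result.
        decoded = urllib.parse.unquote(urllib.parse.unquote(hay))
        host = urllib.parse.urlsplit(req["url"]).hostname or ""
        for canary in canary_urls:
            hit = None
            for label, form in encodings_of(canary).items():
                if form in hay:
                    hit = label
                    break
            if hit is None and canary in decoded:
                hit = "mixed-percent"
            if hit:
                findings.append({
                    "request": idx,
                    "host": host,
                    "encoding": hit,
                    "canary": canary,
                    "hidden_in_analytics": host.endswith(ANALYTICS_HOSTS),
                })
    return findings


if __name__ == "__main__":
    for f in find_leaks(CANARY_URLS, CAPTURED_REQUESTS):
        where = "inside analytics traffic" if f["hidden_in_analytics"] else "to collector"
        print(f"request #{f['request']} -> {f['host']}: canary {f['canary']} "
              f"leaked as {f['encoding']} {where}")
```

Canary URLs should be unique and otherwise unreachable so that a match cannot be explained by anything but the extension reading them from the browser; the analytics-host flag exists because a hit to a well-known analytics endpoint is exactly the traffic a manual reviewer tends to wave through.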
Read More: https://securityonline.info/the-1-breach-287-chrome-extensions-caught-spying-on-37m-users/