Your adblocker might be tracking you: researchers flag dozens of browser extensions openly selling data


Dozens of extensions are openly extracting data from over 6.5 million users and selling it for profit, “and it’s all completely legal,” security researchers from LayerX have found. These extensions disclose the practice in their privacy policies – something that two-thirds of extensions don’t have at all.

Malicious extensions masquerade as legitimate tools and steal users' data in the background. But if extension creators explicitly state in the Privacy Policy that user data will be collected and (might be) sold, then it’s legal.

LayerX Security found over 80 browser extensions with 6.5 million users that openly sell user data.

“While browser extensions may seem innocent, these findings highlight the privacy exposure that can arise from unregulated usage of extensions,” the LayerX Security report reads.

The researchers downloaded and used AI to analyze 6,666 privacy policies of browser extensions on various official stores.

“Seventy-one percent of all extensions in the Chrome Web Store don’t even publish a privacy policy,” the researchers noted.

“The true number is almost certainly higher.”

Custom Profile Pic for Netflix Privacy Permissions
Image by LayerX Security.

They identified a single anonymous publisher that released 24 extensions targeting users on Netflix, Hulu, Disney+, and other major streaming services. The extensions allow users to set custom profile pictures for Netflix (200,000 users), skip ads on Hulu (100,000) or Prime Video (60,000), view Netflix streams in picture-in-picture (100,000), etc.

Combined, the network reaches nearly 800,000 users. The company behind them is registered at an address shared by hundreds of companies through a registered agent service.

The web store listings have no indications that the extensions are collecting viewing history, content preferences, platform subscriptions, downloaded content, or streaming behavior, as listed in the privacy policies.

“They also collect age and gender – and if you don’t provide demographics, they match your email against third-party demographic databases to fill in the gaps,” the LayerX Security report reads.

“The policy describes selling reports to content creators and studios, streaming platforms, media research firms, and marketing agencies – along with ‘organizations that purchase anonymized viewing data.’”

Tracker blockers tracking 5 million users

Security researchers, privacy enthusiasts, and even government agencies recommend adblockers as a privacy measure to reduce the risk of data collection. This won’t help if adblockers themselves track and sell user data.

The report identified at least twelve ad-blocking extensions that openly reserve the right to sell user data. For example, “Stands AdBlocker,” with 3 million users, sells browsing data to third parties for “market analytics purposes.”

Poper Blocker, an adblocker with 2 million users, discloses selling identifiers, browsing activity, behavioral profiles, and inferred sensitive data – including health conditions, religious beliefs, and sexual orientation, all inferred from the URLs users visit, according to the report.

“If your ad blocker has a privacy policy longer than two paragraphs, read it,” the researchers suggest.

Other finds include a job application tool that sells resumes to third parties, a data-selling dog wallpaper extension, a temporary email service, and more.

“Dashy New Tab (10K users) has its Chrome Web Store listing marked ‘does not sell your data.’ Its actual privacy policy marks data as ‘Sold or Shared: Yes,’” the researchers said.

Nearly 30 of the 82 extensions that sell data are B2B sales intelligence tools used on corporate machines.

“This means that employee browsing behavior, such as internal URLs, SaaS dashboards, and research activity, flows into commercial databases that your competitors can purchase,” the researchers warn.

“The risk isn’t about users being deceived. It’s about corporate data leaving through a channel nobody is watching.”

The researchers urge companies to introduce policies and deploy automated tools to restrict suspicious or unwanted extensions.

