Back to articles

Browsing history exfiltration explained: what 287 Chrome extensions were really doing

A researcher found 287 Chrome extensions allegedly leaking browsing history to third-party companies. Here's how it works and how to check yours.

Maxim Kosterin
7 min read

Your browsing history is worth money. Not to you — to data brokers, analytics companies, and anyone willing to pay for behavioral data at scale. And 287 Chrome extensions were caught selling it behind your back.

A security researcher going by "Q Continuum" built an automated testing system — Docker containers, MITM proxies, the works — and uncovered 287 Chrome extensions quietly exfiltrating browsing data from 37.4 million users. According to the researcher's findings, the data was allegedly flowing to entities including Similarweb, Semrush, ByteDance, Alibaba Group, and over 30 other companies.

I want to break down exactly how this works, why it's so hard to spot, and what you can do about it.

What "browsing history access" actually means

When a Chrome extension requests the history permission or the broader <all_urls> host permission, it gets access to your browsing data. That sounds straightforward. But the technical reality is wider than most people realize.

With the history API, an extension can read your full browsing history — every URL, every visit timestamp, the number of times you visited each page. It can also search and delete entries. That's the obvious one.

But here's the part people miss: an extension doesn't need the history permission to track where you browse. With <all_urls> or even a broad host pattern like *://*/*, an extension can inject content scripts into every page you visit. Those scripts can phone home with the current URL, page title, referrer, and anything else on the page. No history permission required.

The 287 extensions caught in Q Continuum's research used a mix of these techniques. Some requested history access directly. Others used broad host permissions to silently observe and report back.

How the exfiltration pipeline works

These extensions don't just grab your URLs and dump them to a server. That would be too easy to catch. The pipeline is more sophisticated.

First, the extension collects browsing events — page visits, search queries, clicked links, sometimes even form inputs. It batches these events locally, often with a delay so the network traffic doesn't look suspicious in real time.

Then it sends the data to a collection endpoint. Sometimes this is a direct API call to the data broker. More often, it's routed through an intermediary domain that's hard to connect back to the actual recipient. Q Continuum had to use MITM proxy analysis to trace the data flows to their final destinations.

According to Q Continuum's research, the entities identified as data recipients allegedly use this data for market intelligence. The researcher suggests that when companies like Similarweb show website traffic estimates or when Semrush provides keyword analytics, some of that data may originate from real users' browsing sessions — captured through extensions that looked like ad blockers, shopping assistants, and productivity tools.

As Q Continuum put it: "Imagine that you build your business model on data exfiltration via innocent looking extensions and using that data to sell them to big corporates. Well, that's how Similarweb is getting part of the data." This is the researcher's characterization — neither Similarweb nor Semrush have publicly responded to these specific allegations as of February 2026. ByteDance, Alibaba Group, and the other entities identified in the research have also not publicly addressed the researcher's claims as of this writing.

The extensions that got caught

The 287 flagged extensions shared common disguises. They presented themselves as useful utilities — the kind of things you'd install without thinking twice:

  • Ad blockers — ironic, since they were monetizing your data while promising to protect your privacy
  • Shopping assistants — coupon finders and price comparison tools that tracked every store you visited
  • Productivity tools — tab managers, note-taking helpers, and similar small utilities

Together, these extensions had 37.4 million installations. That's not a niche problem. For roughly 20 million of those installations, the researcher couldn't even identify who was receiving the collected data. The data recipients remain unknown.

This matters because you probably have extensions like these installed right now. They look legitimate. They have decent ratings. They do what they promise. They just also do something else on the side.

What downstream data recipients actually do with the data

Aggregated browsing data has a real market because it answers questions paid analytics tools cannot. Internal Google Search and Bing Search query traffic isn't observable from outside; SaaS tools' authenticated dashboards are off-limits to crawlers; competitive intelligence on B2B web traffic is otherwise expensive and slow to assemble. A panel of millions of "consenting" users (most of whom never knowingly consented to anything beyond installing a coupon extension) collapses all of that into a queryable dataset.

Specifically, the kind of data recipient Q Continuum's research surfaces tends to use the feed for one of three things. Market intelligence: how much traffic does a competitor's product page get, where does that traffic come from, and how does it trend week over week. Keyword and SERP monitoring: which queries are real users typing into search engines, which results are they clicking, and how does that map to organic position. Product validation: how often do users open a particular SaaS dashboard, how long do they spend inside it, what do they navigate to next.

None of those use cases require knowing who you are individually — but they all require seeing what you browsed, in volume. Which is why "we anonymize the data" is true and largely beside the point. The product is the panel, and the panel is your URL stream.

When history access is fine vs. when it's a red flag

Not every extension that touches your browsing data is stealing it. Context matters.

Legitimate uses:

  • A bookmark manager that needs to read your history to suggest organizing pages you visit often
  • A productivity tracker that shows you how you spend time online (with data staying local)
  • A session manager that needs to restore your previous browsing sessions

Red flags:

  • An ad blocker requesting history permission — it doesn't need your browsing history to block ads
  • A coupon extension with <all_urls> access — it only needs access to shopping sites, not every page
  • Any extension that sends network requests to domains unrelated to its stated functionality
  • Extensions from publishers with minimal web presence or no clear business model

The key question: does the extension need this access to do what it claims to do? If you can't connect the permission to the feature, something is off.

How to check your extensions

Here's what I'd actually do right now:

1. Audit your installed extensions. Open chrome://extensions/ and look at each one. If you can't remember why you installed it, remove it. Seriously — the fewer extensions you run, the smaller your attack surface.

2. Check permissions for each extension. Click "Details" on any extension and scroll to "Permissions." If a simple utility has <all_urls> or "Read your browsing history" access, question why.

3. Use Extenshi to scan for risky permissions. You can run your installed extensions through Extenshi's permission scanner to see which ones have broad data access and whether they're flagged for suspicious behavior.

4. Watch for extensions that phone home excessively. Open DevTools (F12) → Network tab, and browse normally with your extensions enabled. If you see requests going to unfamiliar analytics or tracking domains, investigate.

5. Prefer extensions with transparent privacy policies. If an extension's privacy policy is vague about data collection or doesn't have one at all, that's a signal. Check the Extenshi catalog for privacy breakdowns before installing.

The 287 extensions uncovered by Q Continuum are just the ones that got caught with an automated system. The real number is almost certainly higher. Your browsing history is a product — and right now, the extensions you trust might be the ones selling it.

Check your extensions for data exfiltration risks →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Sources: The Register — Security researcher finds 287 Chrome extensions leaking browsing data; Q Continuum research

Related Articles