An extensive security analysis of browser add-ons has identified 287 Google Chrome extensions that silently collect and transmit users’ complete browsing history to external companies. According to the researcher’s estimates, these extensions account for more than 37.4 million installations, making the privacy impact global in scope.
How the browser history tracking in Chrome extensions was uncovered
The investigation used an automated Docker-based test environment running Chromium with a built‑in man‑in‑the‑middle (MITM) proxy. A MITM proxy intercepts encrypted HTTPS traffic between the browser and remote servers, allowing analysts to inspect what data extensions actually send over the network.
The pipeline generated synthetic browsing activity: it automatically visited a predefined set of websites, then correlated outgoing network requests with the exact URLs opened in the browser. By matching visited pages with transmitted data, the researcher could see which extensions were exfiltrating precise web addresses, including query parameters.
In total, approximately 32,000 Chrome extensions from the official Chrome Web Store were tested. The results linked more than 30 companies and affiliated entities to systematic collection of detailed browser history data.
Companies and Chrome extensions linked to large‑scale data collection
The analysis names several well‑known organizations as recipients or processors of browsing data, including Similarweb, Semrush, Alibaba Group, and ByteDance, as well as Big Star Labs, an entity affiliated with Similarweb. Many extensions are published under small or obscure developer names that, in practice, appear to function as fronts for large analytics and data‑broker networks.
Among the extensions flagged are popular tools such as:
• Stylish — for website theming and interface customization;
• Ad Blocker: Stands AdBlocker and Poper Blocker — ad and pop‑up blockers;
• CrxMouse — a mouse gestures extension;
• SimilarWeb: Website Traffic & SEO Checker — Similarweb’s own traffic and SEO analytics extension.
The researcher notes that about 20 million installations could not be reliably attributed to a specific ultimate data recipient. This suggests that a portion of the traffic may be routed through shell companies, intermediaries, or “partner analytics networks” designed to obscure the end destination of collected data.
How Chrome extensions exfiltrate browsing data and hide tracking
Most of the identified extensions present themselves as harmless utilities for shopping assistance, interface customization, productivity, or ad blocking. During installation, many request the history permission, which grants access to browser history, and sometimes the tabs or webRequest permissions. These capabilities allow an extension to read which URLs a user visits and, in some cases, to intercept and modify network requests.
Some add-ons further obfuscate or encrypt the data they send. Techniques include encoding payloads in Base64 or encrypting them with AES‑256. For regular users this traffic looks indistinguishable from legitimate encrypted communication. Even for security monitoring, such encryption makes it difficult to see that raw URLs and search queries are being transmitted, unless a full MITM inspection setup is in place.
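The correlation step from the methodology section, extended to the Base64 case mentioned here, shown as an added example (not the researcher's code): it searches captured request bodies for visited URLs in plain, percent-encoded and Base64 form. The hosts, URLs and request bodies are constructed sample data, and the function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Runs of Base64 / URL-safe Base64 characters long enough to hold a URL.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}")

def decoded_views(body):
    """Yield (encoding, text) views of one captured request body."""
    yield "plain", body
    unq = unquote(body)
    if unq != body:
        yield "percent-encoded", unq
    for run in B64_RUN.findall(unq):
        token = run.replace("-", "+").replace("_", "/")
        token += "=" * (-len(token) % 4)          # restore stripped padding
        try:
            raw = base64.b64decode(token)
        except binascii.Error:                    # not valid Base64, skip
            continue
        yield "base64", raw.decode("utf-8", errors="replace")

def find_history_leaks(visited, requests):
    """Return [(destination_host, visited_url, encoding)], first match per pair."""
    hits = {}
    for host, body in requests:
        for encoding, text in decoded_views(body):
            for url in visited:
                if url in text:
                    hits.setdefault((host, url), encoding)
    return [(host, url, enc) for (host, url), enc in hits.items()]

# Constructed sample data: URLs the harness "visited" and bodies the proxy captured.
SAMPLE_VISITED = [
    "https://shop.example.test/search?q=blood+pressure+medication",
    "https://intranet.example.test/hr/payroll?id=1138",
]
SAMPLE_REQUESTS = [
    ("collector-a.example.test", '{"evt":"nav","u":"%s"}' % SAMPLE_VISITED[0]),
    ("collector-b.example.test", "u=" + quote(SAMPLE_VISITED[1], safe="")),
    ("collector-c.example.test", '{"d":"%s"}' % base64.b64encode(
        ("ts=1;url=" + SAMPLE_VISITED[0]).encode()).decode()),
    ("update.example.test", '{"check":"version","v":"1.2.3"}'),
]

if __name__ == "__main__":
    for hit in find_history_leaks(SAMPLE_VISITED, SAMPLE_REQUESTS):
        print(hit)
```

A body encrypted at the application layer (the AES-256 case) will not match any of these views, so a content search of this kind only covers unencrypted and encoded payloads.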
Privacy policies, “consent,” and the business model of browsing data
The study highlights that data collection is, in many cases, formally disclosed in the extensions’ privacy policies. However, these documents are typically written in dense legal language and rely on broad formulations such as “usage statistics” or “interaction data,” which do not clearly convey that full browser history may be harvested and monetized.
According to the analysis, Similarweb states that data is anonymized on the client side, but its own policy acknowledges that collected information can include personal and sensitive data inferred from search queries and viewed content. In financial disclosures, Similarweb also notes that its platform partly relies on data collected via browser extensions and mobile applications. This reflects a broader industry model where free tools double as data exfiltration channels feeding commercial analytics and market‑intelligence products.
Security and privacy risks of large‑scale browser history tracking
Collecting browser history is not just a theoretical privacy issue. From a large dataset of visited URLs, analytics companies — or, in a worst case, malicious actors — can:
• Build a detailed user profile, including interests, profession, and likely income level;
• Infer health, financial, and personal issues based on visits to medical, banking, or legal websites;
• Track behavior of employees in corporations or public agencies, creating corporate security risks by mapping internal portals, partners, and technology stacks.
Such information can enhance targeted advertising, but it can also support open‑source intelligence (OSINT) efforts, social engineering, or competitive intelligence. For journalists, activists, and high‑risk professionals, persistent browser history tracking can expose sources, research topics, or confidential projects.
How to protect against risky Chrome extensions
Recommendations for individual users
To reduce exposure to invasive data collection by Chrome extensions, users should:
• Regularly audit installed extensions and remove anything unnecessary or unused;
• Carefully review requested permissions, especially history, tabs, and webRequest access;
• Prefer open‑source extensions whose code can be reviewed by the community;
• Use separate browser profiles — or even a separate browser — for “risky” add‑ons and casual browsing;
• Avoid installing extensions that offer marginal utility in exchange for broad data access.
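One way to make the permission review repeatable, as an added example that is not from the original research: the script reads an extension's manifest.json and reports the history, tabs and webRequest permissions named above. Flagging all-sites host patterns and content scripts goes beyond the article's list and is an addition here; both manifests are constructed samples and the function name is hypothetical.

```python
import json

# Permissions the article names as giving an extension visibility into visited URLs.
URL_PERMISSIONS = {"history", "tabs", "webRequest"}
# Host match patterns covering every site (an addition here, not named in the article).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def audit_manifest(manifest_text):
    """Return sorted 'manifest_key: value' findings for one manifest.json."""
    manifest = json.loads(manifest_text)
    findings = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
    for key in PERMISSION_KEYS:
        for value in manifest.get(key, []):
            if isinstance(value, str) and (value in URL_PERMISSIONS
                                           or value in BROAD_HOSTS):
                findings.add(f"{key}: {value}")
    # Content scripts injected on every site can read each page's address too.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add(f"content_scripts: {pattern}")
    return sorted(findings)

# Constructed sample manifests (not taken from any real extension).
SAMPLE_RISKY = """{
  "manifest_version": 3, "name": "Constructed Theme Helper", "version": "1.0",
  "permissions": ["storage", "history", "tabs"],
  "optional_permissions": ["webRequest"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]
}"""
SAMPLE_NARROW = """{
  "manifest_version": 3, "name": "Constructed Narrow Helper", "version": "1.0",
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://api.example.test/*"]
}"""

if __name__ == "__main__":
    for name, text in (("risky", SAMPLE_RISKY), ("narrow", SAMPLE_NARROW)):
        print(name, audit_manifest(text))
```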
Recommendations for organizations
For businesses and public sector entities, browser extensions should be treated as part of the attack surface:
• Implement extension allowlists via enterprise policies, blocking unapproved add‑ons;
• Restrict sensitive systems to hardened browser profiles with no third‑party extensions allowed;
• Monitor outbound traffic for anomalous patterns originating from browsers;
• Include browser extension security in user awareness training and internal policies.
The discovery of hundreds of Chrome extensions quietly collecting browser history illustrates how quickly a “useful tool” can become a powerful tracking mechanism. Protecting privacy and corporate data in today’s web environment requires treating every extension as software with access to critical information, installing only what is truly necessary, and maintaining disciplined security hygiene around browser use.