alt.hn

2/11/2026 at 10:00:56 AM

Chrome extensions spying on users' browsing data

https://qcontinuum.substack.com/p/spying-chrome-extensions-287-extensions-495

by qcontinuum1

2/11/2026 at 12:38:06 PM

Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.

It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.

by deanc

2/11/2026 at 3:59:02 PM

For the over 10 years that I have maintained a reasonably popular cross-browser extension, I've been collecting various monetization offers. They simply don't stop coming: https://github.com/extesy/hoverzoom/discussions/670

by extesy

2/11/2026 at 7:57:53 PM

It's worth reminding people that Firefox extensions that are part of Mozilla's "recommended extensions" program have been manually vetted.

> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.

https://support.mozilla.org/en-US/kb/recommended-extensions-...

Updates must also be vetted before being made available.

by GeekyBear

2/11/2026 at 1:02:53 PM

It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.

You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.

If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.

by RupertSalt

2/11/2026 at 1:21:35 PM

Pardon the ignorance but what's being exploited by someone buying a video game character?

by dalmo3

2/11/2026 at 3:06:42 PM

If you buy someone's old gaming account (Steam for example) with many years of activity, you can appear more legitimate when trading, therefore making it easier for people to trust you and fall victim to your scam(s).

by asimovDev

2/11/2026 at 1:31:21 PM

I think he was just saying that it is a similar business to that, just drawing a comparison that there is a market like the one for selling video game accounts. Also, usually people who cheat in games will buy high-level accounts because they will be banned much faster if they start playing with new accounts for cheating. This happens all the time in some of the games I play.

by elashri

2/11/2026 at 6:23:40 PM

Companies spend a fortune on endpoint security and then let employees install random Chrome extensions with full page access. I've seen AWS console sessions running in browsers with a dozen extensions nobody's ever audited. The extension store is basically a supply chain attack marketplace at this point.

by kevincloudsec

2/11/2026 at 2:23:42 PM

15 years ago was probably this type of business in its very early stage. There is little that can be done about "selling" extensions. Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.

by qcontinuum1

2/11/2026 at 2:33:08 PM

It's a moronic industry, waiting for the catastrophic data-theft disaster to happen before they do anything... Google is doing it, Apple did it, Zuck did it (the only hindrance Cambridge Analytica had to go over seemed to be the apps developer agreement that devs had to click to promise you won't do anything bad with the personal information of all those Facebook users...).

Which is all the more incredible, considering Blackberry (the phone company that was big before the age of iPhones or YouTube) had a permission model that allowed users to deny 3rd-party apps access to contacts, calendar, etc, etc. The app would get a PermissionDeniedException if it couldn't access something. I remember the Google Maps app for Blackberry, whose solution to that was "Please give this app all permissions or you can't use it"...

by netsharc

2/11/2026 at 1:05:14 PM

[flagged]

by gilrain

2/11/2026 at 2:14:08 PM

He sold a piece of software he wrote. It's something totally legit that happens all the time.

And we don't know if the new owner changed anything or if anybody at all got hurt by that. We do know you rudely insulted the parent, however.

by coldtea

2/11/2026 at 1:38:07 PM

This is what I'd say about someone who sold their extension today, but I don't think this business model was nearly as well-known 15 years ago.

by benregenspan

2/11/2026 at 1:21:42 PM

How were they supposed to know that was going to happen? You think they walked up and said, “Hi. I’m here to buy your software and hurt people with it”?

by Forgeties79

2/11/2026 at 2:02:55 PM

If a stranger walks up to the chef in a restaurant and offers to pay them to put some mystery stuff in the food, or someone walks up in during a surgery and asks if they can make some incisions and inject some mystery stuff, would you (as a customer of the restaurant or hospital) expect this to be allowed?

by ptx

2/11/2026 at 2:05:22 PM

If someone walks up to the owner in a restaurant and offers to pay them money to buy the restaurant, it's not considered suspicious.

by pocksuppet

2/11/2026 at 3:12:56 PM

Assuming the someone is private equity buying out, I expect the quality to drop like a stone and the place to go to hell.

So. It's not suspicious. But you can rest assured as a customer it isn't good news.

(that doesn't make it wrong to sell ofc)

by Ntrails

2/11/2026 at 2:48:13 PM

That isn’t remotely comparable. You’re asking someone to quietly alter someone else’s product, not selling the product to them. They didn’t pay him to change the extension, they bought it.

by Forgeties79

2/11/2026 at 3:32:52 PM

They bought the permission to make changes to customer machines that had been granted to the seller by the customer. If it's just a sale of the source code, there's no problem. But what is bought is usually the pre-existing update channel (the installed base), precisely to be able to alter the product for existing users without explicitly informing them or asking for consent.

by ptx

2/11/2026 at 5:17:00 PM

I get what you’re trying to say but comparing selling your tool to pocketing money on the job to commit a crime is not the same thing.

by Forgeties79

2/11/2026 at 4:27:09 PM

While assuming absolutely zero bad will on your part, I would nevertheless find it fair if you were legally on the hook for whatever happened after the sale, unless you could prove that you provided reasonable means for the users of your extension to perform their due diligence on the new owner of the extension.

This is of course easy to say in hindsight, and is absolutely a requirement that should be enforced by the extension appstore, not by individual contributors such as yourself.

by Rygian

2/11/2026 at 7:20:49 PM

No, how it should work is each extension is associated with a private key that is registered with a specific individual or legal entity and implies some kind of liability for anything signed with that key - and if/when the key changes (or the associated credentials), users will be explicitly alerted and need to re-authenticate the plugin.

If the old owner gives their key to the new owner, then they should be on the hook for it. I was thinking of this yesterday, as I think this is also how domains should work.

by Chris2048

2/12/2026 at 5:19:01 AM

How does this safeguard against having the extension under a company and selling that company off? Still the same entity, different owners, different "incentives".

by dragonmost

2/12/2026 at 6:50:30 AM

Assuming the new owner is a director of the new company, they are now liable. Or possibly the previous owner, if they handed over the key as an asset.

by Chris2048

2/11/2026 at 6:53:11 PM

I wouldn't find that fair at all. Bad actors should be legally responsible for their bad action. If I sell you a taxi business, and then all of a sudden you decide to start robbing the customers - it's not my fault is it? And just to be clear, I had no idea if my extension was used for nefarious purposes, but in hindsight it probably was.

by deanc

2/11/2026 at 8:48:58 PM

Customers were sold[1] a lifetime subscription to Honest Guy's taxis, and then Honest Guy does a secret deed to sell his taxi joint to Bad Guy[2] without telling any customer about it. Then customers start getting ripped off in all manner of ways, that some of them would have known to avoid if they knew their taxis were being run by Bad Guy.

[1] Of course, the issue here is that no contracts were signed.

[2] In the specific case I was replying to, there was no malice or intent to hide from you as seller. Yet, a better outcome could have been achieved by advertising the sale to those impacted.

I don't think there is any legal support for what I describe above, but in principle whenever a user signs up for Good Thing, and then gets bait-and-switched to Evil Thing, the main victim is the user, and it is fair to hold responsible everyone involved in the bait-and-switch maneuver.

by Rygian

2/12/2026 at 9:31:27 PM

Replace Honest Guy with local hospital or care home and bad guy with vulture capital, and you will find that this happens all too often; any time there's an established and captive audience, you will find vultures circling all around it.

At least there are individual states actually responding to this malpractice: https://pestakeholder.org/reports/2025-state-healthcare-poli...

by tremon

2/12/2026 at 8:37:53 AM

What is fair and what is legal are very different concepts. I agree in principle with what you're saying but there is no legal basis for it - as you recognise.

by deanc

2/11/2026 at 5:01:48 PM

How would that even work? What if the seemingly clean buyer sells it to someone else scammy?

by eli

2/11/2026 at 8:49:31 PM

Disclose the sale to the users of the thing being sold. Plain and simple.

by Rygian

2/11/2026 at 1:39:37 PM

Couple of quick thoughts on how to protect yourself from having a formerly trustworthy extension go rogue on you:

- https://github.com/beaufortfrancois/extensions-update-notifi...

And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)

- brave://flags/#brave-extension-network-blocking

You can then create custom rules to filter extension traffic under brave://settings/shields/filters

e.g.:

  ! Obsidian Web
  *$domain=edoacekkjanmingkbkgjndndibhkegad
  @@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad

- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually

by gnl
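A script along the lines of the checks above, added here as an example and not part of gnl's post: it reads the manifest.json of each installed extension from a Chrome-style profile directory (assumed layout <profile>/Extensions/<id>/<version>/manifest.json), flags the ones with site-wide host access, and emits Brave filter rules in the format the post shows. The extension ids and names in the demo are constructed.

```python
"""Triage installed Chrome-family extensions by host access and emit Brave
network-blocking rules for the broadly privileged ones.

Added example for this thread, not code from the original post. Assumed:
manifest.json files laid out like Chrome's profile directory
(<profile>/Extensions/<id>/<version>/manifest.json); the Brave rule syntax
is the one shown in the post above.
"""
import json
import os
import tempfile

# Match patterns that grant read/write access to every site the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern an extension declares (MV2 and MV3)."""
    pats = set()
    # MV2 mixes host patterns into "permissions"; MV3 lists them separately.
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                pats.add(p)
    # Content scripts get the same access on every page they match.
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def is_broad(patterns: set) -> bool:
    """True when any declared pattern covers all sites."""
    return bool(patterns & BROAD_PATTERNS)


def brave_rules(ext_id: str, name: str, allow_hosts=()) -> str:
    """Rules in the form shown in the post: block all traffic from this
    extension, then allow-list the hosts it legitimately needs."""
    lines = [f"! {name}", f"*$domain={ext_id}"]
    for host in allow_hosts:
        lines.append(f"@@||{host}^$domain={ext_id}")
    return "\n".join(lines)


def triage(extensions_dir: str) -> list:
    """One record per installed extension version: id, name, patterns, broad flag.
    Note: store-installed manifests may carry an i18n placeholder name such as
    __MSG_appName__; resolving _locales/ is out of scope here."""
    out = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            mpath = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as f:
                manifest = json.load(f)
            pats = host_patterns(manifest)
            out.append({
                "id": ext_id,
                "version": version,
                "name": manifest.get("name", "?"),
                "host_patterns": sorted(pats),
                "broad": is_broad(pats),
            })
    return out


def demo() -> list:
    """Constructed sample profile with two fake extension ids (not real ones)."""
    root = tempfile.mkdtemp()
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Cursor Pets (constructed)",
            "permissions": ["storage"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["pets.js"]}],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 2, "name": "Example Helper (constructed)",
            "permissions": ["storage", "https://example.com/*"],
        },
    }
    for ext_id, manifest in samples.items():
        d = os.path.join(root, ext_id, "1.0.0_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return triage(root)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
        if rec["broad"]:
            print(brave_rules(rec["id"], rec["name"], ["127.0.0.1"]))
```

A broad flag is a prompt to look closer (and to watch that extension's updates), not proof of misbehaviour; many legitimate tools such as content blockers need site-wide access.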

2/12/2026 at 4:03:36 AM

> Clone the GitHub repo, … build from source, update manually

I’d be ok to do that once per extension, but then I’ve got multiple PCs (m), multiple browser profiles (p), OS-reimages (r), and each extension (e) locally installed doesn’t sync — manually re-installing local extensions m x p x r x e times is too much for me. :-( (And that’s even if I’m only running Chrome, as opposed to multiple browser or Chromium derivatives.)

by no-name-here

2/12/2026 at 10:30:20 AM

Yeah that one's too much for me too, I used to do this years ago, but not anymore. Especially since I found out Brave supports network blocking for extensions, which is something you generally set up once and then forget about it. I'm just giving people tools and ideas I didn't see mentioned elsewhere in the comments, it's up to everyone to figure out their particular threat scenarios and tradeoffs individually.

This could probably be automated though if someone wanted to tackle it. git pull, agentic code review, auto-build from source, install.

by gnl

2/12/2026 at 12:39:21 AM

> Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually

This is a great idea. Are there any deterministic tools to audit an extension codebase?

by dotancohen

2/12/2026 at 10:37:27 AM

I don't know, but if there were, I wouldn't expect them to do anywhere near as good a job or – perhaps somewhat counterintuitively – be anywhere near as reliable. Static rules only go so far when it comes to this stuff. And assuming that you're starting from a trustworthy base, and Claude Code (or similar) can focus its attention on recent changes to the repo in particular, I imagine sneaking actual malware in there would be pretty hard without throwing up a bunch of red flags.

See also:

- [0-Days \ red.anthropic.com]( https://red.anthropic.com/2026/zero-days/ )

EDIT: The main challenge here is more likely to be the noise, as the LLM is more likely to flag too much than too little, so I'd recommend putting together a prompt that has it group whatever it finds by severity and likelihood of malicious intent.

EDIT 2: Re Anthropic link above – worth pointing out that finding intentionally introduced malware when you have access to the source code and git history is a hell of a lot easier than finding a 0-day. The malware has to exfil data eventually or do ransomware stuff, good luck hiding that without raising the alarm, plus any attempt at aggressive obfuscation will raise the alarm on its own. I'm not saying it's impossible, I am saying that I think it's very very hard.

by gnl

2/11/2026 at 12:26:00 PM

This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.

by singularfutur

2/11/2026 at 12:40:37 PM

An extension from a trusted, non-anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually built verbatim from the code which is open sourced.

by mixedbit

2/11/2026 at 12:59:20 PM

Actually, npm supports "provenance" and, as it eliminated long-lived access tokens for publishing, it encourages people to use "trusted publishing", which over time should make the majority of packages auto-provenance-verified.

https://docs.npmjs.com/trusted-publishers#automatic-provenan...

by jakub_g

2/11/2026 at 1:32:55 PM

pypi also added this last year [1] and is encouraging people to use trusted publishing as well.

[1] https://docs.pypi.org/trusted-publishers/

by elashri

2/12/2026 at 8:57:55 AM

If the build doesn't happen without network access, it doesn't really work.

by LtWorf

2/11/2026 at 5:58:54 PM

Unless the Chrome web store integrates with this, it puts the onus on users to continuously scan extension updates for hash mismatches with the public extension builds, which isn’t standardized. And even then this would be after an update is unpacked, which may not run in time to prevent initial execution. Nor does it prevent a supply chain attack on the code running in the GitHub Action for the build, especially if dependencies aren’t pinned. There’s no free lunch here.

by btown

2/11/2026 at 3:56:46 PM

key word "encourages"

when someone uses `npm install/add/whatever-verb` does it default to only using trusted publishing sources? and the dependency graph?

either 100% enforcement or it won't stick and these attack vulnerabilities are still there.

by smithza

2/11/2026 at 1:48:55 PM

If the RPM/deb comes from a Linux distribution then there is a good chance there is a separate maintainer and the binary package is always built from the source code by the distro.

Also if the upstream developer goes malicious there is a good chance at least one of the distro maintainers will notice and both prevent the bad source code being built for the distro & notify others.

by m4rtink

2/11/2026 at 3:39:35 PM

Browser extensions come from the Chrome/Firefox addon store, though, and not through distros.

by pocksuppet

2/12/2026 at 2:49:22 AM

And maybe that's why we have the problem that is being discussed? No third party that would audit and build extensions from source.

by m4rtink

2/12/2026 at 9:00:30 AM

Everybody seems to hate distributions though.

by LtWorf

2/11/2026 at 12:33:29 PM

How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

by randunel

2/11/2026 at 12:44:36 PM

I agree but let me play the devil's advocate. I'll channel Stallman:

Same argument can be applied to all closed source software.

In the end it's about who you trust and who needs to be verified, and that is relative, subjective, and contextual... always.

So unless you can read the source code and compile yourself on a system you built on an OS you also built from source on a machine built before server management backdoors were built into every server... you are putting your trust somewhere and you cannot really validate it beyond wider public perceptions.

by endsandmeans

2/11/2026 at 1:43:07 PM

Don't forget to channel Ken Thompson ("Reflections on Trusting Trust") -- you can read the source code, but where did you get the compiler?

by anonymars

2/11/2026 at 12:51:46 PM

> How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

Extensions are local files on disk. After installing it, you can audit it locally.

I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it.

On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone.

Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.

by nickjj
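The diff described above, as an added example that is not part of the comment: it hashes every file in the installed package (an .xpi zip or an unpacked directory) and in a source checkout, then reports files that were modified, injected, missing, or added by the store. The sample extension tree is constructed; the META-INF/ (AMO signature) and _metadata/ (Chrome) prefixes are an assumption about what the stores add on signing and install.

```python
"""Compare an installed extension package against a source checkout.

Added example for this thread, not code from the original comment. Assumed:
the installed copy is either a zip (Firefox .xpi) or an unpacked directory
(Chrome); STORE_ADDED_PREFIXES are files the stores are believed to add on
signing/install and are reported separately rather than as injected code.
"""
import hashlib
import os
import tempfile
import zipfile

STORE_ADDED_PREFIXES = ("META-INF/", "_metadata/")


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_from_dir(root: str) -> dict:
    """Map relative path -> sha256 for every file under root (forward slashes)."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # VCS metadata is never shipped
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                out[rel] = _sha256(f.read())
    return out


def hashes_from_zip(path: str) -> dict:
    """Same map for a zip-based package such as a Firefox .xpi."""
    out = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                out[info.filename] = _sha256(zf.read(info))
    return out


def load_installed(path: str) -> dict:
    """Accept either an .xpi/.zip file or an unpacked extension directory."""
    return hashes_from_zip(path) if zipfile.is_zipfile(path) else hashes_from_dir(path)


def compare(installed: dict, source: dict) -> dict:
    """Classify differences. 'added' is the bucket to read first: code shipped
    to users that has no counterpart in the public repository."""
    report = {"modified": [], "added": [], "missing": [], "store_added": []}
    for rel, digest in sorted(installed.items()):
        if rel in source:
            if source[rel] != digest:
                report["modified"].append(rel)
        elif rel.startswith(STORE_ADDED_PREFIXES):
            report["store_added"].append(rel)
        else:
            report["added"].append(rel)
    report["missing"] = sorted(set(source) - set(installed))
    return report


def demo() -> dict:
    """Constructed sample: a source tree and an .xpi whose background.js differs,
    which carries an extra file not in the repo, and which lacks one repo file."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "repo")
    os.makedirs(os.path.join(src, "scripts"))
    files = {
        "manifest.json": b'{"manifest_version": 2, "name": "Example (constructed)"}',
        "scripts/background.js": b"console.log('hello');\n",
        "scripts/content.js": b"document.title;\n",
    }
    for rel, data in files.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    xpi = os.path.join(tmp, "example.xpi")
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("manifest.json", files["manifest.json"])
        zf.writestr("scripts/background.js", b"console.log('hello');\n// constructed change\n")
        zf.writestr("scripts/extra.js", b"// constructed: not present in the public repo\n")
        zf.writestr("META-INF/mozilla.rsa", b"constructed-signature-blob")
    return compare(load_installed(xpi), hashes_from_dir(src))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Two caveats when running this against a real install: a repository with a build step (bundling, minification) has to be built first, which is the reproducibility gap mixedbit describes, and Chrome Web Store installs typically carry an `update_url` key added to manifest.json, so that file will show as modified there.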

2/11/2026 at 3:09:12 PM

Extensions are trivial unless they have to run external software or services. Download the extension, extract the source, audit it with a good thinking model and either strip out all third party URLs/addresses or have the agent clone the functionality you want.

by AJ007

2/11/2026 at 5:22:13 PM

The open source one automatically publishes to the Chrome Store from GH actions so that there is no human involvement in the deployment process.

I'm currently in the process of setting that up for the one I'm building (because this transparency is very important to me) and it is a pain in the butt to do so. You have to go through a few verification processes at Google to get the keys approved.

by oj-hn-dot-com

2/11/2026 at 1:14:22 PM

I'm running Uniget on Win11 and this is my worry there. Provenance of installs vs the actually released files.

by pbhjpbhj

2/11/2026 at 1:18:24 PM

I wish we had something like "source hash" available in all repositories.

by pezgrande

2/11/2026 at 12:38:24 PM

This kind of nihilistic comment doesn’t do anything for me.

There’s always a possibility of problems along the chain. You are reducing your risk not eliminating it.

by fn-mote

2/11/2026 at 2:43:50 PM

> This kind of nihilistic comment doesn’t do anything for me.

Got to say, mischaracterising a neutral question as a nihilistic comment doesn't do anything for me.

by chrisjj

2/11/2026 at 9:21:56 PM

This is why it's so sad that Tampermonkey isn't open source. https://github.com/Tampermonkey/tampermonkey/discussions/173...

by cachius

2/11/2026 at 10:02:05 PM

TM is capable of doing most of what other extensions do, so it's too bad it's not open source because the ecosystem is inherently transparent.

by joquarky

2/11/2026 at 1:21:43 PM

Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?

"Don't trust Google" imo is the wrong response here. We are at the mercy of our institutions, and if they are failing us we need mechanisms to keep them in check.

by Rebuff5007

2/11/2026 at 2:18:28 PM

>Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?

Cars are under quite strict laws that software isn't. And there is only a small number of car vendors, while there are several orders of magnitude more extension vendors. Also a car vendor is a big company with many audits and controls, an extension "vendor" could just be some guy in his garage office, who just sold it to scammers, even for popular extensions.

And I still wouldn't trust a modern car using subscriptions and code updates.

by coldtea

2/11/2026 at 3:54:54 PM

Also, car companies have a lot at stake and are a clear target. The scammer is hard to even identify, and has no reputation to worry about. Of course in case of a sold extension, the original author of the extension may have a reputation they care about, but only if they're still making other extensions.

by sjamaan

2/11/2026 at 2:36:46 PM

“Don’t trust Google” is table stakes for being on the Internet over the past couple decades.

by acheron

2/11/2026 at 2:36:09 PM

There are no established institutions for checking add-ons. The stores claim to do some checks, but it seems enough is slipping through their net. It's also common sense to not buy something critical from a random anonymous source on the internet.

by PurpleRamen

2/11/2026 at 1:29:56 PM

My car can't login to my bank account.

by __alexs

2/11/2026 at 1:39:47 PM

Give it a few years. After all, how will Tesla get that $99 every month for your self-driving subscription?

by haritha-j

2/11/2026 at 1:39:36 PM

Your car and fellow road users' cars generally have your life, your passengers' lives, and other road users' lives in its hands while in use.

by abenga

2/11/2026 at 2:53:05 PM

Well, I see how, especially for people who are close to death and want to provide for their loved ones, the answer to "Your money or your life" might lean in the other direction.

by falcor84

2/12/2026 at 9:02:31 AM

My car probably could be hacked to murder me in secret but frankly I'm not worth expending that kind of access on.

The threat model is really very different.

by __alexs

2/11/2026 at 8:42:33 PM

> "Don't trust Google" imo is the wrong response here.

Straw man. The argument is that by installing random extensions you trust anonymous developers *because* Google doesn't audit. I'll cite the parent to spare you the effort of reading it again:

> The Chrome Web Store is basically unregulated and Google doesn't care.

Yes, I trust the contents of the medicine I buy at the drug store more than I trust the drug dealer on the corner. That's why they hand out test kits for free at raves.

by worksonmine

2/11/2026 at 1:08:22 PM

> This is why I only run open source extensions that I can actually audit.

How far does your principle extend? To your web browser too? Google Chrome itself is partly but not entirely open source. Your operating system? Only Linux? Mac and Windows include closed source.

by lapcat

2/11/2026 at 1:18:30 PM

On HN of all places it's not that implausible that someone might be running Linux and Chromium or Firefox, surely?

by nemomarx

2/11/2026 at 1:31:37 PM

I didn't claim that it's implausible. I asked a question.

On the other hand, it's not that implausible either that someone might be running Google Chrome, Windows, Mac, etc. We know that many HN commenters do. Thus, while the OP may be 100% consistent, "I only run open source extensions that I can actually audit" would not be a consistent principle for those who also use closed source software.

by lapcat

2/11/2026 at 2:43:32 PM

Why do you think it’s not consistent? You don’t have to apply the same policies to everything you use.

by notpushkin

2/11/2026 at 3:04:11 PM

> You don’t have to apply the same policies to everything you use.

What's the reasoning behind it, though?

You can arbitrarily apply different policies to different things, but there's no rhyme or reason to that.

If the difference ultimately comes down to trusting certain developers to an extent that you don't need to audit their source, then I'm not sure why that couldn't also be true of certain extension developers.

by lapcat

2/11/2026 at 4:52:04 PM

Linux distros have a good reputation, browser extensions don’t. Might be simple as that.

by mixmastamyk

2/11/2026 at 5:21:55 PM

It appears that you may have misunderstood the preceding discussion. Linux is open source and thus can be audited.

by lapcat

2/12/2026 at 2:55:25 AM

One might choose not to however, yet still audit their extensions.

by mixmastamyk

2/11/2026 at 1:20:12 PM

If they live in California, they're most assuredly borrowing prestige through licenced usage of apple hardware.

Because let's get real, no one ever gets a job in tech if they're not an iPhone user right?

by NamlchakKhandro

2/11/2026 at 1:18:32 PM

This is the safest way. You also want to disable auto update to version lock, which means using Firefox or Safari or loading unpacked if you use Chrome.

by bennydog224

2/11/2026 at 3:58:29 PM

consider how the xz supply-chain attack occurred 2 years ago [0]. the malware isn't auditable with a `git clone` as easily as you might want.

[0] https://research.swtch.com/xz-timeline

by smithza

2/11/2026 at 1:24:24 PM

It’s one of the reasons I run Safari, which strictly limits what extensions can do for these reasons.

by Angostura

2/11/2026 at 1:40:04 PM

No, Safari is really no different here from Chrome, and indeed there's broad compatibility between the extension API, such that in many cases you can use a Chrome extension unmodified in Safari.

by lapcat

2/11/2026 at 4:36:33 PM

Ah, thanks, interesting. I remember the kerfuffle when Safari introduced its new model and I didn’t realise Chrome had followed suit.

by Angostura

2/11/2026 at 2:20:44 PM

And you audit every update? Ahem.

by lofaszvanitt

2/11/2026 at 2:50:08 PM

Annoyed with how the AWS console sometimes changes regions on its own, I recently decided that I need an extension to make the current region displayed prominently. After a bit of research, I found the AWS Colorful Navbar [0] extension, which does pretty much exactly what I wanted, but (understandably) requires granting it "This extension can read and change your data on sites" on `*://*.console.aws.amazon.com/*`, which I'm not willing to give to an external extension. So my solution was forking the repo [1], carefully auditing the code, and then installing it from a local clone (which they actually have a nice explanation for). Going forward, I think I'll try using this approach for all sensitive extensions.

[0] https://chromewebstore.google.com/detail/aws-colorful-navbar...

[1] https://github.com/nalbam/aws-navbar-extension

by falcor84

2/11/2026 at 2:12:37 PM

My daughter, in grade school, uses a Chromebook at school and accesses Google Classroom through Chrome. The school has very few restrictions on extensions and when I log into her account, Chrome is littered with extensions. They are all innocuous (ex. change cursor into cat, pets play around on your screen etc). However, without fail, each time I log in and go to the extension page, Chrome notifies me that one or more of the extensions was removed due to malicious activity or whatever.

by giarc

2/11/2026 at 2:39:16 PM

I don't think that your daughter would know if, say, any web cam might take photos and see what she's searching, if the extensions are indeed malicious.

I'd either go ahead and talk to her and remove extensions altogether and ask her to have stock/only open source extensions (yes, open source also has supply issues but it's infinitely more manageable than this), or the second option being to maybe create them yourself. I don't know how Chrome works (I use Firefox) but one thing that you can do is, if the thing is simple for your daughter, then just vibe code it and use Tampermonkey (heck, even open source it) and then audit the code written by it yourself if you have security concerns.

Nowadays I really just end up creating my own extensions with Tampermonkey before using any proprietary extension. With Tampermonkey, the cycle actually feels really simple (click edit, paste, etc.) and even a single glance at the code can show any security errors for basic stuff, and it's one of the few use cases of (AI?) in my opinion.

by Imustaskforhelp

2/13/2026 at 4:58:28 PM

I still use the Little Rat extension, it shows a little notification when an extension does a network request, and lets you see quickly what type and where. It can also block requests (doesn't seem to work all the time in Brave now, even with the flag on), activate and deactivate extensions:

https://github.com/dnakov/little-rat

There's also this site that I've used from time to time to audit extensions quickly:

https://chrome-stats.com/

by mickelsen

2/11/2026 at 4:02:13 PM

This is why I disable automatic updates. Not just for browser extensions but everything. This whole "you gotta update immediately or you're gonna get hacked" thing is a charade. If anything, if you update you'll be hacked at this point.

by ravenstine

2/11/2026 at 5:35:38 PM

Damned if you do, damned if you don't.

by leptons

2/11/2026 at 12:11:58 PM

And the ones that are not will probably get bought out at some point and become malware as well.

The only extension I trust enough to install on any browser is uBlock Origin.

by matheusmoreira

2/11/2026 at 12:19:10 PM

I have published an extension [1] that has 100k+ users and I've probably received hundreds of emails over the years asking me to sell out in one way or another. It's honestly relentless. For that reason I also only trust uBlock Origin, Bitwarden and my own extensions.

I'd also note that all this spam is via the public email address you're forced to add to your extension listing by Google. I don't think I've ever had a single legitimate email sent to it. So yeh, thanks Google.

[1] https://chromewebstore.google.com/detail/old-reddit-redirect...

by mcjiggerlog

2/11/2026 at 12:25:00 PM

Just to say thanks for this extension, and keeping Reddit usable (at least for me).

by Hard_Space

2/11/2026 at 2:22:15 PM

Respect for not selling out. I have to admit though... If I had a browser extension and someone suddenly offered me a million dollars for it, I think I would take it.

This realization made me distrust any system where it is even possible to sell out. In order for a system to be trustworthy, it must be impossible for this sort of exploitation to ever occur, no matter how much money they put on the table.

by matheusmoreira

2/11/2026 at 3:51:48 PM

Can confirm this, also get a lot of sell-requests for my 10k+ user extension via the public mail that I have to add on the Chrome Web Store.

by sunaookami

2/12/2026 at 8:53:00 AM

Thank you so much for making and maintaining this extension.

Know that you are truly appreciated by many.

by Cipater

2/11/2026 at 12:33:05 PM

Just curious how much does it sell? It gives an idea about how much my personal data is worth

by rat9988

2/11/2026 at 12:45:13 PM

I was just having a quick search and the only email I can find that offered a price range up front was for $0.1-0.4 per user, and that was from 2023. So I assume up to a dollar per user these days?

by mcjiggerlog

2/11/2026 at 12:49:01 PM

I imagine it must be very tempting to take that bag while old reddit is still usable.

Thank you for not doing so.

by xnorswap

2/11/2026 at 12:54:56 PM

No, fortunately in my case it's not tempting at all.

It's easy to see how many people in less advantaged positions would end up selling out, though.

by mcjiggerlog

2/11/2026 at 1:58:30 PM

> The only extension I trust enough to install on any browser is uBlock Origin.

Note however that the origin of uBlock Origin is that the developer Raymond Hill transferred control of the original uBlock project to someone who turned out not to be trustworthy, and thus Hill had to fork it later.

by lapcat

2/11/2026 at 6:51:26 PM

I never transferred the extension in the Chrome store. The Chrome store extension has always been the one from the repository I control, and I've had full control of it since when I created it back in June 2014.

by gorhill

2/11/2026 at 8:29:10 PM

Thank you for your work!

by matheusmoreira

2/11/2026 at 9:55:22 PM

Dude man, great respect for your work.

by weird_tentacles

2/11/2026 at 1:47:15 PM

That's the only extension I have installed too!

I used to have tree-style tab, but now firefox has got native support for vertical tabs so I don't need to install anything extra.

Installing new extensions is sometimes appealing, but the risk is just too high.

by stevekemp

2/11/2026 at 2:13:38 PM

I often make the argument that uBlock Origin is so essential that it should be built into the browsers instead of being a separate extension. The restrictions imposed by manifest v3 are good, it's just that uBlock Origin is special enough that it should be able to bypass them.

Unfortunately, the huge conflicts of interest make this unrealistic. Can't trust developers funded by ad money to develop an ad blocker.

by matheusmoreira

2/11/2026 at 12:54:49 PM

The fact that most of these are capturing query parameters:

  "u": "https://www.google.com/search?q=target",

indicates that they are capturing tons of authentication tokens. So this goes way beyond just spying on your browser history.

by l72

2/11/2026 at 1:30:40 PM

If a service is sending auth tokens as URL parameters, stop using it. Those are always public.

by cess11

2/11/2026 at 2:38:57 PM

I don't disagree with the advice (especially for long-lived tokens), but query parameters are encrypted during transit with HTTPS. You still need to worry about server access logs, browser history, etc. that might expose the full request URL.

by dangets

2/11/2026 at 7:35:07 PM

huh? https encrypts URL parameters?

by karel-3d
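
An added Python example (not from any commenter here) that makes the distinction in the last few comments concrete: with HTTPS only the scheme, host and port are observable on the wire, while the query string is encrypted in transit yet still sits in plain text in browser history, server access logs and anything an extension reports home. The parameter-name list, the entropy heuristic and the sample URL are my own assumptions.

```python
import math
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry credentials or bearer-style secrets.
# Constructed list for this example; extend it for the services you run.
SENSITIVE_NAMES = {
    "token", "access_token", "id_token", "refresh_token", "auth", "apikey",
    "api_key", "key", "session", "sessionid", "sid", "code", "signature", "sig",
}

# Constructed sample: an OAuth-style callback URL with a one-time code in it.
SAMPLE_URL = "https://example.com/cb?state=abc&code=SplxlOBeZQQYbYS6WxSbIA&q=target"


def _shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(name: str, value: str) -> bool:
    """Flag a query parameter as a probable credential.

    Either the name is on the known list, or the value is long and has the
    high per-character entropy typical of random tokens (heuristic only).
    """
    if name.lower() in SENSITIVE_NAMES:
        return True
    return len(value) >= 20 and _shannon_entropy(value) > 3.5


def exposure_map(url: str) -> dict:
    """Split a URL into what is visible on the wire vs. only TLS-protected.

    With HTTPS the scheme, host and port are observable (DNS, TCP, TLS SNI);
    the path and query travel inside the encrypted stream.  That same
    path/query is still plaintext to the browser, its extensions, the
    browser history and the server's access logs.  The fragment is never
    sent to the server at all.
    """
    p = urlsplit(url)
    return {
        "wire_visible": {"scheme": p.scheme, "host": p.hostname, "port": p.port},
        "tls_protected": {"path": p.path, "query": p.query},
        "never_sent": {"fragment": p.fragment},
    }


def redact_url(url: str) -> str:
    """Return the URL with probable credential values replaced by REDACTED,
    suitable for writing to a log or pasting into a report."""
    p = urlsplit(url)
    pairs = parse_qsl(p.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if looks_like_secret(k, v) else v) for k, v in pairs]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(cleaned), p.fragment))
```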

2/11/2026 at 12:58:49 PM

And why didn't one of the wealthiest companies of the world capture this themselves?

Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.

by GuestFAUniverse

2/11/2026 at 1:20:42 PM

> And why didn't one of the wealthiest companies of the world capture this themselves?

Assume they did.

And the question becomes "Why didn't they come clean?" ... and much easier to answer.

by chrisjj

2/11/2026 at 5:02:46 PM

Genuinely not sure what you're suggesting

by eli

2/11/2026 at 5:29:38 PM

I am suggesting Google did catch this.

by chrisjj

2/11/2026 at 6:43:43 PM

Without vague handwaving, why do you think they would do that?

by eli

2/11/2026 at 9:17:55 PM

Because I can envisage no answer to the question ("why didn't one of the wealthiest companies of the world capture this themselves?").

by chrisjj

2/11/2026 at 12:56:53 PM

> We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.

The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.

by lapcat
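
The quoted method is a correlation test, so here is an added Python sketch of that detection step (my own code, not the researchers' pipeline, which they say they do not share): each navigation's URL length is paired with the bytes every destination host received during that navigation, and hosts whose traffic volume tracks URL length are flagged. The host names and byte counts are constructed samples.

```python
import math
from collections import defaultdict


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    if n < 2:
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def correlate_exfil(observations, min_samples=5, threshold=0.9):
    """Rank destination hosts by how strongly their outbound request size
    tracks the length of the URL the browser was navigated to.

    observations: list of (visited_url, [(dest_host, request_bytes), ...]),
      one entry per navigation, listing every outbound request the proxy
      recorded while that page was open.
    Returns {host: r} for hosts seen at least min_samples times whose
    correlation reaches the threshold.
    """
    per_host = defaultdict(lambda: ([], []))
    for url, requests in observations:
        # Sum bytes per host within one navigation: a leaking extension may
        # split or batch its requests, but the total still grows with the URL.
        totals = defaultdict(int)
        for host, size in requests:
            totals[host] += size
        for host, size in totals.items():
            xs, ys = per_host[host]
            xs.append(len(url))
            ys.append(size)
    flagged = {}
    for host, (xs, ys) in per_host.items():
        if len(xs) >= min_samples:
            r = pearson(xs, ys)
            if r >= threshold:
                flagged[host] = round(r, 3)
    return flagged


def sample_observations():
    """Constructed sample: six URLs of increasing length fed to the browser,
    with the outbound requests a proxy might record for each.
    'telemetry.example' sends a fixed-size beacon, 'collector.example' sends
    the URL plus ~40 bytes of envelope, and 'a.test' is the site itself with
    near-constant traffic."""
    urls = [
        "https://a.test/",
        "https://a.test/search?q=target",
        "https://a.test/search?q=target&page=2&sort=date",
        "https://a.test/account/settings/privacy/export?format=json",
        "https://a.test/very/long/path/" + "x" * 60 + "?token=SECRET",
        "https://a.test/p/" + "y" * 120,
    ]
    site_bytes = [504, 498, 512, 501, 497, 509]
    return [
        (u, [("telemetry.example", 312),
             ("collector.example", len(u) + 40),
             ("a.test", s)])
        for u, s in zip(urls, site_bytes)
    ]
```

Against real captures the fit is looser (compression, encoding, batching), so the threshold and sample count are knobs to tune, not constants.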

2/11/2026 at 1:14:36 PM

GOOG didn't get to be one of the most profitable corporations in the world by spending big on cost centers.

by bell-cot

2/11/2026 at 1:32:18 PM

It can't cost that much if some random blogger can do it.

by lapcat

2/11/2026 at 1:38:54 PM

At this point, someone should make a site to check whether installed extensions are malicious or not.

by georgehill

2/11/2026 at 2:43:40 PM

So this would require a list of extensions decided to be malicious or not, and someone can go ahead and check through that.

To build the list of extensions decided to be malicious, I can imagine a GitHub repository where people can create issues about the lack of safety (like imagine some GitHub repo where this case could've also been uploaded), people could discuss, and then a .txt/json file could be there in the repo which gets updated every time an extension is confirmed to be malicious.

Thoughts?

Edit: (To take initiative?) I have created a git repo with this: https://github.com/SerJaimeLannister/unsafe-extensions-list but I would need some bootstrap list of malicious extensions. I know nothing about this field and the only extension I can add is this one maybe, but maybe someone can fork this idea (who is more knowledgeable within the extension community space) or perhaps they can add entries into it.

Edit 2: Looks like qcontinuum actually has a GitHub repo, and I hadn't read the article when I wrote the comment, but it's not 1 extension but rather 287 extensions, and they have mentioned them all in their git repo:

https://github.com/qcontinuum1/spying-extensions

So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?

by Imustaskforhelp

2/11/2026 at 3:37:51 PM

> So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?

We might do it once. That requires non-trivial engineering effort and resources and we are at the moment short on both of those.

by qcontinuum1

2/11/2026 at 3:51:44 PM

My point was to have a community effort around it as well if possible, and people could, say, upload suspicions and others could then confirm them?

I am curious, but wouldn't this effort be better if more people outside who are interested in investing their own resources for the safety of a better internet could help you out in such an endeavour? So essentially they can also help you out in such a task, essentially creating an open-source-ish committee/list which can decide it.

I do feel like if resources are in short supply, then actually doing so would be even more beneficial, right? What are your thoughts on it?

(Tangent if you actually do this: This might become a cat and mouse game if the person with the malicious extension, say, reads the GitHub repo and sees their extension in it before people can conclude it's malicious, making it a cat and mouse game. But I am imagining a GitHub Action which can calculate the hash and download link and everything (essentially archiving a state of the extension), and then people can be freed from the game and everything as well. So this might help a lot in future if you actually implement it.)

by Imustaskforhelp

2/11/2026 at 5:02:05 PM

It is a noble idea to have a community-driven effort in security research. We are sceptical that it would work. The same way security researchers will read this thread in the future, bad actors (e.g. Similarweb) can read it as well.

Any tool that would be open sourced or community driven for extension scanning will, with enough time, be used by bad actors to evade the scans. That is also why we don't share the code for this research, as it would only speed up this process.

by qcontinuum1

2/11/2026 at 5:14:56 PM

Oh I understand. I don't have any expertise in such a field, but reading this, I can understand why an open source approach might not work out, which is a little sad, to be honest.

But I feel like then the (bottleneck?) [which I don't mean in a bad way] would be the team, where the attackers might still be infinitely more numerous, which can exhaust your resources, as you mention.

Also, are there any other teams working on this? Thoughts on collaborating with anyone in the security field?

Maybe if a direct detailed discussion can't happen, then just as you released the list of these extensions, you can release extensions in future too as you detect them.

Do you feel as if an LLM-generated vibe-coded extension (with some basic reading of the code to just get an idea and see if there are any bad issues) would be safer than a random extension in Firefox/Chrome in general? Given one is a black box (closed source) generated by a human and the other is open code generated by a black box.

by Imustaskforhelp

2/11/2026 at 8:26:50 PM

This website promises to do just that: https://webextension.org/ (formerly add0n.com)

by precompute

2/11/2026 at 7:30:01 PM

Why not do the opposite - a whitelist of extensions that don't appear malicious.

by Chris2048

2/11/2026 at 8:28:55 PM

You've just reinvented curation, but giving Google a pass for them not doing it themselves and shifting the work onto others.

Multiple regulators should sue Google for putting users at risk by failing to protect users from malicious code before publishing Chrome extensions and Android apps.

by burnt-resistor

2/11/2026 at 8:41:00 PM

A blacklist is also curation, isn't it? Suing Google is also 'work'.

by Chris2048

2/11/2026 at 2:03:34 PM

And then an extension to alert you to bad extensions.

by baggachipz

2/11/2026 at 2:14:18 PM

Great idea! Someone please do this.

by james-bcn

2/11/2026 at 12:17:21 PM

Hopefully people will start learning that you want to install as few browser extensions as possible.

by cebert

2/11/2026 at 1:24:52 PM

In principle I agree with you, there is just so much crap online that it's tempting to just add this one more extension to fix something.

Looking at my own installed extensions, I have a password manager, Privacy Badger and Firefox Multi-Account Containers, which I suppose are the three I really need. Then I have one that puts the RSS icon back in the address bar, because Mozilla feels that RSS is less important than having the address bar show me special dates, and two that remove very specific things: one for cookie popups and one for removing sign in with Google.

The only one of these I feel should actually be a plugin is my password manager. Privacy management (including cookies), RSS and containers could just be baked into Firefox. All of those seem more relevant to me than AI.

Maybe adding a GreaseMonkey lite could fix the rest of my problem, using code I write and control.

by mrweasel

2/11/2026 at 3:04:44 PM

> one for removing sign in with Google

You could use an adblocker rule instead:

  ||accounts.google.com/gsi/client$script

(I’m not sure if it’s possible to do that with Privacy Badger though)

by notpushkin

2/11/2026 at 3:31:41 PM

Moving the toggle for "accounts.google.com" to full blocking in Privacy Badger ought to do it.

Heads up, full blocking of "accounts.google.com" will break some login pages entirely. But it is a good domain to fully block as long as you're comfortable using the "Disable for this site" button when something goes wrong.

by ghostwords

2/11/2026 at 3:42:28 PM

Hey, that seems to work, very nice, that's one less extension.

by mrweasel

2/11/2026 at 12:52:19 PM

My honest reaction to your comment is "What? No!".

I want to block ads, block trackers, auto-deny tracking, download videos, customize websites, keep videos playing in the background, change all instances of "car" to "cat" [1], and a whole bunch of weird stuff that probably shouldn't be included in the browser by default. Just because the browser extension system is broken it doesn't mean that extensions themselves are a problem - if anything, I wish people would install more extensions, not less.

[1] https://xkcd.com/1288/

by probably_wrong

2/11/2026 at 5:36:56 PM

And apps, and software dependencies in general.

by pphysch

2/11/2026 at 6:39:44 PM

If you're on a mac, you can list all the IDs of your installed browser extensions across all your profiles like this...

  find "$HOME/Library/Application Support/Google/Chrome" \
    -type d -path "*/Extensions/*" -not -path "*/Extensions/*/*" \
    -print 2>/dev/null | sed 's#.*/Extensions/##' | sort -u

Compare to the list of bad extensions. I stuck a stripped down list here...

  https://www.sfbaylabs.org/files2/2026-02-11/chrome_extensions_exfiltrating_history.txt

by revicon

2/11/2026 at 7:03:11 PM

Here's a one-shot script that does the compare for you, in case it's helpful...

  https://www.sfbaylabs.org/files2/2026-02-11/bad_browser_extension_check_osx.sh

You can run it directly if you cut/paste this in your mac terminal...

  curl -fsSL https://www.sfbaylabs.org/files2/2026-02-11/bad_browser_extension_check_osx.sh | bash

by revicon

2/11/2026 at 8:42:30 PM

Is there any irony in a thread on browser malware that includes a "please run this bash script blind"?

Not that I don't trust you, but between now and when someone stumbles on this thread, your domain could expire and I could publish something crazy at that url.

by amalter

2/11/2026 at 9:34:36 PM

This is why I put the raw url to the script first in my comment. Downloading the script file, doing a chmod +x and then a ./script.sh to execute it is daunting for some.

But I'll add a caveat to my original comment as well.

edit: Looks like I can't edit my original comment anymore.

by revicon

2/11/2026 at 12:03:48 PM

Browser extensions have much looser security than you would think: any extension, even if it just claims to change the style of a website, can see your input type=password fields. It's ludicrous that access to those does not need its own permission!

by mentalgear

2/11/2026 at 12:10:35 PM

It's hard to see how you would implement that: any script run within the context of the page needs access to these fields for backwards compatibility reasons, so the content script of the extension would just need to find a way of running code in the context of the page to exfiltrate the data. It could do this by adding script tags, etc.

by sebzim4500

2/11/2026 at 12:25:44 PM

Browsers break backwards compatibility for security all the time. Most recently Chrome made accessing devices on a local network require a permission. They completely changed the behavior of cookies. They break loads of things for cross origin isolation.

by throwaway0665

2/11/2026 at 12:30:38 PM

Sure, but this would break a significant portion of sign in UIs.

by sebzim4500

2/11/2026 at 1:41:39 PM

Even scripts within the page itself cannot read the value of password input fields. This is less of an issue than you are presenting it as.

by drdec

2/11/2026 at 1:56:57 PM

...uhh, yes they can? Are you talking about input type=password fields, i.e. the ones 99% of passwords are entered in?

by Valodim

2/11/2026 at 12:20:57 PM

I think the industry needs to rethink extensions in general. VSCode and browser extensions seem to have very little thorough review or thought into them. A lot of enterprises aren't managing them properly.

by Pacers31Colts18

2/11/2026 at 1:43:56 PM

Absolutely. I have not installed useful browser extensions because Mozilla isn't the maintainer. E.g. the Google container.

by drdec

2/11/2026 at 2:18:59 PM

Capital One just offered me $45 to install a Firefox extension. I declined, though I'm sort of tempted to get paid for getting spied on which I assume is happening anyway. And who knows, maybe I could get a couple more bucks later in the class action.

https://addons.mozilla.org/en-US/firefox/addon/wikibuy-for-f...

by ghtbircshotbe

2/11/2026 at 2:24:45 PM

Their offers are very hard to claim - only eligible to be used in their store, only given after making a purchase in their store, among other random strings. I tried to claim the same offer but could never actually get it.

by soared

2/11/2026 at 2:51:52 PM

That sounds right. I looked through the terms of the offer and it looked pretty onerous. I almost get the feeling they're trying to use my own hatred of the banks and desire to screw them out of $45 to trick me.

by ghtbircshotbe

2/11/2026 at 4:27:52 PM

Remember when Google removed extension APIs so that things like uBlock Origin stopped working in Chrome, in the name of "security"?

Pepperidge Farm remembers.

by the_gipsy

2/11/2026 at 4:24:13 PM

Made a quick tool so you can check if your extensions are on the list: https://extensioncheck.val.run

1. Go to chrome://extensions and toggle Developer mode on (so IDs are visible)

2. Select all text on the page with your mouse and copy

3. Paste it into the tool

It parses the IDs and warns you if any are among the 287 spyware extensions.

by welanes
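
An added Python example (mine, not revicon's script or welanes's tool) that does both halves offline: pull extension IDs out of pasted text such as a copy of chrome://extensions, or enumerate <profile>/Extensions/<id>/<version>/manifest.json under a Chrome user-data directory, then intersect the result with a blocklist. The IDs and names in the demo are constructed, not real extensions, and the blocklist format (one ID per line, '#' comments) is my assumption.

```python
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"\b[a-p]{32}\b")


def extract_ids(text: str) -> set:
    """Pull extension IDs out of free text, e.g. a copy of chrome://extensions
    with Developer mode on, or the output of a directory listing."""
    return set(EXTENSION_ID_RE.findall(text))


def installed_extensions(chrome_dir: Path) -> dict:
    """Map each installed extension ID to its manifest name(s).

    chrome_dir is the user-data root (on macOS
    ~/Library/Application Support/Google/Chrome); each profile directory
    under it holds Extensions/<id>/<version>/manifest.json.  Names of the
    form __MSG_xxx__ are localisation keys and are returned as-is.
    """
    found = {}
    for manifest in chrome_dir.glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        if not EXTENSION_ID_RE.fullmatch(ext_id):
            continue
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
        except (OSError, ValueError):
            name = "?"
        found.setdefault(ext_id, set()).add(name)
    return found


def load_blocklist(text: str) -> set:
    """Blocklist: one ID per line; '#' comment lines and stray text are ignored."""
    return {m for line in text.splitlines()
            if not line.lstrip().startswith("#")
            for m in EXTENSION_ID_RE.findall(line)}


def check(installed_ids, blocklist) -> list:
    """IDs present both locally and on the blocklist, sorted for stable output."""
    return sorted(set(installed_ids) & set(blocklist))


def demo() -> list:
    """Self-contained run on a constructed Chrome directory (made-up IDs)."""
    root = Path(tempfile.mkdtemp())
    fake = {
        "abcdefghijklmnopabcdefghijklmnop": "Constructed Good Extension",
        "ponmlkjihgfedcbaponmlkjihgfedcba": "Constructed Suspicious Extension",
    }
    for ext_id, name in fake.items():
        d = root / "Default" / "Extensions" / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(
            json.dumps({"name": name, "manifest_version": 3}), encoding="utf-8")
    blocklist = load_blocklist(
        "# constructed blocklist\nponmlkjihgfedcbaponmlkjihgfedcba\n")
    return check(installed_extensions(root), blocklist)
```

Point installed_extensions at your real user-data directory and load_blocklist at the published list to run the check for real.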

2/11/2026 at 4:32:05 PM

Nothing happens when I click `Scan`.

by ianhawes

2/11/2026 at 4:39:44 PM

Whoops, developer mode needs to be toggled on. Just updated the instructions.

by welanes

2/11/2026 at 8:37:15 PM

Still nothing seems to happen when I click "Scan". Does that mean that none of the extension IDs provided are on the list?

by JadeNB

2/11/2026 at 2:04:28 PM

I’ve always thought that it’s crazy how so many extensions can basically read the content of the webpages you browse. I’m wondering if the research should go further: find all extensions that have URLs baked in them or hashes (of domains?), then check what they do when you visit these URLs.

by baby

2/11/2026 at 2:11:44 PM

Without any doubt the research could continue on this. We had many opportunities to make the scan even wider and almost certainly we would uncover more extensions. The number of leaking extensions should not be taken as definite.

There are resource constraints. Those extensions try to actively detect if you are in developer mode. It took us a while to avoid such measures, and we are certain we missed many extensions due to, for example, the usage of a Docker container. Ideally you want to use an env as close to the real one as possible.

Without infrastructure this doesn't scale.

The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for data exfiltration or the code is obfuscated multiple times. Ideally you want to run the extension in browser and inspect its code during execution.

by qcontinuum1

2/11/2026 at 5:12:46 PM

@qcontinuum1, I appreciate this kind of research. I saw your other comments where you mentioned that the team's engineering resources are scarce, and saw that at the bottom of the GitHub repo there are links to a BTC address.

Curious to know: 1- How large is your team, and how long did this research take? It is very thorough, and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research. 2- Is this kind of research your primary focus? 3- Are there other ways that financial support can be provided other than through XRP or BTC?

I tried to look up your profiles but wasn't able to find where you were all from, so wishing you well wherever you are in the world. :)

by heavenlyfather

2/11/2026 at 11:37:45 PM

Thank you. We are very glad to see the discussion that the report has sparked and also glad to see the feedback on it. It means a lot to us.

> 1- How large is your team, and how long did this research take? It is very thorough, and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research.

The group is not very large and it took a few months of non-continuous work.

> 2- Is this kind of research your primary focus?

At the moment it is not very clear if we will do a follow-up on this topic or not, as explained in a different comment. At the moment yes, the group is new.

> 3- Are there other ways that financial support can be provided other than through XRP or BTC?

No, at the moment. We would like to remain anonymous, at least for now.

by qcontinuum1

2/11/2026 at 3:12:19 PM

The whole browser is spying on you, so don't worry about extensions.

by singularity2001

2/11/2026 at 3:14:58 PM

It is, but the particular ways Google will harm you are very different from how small/medium criminals will harm you.

by bittercynic

2/11/2026 at 12:32:46 PM

It's interesting to see this surface again. As someone currently looking into building extensions, the permission granularity has always felt like a double-edged sword. Even with Manifest V3 limiting some capabilities, the 'read and change all your data on the websites you visit' permission is still necessary for many legitimate tools, but it requires so much trust from the user. I wonder if a more granular, per-domain permission model (like mobile apps) would be feasible for the Chrome team to implement without breaking UX.

by PaperBanana

2/11/2026 at 1:00:20 PM

The browsing data itself is only half the problem. Even if you remove the spying extension, the profile it helped build persists and keeps shaping what you see as it gets sold and changes hands.

We focus a lot on blocking data collection and spyware, but not enough on what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.

by nanobuilds

2/11/2026 at 1:07:35 PM

It seems crazy to me that the offered way to install an extension on Chrome is to click a button on a privileged website, and then the installed extension autoupdates without an option to turn it off.

I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn "Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.

by Grom_PE
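
An added Python example (not Grom_PE's patch) of the inspection step described above: locate the ZIP payload inside a CRX2 or CRX3 container and summarise the manifest's capabilities before deciding whether to load it unpacked. The sample CRX is constructed in the block with an empty signature header, and the capability categories in the report are my own choice.

```python
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def split_crx(data: bytes) -> tuple:
    """Return (version, header_bytes, zip_bytes) from a .crx file.

    CRX3: magic 'Cr24', uint32 LE version (3), uint32 LE header length,
          protobuf CrxFileHeader (keys and signatures), then a plain ZIP.
    CRX2: magic, version (2), uint32 LE public-key length, uint32 LE
          signature length, public key, signature, then the ZIP.
    Signature verification is out of scope here; this only locates the code.
    """
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        start = 12 + header_len
        return version, data[12:start], data[start:]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        start = 16 + key_len + sig_len
        return version, data[16:start], data[start:]
    raise ValueError(f"unsupported CRX version {version}")


def review_manifest(zip_bytes: bytes) -> dict:
    """Read manifest.json from the payload and summarise what a reviewer
    should look at before loading the extension unpacked."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        files = zf.namelist()
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 listed host patterns inside "permissions"; treat URL-shaped
    # entries there as host permissions too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    content_hosts = {m for cs in manifest.get("content_scripts", [])
                     for m in cs.get("matches", [])}
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "manifest_version": manifest.get("manifest_version"),
        "all_sites": bool((hosts | content_hosts) & BROAD_HOSTS),
        "sees_navigation": bool(perms & {"tabs", "history", "webNavigation",
                                         "webRequest"}),
        "js_files": sorted(f for f in files if f.endswith(".js")),
    }


def inspect_crx(data: bytes) -> dict:
    """Full pass: split the container, then review the manifest inside."""
    version, _header, payload = split_crx(data)
    report = review_manifest(payload)
    report["crx_version"] = version
    return report


def build_sample_crx3() -> bytes:
    """Constructed CRX3 with an empty signature header and a two-file
    payload so the parser can be exercised offline (not a real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({
            "name": "Constructed Sample", "version": "1.0", "manifest_version": 3,
            "permissions": ["tabs", "storage"],
            "host_permissions": ["<all_urls>"],
            "background": {"service_worker": "bg.js"}}))
        zf.writestr("bg.js", "// constructed placeholder\n")
    header = b""  # a real file carries a protobuf CrxFileHeader here
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

The zip_bytes returned by split_crx can be written to disk and unzipped for the code read itself; the report just tells you where to look first.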

2/11/2026 at 2:11:17 PM

Can extensions:

be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?

be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?

If not, I wouldn't touch them with a 10000ft pole.

by coldtea

2/11/2026 at 2:59:57 PM

> be scoped

Yes. Not usually user-controllable though.

> be forced to have a clear non-obfuscated feed

Kinda. You can usually open a devtools instance that shows whatever the extension is doing. But you can’t enforce it to not obfuscate the network requests though (you’d have to make extensions non-Turing complete).

You could mitigate some of these issues by vetting the extensions harder before letting them into the stores. Mozilla requires all extensions to have a readable source code, for example.

by notpushkin

2/11/2026 at 10:08:35 PM

Stylus is a good alternative to Stylish. I keep my extensions to a minimum, and I turn off the ones I don't need until I need to use them. The only extensions I have turned on all the time are uBlock, Humble New Tab Page, and Stylus.

by nipperkinfeet

2/11/2026 at 2:38:11 PM

That can't be true, right? I mean, Google broke Adblockers in Chrome to prevent this very issue. And it had absolutely nothing to do with Google's Ad business.

So it's completely impossible that such malicious extensions still exist.

(may contain sarcasm)

by hannob

2/11/2026 at 1:13:48 PM

If someone would like to replicate, a good approach would be to reduce the cost by removing a full Chromium engine. I doubt these extensions are trying to do environment detection and won’t run under (e.g.) JSDOM+Bun with a Chrome API shim.

by captn3m0

2/11/2026 at 12:23:17 PM

Load extensions in developer mode so they can't silently install malware on you.

by hackinthebochs

2/11/2026 at 2:51:31 PM

Extensions have too many security risks for me. At this point I'd rather just vibe code my own extension than trust something with so much access and unpredictable ownership.

by ArcaneMoose

2/11/2026 at 5:03:57 PM

You know, LLMs could do automated code reviews for each update to avoid things like this. It would be much better than unexamined updates.

by herf

2/11/2026 at 12:37:47 PM

Most of them jump out as immediately dodgy -- except Stylish. That is the only one I've ever used on the list, but it's been several years.

by endsandmeans

2/11/2026 at 1:02:32 PM

"zoom", "LibreOffice Editor", "Enhanced Image Viewer", "Video Downloader PLUS"

I guess I shouldn't be surprised at how many use "LibreOffice" or other legit company names to lend legitimacy to themselves. I'm wondering if companies like Zoom don't audit the extension store for copyright claims.

I for sure used to use Video Downloader PLUS when I still used chrome (and before youtube-dl)

by fusslo

2/11/2026 at 1:02:31 PM

Stylish was sold in 2016, and has had spyware from at least 2018 on.

by Cyuonut

2/11/2026 at 12:27:24 PM

My initial solution was:

>Before installing, make each user click a checkbox what access the extension has

However, as I've seen on Android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update has automatically taken place and new code is installed.)

Here are the two solutions I have, neither are perfect:

>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.

>Let updates automatically happen, but this leaves you open to remote, unapproved installs.

by PlatoIsADisease

2/11/2026 at 1:55:58 PM

Is there a way to use extensions from a private repository only, where I control the code and build pipeline?

by nkmnz

2/11/2026 at 1:17:40 PM

It’s obvious CWS has given up on oversight of these extensions. It’s a minefield.

by bennydog224

2/11/2026 at 2:01:11 PM

Here are 3 examples identified in their results.

Play Store pages for all 3 list strong assurances about how the developer declares no data is being sold to third parties, or collected unrelated to the item's core functionality.

Brave Web browser (runapps.org) https://chromewebstore.google.com/detail/mmfmakmndejojblgcee...

Handbrake Video Converter (runapps.org) https://chromewebstore.google.com/detail/gmdmkobghhnhmipbppl...

JustParty: Watch Netflix with Friends (JustParty.io) https://chromewebstore.google.com/detail/nhhchicejoohhbnhjpa...

My open question to Google is: What consequences will these developers face for lying to you and your users, and why should I have any faith at all in those declarations?

by rkagerer

2/11/2026 at 1:38:47 PM

Only 37M? I'd have guessed a higher number than that.

by bittercucumber

2/11/2026 at 2:14:10 PM

We were hoping to see that as well. There might be v2 of this research ;)

by qcontinuum1

2/11/2026 at 2:22:19 PM

Nobody is going to even do anything about SimilarWeb for pulling this off? My understanding from the article is that they're actively behind this.

When I was the CTO in a previous role, SimilarWeb approached us. I read through the code snippet they gave us to inject onto our site. It was a sophisticated piece of borderline spyware that didn't care about anyone in the entire line of sight - including us. They not only were very persistent, they also had a fight with our management - for refusing to use their snippet. They wanted our data so bad (we had very high traffic at the time). All we wanted was decent analytics for reporting to senior management and Google had just fucked up with their GA4 migration practices. I switched them to Plausible.io and never looked back. It was the least I could do; we had to trade off so many data points in comparison to GA, but it still works flawlessly to date. Fuck SimilarWeb.

by neya

2/11/2026 at 1:52:45 PM

I legit do not understand the Chrome hegemony.

by ubermonkey

2/11/2026 at 12:23:03 PM

Yo dawg...

by kgwxd

2/11/2026 at 12:43:30 PM

I heard you wanted spyware in your spyware

by wormpilled

2/11/2026 at 2:27:58 PM

[dead]

by chenmx

2/11/2026 at 1:59:58 PM

[dead]

by felishiagreen12

2/12/2026 at 10:55:05 PM

[dead]

by adilblati3

2/11/2026 at 1:19:01 PM

Just create an AI service and users will voluntarily send you all their data.

No need for such complicated attacks /s

by croes

2/11/2026 at 2:47:23 PM

[flagged]

by jerrygoyal

2/11/2026 at 1:42:09 PM

Yes, and?

Chrome/Google/Alphabet is spying on 100% of their users.

Quit using Alphabet stuff, and your exploitation factor goes down a LOT.

by nekusar

2/11/2026 at 12:26:44 PM

I don't really understand the complaint here. It seems most of those extensions have it as their literal purpose to send the active URL and get additional information back, to do something locally with it.

And why does this site have no scrollbar?? WTF, is web design finally that broken?

by PurpleRamen

2/11/2026 at 12:58:21 PM

> And why does this site have no scrollbar

Seems someone decided it was a good idea to make the scrollbar tiny and basically the same colour as the background:

    scrollbar-width: thin;
    scrollbar-color: rgb(219,219,219) rgb(255,255,255);

by moebrowne

2/11/2026 at 2:54:47 PM

Oh, thanks! It's working when you just hit the right pixel somewhere around the left border.

by PurpleRamen

2/11/2026 at 2:18:03 PM

We beg to differ. Consider, for example, "BlockSite Block Websites and Stay Focused": why would you need to send browsing data to a remote server if your job is only to block selected domains?

by qcontinuum1

2/11/2026 at 2:52:11 PM

If you look at the request made, then it seems to check the category of the site, for whatever reason. I don't know that extension, so I don't know if this is a legit use, sloppy use or harmful. I'm also not saying they found nothing at all. But looking through what they found, they seem to have not even thought much about whether those cases are legit and in the expected and necessary realm of actions the add-on is supposed to do, or if it's really harmful behaviour. I also don't see anything about how often the request was made. Was it on every URL change, or just once/occasionally?

This whole article is a bit too superficial for me.

by PurpleRamen

2/11/2026 at 3:49:33 PM

This other research points to this type of pattern (sending all URLs to a server to allegedly provide functionality) being used under false pretenses: https://palant.info/2025/01/13/biscience-collecting-browsing...

In particular, look for the diagram provided by a data vendor showing this in action.

As with safebrowsing and adblocking extensions, there is no need to send data to servers.

Many groups of smart people have developed client-side and/or privacy-preserving implementations that have worked with high effectiveness for decades.

Unfortunately, many other groups have also financial incentives to not care about user privacy, so they go the route shown in the research.

by useragent42

2/11/2026 at 5:01:16 PM

> being used under false pretenses

Yes, obviously that is possible, but the least that one should do then is to look up what's really happening. These are browser addons; the source code is available. But instead they are looking from the outside and sounding the alarm on something they don't understand. That's just poor behaviour and harmful in today's climate.

by PurpleRamen

2/11/2026 at 9:39:14 PM

If you read their full paper, they do technical analysis confirming findings in many cases. Many other researchers have done the same in the recent past.

The full paper also says that the unique URLs were later requested by crawlers, which confirms server-side collection.

What happens server-side is also confirmed by the palant.info article, which shows a graphic provided by a major data broker that shows exactly how they misuse data collected by extensions under false pretenses.

It's far from speculation when there's both technical evidence collected by researchers and direct evidence provided by the bad actors themselves.

by useragent42