This investigation surveyed the entire Chrome Web Store, filtering extensions that request sensitive permissions (history, tabs, webRequest, etc.) and we scanned with our method top 32,000 extensions ordered by user count. Using Docker with Chromium behind a man‑in‑the‑middle proxy, we simulated browsing sessions and recorded every outbound request. By correlating request size with URL length we derived a leakage metric (Redp); values ≥ 1.0 indicate definite history exfiltration, while 0.1 ≤ Redp < 1.0 suggest probable leakage.
The pipeline flagged 287 extensions that actively transmit users’ browsing histories. Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ‑String compression, and full AES‑256 encryption wrapped in RSA‑OAEP. Decoding these payloads showed raw Google search URLs, page referrers, user IDs and timestamps being sent to a network of proprietary domains and cloud‑provider endpoints.
We leveraged the leakage further and by browsing URLs of the honeypot in the sandboxed environment we allowed those data to be leaked. Honeypot URLs lured some actors and were accessed by known scraper IPs (Amazon Japan, Google LLC, Kontera), confirming active harvesting pipelines. We applied OSINT to the leaking extensions and managed uncover some actors.
Aggregating install counts gave an exposure of roughly 37.4 million users, representing roughly about 1 % of global Chrome users. The majority of the activity clusters around a handful of actors: SimilarWeb (≈ 10 M users), Alibaba‑related groups, Bytedance, and a cluster of Chinese data‑broker firms. Many extensions appear under reputable brand names (e.g., “SimilarWeb - Website Traffic & SEO Checker”) while others masquerade as utilities such as ad blockers (“Ad Blocker: Stands AdBlocker”) or AI assistants.
Limitations include the inability to see WebSocket or DNS‑tunneled traffic and the fact that some extensions only leak after a privacy‑policy popup is accepted, meaning the 37.4 M is a conservative lower bound.
Years later, Brave would get in trouble again for rerouting people’s traffic through referral links to make them money.