Massive Data Harvesting: 287 Chrome Extensions Exposed for Spying on 37.4 Million Users

A sweeping investigation into Google Chrome’s extension ecosystem has revealed that hundreds of seemingly harmless add-ons have been quietly harvesting browsing history and sensitive digital footprints from millions of users worldwide.

Hidden Data Streams Behind Popular Tools

Security researchers from Q Continuum uncovered 287 different Chrome extensions that systematically collected and transmitted private browsing histories to external servers without clear user consent. These extensions, often promoted as useful tools such as ad blockers or search assistants, had been installed by at least 37.4 million users before their covert behavior was revealed.

The true scale of the data harvesting could be larger still: the analysis suggests that the reported 37.4 million figure may be a conservative estimate.

How Users Were Tricked

Most of the offending extensions appeared legitimate and performed the basic functions advertised — such as blocking ads, changing interface themes, or enhancing search results. Behind the scenes, however, they were logging full URLs visited, search engine queries, and other page interactions and sending this information, sometimes even in plain text, to third-party collectors.

Some developers obfuscated the data, encoding it in formats like Base64 or using encryption before transmission — a method that helped these extensions evade basic detection and scrutiny from automated vetting systems.

Who Gets the Data?

The investigation traced a significant portion of the collected information to large analytics and marketing companies, including Similarweb, Alibaba, ByteDance, and Semrush. Many extensions linked to these firms collectively accounted for tens of millions of installations.

However, nearly 20 million users’ data couldn’t be traced to any known company, meaning the identities of many data receivers remain unknown, hidden through shell entities or opaque partnerships.

A Broader Privacy Problem

The findings underscore a serious privacy gap within Chrome’s extension platform. Extensions are widely trusted by users to enhance browsing, but the current vetting processes and permission disclosures — though technically present — provide little meaningful transparency about how data is ultimately used or shared.

As cyber-security expert John Carberry commented on the report, this incident “reveals the extension ecosystem as a vast, legalized surveillance system,” where user history becomes a valuable product for data brokers, often without users even realizing it.

What Users Should Do

For Chrome users, this serves as a wake-up call:

  • Review installed extensions and remove anything unfamiliar.
  • Check permissions closely before installing new add-ons — especially those requesting access to browsing history or web page data.
  • Use reputable extensions from trusted developers only.
  • Consider using dedicated privacy tools or browsers with stronger extension sandboxing and review processes.
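
The first two checks can be scripted. The following is an added example, not code from the report or from Q Continuum: it reads each installed extension's manifest.json and lists the grants that allow reading browsing history or page data. The permission sets chosen, the function names and the sample manifests with their placeholder ids are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

# Permissions exposing visited URLs or traffic, and host patterns matching every site.
URL_EXPOSING = {"history", "tabs", "webNavigation", "webRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed sample manifests keyed by placeholder ids (not real extensions).
SAMPLES = {
    "sample-theme": {"permissions": ["storage"]},
    "sample-helper": {"permissions": ["history", "storage"], "host_permissions": ["<all_urls>"]},
    "sample-injector": {"content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
}


def risky_grants(manifest):
    """Return the grants in one manifest that allow reading browsing activity."""
    declared = set()
    # MV2 lists hosts inside "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    found = declared & (URL_EXPOSING | BROAD_HOSTS)
    # A content script matched to every site reads page data with no API permission.
    for script in manifest.get("content_scripts", []):
        found.update("content_script:" + m for m in script.get("matches", []) if m in BROAD_HOSTS)
    return sorted(found)


def audit_extensions(ext_dir):
    """Map extension id -> risky grants for <ext_dir>/<id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            grants = risky_grants(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        if grants:
            report.setdefault(path.parts[-3], set()).update(grants)
    return {ext_id: sorted(g) for ext_id, g in report.items()}


def demo():
    """Write SAMPLES into a temporary Extensions-style tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in SAMPLES.items():
            version_dir = Path(root, ext_id, "1.0_0")
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest))
        return audit_extensions(root)
```

To audit a real profile, pass audit_extensions the Extensions directory under the profile path shown on chrome://version. A flagged grant is a prompt to review the extension, not proof of harvesting, since many legitimate tools need the same access.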

While Google regularly updates its policies and removes violating extensions from the Chrome Web Store, user vigilance remains crucial to maintaining online privacy in the face of evolving tracking and data harvesting tactics.