February 11, 2026

Clickbait? Nope—your clicks are the bait

Chrome extensions spying on 37M users' browsing data

Internet freakout: 'Extensions read passwords', trust only uBlock Origin

TLDR: A report flags 287 Chrome extensions allegedly sending your browsing history to data firms, affecting 37M users. Commenters erupt: some vow to install fewer add‑ons and trust only uBlock Origin, others demand tougher reviews and enterprise controls—reminding everyone that “free” tools can monetize your clicks.

A new scan claims 287 Chrome add‑ons have been quietly siphoning browsing histories from 37 million people, naming data firms like Similarweb and a mysterious “Big Star Labs.” The researchers spun up a browser trap with a “man‑in‑the‑middle” proxy (a tool that intercepts and inspects the traffic leaving the browser) and say their report and repository show the leaks—though they’re keeping full code private to avoid tipping off bad actors.

The comments? Pure soap opera. One user raged that extensions can even see password boxes: “ludicrous!” Another swore they’ll only install uBlock Origin now, while a chorus shouted “install fewer add‑ons, period.” A weary voice dropped a meme-y “Yo dawg…” and the thread exploded with jokes about “free” tools that treat your clicks like snacks.

Then the debate got spicy. Some blamed Google’s lax review of the extension store; others said users are the problem for trusting shiny freebies. Enterprise folks chimed in that companies barely manage extensions at work and it’s a ticking compliance bomb. The mood? Suspicious, snarky, and a little terrified—like realizing your browser’s cute accessories might be the ones spilling the tea. Read receipts included via the HTML report.

Key Points

  • An automated scanning pipeline using Chrome in Docker and a MITM proxy was built to detect data exfiltration by extensions.
  • A leakage metric correlating outbound requests with input URL lengths flagged 287 Chrome extensions.
  • The flagged extensions account for about 37.4 million installs, roughly 1% of the global Chrome user base.
  • Named actors linked to the leaks include Similarweb, Curly Doggo, Offidocs, and “Big Star Labs.”
  • The authors released reports and archives but withheld the internal scanning code; prior research from 2017–2018 is cited.
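The researchers' scanning code is not public, so the following is an added sketch of how a leakage metric like the one in the key points could work, not their implementation. It assumes the harness visits URLs of varying length while the proxy logs outbound bytes per destination host; the host names, sample flows and thresholds are constructed for illustration.

```python
from collections import defaultdict
from math import sqrt

# Constructed proxy log for one extension under test (not data from the report):
# (length of the visited URL in chars, destination host, request size in bytes)
SAMPLE_FLOWS = [
    (40, "telemetry.example", 212), (40, "cdn.example", 530),
    (200, "telemetry.example", 425), (200, "cdn.example", 528),
    (800, "telemetry.example", 1225), (800, "cdn.example", 531),
    (1600, "telemetry.example", 2290), (1600, "cdn.example", 529),
]

def _fit(xs, ys):
    """Least-squares slope and Pearson r of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:  # constant input or constant payload: no signal
        return 0.0, 0.0
    return sxy / sxx, sxy / sqrt(sxx * syy)

def leakage_by_host(flows):
    """Return {host: (bytes sent per URL character, correlation)}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for url_len, host, nbytes in flows:
        per_host[host][url_len] += nbytes  # total bytes sent during one visit
    results = {}
    for host, by_len in per_host.items():
        xs = sorted(by_len)
        if len(xs) < 3:  # too few distinct URL lengths to judge
            results[host] = (0.0, 0.0)
            continue
        results[host] = _fit(xs, [by_len[x] for x in xs])
    return results

def flag_hosts(flows, min_slope=0.9, min_r=0.95):
    """Hosts whose payload grows about 1 byte or more per URL character.

    Thresholds are assumptions: a raw URL costs ~1 byte per character,
    base64 ~1.33, and compression would lower the slope.
    """
    return sorted(h for h, (slope, r) in leakage_by_host(flows).items()
                  if slope >= min_slope and r >= min_r)

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_FLOWS))
```

A host that receives a fixed-size beacon on every page load stays unflagged here; only payloads that scale with the visited URL stand out, which is what separates URL exfiltration from ordinary update checks.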

Hottest takes

"can see your input type=password fields - it's ludicrous that access to those does not need its own permission!" — mentalgear
"The only extension I trust enough to install on any browser is uBlock Origin." — matheusmoreira
"I think the industry needs to rethink extensions in general." — Pacers31Colts18
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.