HeadlinesBriefing.com

Chrome Extensions Exfiltrate Browsing Data for 37M Users: New Leakage Pipeline Revealed

Hacker News: Front Page

Similarweb and obscure data brokers exploit Chrome extensions to harvest 37.4 million users' browsing histories, according to a 2025 investigation. Researchers deployed a Docker-based MITM proxy system to detect extensions transmitting URL length-correlated traffic, identifying 287 malicious add-ons. The scale rivals Poland's population, with Similarweb-linked extensions like Curly Doggo and Offidocs forming a shadowy network of data collection.

The team’s automated scanner used synthetic browsing workloads to flag extensions whose traffic patterns spiked with URL length. Honeypot IPs, including Kontera’s AWS infrastructure, captured exfiltrated data, revealing links between Similarweb’s Big Star Labs and smaller data brokers. While some extensions (e.g., Avast’s security tool) may have benign use cases, most lack transparency, violating user trust.
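The length-correlation check described above can be sketched as follows. This is an added example, not the researchers' scanner: the extension names, the byte counts, and the `min_slope`/`min_r2` thresholds are constructed assumptions. It fits outbound bytes against visited-URL length per extension and flags those where traffic grows almost linearly with the URL.

```python
from statistics import mean

# Constructed sample: bytes each extension sent while the synthetic workload
# visited URLs of increasing length. Not data from the investigation.
URL_LENGTHS = [40, 200, 800, 1600, 3200]
SAMPLES = {
    "ext-a": [512, 512, 512, 512, 512],      # fixed-size telemetry ping
    "ext-b": [356, 568, 1368, 2436, 4568],   # ~300 B overhead + base64(URL)
    "ext-c": [900, 410, 1200, 380, 760],     # traffic unrelated to the URL
}

def fit(xs, ys):
    """Least-squares slope and R^2 of ys against xs."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        return 0.0, 0.0  # constant input or constant traffic: no signal
    return sxy / sxx, (sxy * sxy) / (sxx * syy)

def flag_leaky(samples, url_lengths=URL_LENGTHS, min_slope=0.5, min_r2=0.9):
    """Return {extension: (slope, r2)} for traffic that tracks URL length.

    A slope near 1 means roughly one outbound byte per URL byte; base64
    encoding pushes it to about 1.33. Thresholds are assumed values.
    """
    flagged = {}
    for name, sent in samples.items():
        slope, r2 = fit(url_lengths, sent)
        if slope >= min_slope and r2 >= min_r2:
            flagged[name] = (round(slope, 3), round(r2, 3))
    return flagged

if __name__ == "__main__":
    for name, (slope, r2) in flag_leaky(SAMPLES).items():
        print(f"{name}: {slope} bytes sent per URL byte, R^2={r2}")
```

A flag from a check like this is a lead for manual traffic inspection, since an extension can have a legitimate reason to send the current URL.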

Exfiltrated data enables corporate espionage, ad-tech profiling, and credential harvesting. For example, Poper Blocker sent obfuscated Google search data to api2.poperblocker.com, which the researchers decoded using ROT47. The study highlights systemic risks: 1% of Chrome users unknowingly fuel a surveillance economy, with data resold to unknown third parties.

This exposes critical vulnerabilities in Chrome’s extension ecosystem. Users face real-world threats—from targeted ads to leaked intranet URLs—while regulators grapple with opaque data practices. The findings underscore an urgent need for stricter vetting of browser extensions and transparency mandates for data collection.