Browser Extensions Turn Nearly 1 Million Browsers Into Website-Scraping Bots

Over 240 browser extensions with nearly a million total installs have been covertly turning users' browsers into web-scraping bots. "The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers," reports Ars Technica. "The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions." Ars Technica reports: Some of the data swept up in the collection free-for-all included surveillance videos hosted on Nest, tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive and Intuit.com, vehicle identification numbers of recently bought automobiles along with the names and addresses of the buyers, patient names and the doctors they saw, travel itineraries hosted on Priceline, Booking.com, and airline websites, Facebook Messenger attachments and Facebook photos, even when the photos were set to be private. The dragnet also collected proprietary information belonging to Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, and dozens of other companies.

Tuckner said in an email Wednesday that the most recent status of the affected extensions is:

- Of 45 known Chrome extensions, 12 are now inactive. Some of the extensions were removed for malware explicitly. Others have removed the library.
- Of 129 Edge extensions incorporating the library, eight are now inactive.
- Of 71 affected Firefox extensions, two are now inactive.

Some of the inactive extensions were removed for malware explicitly. Others have removed the library in more recent updates. A complete list of extensions found by Tuckner is here.

...again.

[Narcocide]

JavaScript was a mistake.

Re:...again.

[TuballoyThunder]

Compounded by dynamically including libraries downloaded from random website.

Re:

[dfghjk]

it's not the language or that there is scripting, it's what the scripting has access to. Modern web browser architecture is a joke because developers have become incompetent.

Can't wait for version 3!

Re:

[drinkypoo]

It's not the language, but it is that there is scripting.

What's in the browser should be limited to the kinds of dynamic features which wound up in CSS. Even those could be implemented poorly and used to harm the user, but it would be a lot more difficult.

Re:

[Tony Isaac]

Javascript alone can't do this, only browser extensions can. It's the extensions, not the language.

Re:...again.

[znrt]

this was the issue here:

"They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions."

"developers" rushing to monetize their crap extension that they're not savy or caring enough to actually develop. wether they had bad intentions or not, these guys are simply not to be trusted anymore. something similar could be said about users installing that crap but then users are users.

bottom line is that extensions are powerful tools but with their power comes at a risk. installing an extension is similar to running any random executable. no extension or library should ever be trusted without fully understanding what it does, or for end-users, at least being sure that the source is serious, legitimate and trustable.

and at the bottom of it is lack of education and basic hygiene habits. just look at one of the extensions in question:

"Idle forest".
"Transform your everyday browsing into real trees! Idleforest converts your shared internet bandwidth into tree plantings, helping combat climate change while you browse normally. Works great in addition to Ecosia!"

i mean ... if you fall for this kind of nonsense in the first place you might aswell deserve having your computer and/or privacy raped.

Re:

[Tony Isaac]

I agree with you fully that extensions should not be trusted, unless you completely trust the company that made it. My point is that it's the extension that's evil, not the language. Without the extension, the language alone would not be able to inject the scraper into every single website you visit.

Re:

[sirber]

no U! T_T

Re:

[etash]

are you stupid or just a luddite?

Vetting?

[zkiwi34]

I guess that isn't much of a thing anymore.

Re:

[Anonymous Coward]

Vetting? They listed "Cat Facts Unleashed" and "Dog Facts Unleashed" in the extensions.

Re:

[Tony Isaac]

Browser extensions have always been a wasteland of crappy useless widgets from noname companies.

I once tried an extension that let me send and receive texts from my browser, and it was cool, until I realized what I was giving that company in the process. Since then, I've kept a bare minimum of extensions: uBlock Origin (Lite), Chrome Remote Desktop, Microsoft SSO, and Google Docs Offline. That's it. If I don't know the company that made an extension, I'm not allowing it into my browser.

Re:

[martin-boundary]

I like to use ghostery in addition to uBlock Origin. I miss the non-lite version.

Re:

[markdavis]

>"I like to use ghostery in addition to uBlock Origin. I miss the non-lite version."

https://addons.mozilla.org/en-... [mozilla.org]
https://addons.mozilla.org/en-... [mozilla.org]

Perfectly non-"lite"

As for malicious add-ons, there is the "Recommended" badge (that can be set as a filter as well) which helps a lot.

https://support.mozilla.org/en... [mozilla.org]
https://support.mozilla.org/en... [mozilla.org]

Not surprisingly, both UBO and Ghostery are listed as "Recommended", along with 99 others (out of 58,708 addons). I will admit that of the 7 I am using at ho

Re:

[mysidia]

Ironically the most useful extension for Chrome is hampered by Manifest updates "For security" and to prevent malicious extensions.

But for some shit reason or another Browser extensions are still allowed to submit HTTP(s) POST and GET requests to random websites and send data in those transmissions (Which could potentially include your private data).

Chromium has a permission system, but they have never ever done anything that actually prevented or made it difficult for extensions to do malicious things.

Google doc link, to give a tabular list.

[GM]

Why would somebody clicks on a g-doc list if he or she dislikes the leak of personal information ?

Curious about the list, I loosed. I clicked too fast without reading the link :-)

Dont forget the antivirus packages

[Wolfling1]

Our websites take more Ddos style hits from anti-virus scans than anything else on some days.

Private Browsing

[Misagon]

I always open sensitive web sites in "Private Browsing" / "Incognito" mode anyway, if only to make sure that the session is closed when I close the browser.

At least in Chrome/Chromium, browser extensions are disabled in that mode by default You'd have to enable them if you want them.

Assholes

[fluffernutter]

The thing that bothers me is that I have had million dollar ideas that I didn't capitalize on because I didn't want to be some asshole bogging down someone's site.

But it's becoming apparent that the assholes are the only people getting anywhere. Go ahead and make rentable party houses where people live. Go ahead and take the livelihood of taxi drivers away. Go ahead and spy on people who are socializing. Go cut millions of dollars people are using to survive. Be the biggest asshole you can and you will thrive.

Re:

[nightflameauto]

The thing that bothers me is that I have had million dollar ideas that I didn't capitalize on because I didn't want to be some asshole bogging down someone's site. But it's becoming apparent that the assholes are the only people getting anywhere. Go ahead and make rentable party houses where people live. Go ahead and take the livelihood of taxi drivers away. Go ahead and spy on people who are socializing. Go cut millions of dollars people are using to survive. Be the biggest asshole you can and you will thrive.

We're watching what happens when profit and greed become our only moral compass. "Survival of the fittest," becomes, "Be the biggest asshole and shove everyone else aside." And our culture has developed in such a way that this form of behavior isn't just rewarded, but it's admired by large swaths of people, even some of the people being swept aside.

Sometimes I wonder if we have it in us to defeat the greed in our nature, or if the greed will simply devour us slowly over time. Gotta say, right now it's not e

Re:

[The-Ixian]

It's getting to the point where "legitimate" commercial software behavior is indistinguishable from a virus.

For example, Read.AI meeting software. It only takes one entity to start using this software to create meetings and then every meeting it sends out directs users to pages with dark patterns that funnel them into allowing permissions for their entire organization. Then, when they create a meeting, the cycle repeats. The end effect is some company who you have no direct relationship with who now has per

Re:

[nightflameauto]

It's getting to the point where "legitimate" commercial software behavior is indistinguishable from a virus.

For example, Read.AI meeting software. It only takes one entity to start using this software to create meetings and then every meeting it sends out directs users to pages with dark patterns that funnel them into allowing permissions for their entire organization. Then, when they create a meeting, the cycle repeats. The end effect is some company who you have no direct relationship with who now has permission to exfiltrate data from you (and possibly your entire organization). At the same time you are propagating the software to others. It's insidious and it's wrong and it's business as usual.

The worst part is that it's almost become a religious thing for some folks to just let this shit slide, because if you point out any of this nefariousness you're told by coworkers that you're impeding progress, are being paranoid, or are refusing to use new tools out of irrational fear. We've really become a people determined to sabotage ourselves.

Manifest v3

[devslash0]

Shit like this makes you realise that Manifest v3 is perhaps not such a bad thing...

Re:

[tender-matser]

Have you actually read TFA? Those extensions were using the new (v3) declarativeNetRequest API, not the old webRequest API which is scrapped in v3.

And they don't even need to do that. By their very nature, the addon "permission" are so stupidly designed, that even without that, it's perfectly possible to extrude data (including but not limited to form content, telemetry, etc) from any website an extension is able to run in as a content stript to any other site in the universe.

And just clicking on the exten

product placement gone wrong...

[acroyear]

I love that the advertisement I'm seeing on this page right now is for a browser extension (from Microsoft)

Advertising is a blight

[euxneks]

Once again, and YET STILL, here is an example of "advertisers" absolutely gutting you for whatever data they can possibly get, and paying a pittance to developers. Online advertising needs to be banned full stop. They are gluttonously gorging themselves on your personal information, fuck em all.