Networks of Browser Extensions Are Spyware in Disguise
<p>Browser extensions are collecting and reselling user data—perfectly legally—and opening up a slew of privacy and security issues.</p>
<p>They’re not malicious extensions, and they’re upfront about what they’re doing, but their proliferation is a big problem for defenders. <a href="https://layerxsecurity.com/blog/your-extensions-sell-your-data-and-its-perfectly-legal/" target="_blank" rel="noopener">LayerX recently found</a> multiple networks of these extensions — more than 80, including 24 media extensions — installed on 800,000 browsers, collecting viewing data and demographic information from Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and other streaming platforms.</p>
<p>The company also discovered 12 ad blockers openly selling user data—combined, they had a base of 5.5 million users. And nearly 50 other extensions were found to be collecting and reselling the browser data of more than 100,000 users.</p>
<p>For consumers, these extensions, which operate unregulated, represent potential exposure of private information, including viewing history, content preferences, platform subscriptions, downloaded content and streaming behavior. That’s in addition to the typical data collected around age and gender. Alarmingly, they do it without users ponying up any of that data: to fill gaps in a profile, the extension developers simply match email addresses against third-party demographic databases.</p>
<p>“At a certain point in time, not too long ago, these types of extensions were properly being flagged for what they were – spyware,” says Mark Odom, senior solutions engineer at Black Duck.</p>
<p>“The problem is that the frequency and depth of this spyware has rebranded as ‘analytics’ in most cases,” and “as new generations grow up, many are being exposed to this level of tracking for nearly their entire lives and just grow used to it; however, that doesn’t decrease the threat level that this brings to the table,” he says.</p>
<p>Odom contends that collecting user data “has been getting out of hand for a long time,” and that the larger problem is that the big “databases already have tons of different data points on individual users.”</p>
<p>And the more data collected, Odom says, “the easier it is to identify a person at any given time.”</p>
<p>If businesses think they’re off the hook, they need to consider that of the 82 sellers LayerX discovered, 29 are B2B sales intelligence tools that reside on corporate machines. So employees may be unwittingly giving up URLs, SaaS dashboards, and research activity that offer a window into internal workflows, and that information can then be sold to competitors. That kind of corporate data leakage is unlikely to have eyes on it internally.</p>
<p>“The risk isn’t about users being deceived. It’s about corporate data leaving through a channel nobody is watching,” LayerX wrote.</p>
<p>The researchers noted that “most extension security evaluations focus on permissions or known malicious indicators – flagging extensions that request excessive access or match threat intelligence,” which might catch malware but “doesn’t catch an extension that openly reserves the right to sell your browsing data.”</p>
<p>And AI is only amplifying the issues. “As organizations rapidly adopt agentic AI, Model Context Protocol (MCP), and autonomous browsing capabilities, we’re seeing a pattern develop: AI-native browsers are introducing system-level behaviors that traditional browsers have intentionally restricted for decades,” says Randolph Barr, CISO at Cequence Security. “That shift breaks long-standing assumptions about how secure a browser environment is supposed to be.”</p>
<p>But, he notes, “the real exposure emerges when individuals install AI browsers on their personal devices,” with curiosity driving rapid experimentation. “Once users become comfortable with these tools at home, those behaviors inevitably bleed into the workplace through BYOD access, browser sync features, or personal devices used for remote work,” he says.</p>
<p>Barr is particularly concerned about how readily AI browsers can be detected and “how quickly adversaries can scale that detection,” explaining that “AI browsers introduce unique fingerprints in their APIs, extensions, DOM behavior, network patterns, and agentic actions. Attackers can identify them with a few lines of JavaScript or by probing for AI-specific behaviors that differ from traditional browsers.”</p>
<p>With AI-driven classification models in play, bad actors can now “fingerprint AI browsers across millions of sessions automatically. At scale, that enables targeted attacks against users running these higher-risk, agent-enabled environments,” says Barr, who stresses enterprises must remain cautious.</p>
<p>“AI browsers are evolving faster than the guardrails that traditionally protect end users and corporate environments,” making transparency around system-level capabilities, independent audits, and the ability to fully control or disable embedded extensions “table stakes if these browsers want to be considered for regulated or sensitive workflows,” he says.</p>
<p>To get a handle on the extensions running in their organizations’ browsers, security teams should ask three questions, LayerX says:</p>
<ol>
<li>What extensions are installed across employee browsers?</li>
<li>What data do those publishers claim the right to collect or sell?</li>
<li>Could corporate browsing activity be flowing into commercial datasets?</li>
</ol>
<p>“If you don’t have an extension governance policy, that’s the first step. If you do, add privacy policy review to the evaluation criteria. Permissions alone don’t tell you enough,” the researchers advise.</p>
<p>A good rule of thumb, Odom says, “is to always assume the worst-case scenario: that the data will not be properly secured.” If a bad actor gets their hands on it, “they have information about an employee, internal URLs, activity, and probably more; all of which can be used to target an individual employee and gain access to an important business system.”</p>
<p>Remember that bad actors also can search email addresses in databases of breached passwords, says Odom, who recommends the use of MFA “first and foremost” and perhaps DNS filtering to block domains from receiving data.</p>
<p>“Defense in depth is the key to protecting both your employees and organizations against this new age of spyware,” he says.</p>
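<p>LayerX’s three questions and its advice to add privacy policy review to the evaluation criteria can be turned into a routine host check. What follows is an added example, not LayerX’s or Black Duck’s code: a Python script that walks a Chrome-style Extensions directory (Chromium-based browsers unpack each installed extension to &lt;profile&gt;/Extensions/&lt;extension-id&gt;/&lt;version&gt;/manifest.json), records every extension’s API permissions and host patterns, and raises findings for broad host access, access to a constructed watch list of the streaming domains named in the article, and extensions whose privacy policy review (a hypothetical REVIEW_REGISTER, standing in for whatever the governance policy records) is missing or notes a right to sell browsing data. The extension ids, manifests and register entries are all constructed for the example.</p>

```python
"""Inventory Chrome-style browser extensions and flag the ones an extension
governance policy should review.  Added example, not LayerX's or Black Duck's
code.  Chromium browsers unpack each extension to
<profile>/Extensions/<extension-id>/<version>/manifest.json; this walks that
tree and checks permissions plus a (hypothetical) privacy policy review record.
"""
import json
import os
import tempfile
from dataclasses import dataclass, field

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed watch list: streaming platforms named in the article.
WATCHED_DOMAINS = ("netflix.com", "hulu.com", "disneyplus.com",
                   "primevideo.com", "hbomax.com", "tv.apple.com")
# Hypothetical review register: the outcome of reading each publisher's
# privacy policy, keyed by extension id (these ids are constructed).
REVIEW_REGISTER = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"sells_browsing_data": False},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"sells_browsing_data": True},
}


@dataclass
class ExtensionRecord:
    ext_id: str
    name: str
    version: str
    permissions: list          # API permissions such as "tabs", "webRequest"
    host_patterns: list        # match patterns such as "https://*.example.com/*"
    findings: list = field(default_factory=list)


def is_host_pattern(entry):
    """Match patterns carry a scheme; API permissions such as 'tabs' do not."""
    return entry == "<all_urls>" or "://" in entry


def load_manifests(extensions_dir):
    """Yield (ext_id, version, manifest) for every manifest.json under extensions_dir."""
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if os.path.isfile(manifest_path):
                with open(manifest_path, encoding="utf-8") as fh:
                    yield ext_id, version, json.load(fh)


def assess(ext_id, version, manifest, review_register):
    """Separate API permissions from host patterns (MV3 lists hosts under
    host_permissions, MV2 mixes them into permissions) and apply the checks."""
    declared = list(manifest.get("permissions", []))
    api_perms = [p for p in declared if not is_host_pattern(p)]
    hosts = [p for p in declared if is_host_pattern(p)]
    hosts += list(manifest.get("host_permissions", []))
    rec = ExtensionRecord(ext_id, manifest.get("name", "?"), version, api_perms, hosts)

    review = review_register.get(ext_id)
    if review is None:
        rec.findings.append("no privacy policy review on file")
    elif review.get("sells_browsing_data"):
        rec.findings.append("privacy policy reserves the right to sell browsing data")
    if any(h in BROAD_HOSTS for h in hosts):
        rec.findings.append("broad host access")
    watched = [h for h in hosts if any(d in h for d in WATCHED_DOMAINS)]
    if watched:
        rec.findings.append("reads watched domains: " + ", ".join(watched))
    if "webRequest" in api_perms and hosts:
        rec.findings.append("can observe requests on its hosts")
    return rec


def inventory(extensions_dir, review_register=REVIEW_REGISTER):
    """One ExtensionRecord per installed extension version, with findings."""
    return [assess(i, v, m, review_register) for i, v, m in load_manifests(extensions_dir)]


def write_sample_profile(root):
    """Constructed manifests (not real extensions) so the example runs offline."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Corp Password Manager", "version": "4.1.0",
            "permissions": ["storage"], "host_permissions": ["https://vault.example.internal/*"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "Free Ad Blocker", "version": "2.0.3",
            "permissions": ["webRequest", "storage"], "host_permissions": ["<all_urls>"]},
        "cccccccccccccccccccccccccccccccc": {
            "manifest_version": 2, "name": "Streaming Ratings Helper", "version": "1.7",
            "permissions": ["tabs", "https://*.netflix.com/*", "https://*.hulu.com/*"]},
    }
    for ext_id, manifest in samples.items():
        path = os.path.join(root, ext_id, manifest["version"])
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


def demo():
    """Build a throwaway profile and run the inventory over it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_profile(root)
        return inventory(root)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec.name} {rec.version} [{rec.ext_id}]: {'; '.join(rec.findings) or 'clean'}")
```

<p>Running the script prints one line per extension; demo() builds the sample profile and returns the records, while inventory() can be pointed at a real profile’s Extensions directory on a host, with REVIEW_REGISTER replaced by whatever system holds the governance policy’s review outcomes. Two caveats: localized extensions declare their name as a __MSG_…__ placeholder that must be resolved from the _locales folder, which this script does not do, and a manifest only shows what an extension may access, so the review register, not the permissions, is what answers the second of LayerX’s three questions.</p>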