Browser extensions can pose risks similar to those of regular applications. Their seamless integration with widely used tools can create a false sense of security. A notable example involves over 200 extensions for browsers like Chrome and others that are being exploited to “scrape” content from websites. This practice essentially turns regular browser users into free data sources, with the extracted information sold for profit.
The process begins when a developer of a legitimate extension receives a tool that incorporates a software library into their extension. This library cleverly utilizes the “unused bandwidth” of the user’s browser in ways that are not immediately apparent. The extension can unobtrusively scan and scrape website content in a manner similar to search engines like Google, but it cleverly bypasses essential protections such as security headers and robots.txt directives. As a result, these extensions operate under the radar, consuming the processing power, bandwidth, and electricity of the user who unknowingly downloaded the free extension.
In effect, the user’s browser is transformed into a “bot.” The extension’s developer, who may or may not be fully aware of this exploitation, gets compensated, along with the creator of the software library. Numerous extensions across Chrome, Edge, and Firefox have been linked to the MellowTel software library. While some have been removed for malware issues or updated to eliminate the library, many still remain active.
Interestingly, while this behavior resembles that of a botnet or other malicious software, it does not necessarily constitute criminal activity. Users generally install these extensions without reading the terms of service, and the libraries used are often open-source. Nevertheless, using “unused bandwidth” raises ethical concerns. This bandwidth, which users pay for regardless of its use, may impact bills, especially on metered mobile connections.
Moreover, the scraping extensions pose security risks by collecting sensitive user data and establishing potentially unsafe connections to transmit this information.