Browser extensions can be just as dangerous as regular apps, and their integration with the tool everyone’s constantly using can make them seem deceptively innocuous. Case in point: a collection of more than 200 extensions for Chrome and other major browsers is being used to “scrape” website content. This essentially turns browser users into a free data center, with capacity sold off for profit.
The Secure Annex report (spotted by Ars Technica) is an interesting one, documenting the MellowTel system. Here’s how it works: Step one, a developer of a legitimate extension is offered a tool that integrates a software library into the extension. Step two, this software library utilizes the “unused bandwidth” for a browser in ways that aren’t obvious to the actual PC user.
What’s happening is that the extension is using some clever tricks to scan and “scrape” the website behind the scenes, in the same way search engines like Google do… but crucially bypassing some of the basic protections that are in place, like security headers and robots.txt.
So not only are the extensions slipping past some of the web’s basic guardrails, they’re doing so while parked on an unsuspecting PC, using up the processing power, bandwidth, and electricity of a user who downloaded a free browser extension. This essentially makes the end user’s browser a “bot,” in the researcher’s words.
Step three, that scraped data — extremely valuable in the age of AI training sets, among other useful things — is collected and sold. Step four, the developer of the extension, who may or may not be aware of all of this, gets paid… along with the creator of the software library, of course.
Hundreds of Chrome, Edge, and Firefox extensions have been documented using MellowTel, though some have been removed for malware (possibly unrelated to the report) or have simply dropped the library in an update. An updated list from researcher John Tucker is available here, along with links to the relevant pages on the Chrome Web Store, Microsoft Edge add-ons repository, and Firefox add-ons repository.
Here’s the interesting thing. Though this behavior certainly mimics the processes of a botnet or other malware, it’s not actively malicious… at least in terms that would obviously hold up in court. The user downloaded and installed the browser extension (almost certainly without reading the fine print), and the developer included the library. This isn’t too far removed from, say, the advertisements on this very page that are sharing a whole lot more data about you than you might feel comfortable with. The system that enables the scraping is even open source, available for anyone to inspect.
That said, this is definitely stepping over an ethical line, in my (totally independent, non-accusatory, and non-culpable) opinion. Gobbling up “unused bandwidth” is a red flag — that’s bandwidth that the user paid for, used or not, and will definitely show up in a bill if you happen to be on a metered connection while mobile. Using someone else’s bandwidth without explicit informed consent, to say nothing of computing power, smacks of the same kind of behavior that had extensions mining cryptocurrency with strangers’ computers.
And that’s without considering the security issues. Tucker notes that in addition to the scraping behavior, the extensions gather other data, including the computer’s (and thus the user’s) location, and open potentially unsafe connections to remote web servers to transmit the data. The potential for browser extensions to be malicious or unsafe isn’t new, but this kind of scraping and harvesting behavior is likely to become more common in the future.
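For anyone auditing installed extensions, here is an added example (not code from this article, the Secure Annex report, or MellowTel) that flags an unpacked extension able to strip the security headers mentioned above. It assumes the bypass is done with Chrome's `declarativeNetRequest` `modifyHeaders` rules, which the article does not specify; the function names and the sample manifest and rules are constructed for illustration.

```javascript
// Response headers that sites rely on for protection (non-exhaustive list).
const SECURITY_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-frame-options", "cross-origin-opener-policy", "cross-origin-resource-policy",
]);
const DNR_PERMISSIONS = ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"];
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Security headers that one declarativeNetRequest rule strips from responses.
function strippedHeaders(rule) {
  const action = rule.action || {};
  if (action.type !== "modifyHeaders") return [];
  return (action.responseHeaders || [])
    .filter((h) => h.operation === "remove")
    .map((h) => String(h.header).toLowerCase())
    .filter((name) => SECURITY_HEADERS.has(name));
}

// manifest: parsed manifest.json; ruleFiles: { path: parsed rule array } per static ruleset.
function auditExtension(manifest, ruleFiles) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V3 lists hosts in host_permissions; Manifest V2 mixes them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...perms];
  if (perms.some((p) => DNR_PERMISSIONS.includes(p)) && hosts.some((h) => BROAD_HOSTS.includes(h))) {
    // Runtime rules (updateDynamicRules) never appear in static files, so review scripts by hand.
    findings.push({ kind: "capability", detail: "may modify headers on every site" });
  }
  const resources = (manifest.declarative_net_request || {}).rule_resources || [];
  for (const res of resources) {
    for (const rule of ruleFiles[res.path] || []) {
      const headers = strippedHeaders(rule);
      if (headers.length > 0) findings.push({ kind: "static-rule", file: res.path, ruleId: rule.id, headers });
    }
  }
  return findings;
}

// Constructed sample input, not taken from any real extension.
const sampleManifest = {
  manifest_version: 3, permissions: ["storage", "declarativeNetRequest"], host_permissions: ["<all_urls>"],
  declarative_net_request: { rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }] },
};
const sampleRules = { "rules.json": [
  { id: 1, priority: 1, condition: { resourceTypes: ["sub_frame"] }, action: { type: "modifyHeaders",
    responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }, { header: "X-Frame-Options", operation: "remove" }] } },
  { id: 2, priority: 1, condition: { urlFilter: "ads.example" }, action: { type: "block" } },
] };
console.log(JSON.stringify(auditExtension(sampleManifest, sampleRules), null, 2));
```

A clean result from the static rule check does not clear an extension that still triggers the capability finding, since header rules can be registered at runtime.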