Nearly a million browsers affected by more malicious browser extensions – here’s what we know
- Researchers find 245 extensions installed on nearly a million devices
- The extensions could turn devices into web scraping bots for a commercial service
- Researchers warned about major security implications
A new investigation has revealed 245 browser extensions, installed on almost a million devices, have been leading a double life, as besides the operations they were designed for, they were also silently disabling key security protections in the browsers to enable paid web scraping operations.
This is according to security researcher John Tuckner from Security Annex, who found numerous extensions doing different things, from managing bookmarks, to boosting speaker volume. All of them embed a JavaScript library called MellowTel-js, which connects to an external AWS server and collects data about the user’s location, bandwidth, and browser status.
It also injects hidden iframes into the web pages users are visiting, and then loads other websites, chosen by MellowTel’s infrastructure. Furthermore, it strips web security headers, bypasses bot detection, and ultimately – shares bandwidth for profit.
Leveraging unused bandwidth
The JavaScript is tied to a company named Olostep, which promotes itself as a high-performance web scraping API that bypasses bot detection and can send out up to 100,000 parallel requests.
When paying clients submit a target website, Olostep uses the devices running affected extensions to scrape the site, effectively turning the browsers into distributed scraping bots, without the end users’ knowledge, or consent.
Ars Technica found MellowTel’s founder said the library was designed to share user bandwidth without stuffing affiliate links, unrelated ads, or collecting personal data.
“The primary reason why companies are paying for the traffic is to access publicly available data from websites in a reliable and cost-effective way,” he was cited saying, adding that extension developers receive 55%of the revenue, while the rest went to MellowTel.
Despite claims of a privacy-friendly way to monetize unused bandwidth, critics argue it exposes users to serious privacy and security risks, especially in enterprise environments. In its writeup, CyberInsider says the scale and architecture of the system makes it “ripe for abuse” by threat actors.
“The use of real browser sessions, potentially behind corporate VPNs or inside private networks, introduces profound risks. These include the potential for unauthorized internal resource access, impersonation of legitimate traffic, and degradation of browser security due to the removal of enforced headers.”
Some extensions have been removed or deactivated after being flagged for malware, while others cleaned up the controversial code in recent updates. Many remain active, and users are advised to review the full list of extensions found here.
You might also like
Researchers find 245 extensions installed on nearly a million devices The extensions could turn devices into web scraping bots for a commercial service Researchers warned about major security implications A new investigation has revealed 245 browser extensions, installed on almost a million devices, have been leading a double life, as…
