Skip to main content

Browser Extensions Sell User Data With Explicit Disclosure

Laptop on a desk with a browser window and extensions open, alongside a notepad and pen.
"Unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it," LayerX Security wrote.

LayerX Security's core findings

Browser-security firm LayerX Security examined roughly 9,000 extensions and analyzed 6,666 privacy policies. The researchers identified more than 80 extensions that explicitly reserve the right to sell user data, and after manual review confirmed 82 extensions engage in commercial data sharing. LayerX also reported that 71% of Chrome Web Store extensions do not publish a privacy policy — a gap that the firm says leaves over 73% of users with at least one installed extension that offers no visibility into how their data is handled.

A distributed data-collection network of 24 streaming extensions

LayerX identified a network of 24 media-focused extensions tied to major streaming services — including Netflix, Hulu, Disney+, Amazon Prime Video and HBO Max — that together reach about 800,000 users. These tools operate as a distributed data-collection system, harvesting viewing behavior and packaging it for third parties.

  • Tracking viewing history and engagement across streaming platforms
  • Building user profiles using preferences and inferred demographics
  • Packaging and selling aggregated insights to advertisers and analytics firms

Ad blockers, enterprise extensions, and scale of exposure

LayerX found at least 12 ad-blocker extensions that sell or share browsing data; those ad blockers have a combined user base exceeding 5.5 million. The firm also flagged 29 business-focused extensions that collect browsing data from enterprise systems, noting the commercial datasets created by these tools could expose internal activity. LayerX warned that traditional extension security checks can miss these privacy risks and that, "even when disclosed, data-selling practices can operate at scale with limited oversight."

How privacy policies enable monetization

Rather than surreptitious behavior, many of the extensions rely on broad legal language inside published privacy policies to permit data sales. Phrases such as "may sell or share your personal information" are cited by LayerX as allowing publishers to commercialize user data at their discretion. The firm contrasts this explicit disclosure with the practical reality that most users do not read privacy policies, shortening the path from disclosure to large-scale data monetization.

How technologists, procurement teams, and end users should respond

LayerX points to enterprise controls as a practical first step: "Most browsers already support centralized extension management through enterprise policies – Chrome's ExtensionSettings, Edge's group policies, Firefox's enterprise configurations," the firm wrote. It advised, "If you don't have an extension governance policy, that's the first step. If you do, add privacy policy review to the evaluation criteria."

  • Technologists and security teams: Implement centralized extension governance and add privacy-policy review to extension evaluation, since standard security checks can miss disclosed data-selling behavior.
  • Affected enterprises and procurement leaders: Treat browser extensions as potential data exfiltration points — review any business-focused extension that collects browsing data, and consider enterprise policy controls to limit installations.
  • End users and the general public: Be aware that some widely used extensions explicitly reserve the right to sell data and that many Chrome Web Store listings lack any published privacy policy; where possible, review policies or limit extension installations.

LayerX’s study reframes a familiar privacy conversation: the risk is not only hidden malware but open, contractually permitted commerce that most users never see. With networks of media extensions reaching hundreds of thousands of users and ad blockers and business extensions exposing millions more, the question is no longer whether extensions can be invasive — it is how organizations and individuals will govern the extensions they allow. Absent stronger oversight or consistent governance, disclosed data sales can scale into datasets that include both consumer viewing behavior and potentially sensitive enterprise browsing activity.

Source: https://www.infosecurity-magazine.com/news/browser-extensions-sell-user-data/