Experts have found that some browser extensions also leak private and sensitive data -- and could even put them up for sale.

While many have come to know the dangers of letting cookies have their way and steal sensitive user data, not as many people know that another culprit is busy doing the same thing and more. This culprit is not often viewed as a threat to privacy because they are packaged as helpful tools offered by legitimate sources. These are browser extensions.

The Washington Post, working with an independent security researcher named Sam Jadali, found that browser extensions have been busy keeping track of netizens activities on the internet, stealing sensitive information that belongs to them, and keeps them stored on the internet. What’s more, these companies behind these extensions can sell these information to whoever they want.


According to their research, sensitive and non-sensitive information belonging to more than 4 million people have been acquired by browser extensions and have made these available online. These extensions work on either Google’s Chrome browser or Mozilla’s Firefox browser.

Jadali found the user data on a website called Nacho Analytics. This website sells itself as a marketing intelligence service, offering data revealing what netizens click on at almost any website to any client who would want to know what’s best for their businesses.

Nacho claims that the data it shares to its clients come from netizens to allow themselves to be tracked. It adds that it removes information that could be used to reveal a person’s identity. Jadali, however, found that Nacho shared more than just “marketing data” to its clients.

  • The researcher found usernames, passwords and GPS coordinates giving away a person’s location. He also found more information enough for him to consider the leak as “catastrophic.” For example:
  • He found names of doctors and patients from a medical records service. The information also included medications. A quick look at another medical records service yielded patient names as well.
  • He also found the first names, last names and confirmation numbers of people checking into their flights at Southwest. He also saw last names and passenger record numbers at United.
  • He also saw a hundred documents with the word “tax” in their filenames on Microsoft’s cloud storage service, OneDrive.


What’s more worrying is that the extensions stealing info aren’t really shady or suspicious looking. One of them allowed Chrome users to zoom in on a photo without having to click anything. Another one converts text into speech for any website.

The North Carolina State University conducted its own research and found that out of 180,000 extensions for Chrome, 3,800 of them leak sensitive data. Ten of these extensions are being used by over 60 million users, indicating that Jadali’s words are true: it’s a leak on a catastrophic scale.

Google chrome browser
Google removed a Chrome extension called Interface Online that was stealing banking credentials. Simon/Pixabay