3 Comments
Luke West

Seriously good work, Q. As you stated, it appears that SimilarWeb is much bigger than just one company. Permitting the installation of these unsafe extensions, which permit the gathering of all this browsing data, is crummy OPSEC for companies. Data leakage by mistake. :-(

Kinder Grinder

So that is where SimilarWeb is getting its data. I always thought their data was nonsense, to be honest. After the Alexa traffic rank was shut down by Amazon, there was never a reliable source that tells you how trustworthy a website is. I was looking to add an API to plug into https://automatio.ai agents that will do some website analysis on traffic; SimilarWeb was screaming to be used, but I never trusted their data.

I know it's a bit off-topic, but the only reliable alternative for website score and traffic is Ahrefs data.

Pawel Jozefiak

What's wild is the exfiltration volume: 287 extensions, 37M installs. That's 1% of Chrome users unknowingly broadcasting their entire browsing history.

The threat model that keeps me up at night: internal URLs leaking to third parties. Every employee using a "productivity booster" extension is potentially exposing intranet dashboards, admin panels, and staging environments. That's not just privacy - that's corporate OPSEC failure at scale.

The encoding tricks (ROT47, AES-256, LZ-string) show these aren't accidental leaks. This is deliberate obfuscation to avoid detection. When extensions encrypt the data they're exfiltrating, that's not a bug. That's a business model.

Side question: did your automated scanner check for selective exfiltration? I'd bet some of these extensions don't leak all browsing data - they cherry-pick high-value patterns (banking, admin panels, SaaS logins) to reduce noise and avoid detection. Would love to see a breakdown of what URL patterns get prioritized.

Great forensic work. Sharing this with anyone who installs browser extensions without reading permissions.
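The comment above mentions ROT47 among the encoding tricks. The example below is added here and is not code from the original post or from any of the extensions it discusses; it shows why ROT47 is obfuscation rather than protection: it is a keyless substitution over the 94 printable ASCII characters, so the same function that "hides" a payload also reads it back. The payload shape (a JSON object with a `urls` array) and the URLs in it are constructed for the example, not taken from any real extension.

```javascript
// Added example: ROT47 encode/decode, as a defender would use it to peel
// this obfuscation layer off a captured extension request body.

// ROT47 rotates each printable ASCII character (33..126) by 47 positions
// within that 94-character range. Applying it twice returns the input,
// so no key is involved and decoding is the same operation as encoding.
function rot47(text) {
  let out = '';
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code >= 33 && code <= 126) {
      out += String.fromCharCode(33 + ((code - 33 + 47) % 94));
    } else {
      // Whitespace, control bytes and non-ASCII pass through unchanged.
      out += ch;
    }
  }
  return out;
}

// Constructed sample: a hypothetical telemetry body, a JSON document listing
// visited URLs, after ROT47 has been applied to it. This shape is an
// assumption for the example, not a payload observed on the page.
const SAMPLE_PLAINTEXT = JSON.stringify({
  urls: [
    'https://intranet.example.internal/admin/dashboard',
    'https://staging.example.com/login?next=/billing',
  ],
});
const SAMPLE_OBFUSCATED = rot47(SAMPLE_PLAINTEXT);

// Reverse the obfuscation and parse the result, returning the list of URLs
// a reviewer would want to inspect from the captured body.
function decodeRot47Payload(body) {
  const plain = rot47(body);
  return JSON.parse(plain).urls;
}

// Stand-alone run: show the obfuscated body and what it actually contains.
console.log('obfuscated:', SAMPLE_OBFUSCATED);
console.log('decoded   :', decodeRot47Payload(SAMPLE_OBFUSCATED));
```

When triaging a suspected exfiltration channel, try this transform on any request body that looks like printable garbage before assuming real encryption is in play; a body that turns into JSON or a URL list after one pass was never protected, only made unreadable to a casual proxy log review.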