Extensions installed on almost 1 million devices have been overriding key security protections to turn browsers into engines that scrape websites on behalf of a paid service, a researcher said.
The 245 extensions, available for Chrome, Firefox, and Edge, have racked up nearly 909,000 downloads, John Tuckner of SecurityAnnex reported. The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers. The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions.
Intentional weakening of browsing protections
Tuckner and critics say the monetization works by using the browser extensions to scrape websites on behalf of paying customers, which include advertisers. Tuckner reached this conclusion after uncovering close ties between MellowTel and Olostep, a company that bills itself as “the world's most reliable and cost-effective Web scraping API.” Olostep says its service “avoids all bot detection and can parallelize up to 100K requests in minutes.” Paying customers submit the locations of browsers they want to access specific webpages. Olostep then uses its installed base of extension users to fulfill the request.
“This seems very similar to the scraping instructions we saw while watching the MellowTel library in action,” Tuckner wrote after analyzing the MellowTel code. “I believe we have good reason to think that scraping requests from Olostep are distributed to any of the active extensions which are running the MellowTel library.”
MellowTel’s founder, for his part, has said the purpose of the library is “sharing [users’] bandwidth (without stuffing affiliate links, unrelated ads, or having to collect personal data).” He went on to say that the “primary reason why companies are paying for the traffic is to access publicly available data from websites in a reliable and cost-effective way.” The founder said extension developers receive 55 percent of the revenue, and MellowTel pockets the rest.
Despite the assurances, Tuckner said the extensions that incorporate MellowTel pose a risk to users who install them. One reason for this is that MellowTel causes extensions to activate a websocket that connects to an AWS server that collects the location, available bandwidth, heartbeats, and status of extension users. Besides the privacy erosions, the websocket also injects a hidden iframe into the page the user is currently viewing that connects to a list of websites specified by the Amazon Web Services server. There’s no way ordinary end users can determine what sites are being opened in the invisible iframe.
Tuckner wrote:
Shouldn't there be some protections to stop this from happening? How can you so easily load unintended content inside of any website?
Well, normally there are protections to prevent this. Common web server security headers like Content-Security-Policy and X-Frame-Options should stop this from happening. However, remember that the library requested declarativeNetRequest and access be added to the manifest if it isn't already? Those permissions allow for modification of web requests and responses as they are being made. The library dynamically modifies rules that will remove security headers from web server responses and then claims to add them back after the web page has loaded.
“This weakening of all web browsing can open users up to attacks like cross-site scripting that would generally be prevented under normal conditions,” Tuckner went on to write. “Not only are your users unintentionally becoming bots, but their actual web browsing is more vulnerable as well.”
MellowTel is also problematic because the sites it opens are unknown to end users. That means they must trust MellowTel to vet the security and trustworthiness of each site being accessed. And, of course, that security and trustworthiness can change with a single compromise of a site. MellowTel also poses a risk to enterprise networks that closely restrict the types of code users are permitted to run and the sites they visit.
Attempts to reach MellowTel representatives were unsuccessful.
Tuckner’s discovery is reminiscent of a 2019 analysis that found browser extensions installed on 4 million browsers collected users’ every movement on the web and shared them with customers of Nacho Analytics, which went defunct shortly after Ars exposed the operation.
Some of the data swept up in the collection free-for-all included surveillance videos hosted on Nest, tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive and Intuit.com, vehicle identification numbers of recently bought automobiles along with the names and addresses of the buyers, patient names and the doctors they saw, travel itineraries hosted on Priceline, Booking.com, and airline websites, Facebook Messenger attachments and Facebook photos, even when the photos were set to be private. The dragnet also collected proprietary information belonging to Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, and dozens of other companies.
Tuckner said in an email Wednesday that the most recent status of the affected extensions is:
- Of 45 known Chrome extensions, 12 are now inactive.
- Of 129 Edge extensions incorporating the library, eight are now inactive.
- Of 71 affected Firefox extensions, two are now inactive.
Some of the inactive extensions were removed for malware explicitly. Others have removed the library in more recent updates. A complete list of the extensions Tuckner found is published in his report.
