Browser Extensions Found Secretly Running Web Scraping Operations
A recent investigation by cybersecurity researcher John Tacner of SecurityAnnex has revealed a troubling trend: hundreds of browser extensions for Chrome, Firefox, and Edge are covertly turning users’ browsers into automated scraping tools for paid data services. These extensions have been downloaded nearly 909,000 times, putting countless users at risk without their knowledge.
MellowTel-js: The Hidden Enabler

At the core of the controversy is MellowTel-js, an open-source JavaScript library embedded in all 245 identified extensions. While it claims to offer monetization opportunities for developers by “sharing bandwidth,” Tacner warns that it effectively turns browsers into scraping bots. According to his findings, the library enables data harvesting by rerouting user traffic to Olostep, a commercial scraping API marketed as “the most reliable and cost-effective scraper on the planet.”
How It Works: Silent, Sophisticated, and Hard to Detect
These extensions don’t just assist users with productivity tools like bookmarks or clipboard managers—they silently activate a WebSocket, connecting to AWS-hosted servers that gather data on the user’s IP address, location, bandwidth, and browser activity. In the background, a hidden iframe is injected into the websites being visited, allowing the scraper network to collect content invisibly and without permission.
The extensions bypass even standard web security protections. Thanks to elevated extension permissions, security headers like Content-Security-Policy and X-Frame-Options are stripped out of server responses. This weakens browser security and opens doors for cross-site scripting (XSS) and other web-based attacks.
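As an added example (not code from the article, the researcher, or MellowTel), the following Node.js sketch audits an unpacked extension's manifest and declarativeNetRequest rule file for the header stripping described above. It assumes the removal is done with `modifyHeaders` rules, which the article does not specify; `auditExtension` and the sample manifest and rules are constructed for illustration.

```javascript
// Headers the article names as being removed from server responses.
const PROTECTIVE_HEADERS = new Set(["content-security-policy", "x-frame-options"]);
// Manifest permissions that allow rewriting response headers (MV3 and MV2).
const HEADER_PERMS = new Set(["declarativeNetRequest",
  "declarativeNetRequestWithHostAccess", "webRequestBlocking"]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditExtension(manifest, rules) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...perms];
  const canRewrite = perms.some((p) => HEADER_PERMS.has(p));
  const broad = hosts.some((h) => BROAD_HOSTS.has(h));
  if (canRewrite && broad) {
    findings.push({ kind: "broad-header-access", detail: "can modify headers on all sites" });
  }
  for (const rule of rules || []) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase(); // header names are case-insensitive
      if (h.operation === "remove" && PROTECTIVE_HEADERS.has(name)) {
        findings.push({ kind: "strips-security-header", ruleId: rule.id, header: name });
      }
    }
  }
  return findings;
}

// Constructed sample input (assumption: not taken from any real extension).
const sampleManifest = {
  manifest_version: 3,
  name: "Sample Clipboard Helper",
  permissions: ["storage", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
};
const sampleRules = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" },
      { header: "Cache-Control", operation: "set", value: "no-store" } ] },
    condition: { resourceTypes: ["sub_frame"] } },
  { id: 2, priority: 1, action: { type: "block" }, condition: { urlFilter: "ads.example" } },
];

console.log(auditExtension(sampleManifest, sampleRules));
```

A productivity extension such as a bookmark or clipboard manager has no functional reason to remove these headers, so any `strips-security-header` finding warrants review of the extension.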
Developers Are Paid—But At What Cost to Users?
The founder of MellowTel insists that the service is legitimate and transparent, claiming that developers receive 55% of the profits for participating in the network. The founder argues that the goal is to access public data without harmful advertising or personal data collection. However, Tacner’s research paints a more alarming picture, especially for corporate environments, where even minor browser exploits can lead to data breaches and regulatory violations.
Some Extensions Already Deactivated—But Most Remain Active
Out of the 45 Chrome extensions involved, 12 have been removed, possibly for malware. Edge had 129 affected extensions, 8 of which are now inactive. Firefox saw 71 impacted add-ons, with only two taken down to date. This shows that the vast majority remain accessible, still functioning as silent web crawlers in the background of users’ daily internet usage.
Not the First Time: A Troubling Pattern
This isn’t a new issue. Back in 2019, over 4 million users had extensions that sent their entire browsing histories, documents, and even security camera feeds to Nacho Analytics, a company that eventually shut down after public outcry and investigative pressure. Sensitive data from major firms like Tesla, Pfizer, and Blue Origin was among the leaked content.
Conclusion: Stay Vigilant—Your Browser Might Be Working for Someone Else
This new wave of web-scraping browser extensions reveals how even trusted platforms can be hijacked by monetization schemes cloaked as productivity tools. With browser permissions often misunderstood or ignored, users must become more proactive about digital hygiene. Regularly auditing installed extensions, revoking unnecessary permissions, and favoring open-source, community-reviewed tools are small steps that can prevent invisible exploitation of your bandwidth and data.
For organizations, this serves as yet another warning: even seemingly harmless extensions can pose enterprise-level risks. The line between convenience and compromise has never been thinner.





