
Browser Extensions Turn Nearly 1 Million Browsers Into Website-Scraping Bots (arstechnica.com)

Posted by BeauHD on Wednesday July 09, 2025 @11:30PM from the PSA dept.


Over 240 browser extensions with nearly a million total installs have been covertly [1]turning users' browsers into web-scraping bots. "The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers," reports Ars Technica. "The common thread among all of them: They incorporate [2]MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions." Ars Technica reports:

> Some of the data swept up in the collection free-for-all included surveillance videos hosted on Nest, tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive and Intuit.com, vehicle identification numbers of recently bought automobiles along with the names and addresses of the buyers, patient names and the doctors they saw, travel itineraries hosted on Priceline, Booking.com, and airline websites, Facebook Messenger attachments and Facebook photos, even when the photos were set to be private. The dragnet also collected proprietary information belonging to Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, and dozens of other companies.
>
> Tuckner [3]said in an email Wednesday that the most recent status of the affected extensions is:
>
> - Of 45 known Chrome extensions, 12 are now inactive. Some of the extensions were removed for malware explicitly. Others have removed the library.
> - Of 129 Edge extensions incorporating the library, eight are now inactive.
> - Of 71 affected Firefox extensions, two are now inactive.
>
> Some of the inactive extensions were removed for malware explicitly. Others have removed the library in more recent updates. A complete list of extensions found by Tuckner is [4]here.



[1] https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/

[2] https://github.com/mellowtel-inc/mellowtel-js

[3] https://secureannex.com/blog/mellow-drama/

[4] https://docs.google.com/spreadsheets/d/e/2PACX-1vT1XgBs25gRlg5e3nYCAff967WMtZZTO-TB3rR9zszaJpTpCVFg8j7FkBxnHb3tw3aHGjKBGSxYyLgV/pubhtml



...again. (Score:2)

by Narcocide ( 102829 )

JavaScript was a mistake.

Re: (Score:2)

by TuballoyThunder ( 534063 )

Compounded by dynamically including libraries downloaded from random website.

Re: (Score:2)

by dfghjk ( 711126 )

It's not the language or that there is scripting, it's what the scripting has access to. Modern web browser architecture is a joke because developers have become incompetent.

Can't wait for version 3!

Re: (Score:2)

by Tony Isaac ( 1301187 )

Javascript alone can't do this, only browser extensions can. It's the extensions, not the language.

Re: (Score:2)

by znrt ( 2424692 )

this was the issue here:

> "They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions."

"Developers" rushing to monetize their crap extension that they're not savvy or caring enough to actually develop. Whether they had bad intentions or not, these guys are simply not to be trusted anymore. Something similar could be said about users installing that crap, but then users are users.

Bottom line is that extensions are powerful tools, but with their power comes risk. Installing an extension is similar to running any random executable. No extension or library should ever be

Re: (Score:2)

by Tony Isaac ( 1301187 )

I agree with you fully that extensions should not be trusted, unless you completely trust the company that made it. My point is that it's the extension that's evil, not the language. Without the extension, the language alone would not be able to inject the scraper into every single website you visit.

Vetting? (Score:3)

by zkiwi34 ( 974563 )

I guess that isn't much of a thing anymore.

Re: (Score:2)

by Tony Isaac ( 1301187 )

Browser extensions have always been a wasteland of crappy useless widgets from noname companies.

I once tried an extension that let me send and receive texts from my browser, and it was cool, until I realized what I was giving that company in the process. Since then, I've kept a bare minimum of extensions: uBlock Origin (Lite), Chrome Remote Desktop, Microsoft SSO, and Google Docs Offline. That's it. If I don't know the company that made an extension, I'm not allowing it into my browser.

Re: (Score:2)

by martin-boundary ( 547041 )

I like to use ghostery in addition to uBlock Origin. I miss the non-lite version.

Re: (Score:2)

by markdavis ( 642305 )

> "I like to use ghostery in addition to uBlock Origin. I miss the non-lite version."

[1]https://addons.mozilla.org/en-... [mozilla.org]

[2]https://addons.mozilla.org/en-... [mozilla.org]

Perfectly non-"lite"

As for malicious add-ons, there is the "Recommended" badge (that can be set as a filter as well) which helps a lot.

[3]https://support.mozilla.org/en... [mozilla.org]

[4]https://support.mozilla.org/en... [mozilla.org]

Not surprisingly, both UBO and Ghostery are listed as "Recommended", along with 99 others (out of 58,708 addons). I will admit that of the 7 I am using at ho

[1] https://addons.mozilla.org/en-US/firefox/addon/ghostery

[2] https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

[3] https://support.mozilla.org/en-US/kb/tips-assessing-safety-extension

[4] https://support.mozilla.org/en-US/kb/recommended-extensions-program
