- Researchers find 245 extensions installed on nearly one million units
- The extensions could transform devices into web -scraping bots into a commercial service
- Researchers warned of major security consequences
A new study has revealed 245 browser extensions installed on nearly one million units has led a double life as they were designed in addition to the operations for which they were designed, also they deactivated the most important security protections in the browsers to enable paid web scraping operations.
This, according to security researcher John Tuckner of Security Annex, who found several extensions that did different things from managing bookmarks, to increasing speaker volume. All of them integrate a JavaScript library called Mellowtel-JS, which connects to an external AWS server and collects data on the user’s location, bandwidth and browser status.
It also injects hidden iFrames on web pages that users visit, and then loading other sites, selected by Mellowtel’s infrastructure. In addition, it stripes the web security headlines, bypasses bot detection and ultimately – shares bandwidth to profit.
Utilizing unused bandwidth
JavaScript is tied to a company named Olostep, which promotes itself as a high-performance web-scraping API that bypasses bot detection and can send up to 100,000 parallel requests.
When you pay clients submitting a target site, Olostep uses the devices that run affected extensions to scrape the site effectively transform the browsers into distributed scraping bots without end users’ knowledge or consent.
Ars Technica Found Mellowtel’s founder said the library was designed to share user bandwidth without filling associated links, non -related ads or collecting personal data.
“The primary reason for companies paying for traffic is to access publicly available data from websites in a reliable and cost -effective way,” he was quoted and added that expansion developers receive 55%of revenue while the rest went to Mellowtel.
Despite allegations of a privacy -friendly way of making money on unused bandwidth, critics claim that it exposes users to serious privacy and security risks, especially in corporate environments. In his writing, Cyberinsides Says the scope and architecture of the system make it “mature for abuse” of threat actors.
“Using real browsing sessions, potentially behind the company’s VPNs or within private networks, introducing deep risks. These include the potential of unauthorized internal resource access, imitation of legitimate traffic and breakdown of browser security due to removal of enforced headlines.”
Some extensions have been removed or disabled after being marked for malware, while others cleaned the controversial code in the latest updates. Many remain active and users are advised to review the full list of extensions found here.
