New research published on April 26, 2026, by security firm LayerX has found that at least 82 browser extensions available on the Chrome Web Store explicitly reserve the right to sell user data to third parties – and every one of them does so with the full knowledge of the users who installed them. The catch: almost nobody reads the privacy policies where these disclosures appear.

The findings, authored by LayerX Security researchers Dar Kahllon and Guy Erez, are part of the firm's Enterprise Browser Extension Security Report 2026. The research covers two interlinked investigations: a privacy policy analysis of consumer-facing extensions in official stores, and a telemetry-based study of enterprise extension deployments drawn from over 1 million devices. Together, they document a browser ecosystem where both individual users and corporate IT teams have far less visibility into extension behavior than they typically assume.

What the privacy policy analysis found

The LayerX team started with roughly 9,000 extensions that had privacy policy URLs in its database, successfully fetching and parsing 6,666 of those policies. The pipeline ran in three stages. First, an AI classifier flagged policies disclosing the sale, licensing, or commercial transfer of user data. Then researchers manually reviewed every flagged result to remove false positives, excluding enterprise security tools, standard CCPA ad-retargeting disclosures involving platforms such as Google Ads, and opt-in data monetization platforms where users are compensated. What remained after that filtering was a dataset of 82 unique extensions across 94 store listings.
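The two-stage triage described above can be sketched in code. The block below is an added example, not LayerX's pipeline or classifier: it stands in for the AI classifier with a handful of regular expressions (stage 1) and for the manual review with explicit exclusion rules for the three false-positive categories the report names (stage 2). The policy excerpts and extension ids are constructed for the example, not quoted from any real extension. It also handles one wrinkle a first-pass keyword scan gets wrong: a policy that says "we do not sell your data" but goes on to reserve licensing rights.

```python
import re

# Constructed policy excerpts keyed by made-up extension ids. These are
# illustrative stand-ins, not text from any real extension's privacy policy.
SAMPLE_POLICIES = {
    "ext-a": "We may sell or license your browsing data to third parties for market analytics purposes.",
    "ext-b": "We share browsing data with advertising partners such as Google Ads for retargeting, as permitted under CCPA.",
    "ext-c": "Browsing telemetry is transferred for commercial purposes to vendors approved by your enterprise security team.",
    "ext-d": "By opting in you are paid monthly in exchange for sharing your browsing activity with our data partners.",
    "ext-e": "We never sell personal data. Data is stored locally on your device.",
    "ext-f": "We do not sell your data, but we may license aggregated data to research firms.",
}

# Stage 1: language that discloses sale, licensing, or commercial transfer.
SALE_PATTERNS = {
    "sale": r"\b(sell|sells|sold|selling)\b",
    "licensing": r"\blicens(e|es|ing)\b.*\bdata\b",
    "commercial transfer": r"\bcommercial(ly)?\b.*\b(transfer|purposes|use)\b",
    "sharing with third parties": r"\bshar(e|es|ing)\b.*\b(data|activity|identifiers)\b.*\b(third parties|partners|brokers)\b",
}

# A negated clause ("we never sell", "we do not share") must not trigger stage 1,
# but only that clause is discounted; the rest of the sentence is still scanned.
NEGATED = r"\b(never|do not|don't|does not|will not|won't)\b[^.,;]{0,40}?\b(sell|sells|selling|share|shares)\b"

# Stage 2: the false-positive categories the report says were filtered out by hand.
EXCLUSIONS = [
    ("enterprise security tool", r"\benterprise security\b"),
    ("CCPA ad-retargeting disclosure", r"\bretarget"),
    ("compensated opt-in monetization",
     r"\b(paid|compensat\w*|rewarded)\b.{0,80}\b(opt[- ]?in|in exchange)\b"
     r"|\bopt(ing)?[- ]?in\b.{0,80}\b(paid|compensat\w*|rewarded)\b"),
]


def strip_negated_clauses(text):
    """Blank out 'do not sell'-style clauses so they cannot count as disclosures."""
    return re.sub(NEGATED, " ", text, flags=re.I)


def stage1_flag(text):
    """Return the labels of every sale/transfer pattern found in the policy text."""
    cleaned = strip_negated_clauses(text)
    return [label for label, pat in SALE_PATTERNS.items() if re.search(pat, cleaned, re.I)]


def stage2_exclusion(text):
    """Return the exclusion category that applies, or None if the flag stands."""
    for label, pat in EXCLUSIONS:
        if re.search(pat, text, re.I):
            return label
    return None


def triage(policies):
    """Map extension id -> (status, stage-1 reasons) for every policy."""
    result = {}
    for ext_id, text in policies.items():
        reasons = stage1_flag(text)
        if not reasons:
            result[ext_id] = ("not flagged", [])
            continue
        exclusion = stage2_exclusion(text)
        status = "excluded: " + exclusion if exclusion else "confirmed"
        result[ext_id] = (status, reasons)
    return result


def confirmed_sellers(policies):
    """Ids that survive both stages, i.e. the analogue of the report's 82."""
    return sorted(ext_id for ext_id, (status, _) in triage(policies).items() if status == "confirmed")


if __name__ == "__main__":
    for ext_id, (status, reasons) in triage(SAMPLE_POLICIES).items():
        print(f"{ext_id}: {status} {reasons}")
```

Note that ext-f is confirmed even though its policy opens with "We do not sell your data": the negation covers only the sale clause, and the licensing clause that follows is exactly the kind of disclosure the report's first stage was built to catch. Stage 2 is where the judgment calls live; in the real study that was a human reviewer, not a regex.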

According to the report, 75 of those extensions are currently live in the Chrome Web Store. The remaining seven have been removed from the store – but removal does not mean uninstallation. An extension pulled from the store can remain active in browsers that already have it installed.

The headline number attached to those 82 extensions is at least 6.5 million users. However, the research is explicit that this figure is almost certainly an undercount. According to LayerX, 71% of all extensions in the Chrome Web Store do not publish a privacy policy at all. As a result, more than 73% of users have at least one extension installed with no privacy policy and therefore no transparency about data handling. The analysis could only examine the 29% of extensions that publish a policy. Those that publish no policy at all may also sell data; there is no way to know from the outside.

The QVI network: 24 extensions, 800,000 users, one anonymous publisher

The most structurally significant finding in the report concerns a network of 24 extensions operating under the prefix QVI – short for "Quality Viewership Initiative." All 24 are published by an entity called HideApp LLC, registered at 1021 East Lincolnway, Cheyenne, Wyoming, an address shared by hundreds of LLCs through a registered agent service. The brand name used across the network is "dogooodapp."

Twenty-one of the 24 extensions are currently live; three have been removed. Together, the live extensions reach nearly 800,000 users. Each extension targets a specific streaming platform: Netflix, Hulu, Disney+, Amazon Prime Video, HBO Max, Peacock, Paramount+, Tubi, Apple TV+, Crunchyroll, and others. The largest single extension in the network, Custom Profile Picture for Netflix, has 200,000 users. Hulu Ad Skipper and Netflix Picture in Picture each reach 100,000 users. Ad Skipper for Prime Video and Netflix Extended each have roughly 60,000.

According to the privacy policy that the network publishes – the one that store listings don't surface – these extensions collect viewing history, content preferences, platform subscriptions, downloaded content, and streaming behavior. They also collect age and gender. Where users don't provide demographic information directly, the policy states that the extensions match email addresses against third-party demographic databases to fill in the gaps.

The policy describes selling compiled reports to content creators and studios, streaming platforms, media research firms, marketing agencies, and what the document calls "organizations that purchase anonymized viewing data." According to the research, this amounts to a distributed audience-measurement operation running inside users' browsers – pulling viewing behavior across nearly every major streaming service, building behavioral profiles for close to 800,000 people, and selling that intelligence commercially. None of those users signed up for that purpose. Legally, they agreed to it when they clicked "Add to Chrome."

Ad blockers with a data-selling side business

Eight confirmed ad blockers in the research reserve the right to sell or share user information with third parties. Their combined install base exceeds 5.5 million users.

Stands AdBlocker, with 3 million users, sells browsing data to third parties for what its policy describes as market analytics purposes. Poper Blocker, with 2 million users, discloses advertising identifiers, browsing activity, behavioral profiles, and inferred sensitive data – including health conditions, religious beliefs, and sexual orientation, all inferred from URLs visited. All Block, a YouTube ad blocker with 500,000 users published by an entity called Curly Doggo Limited in London, sells anonymized data for analytical and commercial purposes. TwiBlocker, with 80,000 users, discloses transferring browsing data to third parties who process or sell it for analytical purposes. Urban AdBlocker, with 10,000 users, routes browsing data and AI conversations through the BiScience data broker.

The pattern is notable for what it means in practice. Users install ad blockers partly to limit tracking. Several of those ad blockers are themselves selling the behavioral data they collect.

Of the 82 confirmed data-selling extensions, 29 are B2B sales intelligence tools. According to the research, their disclosure of data practices is not itself surprising – data is their core business. But the researchers flag them for a different reason. These extensions sit on corporate devices. Employee browsing behavior – internal URLs, SaaS dashboards, research activity – flows through them into commercial databases. Competitors can potentially purchase that data.

The risk for enterprises is not that employees are being deceived. It is that corporate information is leaving through a channel that most security teams are not watching. According to the report, most extension security evaluations focus on permissions or known malicious indicators, catching malware but not extensions that openly reserve the right to sell browsing data.

The research also points to a category of seemingly innocuous extensions with data-selling practices buried in their policies. Career.io Job Auto Apply, with 10,000 users, states that it may use personal data collected from resumes to sell to third parties including data brokers. EmailOnDeck, a temporary email service with 10,000 users, explicitly designed for situations where users don't want to share real information, discloses that it may sell, rent, or share its mailing list. Canine Cuties, a wallpaper new-tab extension with 6,000 users, is a confirmed data seller through the Apex Media network.

Enterprise extension risk: the broader picture

The companion enterprise report, drawing on telemetry from over 1 million devices in enterprise environments, puts the consumer findings in a wider context. According to the data, 99% of enterprise users have at least one browser extension installed. The figure is nearly uniform across organization sizes: 99.18% in small enterprises with fewer than 1,000 employees, 97.36% in mid-sized organizations, and 99.66% in larger enterprises. More than one in four users in small organizations has more than 10 extensions installed.

Nearly 75% of all browser extensions request high or critical permission levels – 40.83% high and 34.56% critical – while only 2.9% operate with low permissions. According to the report, extensions with elevated permissions can access sensitive browser data and user activity, meaning a compromised extension could expose sensitive information or take over user sessions.

The AI extension subset shows a particularly elevated risk profile. According to the data, about 15% of enterprise users have at least one AI extension installed, with small and mid-size organizations showing the highest adoption rates: 14.55% for small enterprises and 17.70% for mid-size. Adoption is lower in larger enterprises at 9.53%, which the researchers attribute to stricter security policies.

AI extensions are 60% more likely to have a known CVE than the average browser extension – 16.31% versus 10.8% across all extensions. They are three times more likely to request cookie access, which could expose session tokens and authentication data. They are 2.5 times more likely to have scripting permissions; 41.91% of AI extensions request scripting access, compared to 15.4% across all extensions. Scripting permissions allow extensions to inject code into web pages, enabling capture of inputs, content manipulation, and extraction of sensitive data. AI extensions are also nearly twice as likely to request tab access, which allows managing browser tabs including monitoring navigation and redirecting users.

Permissions are not fixed at installation. According to the enterprise report, 4.33% of all extensions installed in enterprise environments changed their permissions over the past year. For AI extensions, that figure rises to 25%. Sixty-four percent of users have at least one AI extension that changed its permissions in the past year, compared to 34% of users across all extensions. An extension that appeared safe at the time of installation may subsequently gain access to sensitive data without users being aware of it.

Trust signals are weak across the ecosystem

Even in enterprise environments, more than 10% of all extensions have fewer than 1,000 users. A quarter have fewer than 5,000 users, and a third have fewer than 10,000 installations. For AI extensions specifically, the situation is more pronounced: almost 15% have fewer than 1,000 installations, a third have fewer than 5,000 deployments, and nearly half – 46.5% – have fewer than 10,000 users. A whopping 95% of enterprise users have installed a browser extension with fewer than 1,000 users. According to the research, a low install count can signal that an extension is abandoned, unvetted, or created by an unknown or potentially malicious publisher.

Extension age matters too. Around 40% of all extensions are unmaintained, defined as not having been updated in over a year. Seventy-two percent of all users have at least one unmaintained extension installed. Unmaintained extensions may contain unresolved vulnerabilities or outdated code that attackers can exploit.

The implications for marketing professionals are specific and substantive. Ad tech companies, agencies, and marketing platforms handle large volumes of sensitive campaign data, proprietary audience information, SaaS credentials, and client communications – all accessed through browsers on corporate devices. An extension installed by a single analyst on a single machine can, if its privacy policy permits data sales, route internal URL patterns, behavioral signals, and browsing activity to commercial data brokers.

The research touches on territory that PPC Land has covered in adjacent contexts. The LinkedIn BrowserGate investigation exposed how LinkedIn's scanning system probed for 6,222 browser extensions per session, including security tools, ad blockers, and accessibility utilities, building company-level intelligence profiles. A class action complaint filed on April 6, 2026 alleges that LinkedIn covertly assembled device fingerprints from Chrome users and routed encrypted data to undisclosed third parties. Both cases point to the same underlying problem: the browser extension ecosystem lacks the governance infrastructure to match the scope of its deployment.

The Perplexity Comet browser security disclosures, which LayerX itself helped surface in 2025, showed that agentic browsers introduce prompt injection risks that can enable exfiltration of email, calendar data, and connected service information. The trend line is consistent: browser-based tools are expanding their access to sensitive data faster than governance frameworks are catching up.

For enterprise security teams, the LayerX report is direct about the gap in conventional evaluation methods. Checking extension permissions catches malware. It doesn't catch an extension whose privacy policy explicitly reserves the right to sell browsing data. That data-selling disclosure is a stated business practice, sitting in a document that employees accepted without reading.

According to the research, most browsers already support centralized extension management through enterprise policies – Chrome's ExtensionSettings, Edge's group policies, Firefox's enterprise configurations. The report notes that LayerX has added a filter to its platform to detect and optionally block extensions that either lack a privacy policy or reserve the right to sell personal data.
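The criteria the report lays out across the enterprise section (missing privacy policy, a policy that reserves the right to sell, cookie/scripting/tab permissions, permissions that changed after install, install counts under 1,000, no update in over a year) can be turned into a simple inventory audit, and the audit's output into a Chrome ExtensionSettings policy. The block below is an added example written for this article; it is not LayerX's filter or any vendor's tooling. The inventory records, extension ids (32-character placeholders, not real Chrome ids), names and dates are constructed; `has_privacy_policy` and `policy_reserves_sale` are assumed to have been filled in by a prior policy review such as the triage step earlier in the article. The `installation_mode` and `blocked_install_message` keys are real ExtensionSettings fields; `"removed"` is used deliberately because, as the article notes, a store takedown does not uninstall anything already deployed.

```python
import json
from datetime import date

# Thresholds taken from the report's own definitions.
RISKY_PERMISSIONS = {"cookies", "scripting", "tabs"}
UNMAINTAINED_DAYS = 365        # "not updated in over a year"
LOW_INSTALL_COUNT = 1000       # "fewer than 1,000 users"
TODAY = date(2026, 4, 26)      # fixed reference date so results are reproducible

# Constructed inventory. Ids are placeholders, not real Chrome extension ids.
INVENTORY = [
    {"id": "a" * 32, "name": "Streaming Companion (constructed)", "users": 200_000,
     "last_updated": date(2026, 3, 1), "install_permissions": ["storage"],
     "permissions": ["storage", "cookies", "tabs"],
     "has_privacy_policy": True, "policy_reserves_sale": True},
    {"id": "b" * 32, "name": "AI Writing Assistant (constructed)", "users": 800,
     "last_updated": date(2026, 4, 10), "install_permissions": ["scripting", "tabs", "cookies"],
     "permissions": ["scripting", "tabs", "cookies"],
     "has_privacy_policy": True, "policy_reserves_sale": False},
    {"id": "c" * 32, "name": "Tab Organizer (constructed)", "users": 50_000,
     "last_updated": date(2024, 11, 15), "install_permissions": ["tabs"],
     "permissions": ["tabs"],
     "has_privacy_policy": False, "policy_reserves_sale": False},
    {"id": "d" * 32, "name": "Corporate SSO Helper (constructed)", "users": 12_000,
     "last_updated": date(2026, 2, 20), "install_permissions": ["storage", "identity"],
     "permissions": ["storage", "identity"],
     "has_privacy_policy": True, "policy_reserves_sale": False},
]


def audit_extension(ext, today=TODAY):
    """Return the list of risk findings for one inventory record, in a fixed order."""
    findings = []
    if not ext["has_privacy_policy"]:
        findings.append("no_privacy_policy")          # no transparency at all
    elif ext["policy_reserves_sale"]:
        findings.append("policy_reserves_sale")       # disclosed, legal, and still a leak
    risky = sorted(RISKY_PERMISSIONS & set(ext["permissions"]))
    if risky:
        findings.append("risky_permissions:" + ",".join(risky))
    if set(ext["permissions"]) != set(ext["install_permissions"]):
        findings.append("permissions_changed_since_install")
    if ext["users"] < LOW_INSTALL_COUNT:
        findings.append("low_install_count")
    if (today - ext["last_updated"]).days > UNMAINTAINED_DAYS:
        findings.append("unmaintained")
    return findings


def audit_inventory(inventory, today=TODAY):
    """Map extension id -> findings for the whole inventory."""
    return {ext["id"]: audit_extension(ext, today) for ext in inventory}


def build_extension_settings(audit, block_when=("no_privacy_policy", "policy_reserves_sale")):
    """Build a Chrome ExtensionSettings policy that removes extensions matching block_when.

    Everything else stays allowed; the remaining findings are for review, not
    automatic blocking, because cookie/tab access alone is common and legitimate.
    """
    policy = {"*": {"installation_mode": "allowed"}}
    for ext_id, findings in audit.items():
        hits = [f for f in findings if f in block_when]
        if hits:
            policy[ext_id] = {
                "installation_mode": "removed",
                "blocked_install_message": "Blocked by policy: " + ", ".join(hits),
            }
    return policy


def policy_json(inventory, today=TODAY):
    """The JSON string an admin would place in the ExtensionSettings policy value."""
    return json.dumps(build_extension_settings(audit_inventory(inventory, today)), indent=2)


if __name__ == "__main__":
    for ext_id, findings in audit_inventory(INVENTORY).items():
        print(ext_id[:8], findings)
    print(policy_json(INVENTORY))
```

The deliberate design choice is the split between "block" and "review" findings: the two disclosure-based criteria map directly onto what the article says conventional permission checks miss, while the permission, install-count and staleness findings are the signals a team would triage by hand before deciding to block.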

The broader legal framing is also significant. None of the 82 extensions identified in the research are operating illegally. They disclosed their data practices. The gap is not between what is legal and what happens. The gap is between what is disclosed and what is read.

Timeline

  • July 2021 – UK regulator ICO opens investigation into real-time bidding under GDPR, finding that browsing profiles are shared among hundreds of organisations per bid request without individuals' knowledge
  • August – October 2025 – Several security firms including LayerX disclose critical vulnerabilities in Perplexity's Comet browser, demonstrating how browser-based AI tools can expose emails, calendar data, and credentials through prompt injection
  • April 6, 2026 – Class action complaint filed in US District Court for the Northern District of California; Ganan v. LinkedIn Corporation alleges LinkedIn secretly scanned Chrome users for 6,000 extensions and routed device fingerprints to undisclosed third parties
  • April 2026 – Technical investigation by Fairlinked e.V. publishes full anatomy of LinkedIn's BrowserGate system, revealing collection of 48 hardware and software characteristics per session routed through third-party cybersecurity firms
  • April 26, 2026 – LayerX Security researchers Dar Kahllon and Guy Erez publish the findings covered in this article: at least 82 Chrome extensions legally selling user data, covering 6.5 million users, plus the Enterprise Browser Extension Security Report 2026 based on telemetry from over 1 million enterprise devices

Summary

Who: LayerX Security researchers Dar Kahllon and Guy Erez, along with the publishers of 82 identified Chrome extensions, including HideApp LLC (QVI network), Stands AdBlocker, Poper Blocker, All Block, and 29 B2B sales intelligence tools. Enterprise users across organizations of every size are also affected.

What: A two-part research publication documenting that at least 82 browser extensions with a combined user base of at least 6.5 million explicitly reserve the right to sell user data to third parties, all within the terms of their privacy policies. A parallel enterprise telemetry report found that 99% of enterprise users have at least one extension installed, that 75% of extensions request high or critical permissions, and that AI extensions carry a risk profile significantly above the baseline.

When: The research was published on April 26, 2026. The data underlying the enterprise report was collected from over 1 million enterprise devices over an ongoing period. The privacy policy analysis examined 6,666 policies sourced from a database of roughly 9,000 extensions with known policy URLs.

Where: The Chrome Web Store is the primary distribution channel for the identified extensions. The data-selling disclosures appear in privacy policies linked from store listings – documents that 71% of extensions in the store don't publish at all.

Why: The research addresses a gap in how extension security is conventionally assessed. Permission-based auditing catches malicious extensions but doesn't identify extensions whose data-selling practices are fully disclosed and legally compliant. Browser extensions have become the largest unmanaged attack surface in enterprise environments according to LayerX, and the growth of AI extensions – which are 60% more likely to carry known vulnerabilities and six times more likely to expand permissions after installation – has added a new layer of exposure that most enterprise governance frameworks don't yet address.

