New research by LayerX Security uncovers multiple networks of browser extensions that collect user data and resell it for profit – and it’s all completely legal. For, unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it.
LayerX analyzed the privacy policies of thousands of extensions and uncovered over 80 different extensions that collect and sell customer data. Some of these extensions include:
While browser extensions may seem innocent, these findings highlight the privacy exposure that can arise from unregulated usage of extensions.
Privacy policies. Reading them is like watching paint dry. For most users, it’s worse than reading the fine print in their mortgage agreements; and that’s saying something.
Except we did.
LayerX Security researchers Dar Kahllon and Guy Erez analyzed the privacy policies of thousands of browser extensions available in official stores. They were looking for one thing: whether the publisher explicitly reserved the right to sell user data.
And we found them. Our analysis showed at least 80 such extensions, some of them working in collusion, and developed by the same developer across all extensions. They range from ad blockers and streaming tools to job application helpers, new-tab extensions, and B2B sales intelligence platforms.
Most of these policies don’t say “we sell your data.” They say “we may sell.” It’s a legal hedge – but it means your data can be sold at any time, and you already agreed to it. Here’s what that looks like in practice:
“We may sell or share your personal information with third parties.”
“This information may be sold to or shared with business partners.”
Well, to be fair, most don’t.
Figure 1. Privacy Policy Transparency
According to LayerX’s Enterprise Browser Extension Security Report 2026, 71% of all extensions in the Chrome Web Store don’t even publish a privacy policy.
As a result, more than 73% of users have at least one extension installed without a privacy policy, with no transparency into how their data is handled. This means our analysis could only rely on the 29% that do have a privacy policy.
And if we assume that some of those extensions with no privacy policy at all will also resell your data – and there’s no reason to assume they’re better – the real number of extensions that may sell your data across the Chrome Web Store is in the tens of thousands.
We built a pipeline to analyze privacy policies associated with browser extensions in official stores, combining automated classification with manual verification.
Starting from roughly 9,000 extensions with privacy policy URLs in our database, we successfully fetched and parsed 6,666 policies.
The pipeline ran in three stages:
Final dataset includes only extensions whose privacy policies indicate genuine commercial sale of user data to third parties
While these figures may seem low, bear in mind that these figures are only for extensions with privacy policies to begin with (less than one-third of all extensions), and those extensions that actually tell you what they’re doing with your data. The true number is almost certainly higher.
Here are a few of our key findings:
While reviewing confirmed sellers, a pattern kept surfacing. Different extensions, different streaming platforms, but the same three-letter prefix: QVI – short for “Quality Viewership Initiative.”
What looked like unrelated tools turned out to be a single operation: 24 browser extensions – 21 currently live, 3 removed – covering nearly every major streaming service.
All published by HideApp LLC, registered at 1021 East Lincolnway, Cheyenne, Wyoming – an address shared by hundreds of other LLCs through a registered agent service – and operating under the brand “dogooodapp.”
The largest extensions in the network:
Across all 21 live extensions, the network reaches nearly 800,000 users.
Figure 2. Extension Page in Chrome Store for the “Custom profile picture for Netflix [QVI]” extension
But their privacy policy says something the store listings don’t. These extensions collect extensive information, including:
They also collect age and gender – and if you don’t provide demographics, they match your email against third-party demographic databases to fill in the gaps.
Figure 3. Data declared as collected by the privacy policy of the “Custom profile picture for Netflix [QVI]” extension
The policy describes selling reports to content creators and studios, streaming platforms, media research firms, and marketing agencies – along with “organizations that purchase anonymized viewing data.”
Put it all together and you’re looking at a distributed audience-measurement system running inside users’ browsers. One anonymous publisher pulling viewing behavior across every major streaming platform, building intelligence about what nearly 800,000 people watch, when, and how they engage with content. None of those users signed up for that. Legally, they accepted the terms when they clicked “Add to Chrome.” Practically, nobody read them.
We confirmed eight ad blockers that reserve the right to sell or share user information with third parties. Tools people install to stop tracking – selling tracking data instead. Combined, they reach over 5.5 million users.
If your ad blocker has a privacy policy longer than two paragraphs, read it.
Figure 4. Featured Ad Blocker in Chrome Store
These aren’t the biggest extensions on the list, but they show how far the data-selling model reaches.
Of the 82 confirmed sellers, 29 of them are B2B sales intelligence tools. Their business is data, so the disclosure itself isn’t a surprise. We’re not counting them alongside the consumer-facing extensions.
But they belong in this conversation. These extensions sit on corporate machines. This means that employee browsing behavior, such as internal URLs, SaaS dashboards, and research activity, flows into commercial databases that your competitors can purchase. The risk isn’t about users being deceived. It’s about corporate data leaving through a channel nobody is watching.
Most extension security evaluations focus on permissions or known malicious indicators – flagging extensions that request excessive access or match threat intelligence. That catches malware. It doesn’t catch an extension that openly reserves the right to sell your browsing data.
An extension with a data-selling disclosure isn’t a hypothetical risk. It’s a stated business practice, sitting in a document your employees accepted without reading.
Three questions worth asking:
Most browsers already support centralized extension management through enterprise policies – Chrome’s ExtensionSettings, Edge’s group policies, Firefox’s enterprise configurations. If you don’t have an extension governance policy, that’s the first step. If you do, add privacy policy review to the evaluation criteria. Permissions alone don’t tell you enough.
To that end, LayerX added a new filter to detect and filter (and block, if so desired) extensions that either don’t have a privacy policy at all, or reserve the right to sell personal data.
Consider blocking extensions that either disclose selling user data or don’t publish a privacy policy at all.
Figure 5. LayerX Extension Data Privacy Filter
Browser extensions are among the web’s most powerful and least scrutinized tools. While much of the focus is on malicious that actively steal user and corporate data, privacy violations may sound mundane, but can also be risky.
Going through and reading the Privacy Policy of every extension that every user has in your organization can lead to hundreds or thousands of individual extensions; clearly, that’s not feasible.
Instead, organizations need to start deploying automated tools that can restrict suspicious extensions and account for privacy settings.
This isn’t a story about malware. Nobody hacked you. Nobody stole anything. The extensions you’re running right now may be selling your browsing data — and they told you they would. It’s right there in the privacy policy. Page 4. Paragraph 7. The one nobody reads.
