New research published on April 26, 2026, by security firm LayerX has found that at least 82 browser extensions available on the Chrome Web Store explicitly reserve the right to sell user data to third parties - and every one of them does so with the full knowledge of the users who installed them. The catch: almost nobody reads the privacy policies where these disclosures appear.
The findings, authored by LayerX Security researchers Dar Kahllon and Guy Erez, are part of the firm's Enterprise Browser Extension Security Report 2026. The research covers two interlinked investigations: a privacy policy analysis of consumer-facing extensions in official stores, and a telemetry-based study of enterprise extension deployments drawn from over 1 million devices. Together, they document a browser ecosystem where both individual users and corporate IT teams have far less visibility into extension behavior than they typically assume.
What the privacy policy analysis found
The LayerX team started with approximately 9,000 extensions that had privacy policy URLs in its database, successfully fetching and parsing 6,666 of those policies. The pipeline ran in three stages. First, an AI classifier flagged policies disclosing the selling, licensing, or commercial transfer of user data. Then researchers manually reviewed every flagged result to remove false positives, excluding enterprise security tools, standard CCPA ad-retargeting disclosures involving platforms such as Google Ads, and opt-in data monetization platforms where users are compensated. What remained after that filtering was a dataset of 82 unique extensions across 94 store listings.
According to the report, 75 of those extensions are currently live in the Chrome Web Store. The remaining seven have been removed from the store - but removal does not mean uninstallation. An extension pulled from the store can remain active in browsers that already have it installed.
The headline number attached to those 82 extensions is at least 6.5 million users. However, the research is explicit that this figure is almost certainly an undercount. According to LayerX, 71% of all extensions in the Chrome Web Store do not publish a privacy policy at all. As a result, more than 73% of users have at least one extension installed with no privacy policy and therefore no transparency about data handling. The analysis could only examine the 29% of extensions that publish a policy. Those that publish no policy at all may also sell data; there is no way to know from the outside.
The QVI network: 24 extensions, 800,000 users, one anonymous publisher
The most structurally significant finding in the report concerns a network of 24 extensions operating under the prefix QVI - short for "Quality Viewership Initiative." All 24 are published by an entity called HideApp LLC, registered at 1021 East Lincolnway, Cheyenne, Wyoming, an address shared by hundreds of LLCs through a registered agent service. The brand name used across the network is "dogooodapp."
Twenty-one of the 24 extensions are currently live; three have been removed. Collectively, the live extensions reach nearly 800,000 users. Each extension targets a specific streaming platform: Netflix, Hulu, Disney+, Amazon Prime Video, HBO Max, Peacock, Paramount+, Tubi, Apple TV+, Crunchyroll, and others. The largest single extension in the network, Custom Profile Picture for Netflix, has 200,000 users. Hulu Ad Skipper and Netflix Picture in Picture each reach 100,000 users. Ad Skipper for Prime Video and Netflix Extended each have approximately 60,000.
According to the privacy policy that the network publishes - the one that store listings do not surface - these extensions collect viewing history, content preferences, platform subscriptions, downloaded content, and streaming behavior. They also collect age and gender. Where users do not provide demographic information directly, the policy states that the extensions match email addresses against third-party demographic databases to fill in the gaps.
The policy describes selling compiled reports to content creators and studios, streaming platforms, media research firms, marketing agencies, and what the document calls "organizations that purchase anonymized viewing data." According to the research, this amounts to a distributed audience-measurement operation running inside users' browsers - pulling viewing behavior across nearly every major streaming service, building behavioral profiles for close to 800,000 people, and selling that intelligence commercially. None of those users signed up for that purpose. Legally, they agreed to it when they clicked "Add to Chrome."
Ad blockers with a data-selling side business
Eight confirmed ad blockers in the research reserve the right to sell or share user information with third parties. Their combined install base exceeds 5.5 million users.
Stands AdBlocker, with 3 million users, sells browsing data to third parties for what its policy describes as market analytics purposes. Poper Blocker, with 2 million users, discloses selling identifiers, browsing activity, behavioral profiles, and inferred sensitive data - including health conditions, religious beliefs, and sexual orientation, all inferred from URLs visited. All Block, a YouTube ad blocker with 500,000 users published by an entity called Curly Doggo Limited in London, sells anonymized data for analytical and commercial purposes. TwiBlocker, with 80,000 users, discloses transferring browsing data to third parties who process or sell it for analytical purposes. Urban AdBlocker, with 10,000 users, routes browsing data and AI conversations through the BiScience data broker.
The pattern is notable for what it means in practice. Users install ad blockers partly to limit tracking. Several of those ad blockers are themselves selling the behavioral data they collect.
B2B sales tools and the corporate data problem
Of the 82 confirmed data-selling extensions, 29 are B2B sales intelligence tools. According to the research, their disclosure of data practices is not itself surprising - data is their core business. But the researchers flag them for a different reason. These extensions sit on corporate devices. Employee browsing behavior - internal URLs, SaaS dashboards, research activity - flows through them into commercial databases. Competitors can potentially purchase that data.
The risk for enterprises is not that employees are being deceived. It is that corporate information is leaving through a channel that most security teams are not watching. According to the report, most extension security evaluations focus on permissions or known malicious indicators, catching malware but not extensions that openly reserve the right to sell browsing data.
The research also points to a category of seemingly innocuous extensions with data-selling practices buried in their policies. Career.io Job Auto Apply, with 10,000 users, states that it may use personal data collected from resumes to sell to third parties including data brokers. EmailOnDeck, a temporary email service with 10,000 users, explicitly designed for situations where users do not want to share real information, discloses that it may sell, rent, or share its mailing list. Dog Cuties, a wallpaper new-tab extension with 6,000 users, is a confirmed data seller through the Apex Media network.
Enterprise extension risk: the broader picture
The companion enterprise report, drawing on telemetry from over 1 million devices in enterprise environments, puts the consumer findings in a wider context. According to the data, 99% of enterprise users have at least one browser extension installed. The figure is nearly uniform across organization sizes: 99.18% in small enterprises with fewer than 1,000 employees, 97.36% in mid-sized organizations, and 99.66% in larger enterprises. More than one in four users in small organizations has more than 10 extensions installed.
Nearly 75% of all browser extensions request high or critical permission levels - 40.83% high and 34.56% critical - while only 2.9% operate with low permissions. According to the report, extensions with elevated permissions can access sensitive browser data and user activity, meaning a compromised extension could expose sensitive information or take over user sessions.
The AI extension subset shows a particularly elevated risk profile. According to the data, about 15% of enterprise users have at least one AI extension installed, with small and mid-size organizations showing the highest adoption rates: 14.55% for small enterprises and 17.70% for mid-size. Adoption is lower in larger enterprises at 9.53%, which the researchers attribute to stricter security policies.
AI extensions are 60% more likely to have a known CVE than the average browser extension - 16.31% versus 10.8% across all extensions. They are three times more likely to request cookie access, which can expose session tokens and authentication data. They are 2.5 times more likely to have scripting permissions; 41.91% of AI extensions request scripting access, compared to 15.4% across all extensions. Scripting permissions allow extensions to inject code into web pages, enabling capture of inputs, content manipulation, and extraction of sensitive data. AI extensions are also nearly twice as likely to request tab access, which allows managing browser tabs including monitoring navigation and redirecting users.
Permissions are not fixed at installation. According to the enterprise report, 4.33% of all extensions installed in enterprise environments changed their permissions over the past 12 months. For AI extensions, that figure rises to 25%. Sixty-four percent of users have at least one AI extension that changed its permissions in the past year, compared to 34% of users across all extensions. An extension that appeared safe at the time of installation may subsequently gain access to sensitive data without users being aware of it.
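The permission-tier and permission-drift findings above are the kind of thing an enterprise team can check for itself from extension manifests. The following is an added example, not code from LayerX or from the report: it collects every permission a manifest can end up holding (including optional and host permissions), assigns a tier using a constructed rubric (the article gives LayerX's low/high/critical labels but not its exact criteria, so the tier assignment here is an assumption), and compares two versions of the same hypothetical extension to flag the escalation the report says one in four AI extensions made within a year. The two manifests are constructed for the example.

```python
from __future__ import annotations
import json

# Constructed rubric for this example (an assumption, not LayerX's scoring):
# permissions that expose session cookies, allow code injection into pages,
# or grant access to every site are treated as critical; tab, history and
# request-level visibility as high; everything else as low.
CRITICAL = {"cookies", "scripting", "debugger", "webRequestBlocking",
            "nativeMessaging", "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HIGH = {"tabs", "history", "webNavigation", "webRequest", "clipboardRead",
        "downloads", "management", "proxy"}
TIER_RANK = {"low": 0, "high": 1, "critical": 2}


def collect_permissions(manifest: dict) -> set[str]:
    """Gather every permission the extension can end up holding.

    optional_permissions count because they can be requested at runtime
    without a fresh store review; host patterns count because a broad host
    grant is as dangerous as an API grant. Handles MV2 (hosts listed inside
    "permissions") and MV3 ("host_permissions").
    """
    perms: set[str] = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        perms.update(manifest.get(key, []))
    return perms


def tier_of(perm: str) -> str:
    if perm in CRITICAL:
        return "critical"
    if perm in HIGH:
        return "high"
    if "://" in perm:
        # A site-scoped host pattern such as "*://*.example.com/*" is page
        # access to a limited set of origins: high, but not critical.
        return "high"
    return "low"


def classify(manifest: dict) -> dict:
    """Return the overall tier plus the permissions that raised it above low."""
    tier = "low"
    reasons = []
    for perm in sorted(collect_permissions(manifest)):
        t = tier_of(perm)
        if TIER_RANK[t] > TIER_RANK["low"]:
            reasons.append((perm, t))
        if TIER_RANK[t] > TIER_RANK[tier]:
            tier = t
    return {"name": manifest.get("name", "?"), "tier": tier, "reasons": reasons}


def permission_drift(old: dict, new: dict) -> dict:
    """Diff two manifest versions of one extension.

    'escalated' is True when the update reaches a higher tier than the
    version that was vetted at install time.
    """
    old_perms, new_perms = collect_permissions(old), collect_permissions(new)
    old_tier, new_tier = classify(old)["tier"], classify(new)["tier"]
    return {
        "added": new_perms - old_perms,
        "removed": old_perms - new_perms,
        "old_tier": old_tier,
        "new_tier": new_tier,
        "escalated": TIER_RANK[new_tier] > TIER_RANK[old_tier],
    }


# Constructed manifests for a hypothetical "Example AI Helper" extension:
# the version reviewed at install time and a later update.
MANIFEST_V1 = json.loads("""{
  "manifest_version": 3, "name": "Example AI Helper", "version": "1.0",
  "permissions": ["storage", "activeTab"]
}""")
MANIFEST_V2 = json.loads("""{
  "manifest_version": 3, "name": "Example AI Helper", "version": "1.4",
  "permissions": ["storage", "activeTab", "cookies", "scripting"],
  "host_permissions": ["<all_urls>"]
}""")

if __name__ == "__main__":
    print(classify(MANIFEST_V1))
    print(classify(MANIFEST_V2))
    print(permission_drift(MANIFEST_V1, MANIFEST_V2))
```

Run against the manifests an endpoint agent or the browser's own extension directory already exposes, the drift check is the signal a permissions-at-install review misses: the first version is low-tier and would pass, the update is critical-tier and should trigger re-review.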
Trust signals are weak across the ecosystem
Even in enterprise environments, more than 10% of all extensions have fewer than 1,000 users. A quarter have fewer than 5,000 users, and a third have fewer than 10,000 installations. For AI extensions specifically, the situation is more pronounced: almost 15% have fewer than 1,000 installations, a third have fewer than 5,000 deployments, and nearly half - 46.5% - have fewer than 10,000 users. A whopping 95% of enterprise users have installed a browser extension with fewer than 1,000 users. According to the research, a low install count can signal that an extension is abandoned, unvetted, or created by an unknown or potentially malicious publisher.
Extension age matters too. Around 40% of all extensions are unmaintained, defined as not having been updated in over a year. Seventy-two percent of all users have at least one unmaintained extension installed. Unmaintained extensions may contain unresolved vulnerabilities or outdated code that attackers can exploit.
Why this matters for the marketing community
The implications for marketing professionals are specific and substantive. Ad tech companies, agencies, and marketing platforms handle large volumes of sensitive campaign data, proprietary audience information, SaaS credentials, and client communications - all accessed through browsers on corporate devices. An extension installed by a single analyst on a single machine can, if its privacy policy permits data sales, route internal URL patterns, behavioral signals, and browsing activity to commercial data brokers.
The research touches on territory that PPC Land has covered in adjacent contexts. The LinkedIn BrowserGate investigation uncovered how LinkedIn's scanning system probed for 6,222 browser extensions per session, including security tools, ad blockers, and accessibility utilities, building company-level intelligence profiles. A class action complaint filed on April 6, 2026 alleges that LinkedIn covertly assembled device fingerprints from Chrome users and routed encrypted data to undisclosed third parties. Both cases point to the same underlying problem: the browser extension ecosystem lacks the governance infrastructure to match the scope of its deployment.
The Perplexity Comet browser security disclosures, which LayerX itself helped surface in 2025, showed that agentic browsers introduce prompt injection risks that can enable exfiltration of email, calendar data, and connected service information. The trend line is consistent: browser-based tools are expanding their access to sensitive data faster than governance frameworks are catching up.
For enterprise security teams, the LayerX report is direct about the gap in conventional evaluation methods. Checking extension permissions catches malware. It does not catch an extension whose privacy policy explicitly reserves the right to sell browsing data. That data-selling disclosure is a stated business practice, sitting in a document that employees accepted without reading.
According to the research, most browsers already support centralized extension management through enterprise policies - Chrome's ExtensionSettings, Edge's group policies, Firefox's enterprise configurations. The report notes that LayerX has added a filter to its platform to detect and optionally block extensions that either lack a privacy policy or reserve the right to sell personal data.
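The trust signals in the preceding sections (no privacy policy, a policy that reserves the right to sell data, a low install count, no update in over a year) can be turned directly into a Chrome ExtensionSettings policy. The following is an added example and is not LayerX's filter or any code from the report: it triages a constructed extension inventory against those four signals and emits an allowlist-by-default policy that uses the real ExtensionSettings keys `installation_mode` and `blocked_permissions`. The extension IDs are placeholders in the 32-letter form Chrome uses, not real store IDs, and the inventory records are invented for the example; the `INTERNAL_IDS` exemption for in-house extensions is an assumption about how a team would handle its own tools.

```python
import json
from datetime import date

UNMAINTAINED_DAYS = 365   # report's definition: no update in over a year
INSTALL_FLOOR = 1000      # report's low-install signal threshold

# Constructed inventory: placeholder IDs and invented attributes chosen to
# exercise each signal the report names.
INVENTORY = [
    {"id": "a" * 32, "name": "Vetted Password Manager", "users": 2_000_000,
     "has_privacy_policy": True, "policy_reserves_sale": False,
     "last_updated": "2026-03-01"},
    {"id": "b" * 32, "name": "Streaming Profile Tweaks", "users": 200_000,
     "has_privacy_policy": True, "policy_reserves_sale": True,
     "last_updated": "2026-01-15"},
    {"id": "c" * 32, "name": "Tab Wallpapers", "users": 600,
     "has_privacy_policy": False, "policy_reserves_sale": None,
     "last_updated": "2024-02-10"},
    {"id": "d" * 32, "name": "Internal Ticket Helper", "users": 40,
     "has_privacy_policy": True, "policy_reserves_sale": False,
     "last_updated": "2026-04-01"},
]
# Assumed exemption: extensions the organisation built itself will never
# reach the install floor, so that one signal is waived for them.
INTERNAL_IDS = {"d" * 32}


def triage(rec: dict, today: date, waive_install_floor: bool = False) -> list:
    """Return the list of report signals an inventory record trips."""
    reasons = []
    if not rec["has_privacy_policy"]:
        reasons.append("no_privacy_policy")
    elif rec["policy_reserves_sale"]:
        reasons.append("reserves_sale")
    if rec["users"] < INSTALL_FLOOR and not waive_install_floor:
        reasons.append("low_install")
    last = date.fromisoformat(rec["last_updated"])
    if (today - last).days > UNMAINTAINED_DAYS:
        reasons.append("unmaintained")
    return reasons


def build_policy(inventory: list, today: date, internal_ids=frozenset()) -> dict:
    """Build the value of Chrome's ExtensionSettings policy.

    "*" is the default for any extension not listed: blocked, so only
    reviewed IDs can be installed. "removed" uninstalls an extension from
    managed browsers, which matters because removal from the store alone
    leaves already-installed copies running. blocked_permissions on "*"
    prevents installation of extensions requesting those permissions; it is
    assumed here to apply to IDs without an entry of their own.
    """
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": ["cookies", "scripting", "debugger"]}}
    for rec in inventory:
        reasons = triage(rec, today, waive_install_floor=rec["id"] in internal_ids)
        mode = "removed" if reasons else "allowed"
        policy[rec["id"]] = {"installation_mode": mode}
    return policy


def audit(inventory: list, today: date, internal_ids=frozenset()) -> dict:
    """Human-readable view: extension name -> reasons, for flagged entries only."""
    report = {}
    for rec in inventory:
        reasons = triage(rec, today, waive_install_floor=rec["id"] in internal_ids)
        if reasons:
            report[rec["name"]] = reasons
    return report


if __name__ == "__main__":
    today = date.today()
    print(json.dumps(audit(INVENTORY, today, INTERNAL_IDS), indent=2))
    # On Linux the managed policy directory is /etc/opt/chrome/policies/managed/;
    # write this JSON there (or push it via the platform's policy tooling).
    print(json.dumps({"ExtensionSettings": build_policy(INVENTORY, today, INTERNAL_IDS)},
                     indent=2))
```

The `has_privacy_policy` and `policy_reserves_sale` fields are the part a permissions-only audit never produces; populating them is a policy-reading step, whether manual or classifier-assisted as in the report's own pipeline, and the policy above simply makes the result enforceable.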
The broader legal framing is also important. None of the 82 extensions identified in the research are operating illegally. They disclosed their data practices. The gap is not between what is legal and what happens. The gap is between what is disclosed and what is read.
Timeline
- July 2021 - UK regulator ICO opens investigation into real-time bidding under GDPR, finding that browsing profiles are shared among hundreds of organisations per bid request without individuals' knowledge
- August - October 2025 - Multiple security firms including LayerX disclose critical vulnerabilities in Perplexity's Comet browser, demonstrating how browser-based AI tools can expose emails, calendar data, and credentials through prompt injection
- April 6, 2026 - Class action complaint filed in US District Court for the Northern District of California; Ganan v. LinkedIn Corporation alleges LinkedIn secretly scanned Chrome users for 6,000 extensions and routed device fingerprints to undisclosed third parties
- April 2026 - Technical investigation by Fairlinked e.V. publishes full anatomy of LinkedIn's BrowserGate system, revealing collection of 48 hardware and software characteristics per session routed through third-party cybersecurity firms
- April 26, 2026 - LayerX Security researchers Dar Kahllon and Guy Erez publish the findings covered in this article: at least 82 Chrome extensions legally selling user data, covering 6.5 million users, plus the Enterprise Browser Extension Security Report 2026 based on telemetry from over 1 million enterprise devices
Summary
Who: LayerX Security researchers Dar Kahllon and Guy Erez, along with the publishers of 82 identified Chrome extensions, including HideApp LLC (QVI network), Stands AdBlocker, Poper Blocker, All Block, and 29 B2B sales intelligence tools. Enterprise users across organizations of every size are also affected.
What: A two-part research publication documenting that at least 82 browser extensions with a combined user base of at least 6.5 million explicitly reserve the right to sell user data to third parties, all within the terms of their privacy policies. A parallel enterprise telemetry report found that 99% of enterprise users have at least one extension installed, that 75% of extensions request high or critical permissions, and that AI extensions carry a risk profile significantly above the baseline.
When: The research was published on April 26, 2026. The data underlying the enterprise report was collected from over 1 million enterprise devices over an ongoing period. The privacy policy analysis examined 6,666 policies sourced from a database of approximately 9,000 extensions with known policy URLs.
Where: The Chrome Web Store is the primary distribution channel for the identified extensions. The data-selling disclosures appear in privacy policies linked from store listings - documents that 71% of extensions in the store do not publish at all.
Why: The research addresses a gap in how extension security is conventionally assessed. Permission-based auditing catches malicious extensions but does not identify extensions whose data-selling practices are fully disclosed and legally compliant. Browser extensions have become the largest unmanaged attack surface in enterprise environments according to LayerX, and the growth of AI extensions - which are 60% more likely to carry known vulnerabilities and six times more likely to expand permissions after installation - has added a new layer of exposure that most enterprise governance frameworks do not yet address.