Browser Extensions Disclose Personal Data


“The German duo found that huge datasets of anonymized private Internet histories were being sold by Web analysis companies and data brokers, with much of the material coming from browser extensions. Since these operate before information is sent over any VPN, they can access full details of your Internet activities, and send browser data anywhere. For VPN users, that’s disappointing. Less surprising, perhaps, is the fact that it was relatively easy to discover the identities of many users found in these supposedly anonymized datasets.”

“One browser extension in particular was responsible for creating a database of users’ URLs on a massive scale, and selling those datasets in what was claimed to be an “anonymized” form. It is called, rather ironically, Web of Trust, and alone contributed one billion data points about users’ browsing habits. Since Dewes and Eckert published their results, the company producing the browser extension has modified its privacy policy to make it more explicit that it sells user data in this way.”

Is the Brave Lion Shield an extension that would let something like this happen? Are the extensions in Brave protected from this? Is my data on Brave available to be sold?

VPN / Proxy Extensions better integrated in Brave
Discussion with Proxy / VPN providers that offer SPDY-HTTPS/2 Solutions

Hi @Bespoke I saw this topic presented on the day you pushed it but I was still coming to terms of the affects of such a problem and realized that the scale of the problem needs to be universally attended to. I was also surprised that this issue wasn’t reported on a wider scale considering the severity of it and why VPN services didn’t disclose and speak about the issue the their customers/users.

In relation to the articles, I’d be curious to know whether this affects both types of VPN services such as full force VPNs that are deployed as desktop solutions across the platforms or just browser based VPN solutions. I mention this because they wrote

and I can’t understand how that can be true considering encryption of the connection of most browser based solutions are incredibly fast from start-up and it doesn’t mention if the problem is persistent even when you’ve got extensions disabled and or when you’ve got ‘continue running apps in the background’ enabled.

I very briefly spoke to Alex about this issue and he sort of indicated these are actually the things that they’re trying avoid as developing or introducing built-in/proprietary solutions seems better rather deploying of the shelf versions from Chrome at users requests. It was mentioned that, ‘In enabling a particular extension, there is some checking to make sure it doesn’t compromise user security or privacy.
There’s some more details than this, but @sampson or @brian would be able to dive into specifics.’ So it would be brilliant to find out how the team can counteract this as they only have a few extensions available for the time being but may be a cause for concern when all users requests are made.

After you reply to Bespoke’s four question present at the bottom could you also answer whether think newer technologies would have to be implemented to fix this problem or just improving on obfuscation practices by both the browser and VPN providers?

Believe it or not, some of the issues pertaining to the article is the reason reason as to why I created the topic below a couple of months ago which has since gathered a significant amount of attention as it seems like such solution when it come to the internet is practically paramount and really a necessity.

I’ll post a link of this topic in the interest that any of the providers respond to the articles also respond here regarding this issue.

Thanks for reporting it here, otherwise it would have been overlooked.


Thanks for the response.

Personally I use VPN programs, not browser extensions, on every device I can.

In regards to browser based VPNs, some of them are just proxies. Look at TunnelBear’s browser extension. Anyone can use it even if they don’t purchase the VPN. Same goes for Opera’s browser VPN. It’s just a proxy.

From TunnelBear’s site;

“With VPN-like capabilities, this extension only encrypts your web browser data.”

The article never stated any difference in VPN terms.


I’ve sent an email to PIA since they posted the story. I asked them if their VPN would protect users data. I’ll post their response.

Here is an archive link to the article if it gets deleted or changed.


I received a reply from PIA. It reads;

"Hi, Removed

Good question. The data encryption doesn’t protect from info the browser extensions can collect on you, especially since you’d have consented to letting them see that data when installing the extension. Hope this helps in answering your question.

On Thu, Aug 10, 2017 at 9:53 AM, Private Internet Access wrote:

New contact from blog contact page

Name: Removed

Email: Removed

Subject: Recent Article

Message: In this article

Your team discussed the possibility of browser apps spying on our data. If a user is using PIA via the app for iOS or the desktop program for both Windows and Mac, is the data safe? Is the data encryption protecting users from the browser extensions?


I know it’s strange but what’s more strange due to this fact why don’t they recommend their native proprietary client.

Plus even though they do describe their one part of their service as ‘VPN-like capabilities’ doesn’t mean they don’t use strong cryptography because to my understanding they use SSL & TLS like some if not most of the other browser based VPN/Proxy extensions so it is protective and a bit more than just a proxy and I think this is what they mean by their ‘VPN-like capabilities’. Not necessarily using a better engineered OpenVPN but something closer in terms of security.

To be honest when these type of services were starting out several years ago because of Googles creation of SPDY (soon to be deprecated and ugraded to HTTPS/2), I always found it somewhat dubious because I couldn’t get my head round how data from the other extensions are also encrypted. So I began corresponding with one of them which was ZenMate and they were really friendly and honest and I used such services for sometime but not indefinitely because I just knew they lacked in some places. Don’t get me wrong, they’re better than using nothing as such services are brilliant at educating users of security and privacy because of their flexibility and efficiency.

Later on I come to realize that the reason their service and such services are very efficient and speedy is because they settle for a 128-BIT form of encryption that are optimize with SSL/TLS and just a tid-it of info. did you know that if you’re running an extension based torrent service it doesn’t encrypt that data? Not that I torrent via the browser but I think it’s a bit of interesting information for the @Brave team to have a look at and make changes once the suggestion from my VPN/Proxy topic is apprehended, possibly something @feross and the team can engineer in a different way to the other browsers so both extensions can function juxtaposed.


The email I sent was to PIA and not TunnelBear.

TunnelBear claims that they don’t know what you use your VPN for. However they block torenting and have from the beginning. They recently (past couple of years) went full 256 bit encryption. TunnelBear’s browser add on will appear on any ip check website first, not your actual VPN IP.

Now here is a interesting bit of info from PIA. Their iOS app is only 128 bit encryption. Their service on Windows, Mac, and Android lets you pic the level of encryption and handshaking taking place. Apparently Apple requires them to be the 128 bit.


Hi @Bespoke thanks for that last bit of information, I think everybody who use such service were speaking about assume that what they advertise on their website is equivalent across the platforms they offer their services in. That being said, 128 bit encryption is necessarily bad, I personally think the reasoning as to why 128 bit was standardized is because of computational, memory, and the time it takes to encrypt data. Especially in mobile platforms such as iOS ad Android/Fuchsia it would make sense because it would be more efficient in several aspects not just pertaining to the device itself but on the server side as well.

‘128 bit encryption is considered to be logically unbreakable…as the length of the key makes the 256 bit encryption slower, hence not as complex as 128 bit type. Just to make it clear, both methods of security are strong and do what they are suppose to do - encrypt data.’

I think they have this whole bit, pardon the pun, to help their users understand why they don’t standardize the larger size though I’m to understand 256-bit is available as an option. -

As for

can you clarify in a bit more detail what you mean because that little statement doesn’t really make much sense. Sorry.

If you meant their extension is functioning properly and reveals ones personal IP, I find that somewhat dubious considering the engineering team they have behind their service and the amount of years they’ve been established, that has to be something they continuously checked. If your right though, it’s indentical to errors that many start-ups have faced earlier on and it’s something that definitely has to be reported for the preservation of their customers’ privacy.


Sorry for the confusion.

If I use TunnelBears browser add-on and I go to any IP check website, I see the add-ons IP. Not the IP I have from their (or any other) VPN.


I wasn’t aware of add-ons having their own IPs I have always been under the assumption that many of the IPs are shared supplied by their dedicated servers, which I’m sure they are.

Send them a link of this topic and let them reply here. Many of them are going to have to in the near future once the team at Brave finally deploy most of those extension based VPN/Proxies.


Got this from PIA.

“Thanks for the head’s up! We will definitely talk w Brave about this. We already have a partnership with them where Pia ips are used to mask the bitcoin transactions.”


Web of Trust is not implemented to Brave, so the personal data leakage via that extension does not happen.

On Brave no extensions are enabled by default except PDF reader, which is fully open-sourced (and audited by us). If you don’t enable the other extensions manually, data leakage via extensions will never happen.

Brave implements countermeasures against known tracking methods and it is possible to block them on board via Shields. The team keeps fighting against any attempts to disclose your personal data.

Still, if you find new kind of techniques, please let us know as I did.

In my opinion, the strongest way of disabling tracking for now is to block scripts by default and let them run only where it is needed.


Hi @suguru it would be brilliant if you could could correspond with @feross regarding the the juxtopision of browser based VPNs and the extension he’s working on in Brave and mention

I don’t have a Git account so I can’t message him directly and he seems very active but there hasn’t be any updates/features pushed in the extension he’s working on especially considering a method for better obfuscation/forced encryption was suggested and wasn’t replied back to.


TunnelBear just released a third party audit.

closed #14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.