Browser Extensions Used to Turn Devices into Web-Scraping Proxies

Rise of the Unintentional Bots
Security researcher John Tuckner of SecurityAnnex has uncovered a network of 245 browser extensions—available for Chrome, Firefox, and Edge—that collectively have been downloaded nearly 909,000 times. Once installed, these extensions override built-in protections and covertly convert end users’ browsers into nodes for a paid web-scraping service.
Technical Mechanism Behind the MellowTel-js Library
At the core of the scheme is MellowTel-js, an open-source JavaScript library designed to monetize extensions by sharing user bandwidth. Key technical details include:
- Manifest Permissions: The library requests `declarativeNetRequest`, `webRequest`, and `webRequestBlocking` in `manifest.json`. These elevate privileges above normal content scripts, enabling modification of HTTP headers on the fly.
- CSP and X-Frame-Options Stripping: Dynamically injected rules strip `Content-Security-Policy` and `X-Frame-Options` headers from server responses, bypassing iframe restrictions and cross-site scripting safeguards.
- WebSocket Control Channel: Once active, each extension opens a persistent WebSocket connection to an AWS-hosted command-and-control server. Through this channel, the server dispatches injection commands listing arbitrary target URLs.
- Parallelized Scraping: Olostep, the commercial API service tied to MellowTel, claims to parallelize up to 100,000 requests per minute. Customer scraping jobs are load-balanced across millions of active browsers, achieving high throughput at low cost.
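As an added example (not code from MellowTel, SecurityAnnex, or any of the extensions discussed), the following Node.js script statically audits an unpacked extension's `manifest.json` and its declarativeNetRequest rule files for the traits described above: header-modifying permissions, blanket host access, and rules that remove `Content-Security-Policy` or `X-Frame-Options` from responses. The manifest and rule file are constructed samples, not real extension artifacts.

```javascript
// Static audit of an unpacked extension: flag header-modifying permissions,
// all-hosts access, and DNR rules that strip protective response headers.
const RISKY_PERMISSIONS = new Set([
  'declarativeNetRequest', 'declarativeNetRequestWithHostAccess',
  'webRequest', 'webRequestBlocking',
]);
// Response headers whose removal weakens framing and script protections.
const PROTECTIVE_HEADERS = new Set([
  'content-security-policy', 'content-security-policy-report-only', 'x-frame-options',
]);

// manifest: parsed manifest.json; ruleSets: { "<rule file path>": [rule, ...] }
// Returns a list of human-readable findings (empty when nothing is flagged).
function auditExtension(manifest, ruleSets) {
  const findings = [];
  const perms = manifest.permissions || [];
  for (const p of perms) if (RISKY_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  // MV2 kept host patterns in "permissions"; MV3 moved them to "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...perms];
  if (hosts.some(h => h === '<all_urls>' || h.startsWith('*://*/'))) findings.push('host:all_urls');
  // Walk every rule; only modifyHeaders actions can remove response headers.
  for (const [file, rules] of Object.entries(ruleSets)) {
    for (const rule of rules) {
      if (rule.action?.type !== 'modifyHeaders') continue;
      for (const h of rule.action.responseHeaders || []) {
        if (h.operation === 'remove' && PROTECTIVE_HEADERS.has(h.header.toLowerCase())) {
          findings.push(`${file}#${rule.id}:removes ${h.header}`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample inputs shaped like the pattern the article describes.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ['declarativeNetRequest', 'storage'],
  host_permissions: ['<all_urls>'],
  declarative_net_request: { rule_resources: [{ id: 'rules', enabled: true, path: 'rules.json' }] },
};
const SAMPLE_RULES = {
  'rules.json': [
    { id: 1, priority: 1, condition: { urlFilter: '*', resourceTypes: ['sub_frame'] },
      action: { type: 'modifyHeaders', responseHeaders: [
        { header: 'Content-Security-Policy', operation: 'remove' },
        { header: 'X-Frame-Options', operation: 'remove' } ] } },
    { id: 2, priority: 1, condition: { urlFilter: 'example.test' }, action: { type: 'block' } },
  ],
};

for (const f of auditExtension(SAMPLE_MANIFEST, SAMPLE_RULES)) console.log('FLAG', f);
```

Run it against each unpacked extension directory after parsing the manifest and the files listed under `declarative_net_request.rule_resources`; a non-empty finding list is a reason to hold the extension for review rather than proof of abuse.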
Impact on Security, Privacy, and Performance
This approach not only subverts user consent, but also degrades browsing security and performance:
- Cross-Site Attack Surface: By disabling standard headers, extensions effectively widen the attack surface to include clickjacking, reflected and stored XSS, and mixed-content exploits.
- Bandwidth Theft: Users unknowingly allocate their upload/download capacity to third-party scraping workloads, sometimes exceeding 100 MB of hidden traffic per day.
- Browser Resource Drain: Rendering invisible iframes and processing JSON directives from the WebSocket channel increases CPU usage by up to 15%, according to lab benchmarks conducted by SecurityAnnex.
- Data Leakage Risk: Sensitive information from authenticated sessions—like cookies and localStorage tokens—may be exposed if scraped URLs embed tracking or phishing exploits.
Detection and Mitigation Strategies
To disrupt this covert network, security teams and browser vendors can adopt multiple countermeasures:
- Enforce Manifest V3: Chrome’s Manifest V3 deprecates blocking webRequest in favor of `declarativeNetRequest` rule sets. Although it still permits header modifications, it limits dynamic rule insertion.
- Enterprise Policy Controls: Administrators can whitelist specific extensions via Group Policy (Windows) or MDM profiles (macOS) and block all others, effectively preventing rogue libraries from loading.
- Runtime Monitoring: Network security appliances (e.g., Cloudflare Gateway, Zscaler) can inspect outbound WebSocket traffic patterns for connections to known MellowTel IP ranges on port 443.
- Header Integrity Checks: Implement Subresource Integrity (SRI) and strict `Content-Security-Policy: require-trusted-types-for 'script'` directives to detect unexpected header removals.
Expert Opinions
“This is a textbook example of supply-chain abuse in the browser extension ecosystem,” says Jane Liu, Senior Web Security Architect at OWASP. “Allowing third-party libraries to modify extension manifests creates a vast trust gap.”
“Cloud providers are racing to offer anti-scraping solutions, but the weakest link often remains the end user’s device,” adds Alexei Petrov, Product Director at Cloudflare. “We need better runtime enforcement at the browser level.”
Regulatory and Legal Implications
Under the EU’s Digital Services Act (DSA) and GDPR, operators of scraping networks may face hefty fines for unauthorized data collection. Meanwhile, U.S. lawmakers are considering amendments to the Computer Fraud and Abuse Act (CFAA) that could classify hidden iframe attacks as felony offenses.
Historical Precedent and Future Outlook
This incident echoes the 2019 Nacho Analytics scandal, where 4 million browsers were unwittingly enlisted to vacuum up private user data. As browser extension markets expand—expected to reach $X billion by 2027—stakeholders must balance innovation with robust security validation.
Conclusion
The MellowTel-js saga underlines the necessity for:
- Stricter vetting processes in extension stores
- Enhanced browser runtime protections
- Clearer transparency for end users about bandwidth sharing
Until these measures are widely adopted, every install of a third-party extension carries the risk of turning your browser into an unwitting bot powered by someone else’s scraping engine.