Extensions Turn Nearly a Million Browsers into Scraping Bots

Red Dog Security

3 min read
Extensions Turn Nearly a Million Browsers into Scraping Bots

Chrome, Firefox, and Edge extensions—installed nearly a million times—are quietly turning users' browsers into commercial scraping tools, bypassing security measures and violating user trust.

According to analysts at SecurityAnnex, a total of 245 malicious extensions have amassed approximately 909,000 downloads. While marketed for innocuous functions—such as bookmark management, clipboard utilities, volume boosting, or random number generation—they all share one common element: integration with the open-source MellowTel-js library, a tool that enables developers to monetize browser extensions.

How the Scheme Works

SecurityAnnex researchers report that monetization occurs by using these extensions to scrape websites on behalf of paying clients. According to Arsian Ali, the developer of MellowTel, those clients include AI startups seeking access to large volumes of publicly available data.

Analysts traced connections between MellowTel and a little-known company called Olostep, which markets itself as “the world’s most reliable and cost-effective scraping API.” According to Olostep’s website, its bots can “avoid detection and process up to 100,000 requests in parallel within minutes.” Clients specify the web pages they want to target, and Olostep routes those requests through a global network of user browsers running MellowTel-powered extensions.

“We have reason to believe that Olostep’s scraping requests are distributed across all active extensions using the MellowTel library,” SecurityAnnex researchers said.

Privacy Risks and Technical Concerns

MellowTel’s developer argues that the system is designed for sharing users’ internet connections, not tracking or injecting ads. “The main reason companies pay for traffic is to gain reliable and cost-effective access to publicly available website data,” Ali explains. Extension developers keep 55% of the revenue, while MellowTel takes the remainder.

But according to SecurityAnnex, the real-world behavior of MellowTel-powered extensions raises serious red flags:

  • Extensions activate a persistent WebSocket connection to an AWS-hosted server, sending data on user location, bandwidth, activity level, and extension status.
  • A hidden iframe is injected into visited pages, used to load sites from a list controlled by the AWS server—without the user's knowledge.
“But shouldn’t there be safeguards to prevent this?” SecurityAnnex researchers ask.
“Normally, browser headers like Content-Security-Policy and X-Frame-Options would block such behavior. However, the MellowTel library requests declarativeNetRequest and other access permissions in the manifest. These allow the extension to modify web requests and strip security headers from responses—then reinsert them after pages load.”

This temporary weakening of browser protections not only facilitates scraping but also exposes users to cross-site scripting (XSS) attacks that would otherwise be blocked.

Enterprise Risk and Lack of Visibility

Experts also warn that users have no visibility into which sites are being loaded or accessed via these hidden iframes. Essentially, users must blindly trust MellowTel to vet every resource their browser is conscripted to access.

The implications are especially serious in corporate environments, where strict controls are placed on allowed content types, external requests, and network behavior. SecurityAnnex calls this type of unauthorized behavior a potential threat vector for enterprise networks.

Current Status of Affected Extensions

Chrome: 12 out of 45 flagged extensions have been disabled. Some were removed for malware; others were abandoned by developers.
Edge: Only 8 out of 129 detected extensions have been deactivated.
Firefox: Just 2 of 71 malicious extensions have been taken down.

A full list of impacted extensions is available here.

MellowTel’s Official Response

In response to the allegations, MellowTel founder Arsian Ali published a lengthy defense, asserting that the project aims to create an ethical alternative to surveillance-based monetization:

“Instead of collecting user data, tracking them across the internet, and endlessly serving ads, we’re building a monetization system for developers based on shared internet connections and resources.”

Ali claims users can voluntarily opt in to share their connection as a way to support open-source software, and that AI clients like ChatGPT Search, Deep Research, and Perplexity are paying for access to public websites via the MellowTel network.

“These companies pay for site access, and we share revenue with developers whose users choose to support them. Developers can use these funds to add features, provide extra content, or keep their products free.”
Arsian Ali, Founder of MellowTel

The Bigger Picture

This incident highlights growing tensions between monetization models, user privacy, and security standards on the modern web. While MellowTel presents its service as a privacy-friendly alternative to ads, critics argue that users are being conscripted into a scraping botnet—often without consent or awareness.

As browsers and extensions become more powerful, the burden of ensuring ethical behavior increasingly falls on ecosystem gatekeepers, from browser vendors to extension marketplaces.

Read more