
Executive Brief
Security researcher John Tuckner of Secure Annex has identified 245 browser extensions containing a JavaScript library called MellowTel that turns user browsers into website scraping infrastructure. The affected extensions span Chrome (45 extensions), Microsoft Edge (129 extensions), and Firefox (71 extensions), with a combined user base approaching one million installations.
MellowTel operates by loading websites into invisible browser windows without user knowledge, enabling third parties to scrape web content using the computing resources and IP addresses of extension users. The library is marketed to extension developers as a monetization tool, offering revenue sharing in exchange for embedding the code.
Tuckner's investigation, published on July 9, 2025, found that MellowTel's documentation describes the service as providing "residential proxy" capabilities, allowing customers to route web requests through the browsers of unsuspecting users. The extensions containing this library range from productivity tools to ad blockers, with some having tens of thousands of active users.
The discovery raises questions about browser extension review processes across major platforms. While browser vendors maintain policies against deceptive behavior, the MellowTel library appears to have evaded detection in hundreds of extensions across three major browser ecosystems. Extension users have no visible indication that their browsers are being used for web scraping activities.
At the time of reporting, neither Google, Microsoft, nor Mozilla had issued public statements regarding the affected extensions or potential removal actions.
What Happened
John Tuckner, founder of browser extension security firm Secure Annex, published research on July 9, 2025, documenting the presence of MellowTel code across 245 browser extensions.
The investigation began when Tuckner noticed unusual network behavior in several browser extensions during routine security analysis. Further examination revealed a common JavaScript library being loaded from MellowTel's servers.
According to Tuckner's analysis, the affected extensions break down by browser platform as follows: 45 extensions on Chrome Web Store, 129 extensions on Microsoft Edge Add-ons, and 71 extensions on Firefox Add-ons. The combined installation count across all platforms approaches one million users.
MellowTel's own documentation, reviewed by Tuckner, describes the service as enabling "ethical web intelligence" through a distributed network of browser extension users. The company offers extension developers a revenue share based on the amount of web traffic routed through their users' browsers.
The extensions containing MellowTel span multiple categories including productivity tools, screenshot utilities, ad blockers, and browser customization add-ons. Some of the affected extensions have been available on browser stores for several years.

Key Claims and Evidence
Tuckner's technical analysis identified several concerning behaviors in the MellowTel library:
The library creates invisible iframe elements within the browser, loading arbitrary URLs specified by MellowTel's servers. These iframes are positioned off-screen or set to zero dimensions, making them invisible to users.
Network traffic analysis showed that affected browsers make requests to websites unrelated to the extension's stated functionality. These requests originate from the user's IP address, effectively making the user appear to be the one visiting the target websites.
MellowTel's marketing materials, obtained by Tuckner, describe the service as providing "residential IP" access for web scraping customers. The documentation explicitly mentions that requests appear to come from real residential internet connections rather than data center IP addresses.
The library includes obfuscation techniques that make static code analysis more difficult. Variable names are randomized, and the core functionality is loaded dynamically from remote servers rather than being included directly in extension packages.
Extension developers receive payment based on the number of active users and the volume of web requests processed through their users' browsers, according to MellowTel's developer documentation.
Pros and Opportunities
For extension developers, MellowTel offers a monetization path that does not require displaying advertisements or collecting user data for marketing purposes. Developers of free extensions often struggle to generate revenue, and services like MellowTel present an alternative to traditional advertising models.
MellowTel's documentation claims that the service only accesses publicly available web content and does not collect personal user data. The company states that scraped data is used for market research, price comparison, and search engine optimization analysis.
The distributed nature of the scraping network provides web intelligence customers with access to content that might be blocked when accessed from known data center IP addresses. Some websites implement anti-bot measures that specifically target requests from cloud infrastructure.

Cons, Risks, and Limitations
Users of affected extensions have no knowledge that their browsers and internet connections are being used for third-party web scraping. The invisible nature of the activity means users cannot consent to or opt out of participation.
The use of residential IP addresses for web scraping raises legal questions in jurisdictions with computer fraud and unauthorized access laws. Users could theoretically face consequences if scraped websites pursue legal action against IP addresses involved in automated access.
Browser performance and bandwidth consumption increase when extensions run MellowTel code. Users on metered internet connections or slower hardware may experience degraded performance without understanding the cause.
The presence of MellowTel in extensions that have passed browser store review processes indicates gaps in automated and manual security screening. Extensions with this library have been available for download for extended periods.
Some of the scraped websites may have terms of service that prohibit automated access. Users unknowingly become participants in potential terms of service violations.
How the Technology Works
MellowTel operates through a JavaScript library that extension developers include in their code. When a user installs an affected extension, the MellowTel code activates and establishes a connection to MellowTel's command servers.
The library receives instructions specifying which URLs to load. It creates hidden iframe elements in the browser, loading the target URLs within these invisible frames. The browser executes all JavaScript and renders the page content as it would for a normal page visit.
Once the page loads, the library extracts the rendered HTML content and transmits it back to MellowTel's servers. The entire process occurs in the background without any visible indication to the user.
From the perspective of the target website, the request appears to originate from a normal residential internet user. The website sees the user's actual IP address, browser fingerprint, and other identifying characteristics.
Technical context: The library uses the browser's built-in iframe functionality, which is a legitimate web technology. The innovation lies in using extension permissions to create iframes that load arbitrary content and extract the results. Extensions typically have broader permissions than regular web pages, enabling this cross-origin data extraction.
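For defenders, the hidden-iframe behaviour described above can be checked from the page side. The following is an added example, not code from MellowTel, Secure Annex, or the original report: a heuristic that flags iframes that are zero-sized, off-page, or CSS-hidden and that load an origin other than the host page's. The record shape, function names, and sample URLs are assumptions made for illustration.

```javascript
// In a browser: one plain record per iframe, in document coordinates
// (not exercised under Node, where the constructed sample below is used).
function snapshotFrames(doc, win) {
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    return { src: el.src, x: r.left + win.scrollX, y: r.top + win.scrollY,
      width: r.width, height: r.height,
      display: cs.display, visibility: cs.visibility, opacity: Number(cs.opacity) };
  });
}

// Reasons a frame is invisible to the user (empty array = visible).
// bounds = full document size, so below-the-fold embeds are not flagged.
function hiddenReasons(f, bounds) {
  const reasons = [];
  if (f.width <= 1 || f.height <= 1) reasons.push("zero-size");
  if (f.x + f.width <= 0 || f.y + f.height <= 0 ||
      f.x >= bounds.width || f.y >= bounds.height) reasons.push("off-screen");
  if (f.display === "none" || f.visibility === "hidden" || f.opacity === 0)
    reasons.push("css-hidden");
  return reasons;
}

// Hidden frames that load an http(s) origin other than the host page's.
function findSuspectFrames(frames, pageUrl, bounds) {
  const pageOrigin = new URL(pageUrl).origin;
  return frames
    .map((f) => ({ src: f.src, reasons: hiddenReasons(f, bounds) }))
    .filter((f) => {
      if (f.reasons.length === 0) return false;
      try {
        const u = new URL(f.src, pageUrl);
        return /^https?:$/.test(u.protocol) && u.origin !== pageOrigin;
      } catch { return false; } // unparsable src: nothing to report
    });
}

// Constructed sample data (not taken from any real extension or site).
const SAMPLE_PAGE = "https://intranet.example/dashboard";
const SAMPLE_BOUNDS = { width: 1280, height: 2400 };
const shown = { display: "block", visibility: "visible", opacity: 1 };
const SAMPLE_FRAMES = [
  { src: "https://video.example/embed/1", x: 100, y: 200, width: 640, height: 360, ...shown },
  { src: "https://shop.example/item/42", x: 10, y: 10, width: 0, height: 0, ...shown },
  { src: "https://news.example/", x: -5000, y: 0, width: 800, height: 600, ...shown },
  { src: "/local-widget", x: 10, y: 10, width: 0, height: 0, ...shown }, // same origin
];
console.log(findSuspectFrames(SAMPLE_FRAMES, SAMPLE_PAGE, SAMPLE_BOUNDS));
```

Hits are leads for review rather than verdicts: analytics, advertising, and silent sign-in flows also use hidden cross-origin frames, so correlate results with which extensions are installed and active on the page.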
Broader Industry Implications
The MellowTel discovery exposes a monetization model that has operated across multiple browser platforms without detection. The scale of the operation, spanning 245 extensions and approaching one million users, suggests that similar schemes may exist undetected.
Browser extension review processes face inherent challenges in detecting malicious or deceptive behavior. Static code analysis can identify known malware signatures, but novel monetization schemes that use legitimate browser APIs in unexpected ways may evade detection.
The web scraping industry has long sought access to residential IP addresses to bypass anti-bot measures. MellowTel represents a formalization of this demand into a developer-facing product, potentially inspiring similar services.
Extension developers face pressure to monetize their work, and the availability of services like MellowTel creates incentives that may conflict with user interests. The browser extension ecosystem lacks standardized disclosure requirements for monetization methods.
What Remains Unclear
The full list of affected extensions has not been publicly released. Tuckner's research identifies the scope but does not name all 245 extensions, citing ongoing coordination with browser vendors.
Browser platform responses remain pending. At the time of reporting, Google, Microsoft, and Mozilla had not issued public statements about the affected extensions or planned enforcement actions.
The duration of MellowTel's operation is not fully documented. Some affected extensions have been available for years, but the timeline of when MellowTel code was added to each extension is not established.
The identity and location of MellowTel's operators remain unclear. The company's website provides limited corporate information, and the jurisdiction under which it operates is not publicly documented.
Whether extension developers fully understood the implications of including MellowTel code is unknown. The library's documentation describes the functionality, but developer awareness of user impact varies.
What to Watch Next
Browser vendor responses to Tuckner's research will indicate how platforms handle monetization schemes that use user resources without clear disclosure. Removal of affected extensions would signal stricter enforcement.
Extension store policy updates may follow if this discovery prompts platform operators to explicitly address proxy and scraping monetization models.
Similar services may face increased scrutiny. Security researchers examining browser extensions may prioritize identifying other monetization libraries with comparable functionality.
User awareness of extension permissions and behaviors may increase following media coverage of this research. Browser vendors may consider adding more granular permission controls or activity indicators.
Legal and regulatory responses in jurisdictions with strong consumer protection laws could establish precedents for how such monetization schemes are treated under existing frameworks.
Sources
- Ars Technica - "Browser extensions turn nearly 1 million browsers into website-scraping bots" - July 9, 2025 - https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/
- Secure Annex Blog - "MellowTel: Browser Extension Monetization Through Residential Proxies" - July 9, 2025 - https://secureannex.com/blog/mellowtell-browser-extension-monetization/
- Hacker News Discussion - Thread on MellowTel browser extension research - July 9, 2025 - https://news.ycombinator.com/item?id=44515895



