-
24 streaming extensions tied to QVI (Quality Viewership Initiative) track what you watch on Netflix, Hulu, Disney+, and Amazon Prime Video. They even guess your age and gender using your email address.
-
12 ad blockers with over 6.5 million users sell browsing data instead of just blocking ads. One tool admits inferring health conditions and sexual orientation from the sites you visit.
-
29 corporate-focused extensions capture employee activity inside company systems. This includes SaaS dashboards and research workflows. Competitors can buy that data.
Over 6.5 million people unknowingly share their browsing habits, job applications, and even health data with Chrome Extensions.
These tools aren’t hidden malware. Their privacy policies openly admit to selling user information.
Your helpful tool has a hidden price
A new report revealed that a lot of browser extensions you install that give you Netflix picture-in-picture or skip Hulu ads might be selling your data. LayerX Security dug through thousands of Chrome extensions. And the researchers found 82 of them openly selling user data to third parties.
Here’s the kicker: it’s completely legal. These tools say so in their privacy policies. You clicked “I agree” without reading, giving them the right to share your viewing history with advertisers. At least 6.5 million people have been affected. And that’s just the confirmed count.
The QVI network: Watching you watch TV
During their research, LayerX researchers came across what is called Quality Viewership Initiative, or QVI. It sounds like something helpful, but it turned out to be more like a single operation collecting user data for marketing.
At least 24 extensions are tied to this QVI, and they promise better streaming quality. These extensions enable Chrome services like Netflix, HBO Max, Hulu, and Apple TV+ to remain on 1080p resolution, which is actually better streaming quality.
But that comes at a cost –they track everything you do, your viewing history, preferred shows, subscription status, your downloads, and even your streaming behavior. They even collect your age and gender. If you don’t provide demographics, they match your email address against third-party databases to guess.
Who’s behind this? An anonymous publisher called HideApp LLC, based in Cheyenne, Wyoming. They operate under the brand “dogooodapp.” Their extensions have reached nearly 800,000 installations.
The biggest one is “Custom Profile Picture for Netflix” with 200,000 users. “Hulu Ad Skipper” has 100,000. These tools sell reports to content creators, streaming platforms, and marketing agencies.
Even tools meant to enhance privacy can sometimes fail. A VPN service slip-up recently exposed the identity of a suspected North Korean hacker, showing that no privacy tool is perfect, and that users, including cybercriminals, can be identified through technical vulnerabilities.
Ad blockers that feed advertisers
The researchers confirmed that eight ad blockers sell your data or share user info with third parties. People install these tools to stop tracking, but instead, they’re selling tracking data. Combined, these ad blockers have gathered more than 5.5 million users.
Take Stands AdBlocker. It has 3 million users. Its policy says it sells browsing data for “market analytics purposes.” Then there’s Poper Blocker with 2 million users. This tool admits to selling inferred sensitive data. That includes health conditions, religious beliefs, and sexual orientation. All is guessed from the URLs you visit.
All Block, a YouTube ad blocker with 500,000 users, sells anonymized data for commercial purposes. Urban AdBlocker routes your browsing data and AI conversations through a data broker called BiScience.
These aren’t hidden malware; they tell you in writing via their privacy policy, but the majority of us just never read it.
Even wallpapers and job tools sell your data too
Additionally, nearly 50 other extensions account for over 100,000 users. And they monetize general web activity.
Career.io Job Auto Apply has 10,000 users. It may sell data from your resume to data brokers for targeted advertising. Imagine a job tool that sells your CV. It’s a breach of privacy you shouldn’t ignor.
Another one is Dog Cuties, a cute dog wallpaper extension. This extension is a confirmed data seller through the Apex Media network. EmailOnDeck gives you temporary email addresses. People use it specifically to hide their real info. Its policy says it may sell its mailing list.
And Survey Junkie sells URLs visited, clickstream data, and consumer preference models to ad agencies.
The corporate risk no one sees, and how to avoid it
Here’s where it hits businesses. Of the 82 extensions, 29 are B2B sales intelligence tools. They sit on employee devices. They capture internal browsing activity. That includes visits to company systems, software as a service (SaaS) platforms, and research workflows.
All that data flows into commercial datasets. Your competitors can buy it. It’s not a hypothetical risk, but a stated business practice.
Right now, 75 of these 82 extensions remain on the Chrome Web Store. Only 7 have been removed. And removal doesn’t mean users have uninstalled them. Those tools can keep running in your browser.
So here’s my advice. Check your extensions. If you have any QVI-related tools, remove them. Stick to tools listed on official service websites. And remember: if an extension has a long privacy policy, read it. Or better yet, just don’t install things you don’t absolutely need.
When it comes to ad blockers specifically, choosing a reputable option is critical. Our curated list of the best ad blockers focuses on tools that block ads effectively without collecting or selling your personal data, so you can browse safely and privately. Your data is valuable. Don’t give it away for a wallpaper or a fake email address.
