Browser extensions turn nearly 1 million browsers into website-scraping bots

arstechnica.com/security/2025/07/browser-extens…


These extensions use MellowTel-js. After this article from ArsTechnica went live, the developer responded in full detail and transparency.

If you’re a Dark Reader user (as that’s one of the most widely used extensions), definitely read MellowTel’s response on how their technology works. It made me realize the Ars article was not fully vetted.

https://www.mellowtel.com/blog/responding-to-ars-technica-and-mellow-drama-article

Edit: Dark Reader on this list is actually a knock-off version just for the Edge browser only - it’s not the widely used Dark Reader that’s on multiple browser engines. See another user’s comment that replied to me.

Nice, thanks for discovering that. I wasn’t aware there was a rip-off version of it.

Still sounds gross. While the developer might have opted in to selling your processing power to scrape websites, I doubt the users of each extension opted in.


Response from the developer:

" Users who want to support a free software product or creator can decide to opt-in to share their bandwidth. ... Developers can decide to offer them additional features and content or simply use the money to keep the products free and available."

On User Consent:

"Our approach is always opt-out by default. I'll write more below on how we are going about enforcing it now as part of a stricter approach to maintaining a transparent ecosystem. We provide default opt-in/out hosted pages to simplify asking consent and have left this page where users can see all the plugins to which they have opted-in and manage their settings with no developer as an intermediary: mellow.tel/user-control."

In other words, users are opted-out by default. They can also go to that web site, and when they click the link, the page checks which extensions are installed in the browser and whether or not you opted in.

On Opt-In Enforcement:

Ars Technica article states there are "no checks to determine if a real user knows what they are approving or to determine if the developer just opts all users in on their behalf".

"We do have a page where users can go and see if they are opted-in or have been opted in without their knowledge from the developer: mellow.tel/user-control. But you are right and we should do more. We have started enforcing the opt-in policy from today (by simply checking each integration and not sending requests to those that don't show an opt-in) and will be doubling down on that in the coming days. Each new websocket request from an unknown integration will be quarantined and we won't allow requests to go through until we have controlled the integration is compliant and is asking users to opt-in + is leaving an opt-out option clearly visible. We will also start enforcing routine checks on our Mellowtel integrations to create a transparent environment."

In other words, the Mellow.tel developer has it set to always opt-out by default. However, developers of extensions may just opt-in the users without consent - which, I agree with you, is gross. It's possible those developers don't explain the full implications. Now, the Mellow.tel developer is putting in remediations to ensure that the opt-in policy is enforced, and users will have more exposure to knowing whether or not this is happening. Meaning, they're going to try to enforce default opt-out (as they stated this was always their policy), and make it easier for users to know if they get opted in.

On Personally Identifiable Information and Monetisation:

The developer basically claims everything is anonymized. And the way they make money is, if you opt-in, you share "a fraction of your bandwidth" when browsing the web, fetching from a server, etc. They don't collect or sell your user data because they aren't advertising, and their business model is not advertising.

"all [Response data] is completely anonymous, it doesn't point back to any user, and isn't stored except the minimum time to act on it... Location - The only information used is country level (e.g., US, ES, DE), [and] it isn't associated with any Personally-Identifiable-Information (PII) at all."

So my conclusion - I care about my privacy. I don't like being opted into things without my consent. According to this developer's response, they never did. They're trying to come up with a model to help the web stay free. Who knows if this will be viable or not. Developers of extensions can leverage this stuff, and in the past, some of those developers may have opted users in without their consent (or without full transparency or understanding of how this was happening). Even if a user was "opted in", it doesn't appear to be a significant impact to privacy as they have their source code published, processing happens locally on the user's device, and the data that gets processed is not transmitted, sold, or even has any identifiers. In fact, the data they claim is quite sparse to the extent that it's limited to bandwidth allotment, country, and simple "keep alive" checks (heartbeat). Now I don't have any association with this company, know this developer, nor do I have any stakes at all in this. This just caught my attention and I had to read and learn more about it, and assess whether or not it affects my privacy threat model (it doesn't for me, simply because none of the extensions I use have this thing).

For my background - I'm a software engineer for a SaaS provider. My company processes observability telemetry, and we assist customers to instrument agents in their environments (server, machines, clusters, DB, and end-user devices like browsers and mobile devices) to collect metrics to enable observability of their platform, and generate automatic application topology. Also a suite of tools to examine metrics and dynamic baselines, health rules for baseline deviations or other anomalies, analytics, user queries, complete business transaction view, incident remediation, etc. However, I have no background whatsoever in security. So I can't comment on the security point because I don't have a cyber security background. I'm only going off what the developer said, and it made sense to me. But I'd defer to a person with cyber security expertise to comment here.

Edit: Added some additional context, fixed some spelling.

This needs to be upvoted to the top

I use the inbuilt Dark Mode in Vivaldi (on/off with a shortcut, works even in internal pages and menus) and none of the extensions from the list. Most extensions from the Store are redundant in Vivaldi anyway (translation, reader mode, tabs, feeds, ad/tracker blocker...)


I'll save everybody a click because it's what we all want to know. "Dog Facts Unlimited" extension is on the list.

My disappointment is immeasurable and my day is ruined.

"Cat Facts Unleashed" too.... My heart is sinking and I am dying now....

Dark Reader is on the list :(

That is not THE Dark Reader!
Only this knock off for the edge browser is affected.

Oh wow thanks for letting me know!

YouTube Unhook is too. Very disappointing, they were both recommended by Mozilla.

we really need a better way to audit these extensions.... and now we really need a new dark mode extension.

oh shit. I used to use this but removed later after realizing it wasn't open source.

It's disheartening seeing screen readers on this list. That seems predatory.

Damn now how am I gonna live without "Change my cursor to Sims 4"?

Definitely read the original SecureAnnex article as well. The behavior of this software and the people behind it are damning.

I used Youtube unhook in the past but before the AI craze so I'm probably good.

I know a lot of people use Dark Reader so that's gotta hurt.

Other than that I think I'm safe.

The popular Dark Reader is not affected by this.

Only this knock off for the edge browser.

I see Dark Reader for Edge but not Firefox. Are they the same extension?

This is from Mozilla

Dark Reader doesn't show ads and doesn't send user's data anywhere. It is fully open-source https://github.com/darkreader/darkreader

https://addons.mozilla.org/en-CA/android/addon/darkreader/

They seem to all link back to the same github page.

https://github.com/darkreader/darkreader

Edit: not the same one as on the list

This is confirmed btw. I was just fired from a company that hired a new VP who worked in ad tech. Part of the gig was scraping. But how do they get around IP blocks and so many guardrails?

Easy. They started a sister business that had an extension they gave away for free, some menial task like taking a screenshot or something to dupe people into getting it

And in the piles of ToS it gave the extension the legal ability to grab random websites, scrape them, and send the data home. Now you have an internet-wide scraper platform, and the best part is that you can't be IP blocked and, even better, you aren't paying for compute.

These fuckers need to learn fear.

This is fucked up. Dark Reader?

Thankfully it seems that this is only for Dark Reader on Edge (not Firefox or Chrome).

Still worrying to see them integrate this fraudulent service.

I think that this may be some duplicate extension trying to generate and take advantage of user confusion between the real Dark Reader extension for Edge and this one.

Real Dark Reader:

https://microsoftedge.microsoft.com/addons/detail/dark-reader/ifoakfbpdcdoeenechcleahebpibofpc

What appears to be the copycat with the malware:

https://microsoftedge.microsoft.com/addons/detail/dark-reader-%E2%80%93-ultimate-da/lgjebhldhklllbkkbfcfgibifbfcpepa

I suppose that that potential to impersonate addons is also a security concern, though.

Thanks for the clarification!

The web is unusable without Dark Reader and uBlock Origin.

The Firefox list is pretty much entirely overly specific YouTube tweaks (that you should be using uBlock or a more fully featured YouTube extension for), "games in sidebar", and custom cursors. Bonzi Buddy and toolbars, anyone?

Seriously, an NES emulator? As a browser addon? That needs permission to access "your data on all websites"?

Who in the hell would use a volume booster extension? Just turn your volume up? Wut.

This kind of extension is used when your device's output sucks and "cranking it to 140%" is the only way to make it audible (usually mangling the quality). Possibly used by hard-of-hearing users too. Or maybe they're stuck on monitor speakers and "just pay $15 for cheapo cans" isn't an option, and the monitor's OSD controls are clunky and awful (they always are).

I've used "volume booster" features in apps before when listening to badly mixed podcasts/audiobooks, because turning up the system volume on a phone makes other apps too loud. I could see a desktop situation that mirrors this for someone; a setting in FF is faster/easier than the Windows volume mixer.

Yea, you make a good point. Well, clearly avoid the extensions lol.

You can check if you have an affected extension installed by going to the mellowtel settings page, where you can configure mellowtel if it's installed (or get a message that you don't run mellowtel): https://www.mellow.tel/user-control

This is why I cringe when people recommend random ass addons to do random shit. Better to just literally stick to ublock origin and maybe 1 other. I really don't trust most extensions.

Ublock origin, noscript and canvas anti fingerprinting. Works great

Yea those are well known. But I see people recommending sketchy extensions for small things.

Besides random extensions, I also recommend checking when the last update was if possible.

I used to use the KDE Plasma Integration extension but have since ditched it when I found out the last update was in 2024, a little over a year ago now. Unless they update it, I'mma treat that 1-year-old extension like a 10-year-old extension in terms of security.
