"Unused Bandwidth" - the botnet built on Chrome extensions

The Data War: Extensions and Botnets 00:00

  • Browser extensions are turning nearly 1 million browsers into website scraping bots without users' knowledge.
  • Increasing restrictions from major sites (like Twitter and Reddit) on API/data access are raising the value of web data.
  • As AI companies demand more training data, incentives to circumvent blockers with scraping and botnets have grown rapidly.
  • Extension developers are often approached with lucrative offers to monetize user bases, but many don't understand the risks.
  • Monetization-as-a-service companies offer payment for adding libraries to extensions, sometimes not needing additional permissions.

How the Mellowtel Library Works 03:29

  • The Mellowtel JS library turns browser extensions into a distributed web scraping network, creating an unwitting botnet.
  • Monetization methods have evolved from tracking clickstreams to paying developers for the use of their users' "unused bandwidth".
  • Mellowtel is open source (GPL licensed), which can give developers a false sense of security and trust.
  • Integrating Mellowtel requires dangerous permissions (declarativeNetRequest and host access to all URLs), allowing its code to act on every site a user visits.
  • Most users are not informed, and are not asked for meaningful consent, before their bandwidth and browser are used in the botnet.
  • Installation of the library can be hidden by auto-updates and the absence of a user opt-in, depending on how the developer implements it.

Technical Mechanism and Security Risks 08:19

  • Mellowtel works by injecting hidden iframes into every page a user visits, loading the target websites to be scraped inside them.
  • This technique uses users' browsers to distribute the compute and bandwidth load and, critically, their IP addresses, which bypasses the blocks sites apply to server farms.
  • Web security headers (Content-Security-Policy and X-Frame-Options) are stripped from responses in real time, exposing users to attacks such as cross-site scripting.
  • Extensions carrying Mellowtel can act as man-in-the-middle agents, intercepting and modifying web requests and responses.
  • This manipulation lets bot operators bypass site restrictions and reach content that is not available from data-center IP addresses.
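As an added illustration (not code from the talk or from the library it describes), a small static audit of an extension's manifest and declarativeNetRequest rule file for the combination just described: declarativeNetRequest together with broad host access, and modifyHeaders rules that remove Content-Security-Policy or X-Frame-Options. The manifest and rule set are constructed samples; the check covers static rule files only, since rules installed at runtime require reviewing the extension's JavaScript.

```python
import json

# Constructed samples (not taken from any real extension): a Manifest V3
# manifest plus a static declarativeNetRequest rule set of the shape
# described above (broad host access and header-stripping rules).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "sample-ext",
  "permissions": ["storage", "declarativeNetRequest"],
  "host_permissions": ["<all_urls>"],
  "declarative_net_request": {
    "rule_resources": [{"id": "rs1", "enabled": true, "path": "rules.json"}]
  }
}""")
SAMPLE_RULES = json.loads("""[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders",
              "responseHeaders": [
                {"header": "Content-Security-Policy", "operation": "remove"},
                {"header": "X-Frame-Options", "operation": "remove"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["sub_frame"]}}
]""")

# Host patterns that grant access to every site (MV2 lists them under
# "permissions", MV3 under "host_permissions", so both keys are checked).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
# Response headers whose removal lets a page be framed and weakens XSS defences.
FRAMING_HEADERS = {"content-security-policy", "x-frame-options"}


def audit(manifest, rules):
    """Return a list of finding strings (empty when nothing is flagged)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = perms | set(manifest.get("host_permissions", []))
    if perms & DNR_PERMS and hosts & BROAD_HOSTS:
        findings.append("dnr-with-broad-host-access")
    # Only static rule files are covered here; rules added at runtime via
    # updateDynamicRules/updateSessionRules require reviewing the extension JS.
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        stripped = {h["header"].lower() for h in action.get("responseHeaders", [])
                    if h.get("operation") == "remove"}
        hit = sorted(stripped & FRAMING_HEADERS)
        if hit:
            findings.append(f"rule {rule.get('id')} strips {hit}")
    return findings
```

Run `audit(...)` over each installed extension's manifest.json and the rule files listed under `rule_resources`; a hit is a reason to read the extension's code, not proof of abuse, since legitimate tools (some ad blockers, for example) also use these capabilities.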

The Organizations and Monetization Pipeline 15:42

  • Mellowtel is developed by individuals linked to Idle Forest and Olostep, a company offering large-scale scraping APIs by brokering user traffic.
  • Olostep's APIs let customers specify URLs, geographic location, and return format, with the data collection sourced from real users' browsers via Mellowtel.
  • There is little transparency: developers may be told they are monetizing unused bandwidth, but users are generally neither informed nor compensated.

Impact and Broader Risks 17:21

  • Arbitrary web requests through users' logged-in browsers could have serious security repercussions, such as posting to banking endpoints with user cookies.
  • Malicious actors can exploit these proxies for attacks while appearing as normal user traffic, evading detection.
  • Mellowtel claims to avoid sending cookies in its iframes, but the safeguards are fragile and easily circumvented.
  • Browser extensions become new, difficult-to-detect points for attackers to obscure the origins of their internet traffic.

Ecosystem Response and Ongoing Concerns 20:25

  • Mellowtel integration was proposed to the popular extension framework Plasmo but ultimately rejected after concerns were raised.
  • Nonetheless, Mellowtel was included in several extensions (some only temporarily), with traces found in Chrome, Edge, and Firefox; removal by browser vendors remains limited.
  • As of reporting: 129 Edge and 71 Firefox extensions identified, with over 1 million users potentially affected.
  • Google has started removing some extensions, but many remain active, underscoring the inadequacy of current safeguards.

Final Thoughts and Advice for Users 22:34

  • There are many sketchy browser extensions; even seemingly innocuous tools may expose users to severe privacy and security threats.
  • Browser extensions can have as much or more power than many desktop applications, so users should vet them as carefully as any software installation.
  • Users should avoid ad blockers and privacy extensions that are not highly reputable (the speaker specifically recommends uBlock Origin or uBlock Origin Lite).
  • The need for web data continues to rise, and there will likely be more incidents of this kind; users and companies should be vigilant.
  • Recommendation: Audit and minimize browser extensions, check permissions, and treat them with a high level of caution.