Do You Use “Awesome Screenshot” Extension for Chrome? Read This Now!

According to the latest numbers on the Chrome Web Store, Awesome Screenshot has 1,300,282  users. That is huge. Very huge, and very tempting.

I am no security expert, so I will borrow words of Miguel Jacq, a Linux administrator who has an interesting story to tell, about this extension and a related bot, “niki-bot”. He started seeing this new bot trying to access some pages that a regular crawler may not get access to, pages that require authentication to access, or to know even know that they exist. Somehow, niki-bot seems to know about these URLs.

Unless someone tracks your browsing activity from the browser, and stores it somewhere etc.


Bolstered by this corroborating story, I decided to look further into this AwesomeScreenshot extension. It wasn’t long before negative reviews on the Chrome app store led me to these two articles, which both seemed to confirm that the extension contains javascript which sends browsing activity in plaintext to an upstream service, which redirects or makes use of an API belonging to, which some say is part of a third service called SimilarWeb. 

The tracking and transmission of your browsing history is happening automatically, silently, with no proper explanation in the extension’s details on the Chrome App Store. The potentially sensitive URLs are sent over plaintext HTTP in easily base64-decryptable form, and through the use of some ‘niki-bot’ crawler (which is apparently so malicious its User-Agent requires obfuscation with no reference to SimilarWeb, Awesome Screenshot, or any other explanation for its use – nor does it bother to respect robots.txt), seems to intend to make further reconnaissance against these URLs at a later date. I see little difference between a client-side attack and this ‘service’, except that it can be argued that the end user willingly (but maybe unwittingly) entered into the agreement.

I think that’s enough information for you to review your extension and decide for yourself what  do. If you are looking for a mode detailed information and the complete story, read it here.

Leave a Reply

Your email address will not be published.