CRW

Home Wiki

SimilarWeb

Last updated View on consumerrights.wiki ↗

Contents9
  1. Background
  2. Browser extensions
  3. Incidents
  4. Stylish data-exfiltration disclosure (2018)
  5. Stylish return and Wall of Shame (February 2026)
  6. SimilarWeb-branded extension confirmed exfiltration (May 2026)
  7. Products
  8. See also
  9. References
SimilarWeb
Basic information
Founded 2007
Legal Structure Public
Industry Digital market intelligence,Web analytics,Browser extensions
Also known as Similarweb,Similarweb Ltd.,SMWB
Official website https://www.similarweb.com/

SimilarWeb (legally Similarweb Ltd.) is an Israeli digital-market-intelligence company that owns two Chrome Web Store extensions independently documented exfiltrating their users' browsing data: Stylish, with roughly 2 million users, and a self-branded SimilarWeb traffic-rank extension with roughly 1 million users.[1][2] The company trades on the New York Stock Exchange under the ticker SMWB after a May 12, 2021 initial public offering.[3] Both extensions were classified as "Confirmed" AI-chat scrapers in security researcher James Arnott's May 11, 2026 audit, which documented chat content from ChatGPT, Claude, and Character.AI leaving users' browsers in network traffic.[1]

Background

SimilarWeb was founded in 2007 by Or Offer and is headquartered in Givatayim, Israel. Its core business sells web and app traffic intelligence to brands, investors, and publishers; a portion of the underlying panel data is sourced from a network of browser extensions, mobile applications, and user panels that the company owns or partners with.[2]

The company priced its IPO on May 12, 2021, selling 8,000,000 ordinary shares on the New York Stock Exchange under ticker SMWB, with J.P. Morgan, Citigroup, Barclays, and Jefferies serving as joint book-running managers.[3] On May 13, 2026, the board announced that founder and CEO Or Offer would step down by mid-2027 and opened a formal succession process.[4]

Browser extensions

In January 2017, the then-owner of Stylish announced a data-collection partnership tying the user-styles extension into SimilarWeb's analytics panel. At the time of the partnership, Stylish had approximately 2 million users across Chrome, Firefox, Opera, and Safari.[2] SimilarWeb itself was the named owner of the extension by the time Robert Heaton's July 2018 disclosure prompted Chrome and Firefox to remove it.[5] The Chrome Web Store listing as of May 2026 still shows roughly 2 million users.[1]

The company also distributes a self-branded SimilarWeb traffic-rank extension with roughly 1 million Chrome Web Store users, which serves both as a consumer-facing site-comparison tool and as a primary data-collection channel feeding SimilarWeb's panel.[1] Neither extension's Chrome Web Store listing discloses, on the install page itself, the AI-chat exfiltration documented by independent researchers in 2025 and 2026.[1]

Incidents

This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the SimilarWeb category.

Stylish data-exfiltration disclosure (2018)

On July 2, 2018, software engineer Robert Heaton published a technical write-up showing that the SimilarWeb-owned Stylish extension was sending every URL its users visited, together with a persistent unique identifier, to api.userstyles.org. Heaton noted that for users who had also created a userstyles.org account, the identifier could be linked to a login cookie, tying browsing histories to real-world identities.[5] Within two days of publication, both Google and Mozilla removed Stylish from the Chrome Web Store and the Firefox add-ons store; The Register & BleepingComputer independently confirmed the removals.[5][6] A modified version was back in the Firefox add-on store by August 16, 2018 behind an opt-in startup screen.[7]

Stylish return and Wall of Shame (February 2026)

On February 26, 2026, security researcher James Arnott of amibeingpwned documented that Stylish, by then carrying Chrome Web Store "Featured" and "Verified Publisher" badges, was again exfiltrating every URL its users visited, along with conversation content from AI chat sites including ChatGPT, Claude, and Character.AI. Arnott reverse-engineered a five-stage obfuscation pipeline: URL encoding, double base64 of JSON, columnar transposition, AES-256-CBC encryption with a symmetric key hard-coded in the extension source, and a final base64 wrap.[8] On May 11, 2026, Arnott published an AI Chat Scraper Wall of Shame that classified Stylish as "Confirmed" with "Extensive" obfuscation, citing direct observation of chat content leaving the browser in network traffic.[1]

SimilarWeb-branded extension confirmed exfiltration (May 2026)

Arnott's May 11, 2026 Wall of Shame separately classified the self-branded SimilarWeb extension (≈1 million users, carrying a Chrome Web Store "Verified" badge) as "Confirmed" for exfiltrating AI chat content and full URLs. Arnott noted that the data collection occurs "even when you're not using the extension" and that, unlike Stylish, the SimilarWeb-branded extension applies no obfuscation to the exfiltrated payload.[1] Arnott made a video documenting the behavior.[9]

Products

See also

References

  1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 Arnott, James (11 May 2026). "The AI Chat Scraping Extension Wall of Shame". amibeingpwned. Archived from the original on 2 Jun 2026. Retrieved 1 Jun 2026.
  2. 2.0 2.1 2.2 Cimpanu, Catalin (4 Jan 2017). "2 Million Users Impacted by New Data Collection Policy in Stylish Browser Add-On". BleepingComputer. Archived from the original on 27 Jun 2017. Retrieved 1 Jun 2026.
  3. 3.0 3.1 "Similarweb Announces Closing of Initial Public Offering". Similarweb. 2021-05-14. Retrieved 2026-05-30.
  4. "Similarweb begins CEO succession process as founder Or Offer plans to step down". Calcalist Tech. 13 May 2026. Archived from the original on 16 May 2026. Retrieved 1 Jun 2026.
  5. 5.0 5.1 5.2 Heaton, Robert (2 Jul 2018). "Stylish browser extension steals all your internet history". Robert Heaton. Archived from the original on 3 Jul 2018. Retrieved 1 Jun 2026.
  6. Chirgwin, Richard (5 Jul 2018). "Chrome, Firefox pull very unstylish Stylish invasive browser plugin". The Register. Archived from the original on 8 May 2026. Retrieved 1 Jun 2026.
  7. Heaton, Robert (16 Aug 2018). ""Stylish" is back, and you still shouldn't use it". Robert Heaton. Archived from the original on 28 Nov 2018. Retrieved 1 Jun 2026.
  8. Arnott, James (26 Feb 2026). "Stylish is Back, Back again!". amibeingpwned. Archived from the original on 2 Jun 2026. Retrieved 1 Jun 2026.
  9. AmIBeingPwned (31 May 2026). "Similarweb - URL, OpenAI JWT and AI chat exfiltration demo". YouTube. Archived from the original on 2 Jun 2026. Retrieved 1 Jun 2026.
Filed under