Color Picker extension with 400,000 users caught adding encrypted tracking code, researcher says

A popular Chrome extension called Color Picker – Eyedropper Tool, installed by over 400,000 users, appears to have quietly added code that tracks your browsing and encrypts that data before sending it off to a remote server, according to a researcher who posted a detailed breakdown on X.

The researcher, going by the handle @tuckner, spotted the changes in version 1.4.4 of the extension.

Comparing it to the previous version (1.4.3), the code diff shows the update added encryption utilities to the extension’s service worker, something that, from what I can tell, has no obvious reason to be in a tool that’s only supposed to help you pick colors off a webpage.

From the screenshots shared, the updated extension now sends data to colorspicker.net/trendingSafe, and that data includes visited URLs and referrer information. The payload is encrypted, which tuckner argues is a deliberate attempt to make the tracking harder to spot.

Adding to that, when the extension runs, users now see a screen asking them to agree to letting Color Picker collect “anonymous data (visited URLs and CSS colors)” to improve a feature called Trending Colors. Most people will just click Agree and move on.

The extension is listed as Featured on the Chrome Web Store with a 4.8-star rating. Heck, even I’ve used the extension in the past, which is what drew my attention to the report in the first place. Featured status is supposed to signal that Google has vetted the extension to some degree.

It is worth noting that what actually gets transmitted after a user clicks Agree is still not fully clear from screenshots alone. But the code is there, and the behavior tuckner describes looks pretty hard to explain as anything other than browsing surveillance baked into a simple utility.

That said, extensions seem to be in the limelight for all the wrong reasons lately. Earlier today, we covered a separate investigation into how LinkedIn appears to be scanning users’ installed browser extensions on every page load and sending that data off, without mentioning it in its privacy policy. And not long ago, our sister site Tech Issues Today reported that Mozilla was forced to block the popular 600% Sound Volume Booster extension for Firefox after it was found injecting affiliate ads quietly into users’ browsers.

Google has not commented on the Color Picker situation so far. The extension remains live on the Chrome Web Store at the time of writing.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.