Louis: new product article on the whatruns chrome extension. covers the 2017 hacker news launch, the may 2026 arnott disclosure that it exfiltrates urls and ai-chat content with no obfuscation, the owned it ltd companies house record (formerly braggnow ltd), and the broader prompt poaching pattern.

2026-05-29T21:00:58Z

new product article on the whatruns chrome extension. covers the 2017 hacker news launch, the may 2026 arnott disclosure that it exfiltrates urls and ai-chat content with no obfuscation, the owned it ltd companies house record (formerly braggnow ltd), and the broader prompt poaching pattern.

New page

{{ProductCargo
| ArticleType = Product
| Category = Browser extension
| Company = Owned it Ltd
| Description = Chrome and Edge extension that identifies website technologies; in May 2026 observed exfiltrating full URLs & AI chat content without disclosure.
| InProduction = Yes
| ReleaseYear = 2017
| Website = https://www.whatruns.com/
}}

'''WhatRuns''' is a Chrome and Edge browser extension, published by UK company [[Owned it Ltd]], that identifies the frameworks, fonts, content management systems, plugins, and analytics tools running on any website the user opens. On May 11, 2026, security researcher James Arnott of Am I Being Pwned? reported that WhatRuns also transmits every URL its roughly 400,000 users visit, along with the content of those users' conversations with hosted AI chatbots, back to Owned it Ltd's servers, with no obfuscation of the request payloads & no disclosure of this collection in either the extension's privacy policy or its Chrome Web Store data-safety declaration.<ref name="aibp">{{Cite web |last=Arnott |first=James |date=2026-05-11 |title=The AI Chat Scraping Extension Wall of Shame |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame/ |website=Am I Being Pwned? |access-date=May 29, 2026}}</ref><ref name="cws">{{Cite web |date=2026-04-27 |title=WhatRuns |url=https://chromewebstore.google.com/detail/whatruns/cmkdbmfndkfgebldhnkbfhlneefdaaip |website=Chrome Web Store |publisher=Google |access-date=May 29, 2026}}</ref> As of May 29, 2026, the extension is still listed on the Chrome Web Store with both the ''Featured'' & ''Established Publisher'' badges in place.<ref name="cws" />

== Background ==

WhatRuns launched on Hacker News on August 25, 2017, marketed as a competitor to website-technology profilers such as Wappalyzer & BuiltWith.<ref name="hn">{{Cite web |date=2017-08-25 |title=Whatruns: Identify technologies used on any website |url=https://news.ycombinator.com/item?id=15098028 |website=Hacker News |access-date=May 29, 2026}}</ref> The extension's stated function is to read a page the user is already viewing, fingerprint the technologies in use, & display a sidebar that names them. A typical user installs WhatRuns because they want a one-click way to answer the question of what a site is built with, for example whether a blog runs WordPress, what fonts a competitor's homepage uses, or which analytics package an e-commerce site has loaded.<ref name="cws" />

The Chrome Web Store listing positions WhatRuns directly against four named competitors. The product description on the listing reads in part that WhatRuns identifies technologies running on any site & frames itself as an alternative to Wappalyzer, BuiltWith, Datanyze, and Ghostery.<ref name="cws" /> The listing categorizes the extension under Developer Tools.

The extension's own privacy policy, last updated August 2025, tells users that the only data leaving their browser is technical fingerprinting material. The policy states that the extension may collect ''"Source code snippets and public resources (e.g., scripts, metadata, or stylesheets) solely to identify technologies"'' along with ''"Timestamps and diagnostic information for debugging and performance tuning"'' & ''"A randomly generated identifier to differentiate anonymous extension sessions."''<ref name="policy">{{Cite web |date=August 2025 |title=Privacy Policy |url=https://www.whatruns.com/privacy |website=WhatRuns |access-date=May 29, 2026}}</ref> The same policy states that ''"All collected data is anonymised and aggregated before any analysis or sharing"'' & that ''"We do not engage in cross-site tracking or behavioural profiling."''<ref name="policy" /> Neither URLs nor AI chat content appear anywhere in the policy.

== The May 2026 disclosure ==

On May 11, 2026, James Arnott published an entry on the Am I Being Pwned? ''"AI Chat Scraping Extension Wall of Shame"'' naming WhatRuns as confirmed entry #6 in the table, with 400,000 users, the ''Featured & Verified'' badges, and an obfuscation status of ''None''.<ref name="aibp" /> Arnott's ''"Confirmed"'' classification carries a specific operational meaning on the page. He writes that ''"Confirmed means I observed chat content leaving the browser in network traffic during manual testing."''<ref name="aibp" />

In a short note above the WhatRuns table row, Arnott discloses that he had personally used the extension before testing it:

<blockquote>''WhatRuns shows users "what runs" on the sites they visit, for example if you visit a site that runs WordPress, it'll tell you it runs WordPress. It's actually pretty useful. I (James) previously had it installed, this one hits close to home.''</blockquote><ref name="aibp" />

Arnott then states the observed behavior in one sentence:

<blockquote>''WhatRuns exfiltrates every URL you visit, alongside AI chats. No exceptions here, they don't even bother to obfuscate the requests which is nice to see, although there's no indication to the user this exfiltration is happening.''</blockquote><ref name="aibp" />

Arnott documents his methodology in a separate section of the same post, describing it as ''"the AIBP analysis pipeline (dynamic and static analysis in a sandbox), then manually verified by me, James, watching the AI chat exfiltration happen in my own (sandboxed) browser with my own eyes, inspecting outbound network requests."''<ref name="aibp" /> A companion video on the amibeingpwned YouTube channel, titled ''WhatRuns caught scraping AI chats'', shows the network capture from Arnott's sandbox.<ref name="yt">{{Cite web |last=Arnott |first=James |title=WhatRuns caught scraping AI chats |url=https://www.youtube.com/watch?v=UYwUmaVohQk |website=YouTube |publisher=amibeingpwned |access-date=May 29, 2026}}</ref>

As of May 29, 2026, no other named security researcher has independently published a corroborating analysis of WhatRuns. The disclosure rests on Arnott's single-researcher observation.

== Data exfiltration mechanics ==

Arnott's finding is that two streams of data leave the browser of every WhatRuns user & arrive at Owned it Ltd's servers. The first stream is the full URL of every page the user opens, not only the pages where the user clicks the WhatRuns icon. The second stream is the content of conversations the user has with hosted AI chatbots while the extension is installed.<ref name="aibp" /> Neither stream is mentioned in the extension's privacy policy or its Chrome Web Store data-safety declaration.<ref name="policy" /><ref name="cws" />

The technical detail that matters here is Arnott's ''"no obfuscation"'' finding. In the Wall of Shame table, the ''Obfuscation'' column for WhatRuns reads ''None'', the same value Arnott assigns to Similarweb & a less invasive value than the ''Extensive'' he assigns to the Stylish extension.<ref name="aibp" /> Several other extensions in the same table wrap their exfiltrated payloads in LZ-String compression, base64, or character-mapping schemes that make the captured data harder to read at a glance during a network inspection.<ref name="aibp" /> WhatRuns does not. The URL & chat-content payloads travel from the browser to Owned it Ltd in cleartext form within the TLS connection to the server, which means anyone with network-trace access to a WhatRuns user's machine, such as a corporate IT team running endpoint inspection, can read the captured data directly without decoding it. Arnott characterizes the absence of obfuscation as ''"nice to see"'' from a researcher's perspective, because it makes the behavior immediately visible in a network trace, while noting that ''"there's no indication to the user this exfiltration is happening."''<ref name="aibp" />

== Owned it Ltd ==

The extension's publisher is registered with the UK Companies House as OWNED IT LTD, company number 07755519.<ref name="ch">{{Cite web |title=OWNED IT LTD overview |url=https://find-and-update.company-information.service.gov.uk/company/07755519 |website=Companies House |publisher=UK Government |access-date=May 29, 2026}}</ref> The company was incorporated on August 30, 2011 under the original name BRAGGNOW LTD; its name was changed to OWNED IT LTD on December 2, 2011, roughly three months after incorporation & nearly six years before the WhatRuns extension launched on Hacker News.<ref name="ch" /><ref name="hn" /> The registered office is 11 Brindley Place, Brunswick Square, Birmingham, England, B1 2LP.<ref name="ch" />

Companies House lists the company's SIC code as 63990, ''"Other information service activities not elsewhere classified,"'' & its status as Active. Last accounts were made up to March 31, 2025.<ref name="ch" /> The address on the Companies House record matches the developer address Owned it Ltd publishes on its Chrome Web Store listing, which gives the developer as ''Ownedit Ltd'' at the same Birmingham B1 2LP location.<ref name="cws" /> The Chrome Web Store renders the publisher name as the compressed string ''Ownedit Ltd''; the UK registry name is ''OWNED IT LTD''.

== Other extensions in Arnott's Wall of Shame ==

WhatRuns is one of seven Chrome extensions Arnott catalogs on the AIBP Wall of Shame as either ''Confirmed'' or ''Capability'' for AI chat exfiltration in May 2026, alongside Stylish, Poper Blocker, Similarweb, StayFocusd, CrxMouse, StayFree, and UrbanVPN.<ref name="aibp" /> The broader category was named in December 2025 by John Tuckner of Secure Annex, who coined the term ''Prompt Poaching'' for the practice of browser extensions capturing user conversations with AI chatbots & transmitting them to the extension publisher for use as training, analytics, or commercial intelligence material.<ref name="sa">{{Cite web |last=Tuckner |first=John |date=2025-12-28 |title=Prompt poaching runs rampant in extensions |url=https://secureannex.com/blog/prompt-poaching/ |website=Secure Annex |access-date=May 29, 2026}}</ref>

Tuckner's December 2025 post identifies Similarweb & StayFocusd as the two extensions his analysis examined in detail; it does not name WhatRuns.<ref name="sa" /> Tuckner's contribution to the WhatRuns story is the category, not the identification. Arnott's May 2026 post is the first published security analysis to place WhatRuns inside the Prompt Poaching pattern. For the cross-extension pattern as a whole, see [[Browser extension AI chat exfiltration]].

== Chrome Web Store status ==

The Chrome Web Store listing for WhatRuns as of May 29, 2026, eighteen days after Arnott's disclosure, shows version 1.10.0, last updated April 27, 2026, with a download size of 1.9 MiB.<ref name="cws" /> The listing reports 400,000 users & a rating of 4.2 out of 5 from 813 user ratings.<ref name="cws" />

Two Google badges sit on the listing. The first is the ''Featured'' badge, which Google describes as ''"assigned to extensions that follow our technical best practices and meet a high standard of user experience and design"'' & which Google says is awarded after manual evaluation by Chrome team members, paying attention to ''"providing an enjoyable and intuitive experience, using the latest platform APIs and respecting the privacy of end-users."''<ref name="badge">{{Cite web |last=Kim |first=Debbie |date=2022-04-20 |title=Find great extensions with new Chrome Web Store badges |url=https://blog.google/products/chrome/find-great-extensions-new-chrome-web-store-badges/ |website=The Keyword |publisher=Google |access-date=May 29, 2026}}</ref> The second is the ''Established Publisher'' badge, which Google describes as showcasing publishers who have ''"verified their identity and demonstrated compliance with the developer program policies."''<ref name="badge" /> Google states that ''"publishers cannot pay to receive either badge."''<ref name="badge" /> The WhatRuns listing displays the Established Publisher tooltip text ''"The publisher has a good record with no history of violations."''<ref name="cws" />

The listing also carries Google's standard data-safety section, in which Owned it Ltd declares to users that data handled by WhatRuns is ''"Not being sold to third parties, outside of the approved use cases"'' & ''"Not being used or transferred for purposes that are unrelated to the item's core functionality."''<ref name="cws" /> The same listing notifies EU consumers that ''"This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer."''<ref name="cws" />

As of May 29, 2026, no public evidence indicates that Google has revoked either badge, removed the listing, or issued a public statement in response to Arnott's report.

== Consumer guidance ==

A user installing WhatRuns to identify the technologies behind a website does not need an extension that runs in the background on every page the user opens. The technology-profiler feature requires only that the extension read the page the user has explicitly asked it to read. Per Arnott's observation, WhatRuns transmits the URL of every page the user visits whether or not the user has interacted with the extension on that page, & transmits the content of conversations the user has with hosted AI chatbots.<ref name="aibp" />

Users who installed WhatRuns specifically for the technology-detection feature can uninstall it & use a server-side alternative that does not require browser-resident access to the user's full browsing history or AI chat sessions, such as a website-technology lookup performed from a separate browser tab against a URL the user types in directly. Users who keep WhatRuns or any similar extension installed should review the extension's host permissions in the Chrome ''chrome://extensions'' page; the access scope an extension declares there is the upper bound on what it can read from the browser.

== See also ==

* [[Browser extension AI chat exfiltration]]
* [[Owned it Ltd]]
* [[SimilarWeb]]
* [[Chrome Web Store]]

== References ==

{{reflist}}

[[Category:Browser extensions]]
[[Category:Products]]
[[Category:Privacy incidents]]

WhatRuns - Revision history

Louis: new product article on the whatruns chrome extension. covers the 2017 hacker news launch, the may 2026 arnott disclosure that it exfiltrates urls and ai-chat content with no obfuscation, the owned it ltd companies house record (formerly braggnow ltd), and the broader prompt poaching pattern.