WhatRuns: Difference between revisions
new product article on the whatruns chrome extension. covers the 2017 hacker news launch, the may 2026 arnott disclosure that it exfiltrates urls and ai-chat content with no obfuscation, the owned it ltd companies house record (formerly braggnow ltd), and the broader prompt poaching pattern. |
Legal fixes + clarity |
||
| Line 9: | Line 9: | ||
}} | }} | ||
'''WhatRuns''' is a Chrome and Edge browser extension, published by UK company [[Owned it Ltd]], that identifies the frameworks, fonts, content management systems, plugins, and analytics tools running on any website the user opens. On May 11, 2026, security researcher James Arnott of Am I Being Pwned? reported that WhatRuns also transmits every URL its roughly 400,000 users visit, along with the content of those users' conversations with hosted AI chatbots, back to Owned it Ltd's servers, with no obfuscation of the request payloads & no disclosure of this collection in | '''WhatRuns''' is a Chrome and Edge browser extension, published by UK company [[Owned it Ltd]], that identifies the frameworks, fonts, content management systems, plugins, and analytics tools running on any website the user opens. On May 11, 2026, security researcher James Arnott of Am I Being Pwned? reported that WhatRuns also transmits every URL its roughly 400,000 users visit, along with the content of those users' conversations with hosted AI chatbots, back to Owned it Ltd's servers, with no obfuscation of the request payloads & no clear disclosure or explicit consent from the user of this collection in its Chrome Web Store data-safety declaration. Its privacy policy does briefly mention AI-feature processing but makes no indication that it exfiltrates AI chats from external services.<ref name="aibp">{{Cite web |last=Arnott |first=James |date=2026-05-11 |title=The AI Chat Scraping Extension Wall of Shame |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame/ |website=Am I Being Pwned? |access-date=May 29, 2026}}</ref><ref name="cws">{{Cite web |date=2026-04-27 |title=WhatRuns |url=https://chromewebstore.google.com/detail/whatruns/cmkdbmfndkfgebldhnkbfhlneefdaaip |website=Chrome Web Store |publisher=Google |access-date=May 29, 2026}}</ref> As of May 29, 2026, the extension is still listed on the Chrome Web Store with both the ''Featured'' & ''Established Publisher'' badges in place.<ref name="cws" /> | ||
== Background == | ==Background== | ||
WhatRuns launched on Hacker News on August 25, 2017, marketed as a competitor to website-technology profilers such as Wappalyzer & BuiltWith.<ref name="hn">{{Cite web |date=2017-08-25 |title=Whatruns: Identify technologies used on any website |url=https://news.ycombinator.com/item?id=15098028 |website=Hacker News |access-date=May 29, 2026}}</ref> The extension's stated function is to read a page the user is already viewing, fingerprint the technologies in use, & display a sidebar that names them. A typical user installs WhatRuns because they want a one-click way to answer the question of what a site is built with, for example whether a blog runs WordPress, what fonts a competitor's homepage uses, or which analytics package an e-commerce site has loaded.<ref name="cws" /> | WhatRuns launched on Hacker News on August 25, 2017, marketed as a competitor to website-technology profilers such as Wappalyzer & BuiltWith.<ref name="hn">{{Cite web |date=2017-08-25 |title=Whatruns: Identify technologies used on any website |url=https://news.ycombinator.com/item?id=15098028 |website=Hacker News |access-date=May 29, 2026}}</ref> The extension's stated function is to read a page the user is already viewing, fingerprint the technologies in use, & display a sidebar that names them. A typical user installs WhatRuns because they want a one-click way to answer the question of what a site is built with, for example whether a blog runs WordPress, what fonts a competitor's homepage uses, or which analytics package an e-commerce site has loaded.<ref name="cws" /> | ||
| Line 17: | Line 17: | ||
The Chrome Web Store listing positions WhatRuns directly against four named competitors. The product description on the listing reads in part that WhatRuns identifies technologies running on any site & frames itself as an alternative to Wappalyzer, BuiltWith, Datanyze, and Ghostery.<ref name="cws" /> The listing categorizes the extension under Developer Tools. | The Chrome Web Store listing positions WhatRuns directly against four named competitors. The product description on the listing reads in part that WhatRuns identifies technologies running on any site & frames itself as an alternative to Wappalyzer, BuiltWith, Datanyze, and Ghostery.<ref name="cws" /> The listing categorizes the extension under Developer Tools. | ||
The extension's own privacy policy, last updated August 2025, tells users that the only data leaving their browser is technical fingerprinting material. The policy states that the extension may collect ''"Source code snippets and public resources (e.g., scripts, metadata, or stylesheets) solely to identify technologies"'' along with ''"Timestamps and diagnostic information for debugging and performance tuning"'' & ''"A randomly generated identifier to differentiate anonymous extension sessions."''<ref name="policy">{{Cite web |date=August 2025 |title=Privacy Policy |url=https://www.whatruns.com/privacy |website=WhatRuns |access-date=May 29, 2026}}</ref> The same policy states that ''"All collected data is anonymised and aggregated before any analysis or sharing"'' & that ''"We do not engage in cross-site tracking or behavioural profiling."''<ref name="policy" /> Neither URLs nor AI chat content appear anywhere in the policy. | The extension's own privacy policy, last updated August 2025, tells users that the only data leaving their browser is technical fingerprinting material. The policy states that the extension may collect ''"Source code snippets and public resources (e.g., scripts, metadata, or stylesheets) solely to identify technologies"'' along with ''"Timestamps and diagnostic information for debugging and performance tuning"'' & ''"A randomly generated identifier to differentiate anonymous extension sessions."''<ref name="policy">{{Cite web |date=August 2025 |title=Privacy Policy |url=https://www.whatruns.com/privacy |website=WhatRuns |access-date=May 29, 2026}}</ref> The same policy states that ''"All collected data is anonymised and aggregated before any analysis or sharing"'' & that ''"We do not engage in cross-site tracking or behavioural profiling."''<ref name="policy" /> Neither URLs nor explicit mentions of AI chat content appear anywhere in the policy. "Aggregated interaction data generated through the use of AI-powered or automated features, which may be analysed to enhance accuracy, performance, and reliability across the WhatRuns Services." is is stated in the "Data Collected Through the WhatRuns Extension" section, which does not make clear to the user that they are collecting full AI chats from external services. | ||
== The May 2026 disclosure == | ==The May 2026 disclosure== | ||
On May 11, 2026, James Arnott published an entry on the Am I Being Pwned? ''"AI Chat Scraping Extension Wall of Shame"'' naming WhatRuns as confirmed entry #6 in the table, with 400,000 users, the ''Featured & Verified'' badges, and an obfuscation status of ''None''.<ref name="aibp" /> Arnott's ''"Confirmed"'' classification carries a specific operational meaning on the page. He writes that ''"Confirmed means I observed chat content leaving the browser in network traffic during manual testing."''<ref name="aibp" /> | On May 11, 2026, James Arnott published an entry on the Am I Being Pwned? ''"AI Chat Scraping Extension Wall of Shame"'' naming WhatRuns as confirmed entry #6 in the table, with 400,000 users, the ''Featured & Verified'' badges, and an obfuscation status of ''None''.<ref name="aibp" /> Arnott's ''"Confirmed"'' classification carries a specific operational meaning on the page. He writes that ''"Confirmed means I observed chat content leaving the browser in network traffic during manual testing."''<ref name="aibp" /> | ||
| Line 35: | Line 35: | ||
As of May 29, 2026, no other named security researcher has independently published a corroborating analysis of WhatRuns. The disclosure rests on Arnott's single-researcher observation. | As of May 29, 2026, no other named security researcher has independently published a corroborating analysis of WhatRuns. The disclosure rests on Arnott's single-researcher observation. | ||
== Data exfiltration mechanics == | ==Data exfiltration mechanics== | ||
Arnott's finding is that two streams of data leave the browser of every WhatRuns user & arrive at Owned it Ltd's servers. The first stream is the full URL of every page the user opens, not only the pages where the user clicks the WhatRuns icon. The second stream is the content of conversations the user has with hosted AI chatbots while the extension is installed.<ref name="aibp" /> Neither stream is mentioned in the extension's privacy policy or its Chrome Web Store data-safety declaration.<ref name="policy" /><ref name="cws" /> | Arnott's finding is that two streams of data leave the browser of every WhatRuns user & arrive at Owned it Ltd's servers. The first stream is the full URL of every page the user opens, not only the pages where the user clicks the WhatRuns icon. The second stream is the content of conversations the user has with hosted AI chatbots while the extension is installed.<ref name="aibp" /> Neither stream is mentioned in the extension's privacy policy or its Chrome Web Store data-safety declaration.<ref name="policy" /><ref name="cws" /> | ||
| Line 41: | Line 41: | ||
The technical detail that matters here is Arnott's ''"no obfuscation"'' finding. In the Wall of Shame table, the ''Obfuscation'' column for WhatRuns reads ''None'', the same value Arnott assigns to Similarweb & a less invasive value than the ''Extensive'' he assigns to the Stylish extension.<ref name="aibp" /> Several other extensions in the same table wrap their exfiltrated payloads in LZ-String compression, base64, or character-mapping schemes that make the captured data harder to read at a glance during a network inspection.<ref name="aibp" /> WhatRuns does not. The URL & chat-content payloads travel from the browser to Owned it Ltd in cleartext form within the TLS connection to the server, which means anyone with network-trace access to a WhatRuns user's machine, such as a corporate IT team running endpoint inspection, can read the captured data directly without decoding it. Arnott characterizes the absence of obfuscation as ''"nice to see"'' from a researcher's perspective, because it makes the behavior immediately visible in a network trace, while noting that ''"there's no indication to the user this exfiltration is happening."''<ref name="aibp" /> | The technical detail that matters here is Arnott's ''"no obfuscation"'' finding. In the Wall of Shame table, the ''Obfuscation'' column for WhatRuns reads ''None'', the same value Arnott assigns to Similarweb & a less invasive value than the ''Extensive'' he assigns to the Stylish extension.<ref name="aibp" /> Several other extensions in the same table wrap their exfiltrated payloads in LZ-String compression, base64, or character-mapping schemes that make the captured data harder to read at a glance during a network inspection.<ref name="aibp" /> WhatRuns does not. The URL & chat-content payloads travel from the browser to Owned it Ltd in cleartext form within the TLS connection to the server, which means anyone with network-trace access to a WhatRuns user's machine, such as a corporate IT team running endpoint inspection, can read the captured data directly without decoding it. Arnott characterizes the absence of obfuscation as ''"nice to see"'' from a researcher's perspective, because it makes the behavior immediately visible in a network trace, while noting that ''"there's no indication to the user this exfiltration is happening."''<ref name="aibp" /> | ||
==Owned it Ltd== | |||
== Owned it Ltd == | |||
The extension's publisher is registered with the UK Companies House as OWNED IT LTD, company number 07755519.<ref name="ch">{{Cite web |title=OWNED IT LTD overview |url=https://find-and-update.company-information.service.gov.uk/company/07755519 |website=Companies House |publisher=UK Government |access-date=May 29, 2026}}</ref> The company was incorporated on August 30, 2011 under the original name BRAGGNOW LTD; its name was changed to OWNED IT LTD on December 2, 2011, roughly three months after incorporation & nearly six years before the WhatRuns extension launched on Hacker News.<ref name="ch" /><ref name="hn" /> The registered office is 11 Brindley Place, Brunswick Square, Birmingham, England, B1 2LP.<ref name="ch" /> | The extension's publisher is registered with the UK Companies House as OWNED IT LTD, company number 07755519.<ref name="ch">{{Cite web |title=OWNED IT LTD overview |url=https://find-and-update.company-information.service.gov.uk/company/07755519 |website=Companies House |publisher=UK Government |access-date=May 29, 2026}}</ref> The company was incorporated on August 30, 2011 under the original name BRAGGNOW LTD; its name was changed to OWNED IT LTD on December 2, 2011, roughly three months after incorporation & nearly six years before the WhatRuns extension launched on Hacker News.<ref name="ch" /><ref name="hn" /> The registered office is 11 Brindley Place, Brunswick Square, Birmingham, England, B1 2LP.<ref name="ch" /> | ||
| Line 48: | Line 47: | ||
Companies House lists the company's SIC code as 63990, ''"Other information service activities not elsewhere classified,"'' & its status as Active. Last accounts were made up to March 31, 2025.<ref name="ch" /> The address on the Companies House record matches the developer address Owned it Ltd publishes on its Chrome Web Store listing, which gives the developer as ''Ownedit Ltd'' at the same Birmingham B1 2LP location.<ref name="cws" /> The Chrome Web Store renders the publisher name as the compressed string ''Ownedit Ltd''; the UK registry name is ''OWNED IT LTD''. | Companies House lists the company's SIC code as 63990, ''"Other information service activities not elsewhere classified,"'' & its status as Active. Last accounts were made up to March 31, 2025.<ref name="ch" /> The address on the Companies House record matches the developer address Owned it Ltd publishes on its Chrome Web Store listing, which gives the developer as ''Ownedit Ltd'' at the same Birmingham B1 2LP location.<ref name="cws" /> The Chrome Web Store renders the publisher name as the compressed string ''Ownedit Ltd''; the UK registry name is ''OWNED IT LTD''. | ||
== Other extensions in Arnott's Wall of Shame == | ==Other extensions in Arnott's Wall of Shame== | ||
WhatRuns is one of seven Chrome extensions Arnott catalogs on the AIBP Wall of Shame as either ''Confirmed'' or ''Capability'' for AI chat exfiltration in May 2026, alongside Stylish, Poper Blocker, Similarweb, StayFocusd, CrxMouse, StayFree, and UrbanVPN.<ref name="aibp" /> The broader category was named in December 2025 by John Tuckner of Secure Annex, who coined the term ''Prompt Poaching'' for the practice of browser extensions capturing user conversations with AI chatbots & transmitting them to the extension publisher for use as training, analytics, or commercial intelligence material.<ref name="sa">{{Cite web |last=Tuckner |first=John |date=2025-12-28 |title=Prompt poaching runs rampant in extensions |url=https://secureannex.com/blog/prompt-poaching/ |website=Secure Annex |access-date=May 29, 2026}}</ref> | WhatRuns is one of seven Chrome extensions Arnott catalogs on the AIBP Wall of Shame as either ''Confirmed'' or ''Capability'' for AI chat exfiltration in May 2026, alongside Stylish, Poper Blocker, Similarweb, StayFocusd, CrxMouse, StayFree, and UrbanVPN.<ref name="aibp" /> The broader category was named in December 2025 by John Tuckner of Secure Annex, who coined the term ''Prompt Poaching'' for the practice of browser extensions capturing user conversations with AI chatbots & transmitting them to the extension publisher for use as training, analytics, or commercial intelligence material.<ref name="sa">{{Cite web |last=Tuckner |first=John |date=2025-12-28 |title=Prompt poaching runs rampant in extensions |url=https://secureannex.com/blog/prompt-poaching/ |website=Secure Annex |access-date=May 29, 2026}}</ref> | ||
| Line 54: | Line 53: | ||
Tuckner's December 2025 post identifies Similarweb & StayFocusd as the two extensions his analysis examined in detail; it does not name WhatRuns.<ref name="sa" /> Tuckner's contribution to the WhatRuns story is the category, not the identification. Arnott's May 2026 post is the first published security analysis to place WhatRuns inside the Prompt Poaching pattern. For the cross-extension pattern as a whole, see [[Browser extension AI chat exfiltration]]. | Tuckner's December 2025 post identifies Similarweb & StayFocusd as the two extensions his analysis examined in detail; it does not name WhatRuns.<ref name="sa" /> Tuckner's contribution to the WhatRuns story is the category, not the identification. Arnott's May 2026 post is the first published security analysis to place WhatRuns inside the Prompt Poaching pattern. For the cross-extension pattern as a whole, see [[Browser extension AI chat exfiltration]]. | ||
== Chrome Web Store status == | ==Chrome Web Store status== | ||
The Chrome Web Store listing for WhatRuns as of May 29, 2026, eighteen days after Arnott's disclosure, shows version 1.10.0, last updated April 27, 2026, with a download size of 1.9 MiB.<ref name="cws" /> The listing reports 400,000 users & a rating of 4.2 out of 5 from 813 user ratings.<ref name="cws" /> | The Chrome Web Store listing for WhatRuns as of May 29, 2026, eighteen days after Arnott's disclosure, shows version 1.10.0, last updated April 27, 2026, with a download size of 1.9 MiB.<ref name="cws" /> The listing reports 400,000 users & a rating of 4.2 out of 5 from 813 user ratings.<ref name="cws" /> | ||
| Line 64: | Line 63: | ||
As of May 29, 2026, no public evidence indicates that Google has revoked either badge, removed the listing, or issued a public statement in response to Arnott's report. | As of May 29, 2026, no public evidence indicates that Google has revoked either badge, removed the listing, or issued a public statement in response to Arnott's report. | ||
== Consumer guidance == | ==Consumer guidance== | ||
A user installing WhatRuns to identify the technologies behind a website does not need an extension that runs in the background on every page the user opens. The technology-profiler feature requires only that the extension read the page the user has explicitly asked it to read. Per Arnott's observation, WhatRuns transmits the URL of every page the user visits whether or not the user has interacted with the extension on that page, & transmits the content of conversations the user has with hosted AI chatbots.<ref name="aibp" /> | A user installing WhatRuns to identify the technologies behind a website does not need an extension that runs in the background on every page the user opens. The technology-profiler feature requires only that the extension read the page the user has explicitly asked it to read. Per Arnott's observation, WhatRuns transmits the URL of every page the user visits whether or not the user has interacted with the extension on that page, & transmits the content of conversations the user has with hosted AI chatbots.<ref name="aibp" /> | ||
| Line 70: | Line 69: | ||
Users who installed WhatRuns specifically for the technology-detection feature can uninstall it & use a server-side alternative that does not require browser-resident access to the user's full browsing history or AI chat sessions, such as a website-technology lookup performed from a separate browser tab against a URL the user types in directly. Users who keep WhatRuns or any similar extension installed should review the extension's host permissions in the Chrome ''chrome://extensions'' page; the access scope an extension declares there is the upper bound on what it can read from the browser. | Users who installed WhatRuns specifically for the technology-detection feature can uninstall it & use a server-side alternative that does not require browser-resident access to the user's full browsing history or AI chat sessions, such as a website-technology lookup performed from a separate browser tab against a URL the user types in directly. Users who keep WhatRuns or any similar extension installed should review the extension's host permissions in the Chrome ''chrome://extensions'' page; the access scope an extension declares there is the upper bound on what it can read from the browser. | ||
== See also == | ==See also== | ||
* [[Browser extension AI chat exfiltration]] | *[[Browser extension AI chat exfiltration]] | ||
* [[Owned it Ltd]] | *[[Owned it Ltd]] | ||
* [[SimilarWeb]] | *[[SimilarWeb]] | ||
* [[Chrome Web Store]] | *[[Chrome Web Store]] | ||
== References == | ==References== | ||
{{reflist}} | {{reflist}} | ||