WhatRuns

WhatRuns launched on Hacker News on August 25, 2017, marketed as a competitor to website-technology profilers such as Wappalyzer & BuiltWith.^[3] The extension's stated function is to read a page the user is already viewing, fingerprint the technologies in use, & display a sidebar that names them. A typical user installs WhatRuns because they want a one-click way to answer the question of what a site is built with, for example whether a blog runs WordPress, what fonts a competitor's homepage uses, or which analytics package an e-commerce site has loaded.^[2]

The Chrome Web Store listing positions WhatRuns directly against four named competitors. The product description on the listing reads in part that WhatRuns identifies technologies running on any site & frames itself as an alternative to Wappalyzer, BuiltWith, Datanyze, and Ghostery.^[2] The listing categorizes the extension under Developer Tools.

The extension's own privacy policy, last updated August 2025, tells users that the only data leaving their browser is technical fingerprinting material. The policy states that the extension may collect "Source code snippets and public resources (e.g., scripts, metadata, or stylesheets) solely to identify technologies" along with "Timestamps and diagnostic information for debugging and performance tuning" & "A randomly generated identifier to differentiate anonymous extension sessions."^[4] The same policy states that "All collected data is anonymised and aggregated before any analysis or sharing" & that "We do not engage in cross-site tracking or behavioural profiling."^[4] Neither URLs nor AI chat content appear anywhere in the policy.

On May 11, 2026, James Arnott published an entry on the Am I Being Pwned? "AI Chat Scraping Extension Wall of Shame" naming WhatRuns as confirmed entry #6 in the table, with 400,000 users, the Featured & Verified badges, and an obfuscation status of None.^[1] Arnott's "Confirmed" classification carries a specific operational meaning on the page. He writes that "Confirmed means I observed chat content leaving the browser in network traffic during manual testing."^[1]

In a short note above the WhatRuns table row, Arnott discloses that he had personally used the extension before testing it:

WhatRuns shows users "what runs" on the sites they visit, for example if you visit a site that runs WordPress, it'll tell you it runs WordPress. It's actually pretty useful. I (James) previously had it installed, this one hits close to home.

^[1]

Arnott then states the observed behavior in one sentence:

WhatRuns exfiltrates every URL you visit, alongside AI chats. No exceptions here, they don't even bother to obfuscate the requests which is nice to see, although there's no indication to the user this exfiltration is happening.

^[1]

Arnott documents his methodology in a separate section of the same post, describing it as "the AIBP analysis pipeline (dynamic and static analysis in a sandbox), then manually verified by me, James, watching the AI chat exfiltration happen in my own (sandboxed) browser with my own eyes, inspecting outbound network requests."^[1] A companion video on the amibeingpwned YouTube channel, titled WhatRuns caught scraping AI chats, shows the network capture from Arnott's sandbox.^[5]

As of May 29, 2026, no other named security researcher has independently published a corroborating analysis of WhatRuns. The disclosure rests on Arnott's single-researcher observation.

Arnott's finding is that two streams of data leave the browser of every WhatRuns user & arrive at Owned it Ltd's servers. The first stream is the full URL of every page the user opens, not only the pages where the user clicks the WhatRuns icon. The second stream is the content of conversations the user has with hosted AI chatbots while the extension is installed.^[1] Neither stream is mentioned in the extension's privacy policy or its Chrome Web Store data-safety declaration.^[4][2]

The technical detail that matters here is Arnott's "no obfuscation" finding. In the Wall of Shame table, the Obfuscation column for WhatRuns reads None, the same value Arnott assigns to Similarweb & a less invasive value than the Extensive he assigns to the Stylish extension.^[1] Several other extensions in the same table wrap their exfiltrated payloads in LZ-String compression, base64, or character-mapping schemes that make the captured data harder to read at a glance during a network inspection.^[1] WhatRuns does not. The URL & chat-content payloads travel from the browser to Owned it Ltd in cleartext form within the TLS connection to the server, which means anyone with network-trace access to a WhatRuns user's machine, such as a corporate IT team running endpoint inspection, can read the captured data directly without decoding it. Arnott characterizes the absence of obfuscation as "nice to see" from a researcher's perspective, because it makes the behavior immediately visible in a network trace, while noting that "there's no indication to the user this exfiltration is happening."^[1]

The extension's publisher is registered with the UK Companies House as OWNED IT LTD, company number 07755519.^[6] The company was incorporated on August 30, 2011 under the original name BRAGGNOW LTD; its name was changed to OWNED IT LTD on December 2, 2011, roughly three months after incorporation & nearly six years before the WhatRuns extension launched on Hacker News.^[6][3] The registered office is 11 Brindley Place, Brunswick Square, Birmingham, England, B1 2LP.^[6]

Companies House lists the company's SIC code as 63990, "Other information service activities not elsewhere classified," & its status as Active. Last accounts were made up to March 31, 2025.^[6] The address on the Companies House record matches the developer address Owned it Ltd publishes on its Chrome Web Store listing, which gives the developer as Ownedit Ltd at the same Birmingham B1 2LP location.^[2] The Chrome Web Store renders the publisher name as the compressed string Ownedit Ltd; the UK registry name is OWNED IT LTD.

WhatRuns is one of seven Chrome extensions Arnott catalogs on the AIBP Wall of Shame as either Confirmed or Capability for AI chat exfiltration in May 2026, alongside Stylish, Poper Blocker, Similarweb, StayFocusd, CrxMouse, StayFree, and UrbanVPN.^[1] The broader category was named in December 2025 by John Tuckner of Secure Annex, who coined the term Prompt Poaching for the practice of browser extensions capturing user conversations with AI chatbots & transmitting them to the extension publisher for use as training, analytics, or commercial intelligence material.^[7]

Tuckner's December 2025 post identifies Similarweb & StayFocusd as the two extensions his analysis examined in detail; it does not name WhatRuns.^[7] Tuckner's contribution to the WhatRuns story is the category, not the identification. Arnott's May 2026 post is the first published security analysis to place WhatRuns inside the Prompt Poaching pattern. For the cross-extension pattern as a whole, see Browser extension AI chat exfiltration.

The Chrome Web Store listing for WhatRuns as of May 29, 2026, eighteen days after Arnott's disclosure, shows version 1.10.0, last updated April 27, 2026, with a download size of 1.9 MiB.^[2] The listing reports 400,000 users & a rating of 4.2 out of 5 from 813 user ratings.^[2]

Two Google badges sit on the listing. The first is the Featured badge, which Google describes as "assigned to extensions that follow our technical best practices and meet a high standard of user experience and design" & which Google says is awarded after manual evaluation by Chrome team members, paying attention to "providing an enjoyable and intuitive experience, using the latest platform APIs and respecting the privacy of end-users."^[8] The second is the Established Publisher badge, which Google describes as showcasing publishers who have "verified their identity and demonstrated compliance with the developer program policies."^[8] Google states that "publishers cannot pay to receive either badge."^[8] The WhatRuns listing displays the Established Publisher tooltip text "The publisher has a good record with no history of violations."^[2]

The listing also carries Google's standard data-safety section, in which Owned it Ltd declares to users that data handled by WhatRuns is "Not being sold to third parties, outside of the approved use cases" & "Not being used or transferred for purposes that are unrelated to the item's core functionality."^[2] The same listing notifies EU consumers that "This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer."^[2]

As of May 29, 2026, no public evidence indicates that Google has revoked either badge, removed the listing, or issued a public statement in response to Arnott's report.

A user installing WhatRuns to identify the technologies behind a website does not need an extension that runs in the background on every page the user opens. The technology-profiler feature requires only that the extension read the page the user has explicitly asked it to read. Per Arnott's observation, WhatRuns transmits the URL of every page the user visits whether or not the user has interacted with the extension on that page, & transmits the content of conversations the user has with hosted AI chatbots.^[1]

Users who installed WhatRuns specifically for the technology-detection feature can uninstall it & use a server-side alternative that does not require browser-resident access to the user's full browsing history or AI chat sessions, such as a website-technology lookup performed from a separate browser tab against a URL the user types in directly. Users who keep WhatRuns or any similar extension installed should review the extension's host permissions in the Chrome chrome://extensions page; the access scope an extension declares there is the upper bound on what it can read from the browser.

• Browser extension AI chat exfiltration
• Owned it Ltd
• SimilarWeb
• Chrome Web Store