Privacy Extension OptMeowt Flags Data‑Selling Sites but Raises Security Concerns
What Happened – OptMeowt, a free browser extension that surfaces Global Privacy Control (GPC) signals, lets users see which of the sites they visit claim to sell personal data. Independent testing rated the extension 5.0/10 on a security index and raised two critical warnings: unrestricted network‑traffic access and the ability to inject and execute code on visited pages.
Why It Matters for TPRM –
- Extension permissions create a potential supply‑chain attack vector against any organization that recommends or mandates its use.
- Malicious code injection could exfiltrate corporate credentials or proprietary data from employee browsers.
- The tool’s visibility into data‑selling practices may expose third‑party vendors to regulatory scrutiny if misused.
Who Is Affected – SaaS platforms, enterprise browsers, and any organization that allows employees to install third‑party extensions (technology, finance, healthcare, retail, etc.).
Recommended Actions –
- Conduct a risk assessment before approving OptMeowt for corporate devices.
- Enforce least‑privilege extension policies and monitor network traffic from browsers.
- Consider alternative GPC‑compatible tools with higher security ratings.
Technical Notes – The extension requires the webRequest, webRequestBlocking, and activeTab permissions, enabling it to read all HTTP requests and inject scripts into page DOMs. No known CVEs are associated with it, but the permission set aligns with patterns seen in known browser‑based malware.
Source: ZDNet Security – OptMeowt privacy tool
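
One way to apply the least‑privilege recommendation to the permissions named in the Technical Notes: an added example (not from the source article or the OptMeowt project) that audits a WebExtension manifest.json before approval. The sample manifest, the severity labels and the `allowed` threshold are constructed assumptions.

```python
# Added example: audit a WebExtension manifest for the permissions named above.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_APIS = {
    "webRequest": "can observe network requests for hosts it has access to",
    "webRequestBlocking": "can block or modify requests in flight",
    "activeTab": "temporary access to the active tab after a user gesture",
}

def audit_manifest(manifest):
    """Return sorted (severity, item, reason) findings for one manifest dict."""
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("optional_permissions", [])
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in declared if "://" in p or p == "<all_urls>"}
    broad = bool(hosts & BROAD_HOSTS)

    findings = []
    for api, reason in RISKY_APIS.items():
        if api in declared:
            # Network APIs are only critical when paired with all-site access.
            critical = api.startswith("webRequest") and broad
            findings.append(("critical" if critical else "review", api, reason))
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append(("critical", "content_scripts",
                             "injects script into every page visited"))
    return sorted(set(findings))

def allowed(manifest, max_critical=0):
    """Policy gate: reject when critical findings exceed the threshold."""
    return sum(f[0] == "critical" for f in audit_manifest(manifest)) <= max_critical

# Constructed sample manifest (hypothetical; not OptMeowt's real manifest.json).
SAMPLE = {
    "manifest_version": 2,
    "name": "example-privacy-extension",
    "permissions": ["webRequest", "webRequestBlocking", "activeTab", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for severity, item, reason in audit_manifest(SAMPLE):
        print(f"{severity:8} {item:20} {reason}")
    print("allowed:", allowed(SAMPLE))
```

Run it against the manifest.json unpacked from each extension under review; a "review" finding calls for a manual check of how the extension uses the permission, not automatic rejection.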