by yoz 888 days ago
Here's my wild guess:

Some other code running in the browser window (probably a browser extension, but possibly another script tag in the page, inserted by an intermediate firewall/proxy) is doing this. It could be corporate spyware (i.e. forced on users by the IT department), or an extension that only tends to be used by large institutions (because it relates to some expensive enterprise product). Alternatively, it could be a much more popular browser extension, but it only executes this capture when it determines that the user is within a target list of large institutions.

I'm making the same guess as the author about the execution process: that the code is shipping a huge amount of page content to a cloud server, e.g. the full DOM, and then rendering that DOM in this older Chrome version. It's not fetching the same page from the origin server, which is how it's able to do this without auth cookies.

As part of rendering, the page's script tags all get executed again, which is why Upollo is seeing this. (Note that I don't know if this re-execution of script tags is deliberate. There's a good chance that it's an unintended side-effect of loading the DOM into Chrome, but it doesn't seem to break anything so nobody's bothered to disable it.)

It's only sampling a small percentage of executions, which is why it's not continually happening for every interaction by these users.

It's waiting ten seconds so that the page's network interactions are likely to have finished by then. Waiting longer would increase the odds of the user navigating to another page before the code has had a chance to run.

The article doesn't say if there are particular kinds of pages being grabbed, but looking for commonality between them would help.

The main thing that stumps me – assuming I've understood it correctly – is why the second render is happening across such a diverse set of cloud networks.
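The pattern the comment describes (the page's own script firing a second time several seconds after the original view, from a different network, with an older browser and no auth cookies) is something a site operator could look for in their own beacon logs. The following is an added example written for this thread, not Upollo's or any commenter's code; the key=value log format, the per-page-view token (`view`), and the 5 to 120 second window are assumptions chosen to illustrate the correlation, and the log lines are constructed.

```python
"""Flag page views whose first-party beacon fires a second time from a different
client shortly after the original, without the session's auth cookie.

Added example for this thread, not code from the original post or from Upollo.
The log format, the per-page-view token ("view") and the gap thresholds are
assumptions used to illustrate the replay pattern described in the comments.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Beacon:
    ts: float      # seconds since epoch
    view: str      # token minted once per original page view (assumption)
    ip: str        # client address the beacon arrived from
    ua: str        # browser product/version token
    authed: bool   # did the request carry the session cookie?


def parse_line(line: str) -> Beacon:
    """Parse one space-separated key=value beacon log line (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Beacon(
        ts=float(fields["ts"]),
        view=fields["view"],
        ip=fields["ip"],
        ua=fields["ua"],
        authed=fields["auth"] == "1",
    )


def find_replays(beacons, min_gap=5.0, max_gap=120.0):
    """Return (original, replay) pairs for each page view that was re-executed.

    A later beacon counts as a replay of the first one for the same view when it
    arrives within [min_gap, max_gap] seconds, from a different IP, with a
    different browser token, and without the auth cookie. A genuine reload by
    the same user normally keeps the IP, UA and cookie, so it is not flagged.
    """
    by_view = defaultdict(list)
    for b in beacons:
        by_view[b.view].append(b)

    replays = []
    for group in by_view.values():
        group.sort(key=lambda b: b.ts)
        first = group[0]
        for later in group[1:]:
            gap = later.ts - first.ts
            if (min_gap <= gap <= max_gap
                    and later.ip != first.ip
                    and later.ua != first.ua
                    and not later.authed):
                replays.append((first, later))
    return replays


def replayed_views(lines):
    """Convenience wrapper: view tokens that show the replay pattern, sorted."""
    pairs = find_replays(parse_line(line) for line in lines)
    return sorted({orig.view for orig, _ in pairs})


# Constructed sample log. v1 is re-executed ~10 s later from another network with
# an older Chrome and no cookie; v2 is an ordinary double-fire from the same
# client; v3 and v4 are single views or same-user reloads.
SAMPLE_LOG = """\
ts=1700000000.0 view=v1 ip=203.0.113.7 ua=Chrome/118 auth=1
ts=1700000010.4 view=v1 ip=198.51.100.20 ua=Chrome/103 auth=0
ts=1700000003.0 view=v2 ip=203.0.113.8 ua=Chrome/118 auth=1
ts=1700000004.0 view=v2 ip=203.0.113.8 ua=Chrome/118 auth=1
ts=1700000020.0 view=v3 ip=203.0.113.9 ua=Safari/17 auth=1
ts=1700000030.0 view=v4 ip=203.0.113.10 ua=Firefox/119 auth=1
ts=1700000061.0 view=v4 ip=203.0.113.10 ua=Firefox/119 auth=1
""".splitlines()


if __name__ == "__main__":
    for orig, replay in find_replays(parse_line(l) for l in SAMPLE_LOG):
        print(f"view {orig.view}: {orig.ip} ({orig.ua}) replayed after "
              f"{replay.ts - orig.ts:.1f}s from {replay.ip} ({replay.ua})")
```

Running it against the constructed log flags only `v1`. Grouping on a per-view token rather than on URL or session is what separates a replay from a user simply reloading the page, and the missing cookie is the strongest single signal given the comment's point that the second render is not fetched from the origin with the user's credentials.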


Browser extension is what we originally thought, for exactly the same reasons you did. We started to see some requests show up from iOS devices, which didn't support extensions, so that made us think MitM corporate proxies.

The diversity of cloud networks looks to be due to these being deployed by individual institutions (e.g. universities, corporations etc.) rather than only run from Palo Alto Networks' data centers.

We also saw slightly different configurations with different browser versions, but with the same pattern of behaviour.

iOS has supported Safari extensions since iOS 15 (late 2021). There are far fewer extensions for Safari than Chrome or Firefox; they've been steadily adding more as Safari gets closer to the same Web Extension standard used by other browsers, but most developers still shun iOS support since the extension has to be wrapped in an iOS app rather than being loaded from the web.

https://support.apple.com/guide/iphone/get-extensions-iphab0...