I’ve always considered myself to be a privacy-focused individual. I use strong passwords, I’m careful about what I share online, and I audit the permissions of my apps, probably more than I should. But recently, I realized that I have been overlooking one of the biggest security and privacy threats around, the browser extension (also called add-ons or plug-ins).
Most internet-savvy users rely on extensions every day, to block ads, to make work easier, to check prices, manage tabs and more. But behind the convenience that they offer, many get an alarming level of access to our data.
I’m guilty too. I have installed extensions in the past without paying too much attention to who created them or what permissions they get. I just assumed that the big tech companies were doing their job vetting these extensions, but I’ve come to realize that isn’t always the case, and they have increasingly become an attack vector for hackers.
How Can Browser Extensions Be Dangerous?
Every extension you install gets a front row seat to nearly everything you do online. Some read the content of pages you visit, some capture your form data, and many inject their own code into sites. What makes privacy issues with extensions so hard to spot is that legitimate extensions often need deep levels of access to do their job. In the hands of bad actors, this access can be dangerous, making your browser susceptible to data theft, tracking, website redirection, malware, and more.
Even if you do your best to ensure that the extension is legit and does what you need, there are still circumstances that can put your data at risk. For me, that puts browser extensions in the high-risk category. You install them casually, use them daily, and yet they operate with a level of access that you wouldn’t give to most apps on your phone or computer.
Browser Extension Exploit Examples
The risks around extensions aren’t hypothetical. Popular tools have turned malicious overnight, trusted business add-ons have been hijacked, and smaller projects have been sold off and turned into adware. Here are three examples that show just how fast things can go wrong.
The Great Suspender
You may recall The Great Suspender extension. It was quite popular with over 2 million installs, and for good reason. It fixed a common Chrome problem. People like me with too many tabs open in Chrome were having resource problems. The Great Suspender unloaded tabs that weren’t in use in order to free up CPU and RAM. In early 2021, the app was sold to an unknown entity that pushed an update designed to track users and commit ad fraud.
Cyberhaven
At the end of 2024, an employee of Cyberhaven fell victim to a phishing attack that compromised their Google account. Hackers were then able to replace the company’s browser extension with one that contained malicious code designed to steal sensitive data. Then through a malicious update, 400,000 users were impacted.
Particle
Back in 2017, Particle got sold and the new owner added malware that essentially turned the extension into adware. The extension would inject ads into websites like Google, Yahoo, Bing, Amazon, and others, committing ad fraud. At the time of the breach the extension had about 31,000 users.
How to Protect Yourself From Malicious Browser Extensions
In order to mitigate these risks, you need to take a smarter approach to using extensions. I only install extensions from trusted sources like the Chrome Web Store, Mozilla Add-Ons, or Mac/iOS App Store. I inspect the reviews looking for red flags. I look at how often the extension has been updated. Abandoned extensions are ripe targets for these types of exploits.
I audit my extensions regularly, which requires me to ask myself if I really need each one. If I don’t need it or haven’t used it in ages, I remove it. For those extensions I deem necessary, I take time to examine permissions for each one. When installing new extensions, I do the same. If an extension asks for permissions that don’t make sense, that’s a red flag. I check my extensions to make sure they have been updated properly. If they need it, I update them but now I check the permissions after the update.
In Chrome, it’s a simple process. Click the three dots in the upright hand corner of your browser window, then click manage extensions.
You’ll see all your installed extensions on this screen. Choose the one you are auditing and click on the details.
On the following screen you’ll see all the information about the extension, including the version, the permissions, and more.
Another simple step you can take is limiting where an extension can run. In Chrome and Edge, you don’t have to give an extension the option to run on every site, you can set it to work only on specific websites or even “on click.” That way, a screenshot tool or password manager isn’t quietly watching everything you do online, it’s only working on the sites you want it to.
Conclusion
Let’s not give up on browser extensions. But we do have to acknowledge that they’re tools that come with big risks if they aren’t managed properly. Keeping only the essentials and checking permissions regularly can help you get the benefits with less risk.
