Is your browser extension spying on you?
Permissions to check before you click "Add to browser".
Browser extensions occupy a strange trust position: they run inside the one application that sees your email, your banking, your health portal, and everything you type. A code editor plugin can read your code; a browser extension can potentially read your life. And yet most of us install them with less scrutiny than we give a phone app.
Here’s how to audit an extension in two minutes — before installing, and for the ones you already have.
The permission that matters most
When an extension asks to “Read and change all your data on all websites”, that phrase means exactly what it says. An extension with this permission can:
- Read every page you visit, including logged-in content
- Capture anything you type into any form — passwords included
- Inject or modify content on any page
- Send what it collects anywhere
Some extensions genuinely need this — ad blockers and password managers, by definition, work on every page. The question is never just “what does it ask for?” but “does the ask match the job?”
A dark-mode toggle needs page access. A “cute cursor” extension asking for all-site data does not. A coupon finder that wants to read all sites and your browsing history is telling you its business model.
The quieter red flags
Ownership changes. The most common way a good extension goes bad: the developer sells it, and the buyer monetizes the installed base. Overnight, a well-reviewed extension with a million users ships an update that harvests browsing data. Reviews mentioning “new owner”, “started showing ads”, or “asks for new permissions” are exit signals.
New permission requests on update. When an extension suddenly asks for more access than it had, that’s the moment to ask why. Browsers prompt you for this — read the prompt instead of clicking through it.
Recently transferred or vague listings. No website, no privacy policy, developer email at a free provider, description written in SEO keywords — each is minor alone; together they’re a pattern.
Clones of popular tools. Search results for “adblock” return dozens of lookalikes designed to catch mistyped trust. Check the install count and the developer name against the official site.
Audit what you already have
Open your extension list (chrome://extensions, about:addons, or your browser’s equivalent) and, for each one:
- Do I still use this? If not, remove it. Every extension is standing attack surface, and abandoned ones don’t get security fixes.
- What can it access? Click “Details” and read Site access. Downgrade what you can — most browsers let you restrict an extension to specific sites, or to “on click” activation only.
- When was it last updated? Years-old abandonware in a moving browser is a liability.
- Would I install it again today? If the answer is “eh”, that’s a no.
The “on click” site-access mode deserves special mention: the extension gets access only to the page where you clicked its icon, only in that moment. For tools you use occasionally — screenshotters, translators, coupon finders — it removes the standing surveillance capability entirely at nearly zero cost in convenience.
A sane policy going forward
- Fewer is better. Every extension is code from a stranger running inside your most sensitive app. Five trusted extensions beat twenty convenient ones.
- Prefer open source with a real maintainer — auditability isn’t a guarantee, but it raises the cost of misbehaving.
- Install from official stores only, and even there, verify the developer.
- Separate profiles for separate risk. Do your banking in a browser profile with zero extensions. It costs nothing and cleanly amputates the whole risk class from the accounts that matter most.
Extensions aren’t the enemy — some are the best security tools you can install. The enemy is the default of granting total visibility into your browsing to whoever happens to hold the publishing keys today. Check the ask against the job, keep the list short, and re-audit twice a year.