Your Browser Extensions Are Watching You

Extensions see every page you load. When a developer sells one or gets phished, the new owner pushes an update that turns millions of users into a tracking or credential-theft surface overnight.

BROWSER.LOL
22.01.2026

The extension "The Great Suspender" had more than two million users. It slept unused tabs and saved RAM. Then the original developer sold the project to an anonymous buyer. Weeks later, that buyer pushed an update to the Chrome Web Store that injected tracking code, injected ads, and sent user behavior to foreign servers. By the time Google intervened, millions of people had already updated.

The unsettling part isn't that one extension went bad. It's that the system is built in a way that guarantees this will happen again. Every installed extension is a piece of code with sweeping permissions that auto-updates from a developer whose account, motivation, or ownership can change overnight.

What an extension actually sees

Most browser extensions ask for access to every page you visit. In Chrome, the permission is called "Read and change all your data on the websites you visit". That sounds technical, but in practice it means the extension can read any field on any page, including password inputs, session tokens inside the DOM, private messages, banking data, anything.

At the same time it can intercept requests, read cookies, open tabs, capture keystrokes, and inject content you can't visually distinguish from real elements. An extension is effectively a man in the browser. That isn't a bug; it's the design choice that lets password managers, ad blockers, and translators work at all.

The browser shows you those permissions once, at install time, and then never again. In many stores, updates can broaden existing permissions without re-prompting you, as long as no entirely new category is added.

How extensions become attack surface

Extensions get compromised in three ways, all of which have become more common in recent years.

Sale to new owners. A hobbyist maintains a small tool for years, then gets a buyout offer. The buyers are almost always marketing firms, sometimes disguised operators, who want an existing user base for ad injection, affiliate redirection, or outright infostealer campaigns.

Phishing against developers. In 2023, more than twenty Chrome extensions were seized over a single weekend because their developers fell for an OAuth prompt disguised as a Google Mail notice. The attacker pushed malicious updates before anyone noticed the access.

Dependencies. Extensions pull in libraries. Those libraries have their own maintainers and their own supply chains. A hijacked npm package can flow through several extensions into end-user browsers without the extension authors themselves doing anything malicious.

Cases you probably haven't heard of

The list is long and getting longer. The Great Suspender was the most famous example. Nano Adblocker and Nano Defender went malicious in 2020 after an ownership change and started logging user requests. Stylish, an extension for customizing site styles with two million users, was acquired and started sending every URL visit to external servers.

In 2024, Secure Annex documented several dozen Chrome extensions across notes, PDF, weather, and screenshot categories that had all been retrofitted with credential-stealing code. Together they had more than sixty million installs.

280+ documented malicious extensions in 2024 alone

60M cumulative users of affected extensions

50% of users run three or more extensions

Auditing your own extension stack

This runbook takes ten minutes and settles which extensions deserve to stay.

  1. Open your browser's extensions page

     chrome://extensions in Chrome, about:addons in Firefox, edge://extensions in Edge. You'll see everything you have ever installed.

  2. Delete anything you haven't used in the last two weeks

     Any extension you don't actively use is pure attack surface. An occasional screenshot tool doesn't justify a permanent read-everywhere permission.

  3. For the rest, check the developer and the last update date

     Unknown developer, recent sale, or no update in more than a year are all warning signs. A long update gap means missing security patches; frequent ownership changes mean potential takeovers.

  4. Restrict site access where possible

     In Chrome you can scope extensions to individual sites or set them to "on click". A note-taking tool doesn't need to run on your online banking.
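
To decide which extensions to remove or scope down in steps 2 and 4, the following added example (not part of the original article) reads each installed extension's manifest.json from Chrome's on-disk layout, Extensions/<id>/<version>/manifest.json, and lists the ones with all-site access first. The sample manifests, their names, and the extension IDs are constructed; the short list of sensitive API permissions is an illustrative assumption, not a complete one.

```python
import json
import tempfile
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # match patterns meaning "every site"
SENSITIVE = {"cookies", "history", "tabs", "webRequest", "debugger"}  # illustrative, not exhaustive

def host_patterns(manifest):
    """Every host pattern the extension can act on (Manifest V2 and V3 layouts)."""
    hosts = set(manifest.get("host_permissions", []))             # MV3 keeps hosts separate
    hosts |= {p for p in manifest.get("permissions", [])           # MV2 mixes hosts in here
              if isinstance(p, str) and (p == "<all_urls>" or "://" in p)}
    for script in manifest.get("content_scripts", []):            # statically injected scripts
        hosts |= set(script.get("matches", []))
    return hosts

def audit_manifest(manifest):
    hosts = host_patterns(manifest)
    apis = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    return {"name": manifest.get("name", "?"), "all_sites": bool(hosts & BROAD),
            "hosts": sorted(hosts), "sensitive_apis": sorted(apis & SENSITIVE)}

def audit_profile(extensions_dir):
    """Audit <extensions_dir>/<id>/<version>/manifest.json; all-site extensions sort first."""
    reports = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        reports.append({"id": path.parent.parent.name, **audit_manifest(manifest)})
    return sorted(reports, key=lambda r: (not r["all_sites"], r["name"]))

# Constructed sample manifests (not real extensions), keyed by made-up IDs.
SAMPLES = {
    "aaaaexampletabsaver": {"manifest_version": 3, "name": "Tab Saver (sample)",
                            "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
    "bbbbexamplenotes": {"manifest_version": 2, "name": "Notes (sample)",
                         "permissions": ["storage", "https://notes.example/*"]},
}

def write_samples(root):
    for ext_id, manifest in SAMPLES.items():
        target = Path(root) / ext_id / "1.0.0"
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # swap in your profile's Extensions directory
        write_samples(tmp)
        for r in audit_profile(tmp):
            print("ALL SITES" if r["all_sites"] else "scoped", r["name"], r["sensitive_apis"])
```

An extension reported as "scoped" can still have its access widened by the user or by optional permissions, so the browser's extensions page remains the authority on what is currently granted.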

A safer default setup

The best answer is rarely "throw out every extension". A password manager and an ad blocker earn their keep. The answer is to move sensitive browsing into an environment that has no extensions at all. A fresh, isolated browser with no add-ons is the cleanest attack surface you can have.

In practice that means your everyday browser keeps the extensions you love, you understand the risk, and you audit regularly. Banking, admin logins, crypto wallets, and research on sites you don't trust all run in an isolated session. There's no extension that can read along, because there's no extension.
