A browser extension is not a small convenience bolted to the side of your browser. It's software running inside your most sensitive application — the one you use for banking, email, work, and health portals. The browser is the new operating system, and extensions are programs with deep access to it. Yet they're installed in two clicks, from a store most people trust implicitly, after a permission prompt almost nobody reads.
That gap between the power extensions hold and the scrutiny they receive is one of the most underrated risks in everyday computing.
What "Read and Change All Your Data" Really Means
When you install an extension, you may see a prompt like: "This extension can read and change all your data on the websites you visit." That sentence is doing enormous work. It is the store's translation of a manifest that asks for host access to every site (a `<all_urls>` or `*://*/*` host permission, or a content script whose match pattern covers every page), and in practice it means the extension is allowed to:
- See the full content of every page you load — including pages behind a login
- Read anything you type into a form, including passwords and messages, before it's encrypted in transit
- Inject its own scripts into pages, modifying what you see
- Watch your browsing history across every site in real time
- Send all of that to a remote server
Transport encryption (TLS, the padlock) protects data between your browser and the server; end-to-end encryption protects it between two endpoints. Neither protects against code running inside your browser, on the page itself, where the data is in the clear before it is encrypted and after it is decrypted. A malicious extension sits on the wrong side of that boundary. This is the same reason end-to-end encryption can't save you from a compromised endpoint: the extension is part of the endpoint.
Treat an extension with "all sites" access the way you'd treat a keylogger you chose to install. If you wouldn't grant a stranger that access, don't grant it to an add-on you can't vouch for.
The Extensions You Forgot You Installed
The danger isn't only a brand-new malicious extension. A recurring one is an old, legitimate extension that turned. There's a well-documented pattern in the extension economy:
- A developer builds a genuinely useful, popular extension and earns a large user base.
- A third party offers to buy it, or to pay the developer to insert "monetization" code.
- The extension updates automatically. Browsers install extension updates silently as long as the new version asks for nothing beyond what was already granted; Chrome, for example, only re-prompts (and disables the extension until you accept) when an update adds permissions. An extension that already had all-sites access needs nothing new, so the version that quietly adds tracking, ad injection, or data exfiltration arrives without any prompt at all.
- Users keep the same icon in their toolbar, unaware the software behind it changed hands.
Because updates are automatic and permissions were granted once at install, the new owner inherits all the access the original earned. This has happened repeatedly to extensions with hundreds of thousands of users. The trust you extended to a developer doesn't transfer with the sale — but the permissions do.
An extension's danger isn't fixed at install time. It's a living relationship with whoever controls the code today — which may not be who controlled it when you installed it.
Categories Worth Extra Suspicion
Some extension categories are structurally riskier because their stated function requires broad access or aligns with data harvesting:
| Category | Why It's Risky |
|---|---|
| Coupon / shopping finders | Need to watch every shopping page; the business model is often selling browsing and purchase data. |
| "Free" VPN add-ons | Route traffic through unknown servers; some have been caught logging or selling browsing data. See VPN limitations. |
| Screen recorders / screenshot tools | By design can capture everything visible on a page. |
| Generic "PDF converter" / utility bait | Low function, broad permissions — a common disguise for adware. |
| Anything with few users but suspiciously high ratings | Fake reviews are cheap; install counts and review quality should track together. |
How to Vet an Extension Before You Install It
You don't need to read source code. A few habits filter out most of the risk:
- Check the permissions against the function. A popup unit converter or a new-tab page replacement does not need to read data on all sites; a dark-mode extension that restyles every page genuinely does, which is why the comparison is always against what the tool visibly does, not the permission in isolation. If the access requested exceeds the obvious need, walk away.
- Prefer "on click" or per-site access. Chrome lets you set an extension's site access to "On click" or "On specific sites" (chrome://extensions, Details, Site access), and Firefox exposes an extension's optional permissions as toggles in about:addons. Use that instead of "always, everywhere": an extension that runs only when clicked cannot see the pages you never click it on.
- Look at who maintains it. A named developer or org with a real website and a track record beats an anonymous publisher.
- Favor open-source extensions where the code can be inspected and the published version can be checked against the repository. The caveat is that the store package is what actually runs, so the check has to be against that package (the CRX or XPI, downloaded and unzipped), not against the repository's latest commit; that is the same logic behind reproducible builds.
- Read recent reviews, not just the average. A sudden wave of complaints about ads or odd behavior often marks the moment an extension changed hands.
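The install prompt in the section above and the "check the permissions against the function" habit both come down to reading the extension's manifest.json. Below is an added example, not code from the original article, that does that reading: it takes a manifest (MV2 or MV3), separates host patterns from API permissions, counts content-script match patterns as page access, and prints the capabilities in plain language. The two manifests at the bottom are constructed samples, and the one-line capability descriptions are my summaries of what each Chrome/Firefox permission allows, not the browsers' own wording.

```javascript
// Added example, not code from the original article: a small auditor that
// reads an extension's manifest.json (MV2 or MV3) and turns its permission
// list into the plain-language capabilities the install prompt summarises.
// The two manifests at the bottom are constructed samples; the capability
// wording is my summary of what each Chrome/Firefox permission allows.

// Plain-language impact of common API permissions (assumption: my wording).
const API_PERMISSION_IMPACT = {
  tabs: "see the URL and title of every open tab",
  history: "read your full browsing history",
  cookies: "read and change cookies, i.e. login sessions, on permitted sites",
  webRequest: "observe every HTTP request the browser makes",
  webRequestBlocking: "modify or block every HTTP request (MV2)",
  declarativeNetRequest: "rewrite or block requests by rule (MV3)",
  clipboardRead: "read whatever is on your clipboard",
  scripting: "inject scripts into pages it has host access to (MV3)",
  nativeMessaging: "talk to a native program outside the browser sandbox",
  management: "list, enable and disable your other extensions",
  proxy: "route your traffic through a server of its choosing",
  activeTab: "access the current tab, only after you click the extension",
  storage: "keep its own settings (low risk)",
};

// Match patterns that amount to "every site you visit".
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// MV2 mixes host patterns into `permissions`; MV3 moved them to `host_permissions`.
function hostPatterns(manifest) {
  return [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter(isHostPattern);
}

function apiPermissions(manifest) {
  return (manifest.permissions || []).filter((p) => !isHostPattern(p));
}

// A content script with "matches": ["<all_urls>"] runs inside every page,
// whatever the permission list says, so it counts as host access too.
function contentScriptMatches(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
}

function auditManifest(manifest) {
  const hosts = [...new Set([...hostPatterns(manifest), ...contentScriptMatches(manifest)])];
  const allSites = hosts.some((h) => ALL_SITES.has(h));
  const api = apiPermissions(manifest);
  const findings = [];
  if (allSites) findings.push("read and change all your data on every website you visit");
  else if (hosts.length) findings.push(`read and change data on: ${hosts.join(", ")}`);
  for (const p of api) {
    findings.push(API_PERMISSION_IMPACT[p] || `use the '${p}' API (look it up before installing)`);
  }
  // The on-click model: activeTab and nothing page-wide.
  const onClickOnly = hosts.length === 0 && api.includes("activeTab");
  // Store-listed names are often "__MSG_key__" placeholders resolved from _locales/.
  return { name: manifest.name, version: manifest.version, allSites, onClickOnly, hosts, findings };
}

// Constructed sample: a screenshot tool that only needs the tab you click it on.
const SAMPLE_SCREENSHOT = {
  manifest_version: 3, name: "Tab Snap", version: "2.1.0",
  permissions: ["activeTab", "storage"],
};

// Constructed sample: a "PDF converter" (MV2 style) whose access far exceeds its function.
const SAMPLE_UTILITY = {
  manifest_version: 2, name: "__MSG_appName__", version: "4.7.2",
  permissions: ["<all_urls>", "tabs", "history", "cookies", "webRequest", "webRequestBlocking"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_start" }],
};

function printAudit(manifest) {
  const a = auditManifest(manifest);
  console.log(`${a.name} ${a.version}: ${a.onClickOnly ? "on-click only" : a.allSites ? "ALL SITES" : "scoped"}`);
  for (const f of a.findings) console.log(`  - can ${f}`);
}

printAudit(SAMPLE_SCREENSHOT);
printAudit(SAMPLE_UTILITY);
```

To run it against a real extension, unzip the CRX or XPI (or open the unpacked copy the browser keeps in its profile directory) and pass the parsed manifest.json to `auditManifest`. The point of the `contentScriptMatches` step is that a manifest whose `permissions` list looks modest can still declare a content script on every page, and that is all-sites access by another route.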
Ongoing Hygiene
Vetting at install time isn't enough, because extensions change. Build a maintenance routine:
- Audit quarterly. Open your extensions list (chrome://extensions in Chrome, about:addons in Firefox) and remove anything you don't actively use. Every enabled extension is attack surface even if you never click it: it still runs, and it still updates.
- Use a separate browser or profile for sensitive activity. Keep your banking and email in a profile with zero or minimal extensions; keep experiments elsewhere.
- Watch for behavior changes. New ads, redirected searches, or unexpected pop-ups after an update are red flags — disable first, investigate second.
- Be skeptical of permission upgrades. If an extension requests broader access on update, Chrome disables it until you approve the new permissions; treat that prompt as the moment to check recent reviews and whether the developer has changed, not as a button to clear. Remember that an update which adds no permissions produces no prompt at all, so a silent version bump on an extension that already had broad access deserves the same look.
The Principle Underneath
Extensions are a concentrated case of a general truth: convenience features quietly accumulate trust you never consciously granted. The fix isn't paranoia — useful extensions exist and many are maintained responsibly. The fix is treating browser access as the high-value asset it is, granting it deliberately, and revisiting those grants on a schedule.
It's the same instinct behind reviewing mobile app permissions: the question is never "is this tool useful?" but "does what it can see match what it needs to do its job?" When the answer is no, the convenience isn't worth it.