Seems harmless, right?
Extensions are way more permissive and dangerous than people realize.
They might be spying on you, logging your browsing history, injecting malicious code, even stealing your passwords and cookies – all without you even realizing it.
Let’s talk about the dark side of browser extensions. Because once you see what they’re capable of, you might think twice before installing another one.
Real-world attacks: From spyware to crypto theft
This isn’t a "worst-case scenario". It’s already happening.
- North Korean hackers have used malicious browser extensions to spy on inboxes and exfiltrate sensitive emails.
- The DataSpii scandal exposed the private data of over 4 million users—collected and sold by innocent-looking productivity tools.
- Mega.nz, a privacy-respecting file storage service, had its Chrome extension hacked. Malicious code was pushed to users, silently stealing passwords and crypto wallet keys. It took them four hours to catch it—more than enough time for real damage.
- Cyberhaven, a cybersecurity company, was breached in late 2024. Their extension was hijacked and used to scrape cookies, session tokens, and authentication credentials—compromising over 400,000 users.
How is this even allowed to happen?
- Extensions can silently update themselves. The code running on your device can change at any time—without your knowledge or approval.
- Permissions are ridiculously broad. Even if a malicious extension has the same permissions as a good one, it can abuse them in ways the browser can’t distinguish. Once you grant access, it’s basically an honor system.
- Extensions can’t monitor each other. If you think that installing a malware-blocking extension is going to protect you, think again. Your defense extensions have no way of knowing what your other extensions are up to. Malicious ones can lurk undetected, even alongside security tools.
A Shadow market for extensions
Extensions aren’t just targets for hackers—they’re targets for buyers. Once an extension gets popular, developers often start getting flooded with offers to sell. And because extensions can silently update, a change in ownership can mean a complete change in behavior—without you ever knowing.
Got an extension with 2 million Facebook users? Buy it, slip in some malicious code, and suddenly you’re siphoning data from 2 million people.
There are entire marketplaces for buying and selling browser extensions—and a thriving underground market too.
Take The Great Suspender, for example. It started as a widely trusted tool that saved memory by suspending unused tabs. Then the developer quietly sold it. The new owner injected spyware, turning it into a surveillance tool. Millions of users were compromised before it was finally flagged and removed.
The danger is in the permissions
One of the biggest challenges? Malicious extensions often ask for the same permissions as good ones. So it’s helpful to understand exactly what each permission is capable of, so that you realize how vulnerable it could make you in the wrong hands.
We spoke to Matt Frisbie, author of Building Browser Extensions, to explain the capabilities of some of these permissions:
Browsing history
Matt Frisbie:
“The browser will happily dump out your history as an array.”
The browsing history permission grants full access to every site you visit—URLs, timestamps, and frequency. This can help build out a detailed profile on you.
Cookies
The cookie permission exposes your browser’s cookies—including authentication tokens. That means a malicious extension can impersonate you and access your accounts without needing a password or 2FA.
Matt Frisbie:
“If someone steals your cookies, they can pretend to be you in all sorts of nasty ways.”
This is exactly how Linus Tech Tips had their YouTube account hijacked.
Screen capture
Allows extensions to take screenshots of what you're viewing. Some types trigger a popup, but tab capture does not—it silently records the visible browser tab, even sensitive pages like banking or crypto dashboards.
Matt Frisbie:
“It just takes a screengrab and sends it off, and you will never know what’s happening.”
Web requests
This lets the extension monitor all your browser’s traffic, including data sent to and from websites. Even if the data is being sent over HTTPS, to the extension it’s all in the clear. They can read form data, credit card details, everything.
Matt Frisbie:
“It’s basically a man-in-the-middle… I can see what you’re sending to stripe.com—even if their security is immaculate.”
Web navigation
Provides a live feed of your browsing behavior—what pages you visit, how you get there, and when.
Keystroke logging
Records everything you type—searches, passwords, messages—without needing any special permissions. All it takes is a content script, which runs invisibly on websites.
Matt Frisbie:
“It’s incredibly dangerous and very easy to do.”
Input capture
Watches for changes in form fields, allowing extensions to steal autofilled passwords or credit card numbers—even if you don’t type anything.
Matt Frisbie:
“Anytime an input changes—login box, search bar, credit card entry—this extension can capture what’s changed.”
Geolocation
Extensions can’t access your location in the background. But they can render a user interface—like a popup window—and collect your location when you interact with it. If you’ve granted the extension geolocation permission, it can capture your location every time you open that popup.
Even sneakier? Extensions can piggyback off websites that already have location access. If you’ve allowed a site like maps.google.com or hulu.com to use your location, an extension running on that site can silently grab it—no popup required.
Matt Frisbie:
“If the user goes to maps.google.com and they’ve previously said maps.google.com can read my location… then the extension can piggyback on that and grab their location. No pop-ups generated.”
Other Piggybacking
If you’ve granted a site permission—like location, notifications, or potentially even camera and microphone—an extension running on that same site can sometimes piggyback off that access and silently collect the same data.
Matt Frisbie:
“It is actually possible to piggyback off the page’s permissions. … It really shouldn’t work that way.”
So… How Do You Protect Yourself?
Here are some smart rules to follow:
- Understand permissions
Know what you’re granting access to, and what that permission might be capable of. - Be careful granting any permissions
Whether it’s a browser setting, a site request, or an extension prompt, even a single permission can open the door to surveillance. - Use extensions sparingly
The more extensions you install, the larger your attack surface—and the more unique your browser fingerprint becomes. - Use a privacy-first browser instead
Browsers like Brave build privacy protections—like ad and tracker blocking—directly into the browser itself, so you don’t need extensions just to stay private. - Follow the principle of least privilege
Only allow an extension to run when you click it, instead of “on all websites.” - Use code review tools
Sites like Extension Total and Secure Annex can help you vet extensions before you install them.
Takeaway
We all want our browser to be faster, cleaner, and more functional. Extensions can help—but they can also turn into powerful surveillance tools. Even a single line of malicious code, slipped in through an update or new owner, can put your most sensitive information at risk.
So before you install that next extension, ask yourself:
Do I really trust this extension not to be hacked, sold, or misused—and is the extra risk worth it?
Stay sharp. Stay private. Stay safe out there.
Yours in privacy,
Naomi
