The most dangerous thing in your browser might be the browser extension you installed yourself. Some extensions have access to everything you do—every keystroke, every page, every password. And not all of them have good intentions. A distressing number of extensions are covertly in the business of spying on you and selling the data. Extensions can be incredibly useful. Maybe you installed one to find coupon codes, write better
emails, or block cookie banners. But there are many that, while seeming to be harmless, quietly sell your browsing history, inject malicious code to drain your wallet, or install spyware. There are even extensions that have been caught stealing emails and attachments straight from users’ inboxes—funneling private data directly to foreign intelligence operations. In this video, we dive into the dark side of browser extensions and give you chilling real-world examples of how they’ve been hacked, repurposed, or deliberately built to exploit users. We also break down what different browser
permissions actually do. Because here’s the catch: malicious extensions often ask for the SAME permissions as the good ones. It's very difficult for a user to be able to tell, like, this is a good extension and it's asking for permission that it absolutely needs, versus this is a bad extension that is gonna use this for bad purposes. It’s not about what they ask for, it’s about how they use it. We’ll show you exactly what’s possible with browser extensions, and how to protect yourself. First let's highlight the problem. We probably all use browser extensions as a normalized part of using the internet, but these things are far more permissive than most people realize and can sometimes have malicious intent.
Just take the case of DataSpii. Back in 2019 there was a suite of productivity tools in the form of browser extensions. Hover Zoom was one extension. It's basically a magnifying glass. If you have this browser extension enabled and you hover over an image it gets bigger so you can see it better. This extension has hundreds of thousands of installs. Trusted by so many people.
That must mean it's safe, right? Right? Security researcher Sam Jadali discovered that Hover Zoom was collecting and sending user data to a data broker. Browser history, search history, and data typed into forms were all collected without the users knowing. As he dug deeper, he discovered the developer had 8 extensions that were all doing this. Very innocent-looking ones too, like a measurement tool and a text-to-speech tool. This turned into the DataSpii scandal, where over 4 million users had their browsing data taken without their consent. All these tools were free, by the way. The way the developer made money was by selling the user data.
Google removed these extensions from the Chrome store after hearing about this. Now even if you trust the developer, it still doesn’t mean an extension is safe. Take what happened at Mega. This is a cloud file storage service, which is actually really good about privacy.
I mean, I've trusted them with my files even. And they have a browser extension which helps you upload and manage files. Well, in 2018, someone hacked into where Mega maintains the extension, added some malicious code into it, and pushed it out to all the users. Even a company that you really trust might one day be hacked, and neither you nor the developer might immediately realize. What happened next was terrifying. The extension immediately got to work stealing passwords you typed into websites. And it wasn't just grabbing all passwords, it was specifically looking for passwords you have on Google, GitHub, Microsoft, and crypto sites.
Mega, of course, fixed this problem within 4 hours and now takes extra steps to stop things like this from happening in the future. But it’s just one of many examples of users getting their accounts hijacked and crypto stolen by an extension that they trusted was safe. Or take this recent extension drama that happened in December 2024. Cyberhaven reported they got their browser extension hacked. Now Cyberhaven is a cybersecurity company which creates a browser extension that monitors what you type and warns you before putting sensitive information into a website or email. It's actually a trusted and legitimate tool.
But someone phished the company, got control of their Chrome extension code, and uploaded a new version of the extension with malicious code in it. This resulted in hundreds of thousands of people getting their data scraped by this extension until Cyberhaven discovered it and fixed it. But it was too late: lots of people had their cookies stolen, session tokens taken, and even authentication credentials grabbed. People who had this extension installed and were also logged into Facebook were getting their Facebook accounts taken over. This incident caught the eye of security researcher John Tuckner. My name is John Tuckner. I'm the founder of Secure Annex.
John analyzed the malicious code put into the Cyberhaven Chrome extension, then looked to see if any other extensions had that same malicious code. It was actually a really interesting incident because it was very targeted across not just Cyberhaven, but another, uh, 13 or so extensions that also had the same code deployed, and the developers of those extensions were phished in the same manner. In total there were countless users likely getting their data stolen, and the extension creators probably didn't even know they were compromised. A lot of people think that these extensions are meant for a single purpose, but they are really able to capture the information as you go through every website that you're visiting. Everything that people were doing could be recorded. Their entire browsing behaviors, their web searches, their, uh, form submissions. Browser extensions are even able to take screenshots of what you're visiting. The reason why these kinds of vulnerabilities are possible is because extensions are able to update themselves. This means they can switch out the code that’s been installed on your
computer at any given time, without the user even knowing. As a result, makers of popular extensions are constant targets for attack. But they’re also targeted for other reasons: they are under constant pressure to sell their extension to people who want to buy it. You may create an extension to provide some functionality to a user base, and you find that extension becomes wildly successful. That developer
would love to be compensated for their great work. And so they’re usually receptive when someone reaches out and asks if they can purchase the extension. This isn’t always some innocent purchase, though. Far too often it’s much darker than that. There's this, um, whole underground industry. Matt Frisbee is the author of Building Browser Extensions, and he first encountered this seedy underground world of buying and selling browser extensions when he launched his own extension.
It got a pretty good number of users and, you know, I started to get inbound of people wanting to buy it. They don't really explain what they want it for. This happens to everyone that has a well used extension. You can get a pretty good payout if you have a lot of users. And why do they want to buy them? The unspoken conclusion there is that they're using it for bad purposes and they're sort of selling the data or stealing it in worse cases or like injecting ads or whatever it is. If it has access to Facebook, someone goes in and goes, “Oh, I can steal the Facebook data of a hundred thousand people's users? Let's send 'em an offer! Why not?” You might have installed something legitimate, but it’s since changed hands and is being used for a completely different purpose. Like The Great Suspender, for example. This was a browser extension which simply closed tabs you weren't using anymore.
Very popular, and developed by someone trusted in the developer community. If you were ultra-cautious about installing extensions, this one would have passed all your tests. But then, in mid-2020, the developer quietly sold it to an unknown entity, and that’s when things took a dark turn.
Without warning, the new owner turned The Great Suspender into a surveillance tool, injecting malicious code that secretly connected to third-party servers. It could track users’ browsing habits, manipulate web traffic, and possibly even commit ad fraud. Microsoft was the first to detect the suspicious activity, pulling it from their Edge extension store.
But on Chrome, the malware-laced version remained live, quietly spying on users. Until people started digging into the code and discovered the truth. By the time Google finally removed it, millions of users had already been exposed.
A once-trusted tool had become a mass surveillance weapon, watching everything your browser saw, without you ever knowing. And not all of this buying and selling goes on behind closed doors; there are all kinds of marketplaces with hundreds of thousands of installs for sale. Of course not all of these sales are dodgy, but the fact is, it’s never been easier for someone to buy a popular extension, insert malicious code, and now that extension you thought was safe is spying on you.
So what can we do to protect ourselves? I think a lot of us, when installing an extension or app, look to see how many downloads it has. If it’s popular, we think it's probably safe. But some wildly popular extensions have turned out to be malware. In 2020 one study revealed 33 million downloads of malicious extensions that they traced back to just one company. What if you just look at reviews, and make sure it’s a developer you trust? But as we just saw, that kind of validation simply doesn't work when extensions get hacked, or sold to whoever wants to steal and sell your data without you knowing. Can you just install antivirus software to protect yourself? It’s actually really hard for antivirus safeguards to detect malicious activity when it comes from inside a browser. And if you think installing another browser extension is going to protect you against malicious browser extensions, think again. An extension cannot intercept traffic from another extension.
They can only operate on traffic that's coming from web pages. One thing we can do is better understand the permissions we grant to extensions—because that tells us what they’re actually capable of. Even though extensions can silently update their code without you ever knowing, they’re still restricted to the original permissions that you approved.
But here’s the catch: what they can do within those permissions is incredibly broad. An extension that once blocked ads can update itself to start logging keystrokes or exfiltrating data without ever asking for new permissions. That’s why understanding those permissions isn’t just important, it’s essential. What are some of the worst offenders on here that we should be worried about? Do I have to just pick one? Let's start with the “history” permission. What does that mean? The browser will happily dump out your history as a, as an array. Like, this is your browsing
history, you visited these websites, we can, you know, build this profile of you. So literally, the extension gets full access to your browsing history and can use that data how they want. Then there’s the cookie permission. If you call this single line of JavaScript, it dumps out a list of all your cookies and all the domains they're associated with. That's how our browsers authenticate with servers. If someone steals your cookies, they can pretend to be you in all sorts of nasty ways.
That’s how hackers took over Linus Tech Tips’ YouTube account: they didn’t need to steal his password or 2FA. They just stole his cookies. Next, screen captures. There are actually a number of APIs that an extension can use to capture your desktop or capture the current page you're looking at, and all of these will incur a pop-up. For example it'll say, you know, which window do you want? Or, which desktop screen do you want? But there’s also a 3rd capture option, tab capture. The captureVisibleTab API: no warning, and it just, it takes a screen grab and sends it off, and you will never know what's happening.
Let's say you could detect they’re on a banking website. I could take a screenshot every second and send that off. That’s quite a permission. Next, the webRequest permission. You can basically sniff the request going to every website and see what it's sending.
It doesn't matter if it's HTTPS, it's basically a man in the middle and it can see everything you're sending. So stripe.com, like, their security is immaculate, it doesn't matter. I can see what you're sending to stripe.com. Anything that's watching traffic, especially the payloads, that's pretty damaging.
It's all plain text and they can just read it right out of there. You would see all your credit card information, address, password, username, everything, of all the things I'd put here. This is probably the most offensive vector. What about the webNavigation permission? This API is a real-time feed of wherever you're navigating. It's grabbing the top-level details of basically where you went on the page.
Now let’s look at keyloggers. This one's super easy cuz this one you don't actually need any permissions. Yep, you heard that right. You don’t need a special keylogger permission to use one.
This is the first that only requires a content script. This is just a tiny piece of JavaScript that you're running on the page. This content script, technically called a host permission, would create a popup that says “allow this extension to read everything on, say, Google.com.” If you're adding an extension that does something fun to your Google search results, of course it's gonna run on Google.com.
Really it's able to see everything you're doing on Google.com, all the things you're searching, all your keystrokes, everything. It would send them to our background script; background script sends them to our server. None of that requires any permissions other than the ability to run this script on Google.com. It's incredibly dangerous and very easy to do.
Then there’s input capturing, which happens inside another content script. This is pretty similar to the keylogger. This one can be used for logging things like password manager inputs, where they autofill your login credentials automatically. Those might not be registered as keystrokes. So as a malicious actor, I still want that data. So instead I'm going to watch anytime an input changes, which is a login box, search bar, credit card entry, whatever. Anytime they change, I want to capture what's changed. So even if you’re trying to be safe by using a password manager, a malicious extension that’s capturing inputs would be able to see these private details. Geolocation capturing is a tricky activity to perform because there are some restrictions in place around how it can be collected.
The only place that I can get geolocation is in a real user interface. This means a background worker can’t collect geolocation without the user’s knowledge. But an extension can render a real user interface in the form of a popup, and then it can collect your location.
So I click to take a note, if I have the geolocation permission, I can read where you are every time you open the popup. But there’s another, sneakier way an extension can get a user’s geolocation. If they visit a website that already has the geolocation permission, it is actually possible to piggyback off the page's permissions. It really shouldn't work that way. To do this, it uses a content script.
Let's say I have a content script that can run on all Google domains. So if the user goes to maps.google.com and they've previously said “maps.google.com can read my location,” then the extension running on that page can say, “Oh, they already have geolocation permission. I don't need to prompt the user again, I can piggyback on that permission and then grab their location additionally.” No pop-ups generated. Hulu, for example, requires your location every time you go to hulu.com. “Great. I don't need to ask them, I can grab their location.” The piggybacking of the
permissions is an especially disturbing one. Not hard to think of ways that this could be abused. There are other permissions that extensions can piggyback on. Lots of sites say, “Can I show notifications?” And I always go, “No, you can't show notifications!” If you said yes anywhere, that would be another one that the extensions API could theoretically piggyback on. So that’s the next thing we can do to try to stay safe: be careful of granting permissions in general, because they could be abused in ways you hadn’t realized. You don't need all of these permissions to do something bad, right? You need maybe one or two. Next, use extensions sparingly. Does
this mean that people shouldn’t use extensions at all? Not necessarily. Password managers and ad blockers are very, very powerful tools for consumer privacy. I think everyone should use them. They are going to have to request dangerous APIs. The ones that I use are from reputable sources. I don't think the thing to take away from that is don't use a password manager. Pete Snyder is the principal privacy researcher at Brave software, who says that you SHOULD use a password manager, even if it comes in the form of an extension.
Certainly better than not using a password manager at all. But you want to really make sure that it’s from a company you really trust. Remember, every extension is an attack vector that could turn into something malicious without you even realizing, whether intentionally or not. You should really think deeply, uh, if you actually need that extension or not. Next, instead of installing privacy extensions you can try using a browser that has those privacy protections built in by default. Adding many extensions to your browser actually becomes a way of fingerprinting you. Browsers like Brave,
Firefox, and Tor work hard at trying to protect you by blocking browser fingerprinting. You very likely are undoing some of those protections by throwing a whole bunch of customizations on top of the browser. Extensions are, are the easiest way to shoot yourself in the foot doing that. If you’re just using one extension that’s really popular, like uBlock Origin, there’s not as much danger because you’re still blending in with a large group of all the other people who also have uBlock Origin. But if you also add a password manager like Bitwarden, you’re now part of a smaller group that has both uBlock Origin and Bitwarden installed. The more extensions you add,
you're pretty quickly becoming a party of one. By installing more extensions to try to be more private, you actually end up sticking out very uniquely. Next, if you do have an extension installed, grant it the least privilege needed.
For example you’ll be asked to choose when the extension is allowed to operate, and you can pick either: on all sites, on this particular site, or when you click the extension. Whenever possible, have the extension only operate when it’s clicked, so that it’s not reading your content at all times. And finally, there are more and more resources where you might be able to do a code review yourself.
John is building a tool called Secure Annex, and there’s Extension Auditor, as well as Extension Total, as examples. These sites help you try to understand: does this extension actually do what it's intending, or what it describes to the user, or does it have an ulterior motive? Is there something deep in the code that a user might not be thinking about, or that might not line up with the actual intent of that service? It’s not going to be able to make your choices for you, but it’s a good place to start when it comes to understanding whether an extension might have any red flags.
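The permissions walked through above (history, cookies, screen capture, webRequest, webNavigation, content scripts as host permissions, geolocation) and the least-privilege advice (prefer "when you click the extension" over "on all sites") can be checked mechanically from an extension's manifest.json before installing it. The following Node.js script is an added example for this transcript; it is not code from NBTV, Secure Annex, Extension Auditor or Extension Total, and the two manifests it audits are constructed samples for a hypothetical extension, not real ones. It flags the risky API permissions by name, treats every content script `matches` pattern as host access (as the transcript notes, a content script is a host permission), and rates the combination of all-site access plus session or history APIs as high, since that is the combination the incidents above relied on after a silent update.

```javascript
// Added example (not from the NBTV video or any project it mentions): a
// small Node.js auditor for an extension's manifest.json that flags the
// permission classes discussed in the transcript. All manifests below are
// constructed samples for illustration, not real extensions.

// Why each API permission matters, in the transcript's own terms.
const RISKY_API_PERMISSIONS = {
  history: "full browsing history can be dumped as an array (chrome.history)",
  cookies: "cookies, i.e. session tokens, for every permitted host (chrome.cookies)",
  webRequest: "observes requests to permitted hosts, including payloads (chrome.webRequest)",
  webNavigation: "real-time feed of every navigation (chrome.webNavigation)",
  tabs: "URLs and titles of all tabs; with host access, captureVisibleTab screenshots",
  geolocation: "location readable from any extension UI such as a popup",
  notifications: "can show notifications in the browser's name",
  scripting: "can inject scripts into permitted hosts at runtime",
};

// APIs that, combined with all-site access, allow session theft or surveillance.
const DATA_HARVEST_APIS = ["cookies", "webRequest", "history", "webNavigation"];

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// "<all_urls>", "*://*/*", "https://*/*" and similar grant access to every site.
function isBroadHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\/\*\//.test(p);
}

// Host access comes from three places: MV2 "permissions", MV3 "host_permissions",
// and every content script's "matches" (a content script is a host permission).
function collectHostPatterns(manifest) {
  const hosts = new Set();
  for (const p of manifest.permissions ?? []) if (isHostPattern(p)) hosts.add(p);
  for (const p of manifest.host_permissions ?? []) hosts.add(p);
  for (const cs of manifest.content_scripts ?? []) for (const m of cs.matches ?? []) hosts.add(m);
  return [...hosts];
}

function auditManifest(manifest) {
  const findings = [];
  const apiPerms = (manifest.permissions ?? []).filter((p) => !isHostPattern(p));

  for (const p of apiPerms) {
    if (RISKY_API_PERMISSIONS[p]) findings.push({ severity: "medium", name: p, why: RISKY_API_PERMISSIONS[p] });
  }

  const hosts = collectHostPatterns(manifest);
  const broad = hosts.filter(isBroadHostPattern);
  if (broad.length > 0) {
    findings.push({ severity: "medium", name: broad.join(" "),
      why: "scripts run on every site: page content, keystrokes and form inputs are readable" });
  }
  for (const h of hosts.filter((p) => !isBroadHostPattern(p))) {
    findings.push({ severity: "info", name: h,
      why: "scripts run on this site only (scoped, but still sees everything typed there)" });
  }

  // The combination the incidents in the transcript relied on: run everywhere
  // and read session material, all of it reachable after a silent update.
  const harvest = apiPerms.filter((p) => DATA_HARVEST_APIS.includes(p));
  if (broad.length > 0 && harvest.length > 0) {
    findings.push({ severity: "high", name: `${broad[0]} + ${harvest.join(",")}`,
      why: "all-site access combined with session/history APIs: cookie theft or full browsing surveillance possible" });
  }

  // activeTab is the "when you click the extension" option from the transcript.
  if (apiPerms.includes("activeTab")) {
    findings.push({ severity: "info", name: "activeTab",
      why: "page access only after the user clicks the extension: the least-privilege option" });
  }

  const rank = { high: 3, medium: 2, info: 1 };
  const top = findings.reduce((m, f) => Math.max(m, rank[f.severity]), 0);
  const level = top === 3 ? "high" : top === 2 ? "medium" : "low";
  return { level, findings };
}

function formatReport(label, result) {
  const lines = [`${label}: overall risk ${result.level}`];
  for (const f of result.findings) lines.push(`  [${f.severity}] ${f.name}: ${f.why}`);
  return lines.join("\n");
}

// Constructed sample manifests for a hypothetical tab-management extension.
const OVERPRIVILEGED_MANIFEST = {
  manifest_version: 3,
  name: "Tab Helper (constructed sample, broad permissions)",
  permissions: ["tabs", "cookies", "history", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

const LEAST_PRIVILEGE_MANIFEST = {
  manifest_version: 3,
  name: "Tab Helper (constructed sample, scoped permissions)",
  permissions: ["activeTab", "storage"],
  content_scripts: [{ matches: ["https://www.example.com/*"], js: ["content.js"] }],
};

console.log(formatReport("broad manifest", auditManifest(OVERPRIVILEGED_MANIFEST)));
console.log(formatReport("scoped manifest", auditManifest(LEAST_PRIVILEGE_MANIFEST)));
```

To audit a real extension, read its manifest.json with `JSON.parse` and pass the object to `auditManifest`. The report is only a starting point, as the transcript says of the audit sites: a manifest tells you what an extension is allowed to do, not what its current code actually does, so a clean rating still leaves the update and resale problems above.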
So in summary, extensions may seem like fun add-ons that can add sparkles to your cursor, change every photo to a picture of Nicolas Cage, generate text with AI, or any number of things. But... The consumer has no idea what they're installing, really. I think that's the, that's the long and short of it. And given how much sensitive stuff you do in your browser, like your banking, logging in with important passwords, or writing private communications, you should think REALLY carefully before installing anything. NBTV is a project of the Ludlow Institute, a nonprofit research and media institute that educates people about how to reclaim ownership of their digital lives. Help us shift culture around
privacy. Visit ludlowinstitute.org/donate or support us by buying some cool shirts, like this one with a cat on it, or this other one with a cat on it! I really like cats. Treat your extensions like one of your exes. If they get too controlling, just remove them from your life.
2025-04-24 16:38