Most of us install Chrome extensions for convenience. I have three that are currently active – my password manager, a grammar checker, and Adobe Acrobat. But those helpful little add-ons might be silently opening the door to privacy invasions, data theft, or worse. A new study by Cybernews revealed that the vast majority of the top 100 Chrome extensions request excessive and sometimes highly dangerous permissions. The worst part: you have no choice but to accept all permissions or not use the extension.
According to the report, 86% of popular Chrome extensions request high-risk permissions the moment they’re installed. These aren’t just low-level settings. We’re talking about access to everything you do in your browser – your open tabs, the content of every webpage you visit, your browsing history, and even your downloads. Some extensions go further, requesting permission to modify traffic (which could allow ad injection or redirection) or tap into local files and storage.
It’s worth pausing here: these are the kinds of capabilities that, in the wrong hands, could enable everything from phishing to keylogging to full-blown data theft. And yes, those “wrong hands” can sometimes slip through the cracks of Chrome’s Web Store. During Cybernews’s analysis, two extensions were removed entirely – one with over a million installs was reportedly caught distributing malware.
The problem isn’t just individual bad actors. It’s systemic. As researcher Teona Patussi at Cybernews points out, you can’t customize what permissions you grant when installing a Chrome extension. It’s all or nothing. “Users have almost no control over what permissions extensions use,” she says.
I’d argue it’s well worth the few minutes it takes to review every extension you’ve installed in your browser. Ask yourself: do I actually use this? Does it perform a function I can’t get elsewhere – perhaps built into Chrome or a more privacy-conscious alternative? If not, delete it. And if you’re on the fence, disable the extension for a week and see if you miss it. That’s often the fastest way to separate essential tools from digital clutter – or potential risk.
Some of the worst offenders are extensions people use every day. Productivity tools and AI-based assistants like “Tampermonkey,” “AI New Tab: Calendar, Tasks, ChatGPT,” and “Checker Plus for Gmail” ask for as many as 18 permissions. Even well-known extensions like Adobe’s PDF tools, popular screen recorders, and password managers often require deep system access.
The danger isn’t necessarily the number of permissions, but the combinations. A handful of high-risk permissions – like scripting access paired with traffic control or data storage – can be enough to build spyware capable of tracking your keystrokes or hijacking your session.
While the Cybernews study is all doom and gloom, that doesn't mean you should stop using extensions altogether. Most extensions are not dangerous, and some truly require elevated access to function. But don’t trust an extension just because it’s popular or has good ratings. Look at the developer, check recent reviews, and keep your list of active extensions lean.
How to Check Your Chrome Extensions – and Spot Red Flags
If it’s been a while since you’ve checked which Chrome extensions are running in your browser, now’s the time. Just type chrome://extensions into your address bar to see the full list. You can toggle any extension off without deleting it, which is an easy way to test if you actually need it.
Look closely at what each extension can access. Click “Details” and scroll to the “Site access” section. If an extension has access to all sites, that’s your first red flag. Does the extension’s function logically require it? A grammar checker, for example, might need access to the text you write, but a PDF converter has no business reading your emails.
Next, pay attention to whether the extension has permission to read and change data, access your browsing history, manage downloads, or communicate with native applications. These are high-risk permissions that can be exploited if the extension is compromised or poorly secured. The more of these permissions you see – especially in combination – the more concerned you should be.
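If you are comfortable running a script, the same check can be made against an extension's manifest.json, the file where it declares what it asks for. The Python below is an added example, not part of the Cybernews study; the mapping from Chrome permission names to the access types described above, and the sample manifest, are assumptions made for illustration.

```python
import json

# Assumed mapping from Chrome manifest permission names to the kinds of
# access the article lists. This is not the Cybernews scoring.
HIGH_RISK = {
    "tabs": "open tabs",
    "history": "browsing history",
    "downloads": "downloads",
    "nativeMessaging": "native applications",
    "scripting": "script injection",
    "webRequest": "traffic control",
    "declarativeNetRequest": "traffic control",
    "storage": "data storage",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Summarise the risky access one parsed manifest.json asks for."""
    requested = set()
    # Manifest V2 mixes site patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts run inside pages without a named permission.
    scripts = manifest.get("content_scripts", [])
    for script in scripts:
        requested.update(script.get("matches", []))

    risks = sorted({HIGH_RISK[p] for p in requested if p in HIGH_RISK})
    can_script = "script injection" in risks or bool(scripts)
    # The pairings the article singles out: scripting plus traffic control or storage.
    combos = [f"page scripting + {r}" for r in ("traffic control", "data storage")
              if can_script and r in risks]
    return {"name": manifest.get("name", "?"),
            "all_sites": bool(requested & BROAD_HOSTS),
            "risks": risks,
            "combinations": combos}


# Constructed sample manifest, not taken from any real extension.
SAMPLE = {
    "name": "Example New Tab Helper",
    "manifest_version": 3,
    "permissions": ["tabs", "scripting", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE), indent=2))
```

To audit your own extensions, load each manifest.json found under the Extensions folder of the profile path shown on chrome://version and pass it to `audit_manifest`.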
Look at your extensions on the Chrome Web Store. Google adds a checkmark next to the developer's name if the app is "Created by the owner of the listed website [and] the publisher has a good record with no history of violations."
Here are a few specific red flags to watch for:
- Excessive permissions that don’t match the extension’s stated purpose
- Unknown or obscure developers, especially those with no website or contact information
- Extensions with few or no recent reviews, or complaints about ads, redirects, or broken functionality
- Sudden behavior changes, like pop-ups appearing on websites you visit, pages loading slower, or unfamiliar redirects
And if you ever see an extension you didn’t install yourself, remove it immediately – it may have piggybacked on another download or update.
Chrome does some policing, but malicious or overly aggressive extensions still slip through. Some even change behavior after gaining a large install base, taking advantage of user trust. That’s why regular check-ins matter. Think of it as routine maintenance. Your data deserves better than blind trust.
[Image credit: Browser hacking concept generated by DALL-E]