Web browser extensions are a double-edged sword. On the one hand, they can block ads and trackers. But, if you let them, they can also read and modify the contents of every displayed page. Yikes! Nothing could be more dangerous. Your browser sees all your passwords. It sees your bank balance and account numbers. Making this worse, is that there are no clear warnings when you install an extension that it can read and modify every character on every web page. There should be a huge red flag (literally). But, there is not.

Frankly, the lack of warning is disgraceful. While the ability to see and modify everything is necessary for an extension to block ads and trackers, far too many extensions are silently granted this ability. Even the most secure, generally available operating system, ChromeOS (which runs Chromebooks), has browser extensions as an Achilles heel. The only way to hack a Chromebook is to convince someone to install a malicious browser extension.

Making a bad situation worse is that browser extensions silently self-update, with few checks to make sure they are not malicious. So, a good extension can go bad without warning. In the Extension Articles section below, there is an article from August 21, 2025 about an extension that did Break Bad.

Another problem with browser extensions are copycat extensions. Just as with domain names, bad guys create scam extensions with names similar to popular ones. Bad guys can get away with this because, by and large, nobody is looking/checking. This article, Google Chrome: legit EditThisCookie extension removed instead of malicious copycat by Martin Brinkmann (December 31, 2024) is about a good extension called EditThisCookie that had over 3 million users and 11,000 ratings. That popularity spawned a malicious extension called EditThisCookies. At some point, the bad extension was renamed to EditThisCookie®.

FYI: A Chromebook in Guest mode does not allow any extensions.

FYI: On Android, the only browser that supports extensions is Firefox.

Never install an extension just because a web site says you need it. There is a good chance, that message is a scam; very very few websites need you install an extension.

RATINGS OF EXTENSIONS

• There are user ratings of extensions, but they are useless in terms of Defensive Computing.
• And, there are very few trusted sources for extensions and no useful system for defining a trusted source. You are on your own with browser extensions, it is the Wild West out there.
• To combat this, when installing an extension, pay close attention to who/what created the extension. Or, maybe, don't install anything other than uBlock Origin.
• One useful website for evaluating extensions is CRXaminer. The home page asks for the ID of the Chrome extension you want to analyze. You can find the ID in the Chrome Web Store. First bring up the web page for an extension. The ID is at the end of the page URL. For example, in this URL
  https://chromewebstore.google.com/detail/betterttv/ajopnjidmegmdimjlfnijceegpefgped
  the ID is after the last slash and starts with "ajop" All IDs are 32 characters long.
• To get a feel for the report created by CRXaminer, here is the one for the Sound Booster extension and the one for the Tripadvisor extension. Note that both have a HIGH risk level. For a scan of a safe extension, see the report for Privacy Badger from the EFF.

Many techies, not just me, would suggest installing an ad blocker extension. This is not because it makes web pages load faster (it does) but mostly because ads have been abused too many times to install malicious software or take you to scam websites. And, they are distracting. And, if care about privacy, you need a tracker blocker too.

The recognized leader in the "blocking" field is uBlock Origin by Raymond Hill (aka gorhill). uBlock Origin is available for many browsers. Beware however, that the popularity of uBlock Origin is such that scam copies have been created. One such scam is uBlock Pro, another goes by just uBlock. Mr Hill warns that uBlock Origin is completely unrelated to the site "ublock.org". When in doubt, check that the extension is from Raymond Hill (aka gorhill).

Needless to say, Google, which makes its money on advertising, does not like ad blocking extensions. Sometime early in 2025 Google introduced a new interface between their Chrome browser and its extensions. This new interface was not compatible with uBlock Origin and Chrome eventually disabled the extension. I got a number of calls from people who were being scammed by malicious ads after Google disabled uBlock Origin. One response to this is to use another web browser that still supports uBlock Origin (Brave, Firefox) or use the Mullvad Browser which has uBlock Origin built into the browser itself. Anyone staying with Chrome, should install the uBlock Origin Lite extension, also from Raymond Hill (aka gorhill).

The Privacy Guides website recommendations for Browser Extensions are uBlock Origin, uBlock Origin Lite and, for iOS users running Safari, AdGuard.

I suggest a default posture of installing as few extensions as possible.

• The one extension everyone should install is uBlock Origin.
• Perhaps the only other extension I would suggest is Privacy Badger from the EFF. It was created to block tracking, but as a side effect, it also ends up blocking ads. On Windows, Privacy Badger runs on Chrome, Firefox, Edge and Opera. It also works in the Android version of Firefox. It does not work in Safari on macOS, but as of June 2025, they are working on this. It will never work in Safari on iOS due to the nature of iOS.
• A safe way to use any other extension is to install it in a web browser that you only use when you need that extension. Most of the time, use another browser. If the extension is spying on you, this minimizes what it can see.

The downside of any blocking (ads or trackers) is that it will break some websites. One solution is learn how to turn uBlock Origin off for a problematic site (click the blue circle that has a vertical line through its top). Another option is keep a second web browser with no extensions at all. A second (or 3rd) browser is also a good idea when you really need a particular extension. Use that browser only on the site(s) that need the extension.

I suggest that you periodically review your installed extensions, in every browser that you use, and remove any you do not recognize or no longer use. To display the installed extensions, use these address bar URLs (perhaps bookmark them):
In chrome chrome://extensions
In Brave brave://extensions   (not valid on iOS or Android)
In Firefox about:addons

See also the page on web browsers

• August 21, 2025: Google yet to take down 'screenshot-grabbing' Chrome VPN extension by Gareth Halfacree for The Register. Koi Security detected a shift in the behavior of a popular Chrome VPN extension, FreeVPN.One. The extension has been around for years, and appears to have been doing exactly what it promised for most of that time. It has a verified status in the Chrome Web Store and featured placement there too. It had more than 100,000 verified installations. But, it recently started taking screenshots of every web page viewed by the browser and transmitting them to a remote server. The end user has no idea about this new behavior. Koi Security reported this to Google who took about a week to remove the extension.
• July 8, 2025: Malicious Chrome extensions with 1.7M installs found on Web Store by Bill Toulas for Bleeping Computer. Quoting: "Almost a dozen malicious extensions with 1.7 million downloads in Google's Chrome Web Store could track users, steal browser activity, and redirect to potentially unsafe web addresses. Most of the add-ons provide the advertised functionality and pose as legitimate tools like color pickers, VPNs, volume boosters, and emoji keyboards. Researchers at Koi Security ... discovered the malicious extensions in Chrome Web Store and reported them to Google. Some of the extensions are no longer present but many of them continue to be available."
• July 7, 2025: Honey just lost a million more Chrome users by Ben Schoon for 9to5 Google. Quoting: "Following an exposé late last year, PayPal’s popular Honey extension has slowly been dropping users ... Prior to a video from MegaLag last year that exposed a handful of shady tactics from PayPal Honey, the extension was a smashing success with upwards of 20 million users on Google Chrome at one point ... as of July 2025, is down to 14,000,000 users according to the Chrome Web Store." Slowly, word gets out.
• July 6, 2025: Mellow Drama: Turning Browsers Into Request Brokers by John Tuckner of Secure Annex the company that discovered this. More than one million users have installed browser extensions that turn their browsers into proxies for a botnet. The extensions contain a library named Mellowtel that waits for users to go inactive, disables page security protections, and then loads a remote website inside a hidden iframe. SecureAnnex found the Mellowtel library in 245 extensions for Chrome, Edge, and Firefox and they notified the browser developers. To date, the malware has been removed from only 12 of the 45 known bad Chrome extensions. On Edge, only 8 of the 129 extensions have removed the code. On Firefox, only 2 of the 69 have been cleaned up. So, basically, you're on your own.
• June 18, 2025: The article describes an attack vector used by malicious ads to trick victims into calling bad guys for tech support. Just one of millions of articles about malicious ads. Address bar shows hp.com. Browser displays scammers’ malicious text anyway by Dan Goodin for Ars Technical.
• June 9, 2025: Chrome extension privacy promises undone by hardcoded secrets, leaky HTTP by Shweta Sharma for CSO Online. Symantec found several widely used Chrome extensions, including DualSafe Password Manager, Avast Online Security & Privacy, SEMRush Rank, PI Rank, MSN New Tab/Homepage and Browsec VPN extension, exposing information through insecure HTTP transmission. You can see in the address bar that a website is using secure HTTPS, but you can't see into the source of installed browser extensions to check if they do too. (Yes, technically, you can, but realistically most people can not)
• May 29, 2025: 57 shady Chrome extensions clock up six million installs by Alanna Titterington for Kaspersky. This article is about the same research as the one below. Two sections of the article: Why extensions are dangerous, and how convenience undermines security, and Too many unnecessary permissions. It also notes that the malicious extensions were not malicious immediately. In case they were being examined just after they were installed, they did not do anything malicious for a while. Secure Annex published a list of the malicious extensions.
• April 19, 2025: The Most Dangerous Thing in Your Browser by Naomi Brockwell for the Ludlow Institute. Quoting: "Extensions are way more permissive and dangerous than people realize. They might be spying on you, logging your browsing history, injecting malicious code, even stealing your passwords and cookies – all without you even realizing it." The article has an accompanying YouTube video show below.
• April 2025: Browser Extensions are DANGEROUS by Naomi Brockwell. A 20 minute YouTube video.
• April 17, 2025: Chrome extensions with 6 million installs have hidden tracking code by Bill Toulas for Bleeping Computer. "A set of 57 Chrome extensions with 6,000,000 users have been discovered with very risky capabilities, such as monitoring browsing behavior, accessing cookies for domains, and potentially executing remote scripts." Most of the extensions do not show up on Chrome Web Store searches. They can only be installed if the user/victim has the direct URL. It is assumed that bad guys do this to evade detection while pushing them through malicious ads and malicious websites. The extensions were discovered by Secure Annex researcher John Tuckner. Some of the publicly available extensions were removed by Google from the Chrome Web Store. But . . . not all.
• April 11, 2025: Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs by Dan Goodin for Ars Technica. Sub-heading: Even weirder: Why would Google give so many the "Featured" stamp for trustworthiness? Me: Google has been failing on Browser Extensions from the get-go. For years and years.
• January 20, 2025: Malicious extensions circumvent Google’s remote code ban by Wladimir Palant. Quoting: "... I consider it highly problematic that Google for a long time allowed extensions to run code they downloaded from some web server, an approach that Mozilla prohibited long before Google even introduced extensions to their browser. For years this has been an easy way for malicious extensions to hide their functionality ... This article looks into more approaches I found used by malicious extensions in Chrome Web Store."
• January 13, 2025: Chrome Web Store is a mess by Wladimir Palant

January 8, 2025: This article is further proof that no one watches over Chrome browser extensions: Here's how hucksters are manipulating Google to promote shady Chrome extensions by Dan Goodin for Ars Technica. Sub-title: How do you stash 18,000 keywords into a description? Turns out it's easy.

• January 6, 2025: Honey, we've been tricked: PayPal faces lawsuit over shady browser extension by Mahmoud Itani for Android Authority. Creators are unhappy about "the biggest scam in YouTube history." The PayPal-owned Honey browser extension was recently caught deceiving customers and poaching affiliate revenue from creators. Lawyer Devin Stone has filed a class action lawsuit against PayPal over these shady practices.
• January 3, 2025: The worst came to pass with 33 browser extensions: Time to check if you ran any of these 33 malicious Chrome extensions by Dan Goodin for Ars Technica. Many Chrome browser extensions have been hacked to push out malicious updates. One company whose extension was hacked was Cyberhaven which really looks bad as they are a security company with corporate customers. The hacking continued for 18 months before being discovered. In every case, the developers of a good extension were scammed by an email message. In part, they were also scammed by look-alike domain names. Had they read the Domain Name Rules page on this site, the scam would have been obvious. The bad guys wanted account credentials at Facebook and chatgpt.com. Estimates are that 2.6 million devices were running a malicious extension.
• November 3, 2024: You're overexposed online. This service fixes 223 privacy settings for you. Geoffrey A. Fowler for the Washington Post. The article is about an extension/service from a startup called Block Party. It is available on the Windows, macOS and Linux versions of Chrome, Firefox, and Edge. It works on the websites of Facebook, Instagram, Google, YouTube, X, LinkedIn, Reddit, Strava and Venmo. For these 9 companies, it reviews your privacy settings, recommends changes and can make the changes for you. There is a 7 day trial, after which the service is $20/year. I would add to the article that you might want to disable the extension when you are not using it. Quoting: "I thought I had my Facebook, Google, Instagram, X, Venmo and LinkedIn on privacy lockdown. Then I got terrified by a new service called Block Party. It scans nine critical apps for 223 privacy, security and other settings. Again and again, Block Party found problems with how I'd set up my accounts that left me exposed ... Tech companies want to collect as much of your data as possible, and, often, to share it widely. So they present privacy and other settings with so many confusing knobs and buttons that it feels like flying a 747. There are 44 different privacy settings on Facebook alone. Worse, apps move around settings - and keep adding new ones that find more ways to exploit your personal data."
• June 23, 2024: Risk of getting malicious extension from Chrome store way worse than Google's letting on, study suggests by Thomas Claburn for The Register. Three academic researchers published a paper about Chrome Web Store data that suggest the risk posed by browser extensions is far greater than Google admits to. Google uses a convenient definition of "bad" when discussing bad extensions. The researchers use a more accurate definition. They found that over 346 million users installed a bad extension in the last three years (280 million malware, 63 million policy violation, and 3 million vulnerable to know bugs.
• June 20, 2024: For Chrome browser: Staying Safe with Chrome Extensions from Google. If you go to the extensions page (chrome://extensions) it warns you of any extensions you have installed that might pose a security risk. But, this puts the burden on the end user most of whom do not know this. So, useless.
• The Chrome browser has a "Safety Check" that you get to with: chrome://settings/safetyCheck
  (Last verified with Chrome version 129 on Windows 10 in November 2024)
  Again, mostly useless as the end user has to know to do this.
• November 2023: HOW Browser Extensions Steal Your Data YouTube video by Naomi Brockwell. 21 minutes. Quoting: "Browser extensions can be a lot more dangerous than you realize. You probably don't understand the permissions that you're granting when installing a browser extension, so in this video we look at these permissions under a microscope, and explain what each one means. We also uncover the sketchy underground extension marketplace that no one talks about -- extensions that have lots of users are purchased and repurposed to collect data and do all kinds of nefarious things."
• In June 2023, many malicious Chrome browser extensions were detected, and not by Google. See Google's Android and Chrome extensions are a very sad place. Here’s why by Dan Goodin for Ars Technica. Quoting: " ... researchers have reported that hundreds of Android apps and Chrome extensions with millions of installs from the company's official marketplaces have included functions for snooping on user files, manipulating the contents of clipboards, and injecting deliberately unknown code into webpages ... Google has removed many but not all of the malicious entries ... Other than issuing canned statements saying Google takes user security seriously, company representatives pretty much maintain radio silence in response to questions about malicious wares available in its marketplace ... Google generally doesn’t notify users once it discovers they have installed one of its malicious offerings." As I said above, it is the Wild West. You have been warned.
• I blogged about potentially dangerous extensions here and here and here.
• Sam Jadali spent much time researching malicious extensions and issued a detailed report called DataSpii that served as the basis for articles in the Washington Post and Ars Technica (July 2019). Neither article suggested a Chromebook in Guest mode.
• February 2020: The Case for Limiting Your Browser Extensions by Brian Krebs. Quoting: "it's not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals."
• December 2019: Best to avoid extensions from Avast and AVG as per this story: Senator Wyden Asks Avast Antivirus Why it Sells Users' Browsing Data by Joseph Cox for Vice. Mozilla removed Avast's and AVG's extensions for harvesting user data.
• March 2019: A Reddit user wrote Why I removed Grammarly chrome extension and deleted my Grammarly account.

Matt Frisbie is a software engineer focused on web browser extensions.

• He has written many articles on his substack
• In February 2023, he wrote: Let's build a Chrome extension that steals everything
• In November 2022 his book was published: Building Browser Extensions: Create Modern Extensions for Chrome, Safari, Firefox, and Edge